Some Tips for Auditing the Suspicious Activity Reporting Program
In each issue of The SAR Activity Review, representatives from the financial services industry offer insights into some aspect of compliance management or fraud prevention, presenting their view of how they implement the BSA within their institutions. Although the Industry Forum Section provides an opportunity for the industry to share its views, the information provided in it may not represent the official position of the regulators.
By Alan S. Abel, representing The American Institute of Certified Public Accountants to the Bank Secrecy Act Advisory Group [31]
The Bank Secrecy Act (BSA) requires independent testing of the compliance program to determine whether the program is suitably designed and operating effectively. Because suspicious activity reporting (written in lowercase as "sar" in this article when it refers to the reporting process rather than to the SAR form itself) is an important component of Anti-Money Laundering (AML) and BSA programs, increasingly across financial services and now even other sectors, the accounting profession plays an ever-larger role in fulfilling this requirement.
The auditor's primary objectives in independently reviewing a SAR program include:
- Identifying material program weaknesses, control deficiencies and opportunities for program, process, and control enhancement and reporting them to senior management and the board
- Assisting senior management with identifying money laundering and other financial crime vulnerability in the context of risk-focused supervision, in four key regulator-defined risk areas: compliance, reputational, strategic, and operational. The flip side of this is helping senior management better assess and manage risk.
- Performing work that may be useful to regulators in conducting their supervisory examinations. [32]
In addition, it is not unusual for the auditor to identify unusual and suspicious activity in the course of performing the SAR program audit procedures.
Here, then, are some criteria and leading practices that auditors may wish to consider in developing and administering an audit program to review and independently test a SAR program.
[31] Alan Abel also is Global Leader, Anti-Money Laundering Compliance and Risk Management Services for PricewaterhouseCoopers LLP.
The Internal Environment
Before drilling down into sar processes and the controls surrounding those processes, the auditor should consider the "big picture": the overall internal control environment of the enterprise as it relates to sar. This means getting a sense of the "tone at the top" of the organization, i.e. what is senior management's and the board's attitude, posture and message about integrity, ethical values, and competence? Are the right messages sent internally and externally about the importance of complying with the letter and spirit of the law and about protecting the enterprise, its people, assets, operations and reputation from money launderers, money laundering, and related financial crime? Does the Board-approved policy framework (and, by the way, are the policies Board-approved?) contain a clear policy and commitment to identify and report suspicious activity? When talking to employees, does one get a sense that these values are effectively communicated and shared? Do employees across the enterprise have a positive attitude, understand what unusual and suspicious activity are, and understand the importance of identifying and reporting it to management? Do they know what to do and whom to contact? How frequently does this subject show up in internal communications?
Written Compliance Program
The auditor should look for evidence of compliance program documentation about unusual and suspicious activity identification and reporting at three levels:
- Level I: Board-approved policy framework (see above). The auditor needs to gain an understanding of the specific BSA SAR regulatory requirements that apply to the enterprise. Is the organization currently required to comply with BSA SAR requirements enterprise-wide? Is there a voluntary SAR policy, adopted in anticipation of future requirements or because senior management and the board believe that they are doing the right thing regardless of requirements? Does the policy fully comply with regulatory requirements? Are aspects of the policy more stringent than required? (A SAR policy that exceeds the enterprise's regulatory requirements is perfectly acceptable; it reflects a more conservative risk appetite, which few would question. It is important, however, to understand what it is.) The auditor should also review the agendas and minutes of senior management and board meetings to determine whether the right discussions and actions are taking place to support a well-considered SAR policy, and to get a sense of future plans or intentions to review or modify the policy.
- Level II: Enterprise-wide standards and guidance. The auditor should determine what enterprise-wide standards and guidance are articulated and promulgated by senior management that support a SAR program. What high-level standards and guidance has senior management developed and communicated to employees about the nature of unusual and suspicious activity and how to seek it out and recognize it when encountered? Does management communicate to employees the conduct and response that is expected of them? Is internal and external guidance (e.g. the SAR Activity Review) well communicated and accessible? How well does senior management articulate and convey the importance of Know Your Customer (KYC) principles and provide guidelines on how to apply them to the organization? Does senior management encourage employees to seek out and stay abreast of external guidance? How frequently do employees actually do this?
- Level III: Implementing and operating policies and procedures. Many business organizations confuse policies with procedures, as is frequently evident from reviewing compliance program documentation, and accounting professionals frequently assist their clients with revising their written compliance programs accordingly. Here is the distinction in a nutshell: policies are the "what" and procedures are the "how." Successful implementing and operating policies and procedures will robustly apply the Board-approved policy framework and the enterprise-wide standards and guidance to each of the business units and support areas of consequence. In other words, each of these areas should have a set of tailored policies and procedures that clearly describe how the overall SAR policy, standards and guidance for the enterprise as a whole apply to them: the types of unusual and suspicious activity likely to be encountered, roles and responsibilities, and specific operating procedures and controls. Are the required actions and follow-up clearly articulated? What information should be produced, and what are the appropriate channels of communication? The SAR is, of course, time-sensitive, and this message should come through loud and clear in the procedures.
Robust Risk Assessment Process
In the realm of suspicious activity, one size does not fit all. Merely taking SAR forms and instructions and broadcasting them across the enterprise is not likely to be very effective at getting results. As is the case for other key elements of an AML and BSA compliance program, the suit needs to be tailored, i.e. the sar process needs to be risk-based and business-based. Business units need to assess what types of unusual and suspicious activity are more likely to occur, and what employees are more likely to encounter, in their respective areas. To get a good sense of whether the enterprise has a sound risk assessment process in place, auditors should look to see whether there is a hands-on AML / BSA committee (usually chaired or coordinated by the AML / BSA compliance officer) made up of individuals who properly represent the business units and support areas of consequence. Among their committee obligations and assignments, members should be actively engaged in periodic risk assessment and in reporting results to the committee. The output of risk assessment should be a blueprint of the types of unusual and suspicious activity that the employees of the respective areas are more likely to encounter. Frequently, and as a leading practice, management will prepare a risk assessment survey (designed with SAR or other reportable conditions in mind) that is administered by the committee. In particular, this exercise should be valuable for engaging employees in the risk assessment process, with the obvious, hoped-for benefits. A robust risk assessment exercise is therefore an important way of determining whether a SAR program is suitably designed and operating effectively.
Also, it is a leading practice for an enterprise-wide SAR program to be active (as opposed to passive) and pre-emptive. The more effective SAR program is one characterized by high-energy outreach, versus one where management passively waits for internal reports to (maybe) come forward. Getting to and sustaining the state of "high-energy active" requires continuously deploying the other program elements and identifying and engaging opportunities for continuous improvement.
Risk Profiling and Benchmarking
As part of the risk assessment process, it is a good idea to periodically compare the enterprise's sar performance with industry performance and report the comparison to senior management. (Of course, the leading source of sar performance benchmarking information is the SAR Activity Review.) The auditor may wish to make an independent determination and compare it to management's. It is important for compliance management to highlight, report and explain material SAR filing variances to senior management. There are usually some very compelling reasons for variances: everyone has a different risk profile, and no two enterprises have the same profile of customers, products and services, geographies, distribution channels, employees, and other business relationships. However, it is a good idea for senior management to articulate the enterprise's risk profile in any event and to explain SAR filing performance variances in the context of that profile. Supervisors and law enforcement may walk in the door with a set of expectations with respect to the character and volume of SARs, and senior management should be prepared to present, discuss and explain their SAR filing performance.
Training and Awareness
Training is, of course, a core BSA program requirement. The auditor should determine whether or not there is a sufficient KYC and SAR component in the training materials. The auditor should assess the effectiveness of training by talking to employees and by reviewing test results where applicable. Training materials should show signs of freshness and meaningfulness.
While not a hard and fast requirement, it is a good practice for SARs to emanate from one portal out the door to law enforcement. Ideally, the enterprise will have an internal mechanism for employees to report events or situations that they believe are unusual or suspicious that is separate and distinct from the SAR that may ultimately be prepared and filed. (Most enterprises have a name for this internal mechanism or report that distinguishes it from "SAR" to avoid confusion.) There should be controls in place to make sure that only specifically authorized and designated individuals are part of the event escalation, analysis and reporting stream. Your supervisors and law enforcement expect to see SAR filings come from one or very few designated individuals, usually an AML / BSA compliance officer. The auditor should test SARs filed to determine whether these procedures are being followed and should note exceptions. Auditors should ask for process flow charts or descriptions of reporting process flows, and then test the process to see if it works as designed.
For frequently compelling and also "legacy" reasons, enterprises often have their sar processes fragmented (the euphemisms are "shared," "distributed," and "allocated"), and often in a manner where corporate security (internal law enforcement) handles the "fraud SARs" and compliance handles the money laundering, structuring, and BSA-related SARs (or a distinction is made between the "internal" SARs and the "external" SARs). While this approach may be functional in many respects, sar process fragmentation creates opportunities for control deficiencies. SARs and their supporting cases may "fall through the cracks," and "need-to-know," while important to the objective of confidentiality, frequently becomes a barrier to the balanced level of communication required for an effective sar process.
It is the better practice for one office (usually the AML / BSA Officer) to be the conductor of the SAR orchestra of players. Obviously, corporate security plays a critical role in conducting and supporting investigations. In fact, auditors should review corporate security and other investigations, analysis, and reporting staff in view of caseload to determine whether there are sufficient, competent, technical resources to adequately cover the volume of existing and anticipated activity.
Sound Judgment and Quality Process
As indicated above, it is important to distinguish the internal detection and escalation process from the external SAR filing process. Employees should be sufficiently trained and engaged, and written policies and procedures should be sufficiently clear and robust, so that the internal detection, reporting and escalation process can be effective. Typically, employees prepare an internal report of unusual or suspicious activity in consultation with a supervisor and the designated compliance liaison. The internal report should be quickly escalated for analysis and investigation (i.e. the internal report becomes a case) that is tracked, and then quickly routed or further escalated to a committee to review the case and make the "suspicious" determination. The committee members (the decision-makers) should be persons of sufficient authority and judgment to make the determination. It is conventional for the AML / BSA Officer to present the case and make a recommendation to the committee. Because SAR filings are time-sensitive, it is a good practice for a draft SAR, already reviewed for completeness, quality, and risk, to be presented to the committee along with the case for review. The auditor should obtain a thorough understanding of the entire sar process and the controls in place governing the process.
Quality Case Tracking
Regulators typically require businesses to maintain a "SAR log." While minimally adequate to "check off the box," anything less than a flexible, sortable, well-maintained case-tracking database does not generally provide adequate control over the SAR process, except in a lower-risk, lower-reportable-event-volume environment. Frequently, a conventional spreadsheet or low-end database management system with indexing and sorting capability will suffice.
While not all internally reported incidents, events or situations will ultimately result in a SAR immediately, they may result in or contribute to a SAR down the road. Therefore, it is a good practice to track all internal reports and their disposition. Obviously, there should be good record-keeping and security controls over the case tracking system. While making the investment, the system should also provide flexible database management and meaningful reporting. Auditors should review the case tracking mechanism and identify any control deficiencies and opportunities for improvement.
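The sections above describe a case flow (internal report, tracked case, committee determination, filing by a designated officer) and ask the auditor to test filed SARs against it and note exceptions. The following is an added example, not code from the article, the author, or any vendor, showing how that control model can be expressed as a small state machine and then used to replay an exported case log and flag the exceptions an auditor would note. The role names, status names, the 30-day aging threshold and the sample event log are all constructed assumptions for illustration; none of them are regulatory requirements stated in the article.

```python
"""Added example: case-tracking control model for an internal-report -> case ->
committee determination -> SAR filing flow, plus an audit replay over an
exported event log. Role names, statuses, the aging threshold and the sample
events are assumptions for illustration only."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum


class Status(Enum):
    REPORTED = "reported"            # employee's internal report received
    UNDER_REVIEW = "under_review"    # case opened for analysis/investigation
    DETERMINED = "determined"        # committee made the "suspicious" call
    FILED = "filed"                  # SAR sent out through the designated channel
    CLOSED_NO_SAR = "closed_no_sar"  # disposition recorded, no filing


# Which (assumed) roles may perform each transition. Anything not listed is
# not a permitted path, e.g. filing straight from review skips the committee.
TRANSITIONS = {
    (Status.REPORTED, Status.UNDER_REVIEW): {"compliance_liaison", "bsa_officer"},
    (Status.UNDER_REVIEW, Status.DETERMINED): {"committee"},
    (Status.UNDER_REVIEW, Status.CLOSED_NO_SAR): {"committee"},
    (Status.DETERMINED, Status.FILED): {"bsa_officer"},
    (Status.DETERMINED, Status.CLOSED_NO_SAR): {"committee"},
}
FINAL = {Status.FILED, Status.CLOSED_NO_SAR}


@dataclass
class Case:
    case_id: str
    opened_at: datetime
    status: Status = Status.REPORTED
    audit_trail: list = field(default_factory=list)  # append-only history

    def transition(self, new_status, actor, role, at):
        """Move the case to new_status if the path and the actor's role are allowed."""
        allowed = TRANSITIONS.get((self.status, new_status))
        if allowed is None:
            raise ValueError(f"{self.status.value} -> {new_status.value} is not a permitted transition")
        if role not in allowed:
            raise PermissionError(f"role {role!r} may not move a case to {new_status.value}")
        self.audit_trail.append((at, actor, role, self.status.value, new_status.value))
        self.status = new_status


def replay_and_audit(events, now, max_open_days=30):
    """Replay exported events (timestamp, case_id, actor, role, new_status)
    through the control model and return the exceptions an auditor would note.
    max_open_days is an assumed internal aging threshold, not a regulatory deadline."""
    cases, exceptions = {}, []
    for at, case_id, actor, role, new_status in sorted(events, key=lambda e: e[0]):
        if new_status is Status.REPORTED:
            case = cases[case_id] = Case(case_id, at)
            case.audit_trail.append((at, actor, role, None, "reported"))
            continue
        case = cases.get(case_id)
        if case is None:
            exceptions.append(f"{case_id}: {new_status.value} recorded with no internal report on file")
            continue
        try:
            case.transition(new_status, actor, role, at)
        except (ValueError, PermissionError) as exc:
            exceptions.append(f"{case_id}: {exc}")
            case.status = new_status  # record what actually happened and keep auditing
    for case in cases.values():
        age = (now - case.opened_at).days
        if case.status not in FINAL and age > max_open_days:
            exceptions.append(f"{case.case_id}: open {age} days without disposition")
    return exceptions


# Constructed sample log. NOW is the article's publication date, used only as a
# reference point; the people, case ids and dates are made up.
NOW = datetime(2003, 11, 1)
D = lambda days_ago: NOW - timedelta(days=days_ago)
SAMPLE_EVENTS = [
    (D(20), "C-001", "t.lee", "employee", Status.REPORTED),
    (D(19), "C-001", "m.ruiz", "compliance_liaison", Status.UNDER_REVIEW),
    (D(10), "C-001", "sar-committee", "committee", Status.DETERMINED),
    (D(8), "C-001", "j.park", "bsa_officer", Status.FILED),          # clean path
    (D(15), "C-002", "a.chen", "employee", Status.REPORTED),
    (D(13), "C-002", "m.ruiz", "compliance_liaison", Status.UNDER_REVIEW),
    (D(11), "C-002", "r.gold", "corporate_security", Status.FILED),  # skipped committee
    (D(60), "C-003", "k.osei", "employee", Status.REPORTED),
    (D(59), "C-003", "m.ruiz", "compliance_liaison", Status.UNDER_REVIEW),  # stale
    (D(3), "C-004", "j.park", "bsa_officer", Status.FILED),          # no internal report
]

if __name__ == "__main__":
    for line in replay_and_audit(SAMPLE_EVENTS, NOW):
        print("EXCEPTION", line)
```

Running the module lists three exceptions: C-002 was filed straight from review without a committee determination, C-003 has been open well past the assumed aging threshold, and C-004 has a filing with no internal report behind it. The same TRANSITIONS table that enforces the control in the live Case object is what the replay uses to judge the exported log, so the auditor is testing the process against its own documented design rather than against a separately maintained checklist.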
Compliance Monitoring and Assessment
The BSA requirement for a strong monitoring function applies squarely to SAR programs where applicable. Auditors should review the compliance review, assessment, or monitoring program (different terms are used from business to business) to make sure that this requirement is being adequately addressed. Compliance assessment is the primary mechanism through which the compliance function can assess the quality and effectiveness of the SAR program in place. The auditor should determine whether or not this program is in place, whether qualified professional staff are performing periodic assessment, and whether the results are being reported and acted upon.
Confidentiality and Security
While virtually everyone has KYC and event reporting roles and responsibilities, far fewer will play a role in subsequent investigation, analysis, determination, tracking and ultimate SAR reporting. For very compelling reasons, not the least of which are confidence, the risk of tipping off, safety, and safe harbor, strong controls surrounding sar process flow, recordkeeping and reporting are critical. In reviewing the overall sar process, the auditor should review the controls in place and should test them to see that they are functioning as designed. This includes testing to make sure that SARs do not leave the "four walls" of the enterprise, except for those filed with law enforcement through proper channels. The auditor should consider another important aspect of confidentiality: the ability of employees to make confidential reports of unusual or suspicious activity directly to designated compliance officials. This ability requires well-defined channels of access and communication, e.g. an employee hot line.
Information and Communication
Also consistent with the profession's COSO methodology, the auditor should examine and assess the quality of the strategic, compliance and operational information surrounding and driving the sar process, and the adequacy of the channels of communication.
Enabling and strengthening the program elements and practices described above requires quality information, information processing, and well-defined and working channels of communication. The sar and SAR flows themselves, as well as management information regarding program performance, risk assessment and response, have to be accurate, meaningful and timely to enable senior management to make well-informed decisions governing the sar process. Assessing the quality of information and information processing connected with the operational sar process itself may require some in-depth analysis. This will likely include assessing the timeliness, accuracy, efficiency, effectiveness, quality and usefulness of the mechanisms, reports and reporting tools used by designated employees to support the monitoring, escalation, investigation, analysis and reporting of unusual and suspicious activity. Here it may be prudent to assign an IT auditor to look at the automated processes. (However, don't lose sight of the total quality process surrounding the production and flow of information inherent in the other SAR program criteria: the technology tools in place are only as effective as the human processes that drive and respond to them.)
Similarly, the auditor needs to identify the channels of communication surrounding the sar process and evaluate their effectiveness. Channels conventionally include internal conveyances of the written compliance program (usually email, web-site postings and employee manuals), compliance and business unit meetings, training and awareness sessions, and "kitchen posters" (e.g. "Do You Know Suspicious Activity When You See It?").
Excerpted from SAR Activity Review Issue 6, page 71
First published on 11/01/2003