#1769469 - 12/20/12 07:53 PM BSA Independent Test Done Remotely / Offsite
JollyBanker Offline
New Poster
Joined: Jan 2011
Posts: 13
Is there any requirement that requires the BSA independent test to be done onsite / prohibits it from being done remotely? Conducting this test remotely would allow us to select from a wider pool of auditors and to save on the travel expense associated with auditors.

BSA/AML/CIP/OFAC Forum
#1769496 - 12/20/12 08:19 PM Re: BSA Independent Test Done Remotely / Offsite JollyBanker
Elwood P. Dowd Offline
10K Club
Elwood P. Dowd
Joined: Aug 2001
Posts: 21,939
Next to Harvey
So, you are thinking that you could provide all of the required documentation, more or less like you do in response to a pre-examination questionnaire, and that would allow the reviewer to form an opinion about your BSA program?

It's not prohibited, but keep in mind that your regulator will evaluate your independent audit when they are on-site. They will have more information and could find it easy to poke holes.

You might have better luck selling the results of a review where the auditor spent a minimal amount of time on site. I've believed for a long time that much of the "on-site" activity is unnecessary; if the documentation had been provided in advance and thoroughly analyzed, the on-site activity could be minimal. (The same would be true for bank examinations by regulatory personnel.)

I acknowledge that's an entirely academic opinion on my part. If I'm wrong, one of those BOL'ers who does this type of work will hasten to point it out to me.

In your shoes, I would look for an auditor who could demonstrate that it could be done, but I would discuss it with my EIC from the last exam before signing an engagement letter.
_________________________
In this world you must be oh so smart or oh so pleasant. Well, for years I was smart. I recommend pleasant.

#1769504 - 12/20/12 08:25 PM Re: BSA Independent Test Done Remotely / Offsite JollyBanker
JollyBanker Offline
New Poster
Joined: Jan 2011
Posts: 13
Ken: Exactly - all documentation would be scanned and emailed, most of it is imaged already anyway. We would communicate with the auditor via telephone.

I don't think anything in regs prohibits this, I just don't think this method was contemplated when regs were written.

Thanks for your response!

#1769521 - 12/20/12 08:50 PM Re: BSA Independent Test Done Remotely / Offsite JollyBanker
BFrame Offline
Gold Star
BFrame
Joined: Nov 2011
Posts: 402
USA
We have an external auditor come annually and spend a few days auditing BSA here. When I think about the request list that he sends for me to prepare before he gets here & the other items he requests once he's in the bank, all of it could be scanned and e-mailed, it would just be tedious to go through all of my Exemption customer files/MSB files/RDC files/etc. to scan each page. But it's possible.

I'm a little old-fashioned. I've always found a lot of value in face-to-face conversations regarding recommendations made by the auditor.
_________________________
~

#1769561 - 12/20/12 09:49 PM Re: BSA Independent Test Done Remotely / Offsite JollyBanker
Kathleen O. Blanchard Offline

10K Club
Kathleen O. Blanchard
Joined: Dec 2000
Posts: 21,293
In my opinion, a good part of the audit can be offsite (review of the policies, procedures, training materials, some reports of data) but certain things do (in my opinion anyway) need to be done onsite such as review of SARs filed, not filed, alerts generated and resolution, anything else containing highly confidential data.

Some tasks depend upon how your bank retains and presents data. I have audited banks where the original CIP data is retained in a system and an electronic report is provided with all required information. Needed discussions can be conference call or onsite.

Some things, in addition to highly confidential data, lend themselves to onsite...observing a CTR process for example, sitting and chatting about how you manage your high risk customers and MSBs - it may be necessary to look at computer systems.

Security of data can be dealt with (but no matter how secure the delivery I would not send SARs and other confidential customer data). Dealing with that, you can certainly move big chunks of this to offsite and save time and money while getting a quality BSA audit.
_________________________
Kathleen O. Blanchard, CRCM "Kaybee"
HMDA/CRA Training/Consulting/Mapping
The HMDA Academy
www.kaybeescomplianceinsights.com

#1769578 - 12/20/12 10:19 PM Re: BSA Independent Test Done Remotely / Offsite JollyBanker
John Burnett Offline
10K Club
John Burnett
Joined: Oct 2000
Posts: 40,086
Cape Cod
I only want to emphasize Kaybee's thoughts about the SAR process review. It really needs to be done on-site, since you don't want any of those files outside your control, and should not be sending copies off via email, whether or not encrypted. The reviewer should also surrender to you all workpapers concerning the SAR process once the final report is issued.
_________________________
John S. Burnett
BankersOnline.com
Fighting for Compliance since 1976
Bankers' Threads User #8

#1769628 - 12/21/12 01:42 PM Re: BSA Independent Test Done Remotely / Offsite JollyBanker
rlcarey Offline
10K Club
rlcarey
Joined: Jul 2001
Posts: 83,227
Galveston, TX
I can tell you from experience, only an off-site audit is not going to be acceptable. Unless the auditors have access to your systems in order to research and test for SAR compliance, they are going to cite you for an inadequate audit. The auditors are expected to not just look at what you have done, but to conduct enough independent testing to figure out what you haven't.

Personally, I will not contract a BSA/AML audit without the bank granting me full inquiry access to their deposit, lending and any image systems they may have (checks, documents, etc.). It is impossible to do a comprehensive audit without it.
_________________________
The opinions expressed here should not be construed to be those of my employer: PPDocs.com

#1769701 - 12/21/12 03:17 PM Re: BSA Independent Test Done Remotely / Offsite JollyBanker
Elwood P. Dowd Offline
10K Club
Elwood P. Dowd
Joined: Aug 2001
Posts: 21,939
Next to Harvey
JollyBanker,

FYI, the two people I hoped would respond are Kaybee and rlcarey. They perform these audits routinely and theirs are the opinions I value most.

As noted, the risk you run would be that your regulator would conclude the audit was inadequate. In my experience they treat an inadequate audit the same way they treat "no audit." It will be cited as a pillar violation.

While we can conceptualize about much of the work being conducted off site, I think your regulator would burrow deeply in order to find inadequacies if everything was done off site. I'm pretty sure they would find them.
_________________________
In this world you must be oh so smart or oh so pleasant. Well, for years I was smart. I recommend pleasant.

#1769748 - 12/21/12 04:01 PM Re: BSA Independent Test Done Remotely / Offsite JollyBanker
ACBbank Offline
Power Poster
ACBbank
Joined: Jul 2006
Posts: 4,344
New York City
We are currently running an IA for a very large FI in the Midwest. As a few posters have already mentioned, it cannot be done 100% offsite. We are working offsite currently, but that's after a few months of onsite work to complete the field work.
_________________________
"100 victories in 100 battles isn't the most skillful. Subduing the other's military w/o battle is the most skillful." Sun-Tzu

#1769916 - 12/21/12 08:06 PM Re: BSA Independent Test Done Remotely / Offsite JollyBanker
JollyBanker Offline
New Poster
Joined: Jan 2011
Posts: 13
Many thanks to everyone for all of the very helpful comments. Happy holidays!


Moderator:  Andy_Z