The FFIEC BSA/AML Manual states:
Management should periodically review and test the filtering criteria and thresholds established to ensure that they are still effective. In addition, the monitoring system’s programming methodology and effectiveness should be independently validated to ensure that the models are detecting potentially suspicious activity. The independent validation should also verify the policies in place and that management is complying with those policies.
Is this required ANNUALLY? We outsource our audits since we are so small, and our engagement letter has it as optional: BSA audit with or without validation.
There's no specific period dictated and there's no definition of how independent the validation must be. Going internal is tough because the folks with the most expertise (BSA Dept) aren't independent enough.
With that being said, I haven't seen or heard of too many mid to small banks getting criticized for this unless there are other systemic issues. However, given the ever-increasing focus in this area, I foresee more exam comments on this topic.
Also, you should aim to perform your self-testing at appropriate risk-based intervals. Read the OCC's guidance and identify all of the models you use. This means the ETL process, OFAC/list checks, 314a scans, case management functions, detection parameters, etc. Think of a strategy to self-validate each; it shows that you have a strong model governance program.
I would argue the following:
- AML Software data loads: Daily reconciliation
- OFAC: Validation at SDN update
- 314a: Validate after each run
- Case Management Functions/Processes: Annually
- Detection Parameters:
  - Quarterly: review of select ineffective parameters
  - Annual full parameter review/gap analysis:
    - Poor scoring rules targeted