Anti-Money Laundering Training One Size Does NOT Fit Allfiles.acams.org/pdfs/2017/Anti-Money_Laundering_Training_N.Lopez… · Given its continued evolution, ... to maintain records

Anti-Money Laundering Training…

Norma I Lopez

Disclaimer: The views expressed in this paper are those of the author, and the author alone. The author is not representing the views or opinions of the institution.

…One Size Does Not

Fit All

Anti-Money Laundering Training One Size Does NOT Fit All

Lopez, Norma I Page 2

Table of Contents

Introduction…………………………………………………………………………...(3) Executive Summary…………………………………………………………………(4) The Guidance: A Look at the BSA/AML Examination Manual………………(5) What Does an Effective AML Training Program Look Like?.........................(6) Audit’s Approach and Expectations for an AML Training Program………(15) Takeaway - AML Training – One Size Does Not Fit All………………………(18)

Appendices – Quick Training Program Considerations…………………….(20) References…………………………………………………………………………..(21)



Introduction

Today’s money laundering 1 headlines show that money laundering schemes, in their various ways, shapes, or forms, continue to evolve and challenge compliance professionals to detect the activities. Given its continued evolution, compliance professionals, regardless of their respective industry sectors, must continue to strive to achieve “excellence” in detection and remain vigilant to the new and creative ways that criminals attempt to defraud the financial system. While there are various channels, such as enhancing internal controls, revamping testing, and or the hiring of role-specific individuals, in which compliance professionals can continue to achieve “excellence,” it is this author’s perspective that an elaborate AML training program can be a financial institution’s first, last, and best control in combating heightened money laundering risk. However, before we take a detailed look at the ins and outs of an AML training program, let us take a ride though history.

1 ACAMS Money Laundering.Com – January 2017

(http://www.moneylaundering.com/Calendars/Pages/Enforcements.aspx)



Executive Summary AML statutes were first introduced in the U.S. in the 1970s through the adoption of the Bank Secrecy Act (BSA). As set forth by the regulation, the “BSA requires financial institutions [FIs] in the United States to assist U.S. government agencies in the detection and prevention of money laundering activities. Specifically, the act requires financial institutions to maintain records of cash purchases of negotiable instruments, and file reports of cash purchases of these negotiable instruments of more than $10,000 (daily aggregate amount), and to report suspicious activity that might signify money laundering, tax evasion, or other criminal activities.”2 The regulation further states that FIs, regardless of their region and size, must establish and maintain a Bank Secrecy Act/anti-money laundering (BSA/AML) compliance program that includes the following four pillars:

1. A system of internal controls to ensure ongoing compliance.2 2. Independent testing of BSA compliance.2 3. A specifically designated person or persons responsible for managing BSA compliance.2

4. Training for appropriate personnel.2

In addition, the regulation is recognized as one of the first pieces of legislation within the financial regulatory framework that places an emphasis on and highlights the importance of training in the overall fight against money laundering.3 As such, BSA/AML training is a critical control in combating AML risk and, because of this, it is assumed that a FI’s BSA/AML training program should be dynamic and continuously assessed given the ever-changing financial, economical and AML risk environment. The purpose of this research paper is to analyze and discuss what an effective AML training program looks like and introduce, for the readers consideration, audit’s approach and expectations for an AML training program. Please note it is this author’s independent goal to illustrate audit’s key contributions in a FI’s design, delivery and management of BSA/AML training, which is the foundation of an effective system of controls to combat heightened AML risk. As such, throughout the next several sections, we will explore the elements of an elaborate AML training program and review case studies in which FI’s were noted to have violated the regulation and/or had an AML training program with noted deficiencies.

2 Office of the Comptroller of Currency (OCC) - Bank Secrecy Act Manual – January 2017 (https://www.occ.gov/topics/compliance-bsa/bsa/index-bsa.html) 3 (Federal Reserve Bank (FRB), Federal Deposit and Insurance Corporation (FDIC), Consumer Financial Protection Bureau (CFPB), Office of the Comptroller of Currency (OCC), and Federal Financial Institutions Examination Council (FFIEC)



In addition, “best practices” recommendations will be presented via icon throughout the research paper. Please keep in mind that the “best practices” recommendations and “Case Study Reactions” presented throughout the paper are those of the author, and the author alone. The author is not representing the views or opinions of JPMorgan Chase.

On June 1, 2010, the Financial Crimes Enforcement Network (FinCEN) entered into a consent order 4 with Pamrapo Savings Bank, S.L.A. (Pamrapo) in which Pamrapo was imposed civil money penalties for violations of the BSA and regulations pursuant to that Act. Specifically, Pamrapo violated the requirement to fully establish and implement one of the four pillars of the BSA/AML compliance program: training. According to the consent order, Pamrapo’s BSA training program was “essentially non-existent.” “The Bank did not have formalized ongoing BSA training for all employees. In fact, the training was limited to showing a videotape and circulating memos to certain employees. The training was not job specific or documented. In addition, internal audit staff members did not receive formal BSA/AML training. Despite being told repeatedly that the bank’s BSA training was deficient, bank management failed to implement an adequate BSA training program over a period of years.”4 As a result, given the non-exsiting training program, the bank was noted to have unqualified BSA compliance personnel, which in turn resulted in the execution of an ineffective AML program, and utlimately led to civil money penalties of $1,000,0004. Case Study Reactions: It is this author’s belief that had Pamrapo formalized an efficient ongoing BSA training for all employees, as “repeatedly being told,” the bank could have positioned itself to have had an effective AML program and thus potentially avoided the consent order and imposed civil money penalties. In addition, the consent order of Pamrapo further supports the agrument that an AML training program can independently be a financial institution’s first, last and best control in combating heightened AML risk.

The Guidance: A Look at the BSA/AML Examination Manual

Given the importance and emphasis on BSA/AML training and in order to maintain consistency with the BSA/AML examination process, FinCEN, in conjunction with the federal banking regulatory agencies and the Office of Foreign Asset Control (OFAC), published the Federal Financial Institutions Examination Council’s (FFIEC) Bank Secrecy Act/Anti-Money Laundering Examination manual in June 2005. The manual, which is updated periodically, provides guidance to federal

4 Pamrapo Savings Bank, S.L.A. Bayonne, New Jersey Consent Order Number 2010-3

~~~~~ Case Study ~~~~~



agency examiners and auditors when conducting BSA/AML audits or exam. The manual outlines the importance of various BSA/AML themes (e.g., four pillars) and provides, for the examiner and/or auditor’s consideration, testing steps to execute in anticipation of thoroughly reviewing a FI’s compliance program and determining if the FI is compliant with the regulation.

Based on this author’s personal experience, the BSA/AML Manual has been a staple in the execution of audit/examination work and consulted regularly to confirm understanding of not only the regulation and the various standards but also to validate the creation and implementation of BSA/AML compliance program and to support noted deficiencies. In addition, the manual is said to be consulted by FIs as well. For example, should a FI find itself offering a new product or servicing a new customer type, reviewing the guidelines set forth by the manual will lay the foundation of what information the FI should consider prior to fully implementing the product or onboarding the customer.

As such, as a compliance professional with roles or responsibilities aligning with BSA/AML risk, it is my recommendation that the BSA/AML Manual be continuously considered in the execution of your respective roles and responsibilities. What does an effective AML training program look like? Prior to discussing what an effective AML training program looks like, let us review “Table A” below.

Table A5

As portrayed within the table, “Training” is regarded as one of the elements in the “Evolution of Overall Integrity and Effectiveness of Bank’s AML/BSA Program.” In

5 ACAMS Advanced Certification, Training Module, October 2016 / acams.org / [email protected]



addition, the Study Guide for the CAMS Certification Examination, Fifth Edition,6 reiterates the importance of training noting that “regulations and laws require financial institutions to have formal, written AML compliance programs that include “training for appropriate personnel.” However, when thinking about or considering an effective AML training program, one should have caution and note that not just any AML training program is appropriate for any FIs as FIs differ from one another whether it be in the their respective products, line of business, regions (U.S., international, local regulations, etc.), risk appetites, and risk profiles. Nonetheless, a successful training program should not only meet the standards set forth by the regulation, but should also satisfy the FIs respective internal policies, procedures and controls that have been established to mitigate heightened AML risk. So, what does an effective AML training program look like? An effective AML training program should take into consideration the FIs risk profile, risk appetite, region, products/services it offers, and its customer types. In addition, the AML training program should consider following questions:

Who shall be trained – “The first step in designing an effective training program is

identifying your target audience,6 ‘who shall be trained?’” While some FIs assign a basic level of training to all its personnel, other FIs deem it necessary to train those individuals within areas prone to higher AML risk. In addition, other FIs assign a more targeted training program to individuals within various roles directly impacted by money laundering (e.g., personnel with direct customer contact; operational personnel/back office; first and second line of defense personnel; compliance and audit personnel; subject-matter experts; senior management; board of directors, etc.). In the following “Case Study,” we will read about a FI’s criticism from the regulators in which the FI was noted to have deficiencies in their AML training program and as such, instructed to enhance their program to better align to the FI’s business model.

6 Study Guide for the CAMS Certification Examination, Fifth Edition – Training Section, pages 197 – 202

1. Who shall be trained? 2. What shall they be trained on? 3. How shall the training be

executed/Where shall the training be held?

4. When shall the training occur?



On July 27, 2012, the FDIC entered into a consent order with Banamex USA,7 in which Banamex USA consented, without admitting or denying any charges of unsafe or unsound banking practices relating to the bank’s BSA and AML program, to the speculations ordered within. Specifically, the bank was instructed to “provide and document training by competent staff and/or independent contractors, board members and all appropriate personnel including, without limitation, senior management, tellers, customer service representatives, lending officers, private and personal banking officers and all other customer contact personnel, in all applicable aspects of regulatory and internal policies and procedures related to the BSA. Training shall be updated on a regular basis to ensure that all personnel are provided with the most current and up-to-date information.”7 Case Study Reactions: It is this author’s opinion that competent staff and/or independent contractors, all board members and all appropriate personnel, should have knowledge of not only the regulation but also the bank’s BSA/AML program. Having such knowledge, the staff and independent contractors should be able to execute their roles and responsibilities in accordance to the regulations. Bank management should be able to assess the heightened risk associated with AML and implement policies, procedures and controls to mitigate such stated risk and establish a “tone from the top” culture in which bank staff would understand the importance of compliance with such regulations. Finally, board members would be able to better understand reporting aligned with the bank’s BSA/AML program and provide targeted oversight to areas prone to such heightened risk. So, when determining who shall be trained, ultimately, the decision is yours. The decision should be made taking into consideration the respective FI, its business model, its board and senior management. However, whether basic or targeted, an AML training program should include an overview of regulatory requirements and details regarding the FI’s internal BSA/AML policies, procedures, processes, and controls, and encompass information related to the firm’s applicable products, business lines, regions and locations.

What shall they be trained on – “After a FI’s target audience has been identified and defined, the next step in designing an effective training program is identifying the AML specific topics to be taught.”6 While AML-specific topics will vary amongst FIs, the following basic themes should be considered, and if applicable, factored into an effective AML training:

7 Banamex USA, Century City, California, Consent Order FDIC-12-218b




General regulatory information.6 This may include the background and history pertaining to money laundering controls, what money laundering and terrorist financing specific activities are, why criminals execute money laundering, the implications of money laundering, not only to the FIs but also the economy, and why identifying and stopping such activities is important. In addition, this section could include real-life money laundering examples, including detail such as red flags of how the activity was first detected, its impact to the financial institutions and the overall outcome of the crime.

Legal and financial institution-specific framework.6 This should detail how AML laws apply to FIs and illustrate how important it is for FIs’ personnel to be in compliance. In addition, the FI’s internal policies, such as customer identification and verification procedures, customer due diligence policies, legal recordkeeping requirements, suspicious transaction reporting requirements, currency transaction reporting requirements; and duties and accountability of the financial institution’s personnel.

Overview of penalties for AML violations.6 This area should include an overview of criminal and civil penalties, fines, jail terms, as well as internal sanctions, such as disciplinary action up to and including termination of employment.

In addition to general regulatory information, legal and financial institution specific framework and overview of penalties for AML violations, financial institution personnel should be trained on how to react in different AML scenarios. Training could include the following:

Information on how to react when faced with a suspicious client or transaction;

Information on how to respond to customers and/or financial institution personnel who want to circumvent reporting AML requirements; and

How to escalate concerns. Moreover, in addition to the areas discussed above, FIs might expand on their AML training to be more targeted to their respective products, line of business, regions (U.S., international, local regulations, etc.), risk appetites, and risk profiles. Lastly, is it important to note that “AML training should be ongoing and incorporate current developments and changes to the BSA/AML and/or any related regulations. Changes to internal policies, procedures, processes and monitoring systems should also be covered during training. The program should reinforce the importance that the board and senior management place on the bank’s compliance with the BSA and ensure that all employees understand their role in maintaining an effective BSA/AML compliance program.”8

8 Federal Financial Institutions Examination Council Bank Secrecy Act/Anti-Money Laundering Exam Manual – January 2017



On September 24, 2010, the Comptroller of the Currency of the United States of America (OCC) conducted an examination and investigation of the Payments and Cash Management, Global Banknotes, and foreign correspondent operations of HSBC Bank USA, N.A. (HSBC). Based on its examination, “the OCC identified HSBC failed to adopt and implement a compliance program that covers the required BSA/AML program elements, including, internal controls for customer due diligence, procedures for monitoring suspicious activity, and independent testing.”9 As such, the OCC entered into a consent order with HSBC9 in which OCC imposed restrictions on HSBC’s growth, new products, and high risk lines of business. Specifically, if HSBC should intend on such activities, prior to commencing, HSBC is to provide written notification to the OCC including its plan to ensure ongoing compliance with the BSA/AML program.9 In addition, on July 10, 2015, the OCC entered into a consent order with Capital One, N.A.10 in which the bank was noted to have deficiencies in the overall execution of the BSA/AML program. Specifically, the bank was cited for failing to adopt and implement a compliance program that adequately covers the required elements of a BSA/AML program. As such, the bank was instructed to “develop, implement, and adhere to a specialized training program for all operational and supervisory personnel responsible for suspicious activity monitoring, investigating, and reporting to ensure their awareness of their responsibility for compliance with the requirements of the BSA, including the reporting requirements associated with Suspicious Activity Reporting.”10 Case Study Reactions: After reviewing the two case studies noted above, it is this author’s recommendation that prior to including new products, onboarding new customer types, and/or entering into new markets, FIs should assess the associated risk and determine the risk that it is willing to take on (risk appetite). In addition to assessing the risk, FIs should ensure that its staff is properly trained to execute their roles and responsibilities while mitigating risk associated with the newly introduced products, customer types, and/or markets. Moreover, in assessing the risk associated with said activities and properly preparing to mitigate the risk, FIs can position itself to comply with regulations and avoid criticism from the regulators. How shall the training be executed/Where shall the training be held? –

9 HSBC Bank USA, N.A., McLean, Virginia, Consent Order #2010-199 / AA-EC-10-98 10 Capital One, N.A., McLean, Virginia, Consent Order #2015-081 / AA-EC-2015-48




When executing an AML training program, consideration should be made on whether training should be onsite/in-person training, web-based, by external vendors, or internal training (training created specifically for the financial institution via compliance or an internal AML group). There are many pros and cons for the various ways training should be executed. For details on some pros and cons to consider, please refer to the table below:

Types of Training Pros Cons

Internal-Led Training Onsite and In-Person

Training course led by individuals familiar with the institution, its risk profile, its risk appetite, etc.

Training can be targeted to specific roles and responsibilities

Participants can learn from one another via questions asked or experiences shared

Training can be completed by participants all at once

Training can be offered, internally, multiple times and to various groups at once

Classroom-based setting, participants might not feel comfortable in fully participating

Participants might not be fully engaged thinking about tasks that need to be executed after the course has been completed

The development of the course can be time-consuming

Web-based Training/Telepresence/Conference

Call

Completion of training at the participant’s own time and pace

Training can be targeted to the participant’s specific roles and responsibilities

Participants might not be fully engaged in the training course as they might multi-task with other deliverables.

There is really no true monitoring of the completion of training (participants might



Training is cost efficient as it does not require classroom space or an instructor

walk away from the training and still receive full credit)

External Vendor-Led Training Training course is already established

Training course can be quickly administered / rolled out

External vendors can train and discuss on the common themes across the industry

Training course might be at a high level and not targeted towards the institution’s risk profile, risk appetite, etc.

External vendor led training course can be costly, especially if the training is held outside of the institution or if the instructor of the vendor is to travel to the various locations of the institution

When shall the training occur? – AML training may occur when most appropriate for the respective FI, whether training is executed at the beginning of the year, mid-year, or year-end, training should be current and relevant to the FIs business model. In addition, more targeted, ongoing training can be provided to individuals within the FI. Some themes that training coordinators or the training team can take into consideration in developing a supplemental effective training program can include the following6:

Specific Issue – This training will include the information related to the identification of the specific issues which are required to be communicated. This can sometimes include a memo or e-mail message that will accomplish what is needed without formal, in-person training. Or, sometimes, an e-learning can efficiently do the job. In other situations, a classroom training session is the best option.6

Roles and Responsibility Specific – This may include the training of a target audience by functional area as well as by level of personnel/management. This can be accompanied by a quick “why are they here” assessment. This may also include new hire training (e.g., orientation type training) accepting that new hire training is different from that of what is offered to seasoned personnel.6

Common Issue Themes – These training sessions shall be held on common issue themes uncovered by audits or regulatory exams, or issues created by changes to systems, products, policies, procedures, or regulations.6

Individual Knowledge Assessments – Supplemental training can be executed based on knowledge assessments completed by individuals in which an FI can gauge the level of knowledge/expertise a specific individual, group, or line of business retains.

In addition to considering the AML training program questions and themes noted above, an effective training program should include a tracking and reporting of



training completion. Personnel attendance at AML trainings should be tracked. Whether the training sessions are held onsite or off-site, attendees should sign-in as confirmation for having attended the training session. If personnel were unavailable to attend scheduled AML trainings, make-up sessions should be offered and any unexcused absence to mandatory AML training should warrant disciplinary action to the discretion of the financial institution. AML training sessions should be documented; training and testing materials, the dates of training sessions, and attendance records should be maintained by the bank and be available for audit and or examiner review.6”

The previously referenced HSBC consent order9 also instructed the bank to develop, implement, and thereafter adhere to a comprehensive training program for all appropriate operational and supervisory personnel to ensure their awareness of their responsibility for compliance with the requirements of the regulations. The training program was to be comprehensive and include strategies for mandatory attendance, the frequency of training, procedures and timing for updating training programs and materials, and the method for delivering training.9 Case Study Reactions: Throughout my professional career, it has been my experience that training, whether required, targeted, or not, has been tracked, timed, aligned to my roles and responsibilities, and materials were relevant. In addition, as an auditor, I rely on the execution and tracking of training activities either to support my conclusion of control effectiveness and/or to determine the root cause of a control breakdown. Training should be considered an investment in the institution and its personnel. Regardless of how the training is executed, the individuals within the institution must have that foundational understanding in order to remain compliant with the regulations and mitigate unwarranted risk. Based on personal experience, I have noticed that institutions have not only executed their annual BSA/AML training, but also executed “emergency” training sessions either right after an examination or audit that uncovers serious money laundering control deficiencies. I do believe that it is best practice to execute such training as it will set a standard, not only with the regulators, but also audit, and echo the importance that being in compliance with the BSA/AML regulation is a priority. In addition, when hosting an “emergency” training, the institution is clearly prioritizing the issue and making strides in addressing the deficiencies noted. Moreover, industry or news channel headlines that name the institution might prompt quick-response training. Furthermore, changes in software, systems, procedures or regulations may trigger the need for an unforeseen training session.6




All-in-all, it is the ultimate call of the institution as to when training should be executed; however, I find it important to reiterate that an AML training program can independently be a financial institution’s first, last, and best control in combating heightened AML risk.

In conclusion, in the overall creation of an effective AML training program a FI should determine who can best develop and present the training program and agree on a curriculum that addresses course goals, objectives and desired results. In addition, to the extent possible, a FI should establish a training calendar that identifies the topics and frequency of each course and considers whether or not to provide handouts, remembering, that the purpose of most training handouts is either to reinforce the message of the training or to provide a reference tool after the fact. Finally, if tests are utilized to evaluate how well the message is received, copies of the answer key should be made available. This answer key should include references/notations as to why the response selected was appropriate. Similarly, if a case study is used to illustrate a point, provide a detailed discussion of the “preferred course of action.”6



Audit’s Approach and Expectations for an AML Training Program In the sections above, we reviewed four pillars of a BSA/AML compliance program with an emphasis on training, reviewed the guidance set forth by the BSA/AML Examination Manual, determined what an effective AML training program should look like, and reviewed some case studies. Now, let us turn the tables and discuss audit’s approach and expectations for an AML training program.

As set forth within the FFIEC BSA/AML Exam Manual,8 regulatory examination procedures for a training program should include “determination as to whether the following elements are adequately addressed in an institution’s training program and materials”:8

The importance the board of directors and senior management place on ongoing education, training, and compliance8/tone from the top

Employee accountability for ensuring BSA compliance8

Comprehensiveness of training, considering specific risks of individual business lines8

Training of personnel from all applicable areas of the bank

Frequency of training8

Documentation of attendance records and training materials8

Coverage of bank policies, procedures, processes, and new

rules and regulations8

Coverage of different forms of money laundering and terrorist financing as it relates to identification and examples of suspicious activity8

Penalties for noncompliance with internal policies and regulatory requirements8



In addition to the elements noted above, we can expect audit’s approach and expectations for an AML training program to consider the following four fundamentals:8

Scoping and Planning8

BSA/AML Risk Assessment8

BSA/AML Compliance Program8

Developing Conclusions & Finalizing the Review8

Scoping and Planning – In preparing to review a respective institution’s AML training program, management can expect the auditors to begin asking questions to understand the institution’s or line of business’ risk profile, risk appetite, locations, products offered, customers served, etc. This information should be relatively available and align with the risk assessment, if applicable. In addition, in the scoping and planning stage, management can expect the request for prior audit and other testing documentation relating to the AML training program of the institution. This could include, however is not limited to, reviewing related work papers, opining on the impact of open issues (whether business identified or audit identified), and reviewing management’s responses to any previously identified BSA/AML issues identified internally through testing or externally through the examiners or consulting firms. In reviewing prior documentation, the auditor can begin to assess the current environment of the respective AML training ad begin to determine which areas of concerns/risk might be highlighted in the audit scope. In addition, management can anticipate the request of policies and procedures relevant to the training program. This information will be beneficial to the auditor as they will begin to understand the processes and controls in place to mitigate risk. Moreover, management should anticipate the auditor will want to review the institution’s most recent BSA/AML compliance program and any criticisms that the program might have. Lastly, throughout the scoping and planning stage, auditors may request interviews with management and internal hold discussions amongst the audit team and subject matter experts. BSA/AML Risk Assessment – As auditors begin to prepare for the execution of an audit, regardless of its objective, they should consider the institution’s most recent BSA/AML risk assessment and how it captures the AML training program. In reviewing the risk assessment, the auditors should be able to assess the institution’s or line of business’ risk profile and determine whether the institution or line of business has included all risk areas, including any new products, services, customers, entities and geographic locations. If the respective area has recently introduced new products, services, or customer types, it is expected that the risk assessment was updated to include such changes. In addition to reviewing the respective area’s risk assessment, the auditors should have an assessment of their own in which they have identified key areas of heightened risk and focus.



BSA/AML Compliance Program – Prior to successfully executing an audit, the auditors should have reviewed the institution’s board approved BSA/AML compliance program to not only ensure it contains the four “Elements of an AML Program,” also referred to as the four pillars, but confirm that the training of appropriate personnel was incorporated. While audit is specifically looking at the training aspect of the compliance program, as a best practice, management should also ensure that the institution’s compliance program is commensurate with the risk profile and include the identification of the risk associated with operations relevant to the business. The program should determine which areas are more prone to heightened AML risk and evaluate the required level of targeted training individuals within the respective areas that should be complete. Developing Conclusions & Finalizing the Review – In concluding the audit, management should expect the auditors to gather all pertinent findings and conclude as to whether or not the findings are considered reportable. In addition, management, as well as the auditors, should determine the severity of the issues and the overall root cause of the control breakdown, an action plan to address the exceptions should be developed, and both management and the auditor should agree on a feasible timeframe to correct the breakdown. Finally, the conclusion of the audit should be documented in a final audit report. While audit reports might differ within the various institutions, it is best practice that a final audit report provides an overview of the training program, opines on the controls in place to mitigate risk, and concludes on the exceptions noted.

On January 14, 2013, the OCC entered into a consent order11 with JPMorgan Chase Bank, N.A., Columbus, Ohio; JPMorgan Bank and Trust Company, N.A., San Francisco, California; and Chase Bank USA, N.A., Newark, Delaware (collectively, JPMC) in which the bank was cited with deficiencies in the overall program for BSA/AML compliance, including, but not limited to the audit program. Specifically, the consent order outlined their expectations of an effective audit program. Among the expectations, JPMC was to ensure that the audit program evaluates internal controls and identifies non-compliance with policy, laws, rules, and regulations across lines of business. In addition, the regulator’s expectations included that at least annually, the audit program was to evaluate the adequacy of the bank’s BSA program. This should take into consideration the results of the independent testing, and any changes in the quantity of AML risk or AML risk management. Moreover, the bank was to ensure that its audit function was adequately staffed with experience level and specialty expertise regarding BSA/AML and OFAC, and lastly, the audit program was instructed to report “all

11 JPMorgan Chase Bank, N.A., Columbus, Ohio; JPMorgan Bank and Trust Company, N.A., San Francisco, California; and Chase Bank USA, N.A., Newark, Delaware, Consent Order #2013-002 / AA-EC-113-04




internal audit- and OCC-identified deficiencies to the Compliance Committee, the Bank’s Audit Committee, and to senior compliance management. The reports shall indicate the severity of the deficiencies, the risks, the corrective actions, and timeframes.”11 Case Study Reactions: In reviewing the OCCs consent order with JPMC, it is this auditor’s impression that the consent order collectively reiterates the importance of an overall effective BSA/AML compliance program, a common theme we have discussed throughout this research paper. In addition, the consent order noted that importance of management accountability, compliance with regulations, and an effective internal audit program. Moreover, while the consent order reminds us of the minute details of approvals, implementation and reporting, it emphasizes on its importance.

Takeaway: AML Training—One Size Does Not Fit All

If I can leave you with one closing thought, it is this: Not all AML training programs are alike, just as not all institutions are alike. There are various institutions in the industry that have its unique niche, sector, regions, products, services, customer types, etc. As such, how can we expect that one training program will address all the heightened AML risk that one institution can be prone to? We cannot. A training program should be specific to the institution and it should align with the institutions’ risk profile and risk appetite, and, as compliance professionals, that is what we should expect, an AML training program that is commensurate with the institution. In turn, as auditors, examiners, and bank management, we should recognize the differences and execute our testing in accordance to the institution; however, always remembering and taking into considerations the foundation of an AML training program, as set forth by the guidance provided by the regulators.



In addition, I would like to reiterate the importance of an elaborate AML training program. As previously mentioned, an elaborate training program can independently be a financial institution’s first, last, and best control in combating heightened AML risk. As highlighted within the consent order case studies of this research paper, an institution’s AML training program can always be enhanced.



Appendices – Quick Training Program Considerations

Elements of an BSA/AML Training Program5

o Training of appropriate personnel to include applicable aspects of the BSA, including regulatory requirements and the bank’s internal BSA/AML policies, procedures, and controls

o Training specific on individual’s roles and responsibilities, encompassing information related to applicable business lines and aligning with the institution’s risk profile and risk appetite

o Training should be offered on an annual basis or periodically, as deemed relevant and appropriate

o Institutions should remained informed of changes and new developments in the regulations and determine the impact to its overall risk profile

Elements of an Auditable Training Program5 o A training program should ensure an individual’s

awareness of their responsibility to be complaint with regulations, which should be commensurate to the institution’s risk profile

o Appropriateness of targeted training for individual’s specific roles and responsibilities

o Accuracy of training program to determine level of content that is appropriate for the institution

o Assignment of mandatory training, attendance, program materials, delivery methods, and frequency.

o Confirmation from senior management to ensure that training is regarded as a mandatory business activity

o Effectiveness of tracking and record keeping of training completion. In addition, an auditable inventory of BSA/AML training programs



References

ACAMS Money Laundering.Com – January 2017 (http://www.moneylaundering.com/Calendars/Pages/Enforcements.aspx) Office of the Comptroller of Currency (OCC) - Bank Secrecy Act – January 2017 (https://www.occ.gov/topics/compliance-bsa/bsa/index-bsa.html) (Federal Reserve Bank (FRB), Federal Deposit and Insurance Corporation (FDIC), Consumer Financial Protection Bureau (CFPB), Office of the Comptroller of Currency (OCC), and Federal Financial Institutions Examination Council (FFIEC) Pamrapo Savings Bank, S.L.A. Bayonne, New Jersey Consent Order Number 2010-3 Federal Financial Institutions Examination Council Bank Secrecy Act/Anti-Money Laundering Exam Manual – January 2017 ACAMS Advanced Certification, Training Module, October 2016 / acams.org / [email protected] Study Guide for the CAMS Certification Examination, Fifth Edition – Training Section, pages 197 – 202 Banamex USA, Century City, California, Consent Order FDIC-12-218b HSBC Bank USA, N.A., McLean, Virginia, Consent Order #2010-199 / AA-EC-10-98 Capital One, N.A., McLean, Virginia, Consent Order #2015-081 / AA-EC-2015-48 JPMorgan Chase Bank, N.A., Columbus, Ohio; JPMorgan Bank and Trust Company, N.A., San Francisco, California; and Chase Bank USA, N.A., Newark, Delaware, Consent Order #2013-002 / AA-EC-113-04

http://www.moneylaundering.com/Calendars/Pages/Enforcements.aspx

https://www.occ.gov/topics/compliance-bsa/bsa/index-bsa.html

mailto:[email protected]

Documents

Anti-Money Laundering Training One Size Does NOT Fit Allfiles.acams.org/pdfs/2017/Anti-Money_Laundering_Training_N.Lopez… · Given its continued evolution, ... to maintain records