It’s that time of year: scheduling the independent review. You call your provider, discuss available dates for the onsite visit, and request a proposal from a new provider or, if your provider is returning, the engagement letter.
The proposal or engagement letter will outline the who, why, what, when, and where, much like we see in other aspects of an AML program but in a different order:
- The Who: A background of the firm and their experience in the financial services industry and AML specialty as well as biographies of the AML specialists
- The What: The overall independent AML review plan and scope of activities to be covered
- The When and Where: The location and timing of the onsite visit
Understanding the Scope of Work
Remember that this AML pillar calls for an independent audit function to test the program. The independent review is risk-based, just as the AML compliance program is expected to be. That means the scope of work will include transaction testing that may be limited in some areas and expanded in others. It is the reviewers’ expertise combined with the institution’s risk and program controls that will drive these decisions. There is no exact number or percentage of transaction testing delineated in the engagement agreement, but methodology and type should be included. The quantity and quality of testing are determined by risk, are often expanded and contracted while onsite, and can be based on a variety of factors.
Some regulatory examiners have attempted to usurp the provider’s scope by asking their banks to engage a provider that will include exact numbers or percentages of transaction testing in the engagement agreement. That, however, is not the intention of an independent review. The independent review provider is supposed to be just that – independent, and that independence calls for a risk-based judgment. Banks will sometimes push back on examiners who make these requests.
The Time and Cost Investment of an Independent Review
The AML independent review can take a minimum of 40 to 60 hours for the smallest institution or company. Hours are based on many factors, including the size and complexity of the institution and the volume of financial services offered. You can expect the provider to request information about these key items and more to determine the anticipated hours to complete the service. Remember, too, that the service isn’t over when the provider walks out the door. More often than not, they visit to perform only those activities that need to be done in person. After the onsite visit, much more work is done, including preparing the report and workpapers.
The independent review experience should not be fraught with tension or adversarial behaviors. When you engage a provider, they become your institution’s agent. They work for you to independently review the program’s adequacy and effectiveness to detect, prevent, monitor and report under the BSA and its promulgated regulations. In other words, the provider is not the enemy but rather your partner in managing an effective AML compliance program.
Choosing a Provider for Your Independent Review…Comparing Apples with Apples
You have a plethora of providers to choose from. Get referrals from other BSA/AML officers in your network. Take a look at LinkedIn. Perform a Google search using a simple phrase like AML audit, independent testing or AML review. From the small consultancy to the big name, comparison shopping will benefit you in the long run. Obtain a few proposals, not just quotes.
You may get a low quote for a less than optimal scope. But remember, regulators and financial partners have refused reports that are not sufficient or comprehensive in nature due to limited scopes and other factors. Smart institutions will budget their review annually and should expect periodic increases over multiple years with the same providers.
It is something of a standard in the internal audit world to limit a provider to three consecutive reviews. In the AML world, this is not necessarily the standard. Just as your program is risk-based, so too must be the decision to engage the same provider year after year. If your provider is on top of AML industry issues, they will always push you to enhance your program based on new guidance and industry practices. If you receive the exact same report year over year, then having new eyes might be a good idea. I know of skilled and experienced providers who have serviced the same institutions for 10 reviews or more. When the review team is skilled, qualified and knowledgeable, and pushes your institution to improve, then why change? It is a risk-based decision just like your program.