Community bankers often ask examiners which internal audit or consulting firms they should use for Bank Secrecy Act/anti-money laundering (BSA/AML) independent testing. However, regulators cannot endorse or recommend products and services. Even if they could, it would not be doing the bank any favors. Bank examiners do not know all of the players in the industry, details about their staffing, specializations, or if they would be suitable for a particular institution. Banks and credit unions of all sizes are best served by learning how to vet and evaluate vendors themselves. Based on concepts in existing supervisory guidance, the following are pointers for smaller institutions considering outsourcing BSA/AML independent testing for the first time or looking to switch to another firm.1
Independent Testing Requirement
Bank, thrift and credit union regulations require independent testing for compliance to be conducted by bank personnel or an outside party as part of their BSA/AML compliance programs.2 Many smaller institutions choose to outsource this service because their existing staff does not include an individual with sufficient subject-matter knowledge who is also independent of the institution’s BSA/AML compliance program.
Starting the Due Diligence Process
A thorough due diligence process takes time and audit/consulting firm schedules fill up quickly. Therefore, it is in the institution’s best interest to identify and engage a firm that fits their specific needs as early as possible.
Understand the Institution’s Specific Needs
Before embarking on searching for a service provider to perform the audit, it is vital for the institution to understand its unique and emerging BSA/AML risks and problem areas.
For example, does the institution have a very high cash-intensive customer base? Does it provide banking services to cannabis businesses? Does it send and receive large volumes of international funds transfers? Or does it provide niche services, such as factoring? Are there any imminent changes impacting BSA/AML risks, such as branching into a new market, new products or service lines that could be rolling out in the near future? What types of BSA/AML problem areas have been identified in previous examinations?
Clearly identifying this information at the onset will help guide vetting discussions with candidates to understand what kind of coverage can be provided for these areas.
Identify Service Providers and Start the Vetting Process
When identifying a pool of candidates to be considered for outsourcing, possible leads include, but are not limited to, the following:
- The service provider used for other internal audit services
- Recommendations from peers in the industry
- Discussions with vendors at trade conferences
- Independent testing services promoted on audit and consulting firm websites
A best practice is to contact several candidate firms or individuals that appear to be a good fit for a meeting or send them a request for proposal (RFP).3 Specifics about the institution’s needs should be discussed during these meetings or captured in the RFP. Providing this information upfront will improve the likelihood that the proposal scope will be tailored appropriately to the institution’s risk profile.
Following initial contact, many service providers prepare a proposal document that contains an outline of the scope of services and pricing. A full understanding of what the scope actually entails is essential for accurate comparisons. Part of assessing each candidate should include detailed discussions with the contact from the candidate’s firm. In these discussions, it is a good idea to ask questions to get an understanding of the actual procedures that will be performed, as scope documents are often very broad statements and objectives, including the following:
- Will the firm simply document only the existence of controls via inquiry or will they perform risk-based testing over key controls to evaluate their effectiveness?
- What types of samples will be drawn and what is the methodology for selection?
- Will the proposed scope adequately cover the highest risk areas and problem areas (if any) identified in previous examinations and audits?
- Does the engagement involve testing the integrity of cash aggregation and suspicious reporting automated systems?
Another piece of the evaluation is understanding how the vendor will communicate issues during the audit process and the level of detail to expect in the final report and findings. This could be further illustrated in a copy of a sample report.
While vetting discussions may be with an owner, partner or principal, these individuals often will not actually perform the audit. It is important to ask for the resumes, bios or credentials of the individual(s) who will actually be on-site performing the work. It is also a good practice to ask how these individuals stay abreast of new topics, trends and requirements to maintain subject-matter knowledge.
Most audit and consulting firms expect these types of questions and even see them as important in order to tailor the services to best meet the institution’s needs. It is possible that the scope will need to be further tailored or refined depending on the responses. A firm unwilling to answer these questions or finetune the engagement to suit the institution’s needs may be a warning sign that the firm is not a good fit. If the firm does provide responses, but strongly advises a scope more robust than competing firms suggest, there may be a very good reason.
If the initial firms contacted do not provide satisfactory responses or do not seem to be a good fit, the institution should identify more candidates and repeat the vetting process.
Making the Selection
The vetting and selection process should be overseen by the chief risk or internal audit manager. As a subject-matter expert, the BSA officer may be involved with interviewing candidates, asking questions and providing input. However, the selection and engagement process must be kept independent of the BSA officer and overseen by the audit committee or the board of directors, oftentimes via the chief risk or audit designee.
A common practice is to narrow the field down to two or three candidates and ask for face-to-face meetings to gain a better understanding of the top candidates and have a more extensive back and forth. If possible, the person slated to be in charge of fieldwork should also attend this meeting for the institution to gain an understanding of their knowledge and personality.
Finally, the audit committee or the board should be presented with the proposals and recommendations from the top candidates for approval prior to executing an engagement letter.
Renew or replace?
BSA regulations do not specify the frequency at which independent testing or audit must be performed. However, sound practice calls for every 12 to 18 months.4 As a result, outsourcing the BSA/AML audit is usually an annual process of assessing whether to re-engage the service provider or vet and select a new firm. Factors an institution may want to consider when making this choice include whether:
- Open lines of communication with management and the audit committee or the board were maintained
- The level of testing, dialogue with key individuals and time spent performing the audit were consistent with expectations
- Time frames were reasonably met
- A comprehensive report of all findings and recommendations was delivered to the board or audit committee
- Audit is deemed satisfactory in examinations or the firm provides reasonable assurances that any shortcomings in scope or processes identified by examiners will be corrected going forward
- The firm continues to employ auditors with the appropriate subject-matter expertise
- The proposed scope for subsequent engagements evolves with new regulatory requirements and emerging risks
If the firm is doing an effective job and meeting expectations, then the institution may choose to renew the engagement. If not, it is likely that a change is needed and the vetting process initiated to engage a new firm.
Ultimately, a properly risk-focused, outsourced BSA/AML audit conducted by a knowledgeable individual or team will aid an institution in identifying control weaknesses and gaps in the compliance program. Of course, that is just the beginning. Implementing meaningful corrective actions in response to these findings will strengthen the program and better position the institution for a successful regulatory examination. Engaging a qualified firm or individual to deliver meaningful results is key in this process. Therefore, small institutions armed with the knowledge of how to vet and engage firms for outsourced BSA/AML audits position themselves to engage quality services that best fit their unique risk profile.
Susan Cannon, CAMS-Audit, supervision and risk coordinator (BSA), Federal Reserve Bank of Dallas, Dallas, TX, USA, firstname.lastname@example.org
The views and opinions expressed here are those of the author and do not represent an official position of the Federal Reserve Bank of Dallas or the Federal Reserve System.
“Amended Interagency Guidance on the Internal Audit Function and its Outsourcing,” Board of Governors of the Federal Reserve
System, April 22, 2003, https://ithandbook.ffiec.gov/media/21938/
frb-srl-03-5-amend_ia_guid_intern_audit_outsourc.pdf; “Interagency Policy Statement on Internal Audit and Internal Audit Outsourcing,”
Comptroller of the Currency Administrator of National Banks, May 17, 2003,
- Federal Reserve Regulation H 12 CFR 208.63(c)(2), Federal Deposit Insurance Corporation 12 CFR 326.8(c)(2), Office of the Comptroller of the Currency 12 CFR 21.21(d)(2) and National Credit Union Administration 12 CFR 748.2(c)(2).
- “Sample Request for Proposal for External Quality Assessment Services,” The Institute of Internal Auditors, https://na.theiia.org/ services/quality/Public_Documents/Sample Request for Proposal.doc
- “Bank Secrecy Act/Anti-Money Laundering Examination Manual, Compliance Program-Overview,” Federal Financial Institutions Examination Council, https://bsaaml.ffiec.gov/docs/manual/BSA_AML_ Man_2014_v2_CDDBO.pdf