By Rebecca Schauer Robertson, CAMS-Audit, CAFP, CFE EVP Director of AML Compliance, South State Bank
I have been in the regulatory compliance field for almost 20 years with the past 15 years focused solely on Bank Secrecy Act and Anti-Money Laundering Compliance. My focus as Director of AML Compliance is to continuously find a balance within business lines, especially those focused on customer service, to ensure knowledge and risk-based application of the Bank Secrecy Act and Fraud throughout the organization. In my role as Director of AML Compliance, I also have oversight of the Fraud Department to ensure that cohesive collaboration among those focuses creates a holistic culture between AML and Fraud.
Attending a conference like the Audit Risk Forum provides not only an educational, but a networking opportunity for peers and colleagues to collaborate and share knowledge, best practices, and considerations around regulatory guidance and what is being seen as the “hot topics” among regulatory agencies in peer and other banks alike.
Without networking opportunities such as the Audit Risk Forum, banks would work in much of a siloed forum, depleting healthy competition. The more collaboration opportunities among peers, the more consistency between organizations when it comes to regulatory compliance. If peers stick together and operate in a similar fashion, keeping in mind each organization’s risk appetite is different, consistency should evolve among audit and regulatory focuses. If auditors see a consistent approach to processes among peers, keeping in mind each may look different but achieve the same results, the 2nd and 3rd lines of defense’s jobs will be much easier.
Collaboration is the key to developing processes that work. Trial and error can be very painful. As organizations share what has or hasn’t worked, they empower each other to develop strong, consistent programs with proven, supported processes.
All successful programs are achieved through effective management within any organization and begin at the top down. Setting the tone at the top supports the expectation for every business line to understand each one’s roles and responsibilities. Ownership of regulatory compliance through solid policies and procedures and a QC function at the first line is the key to a successful enterprise-wide culture of compliance. Without collaboration and a vested interest among all business lines, validation more than likely results in deficient and/or skewed results.
Understanding an organization’s risk tolerance is the most important element to effectively managing regulatory reviews and validating expectations. If an auditor doesn’t first take the time to understand the risk appetite of the organization, the work being performed will be less effective. An audit must be tailored not only to regulatory expectations, but the organization’s policies and procedures in relation to risk. Auditors should be cautious to not view all organizations the same. Although it would be nice if policies and procedures all looked exactly the same within the same type of departments from different organizations, there should be no expectation that a smaller organization’s risk appetite or policies and procedures look exactly like those at a larger organization. Audit focus should be centered around the organization’s risk assessment. There are absolute differences in how policies and procedures will look for organizations located in higher risk geographic areas, offer higher risk products and services, and have a customer base that caters to higher risk customer types in comparison to an organization that is very risk averse and operates very cautiously. The basis of both organizations’ policies and procedures should be the same but execution will differ and that’s acceptable.
It’s imperative not to note recommendations as regulatory deficiencies unless these can be backed up. During an audit, one must know the difference between regulatory requirement deficiencies and those “nice to haves” and call each as they actually are, either a regulatory deficiency or violation or a recommendation. These should never be confused.
When working collaboratively with regulatory bodies, the Audit industry should consider these key items when developing regulations:
- Business line expectations
- Programs are risk-based so not everything looks exactly the same and banks may achieve the same results with different procedures
- Auditors should strive to understand the make-up of a bank before beginning an engagement; not all banks are created equally, and understanding a bank’s risk assessment and risk appetite are key factors to beginning any engagement.
Over the next 6 – 12 months, audit risk will continue to be a higher focus than it has been in the past. With several larger companies that focus on audit receiving regulatory scrutiny over the past year, this has created a more in-depth concentration on that area in relation to unidentified or unreported weaknesses within banks’ programs. The audit function is in place to identify gaps or weaknesses and ensure remediation prior to an exam; without a strong audit function, a bank will surely struggle to maintain appropriate, strong programs in the regulatory world. Auditors should be cautious, however, not to operate in a fearful state of mind, diving in the minutia of the weeds and trying to find issues that don’t exist. Be able to support and back up items identified and refer to each as they are, regulatory issues or best practices, not commingling the two.