Common Examination Criticisms with Data and Technology Systems

Recent reports indicate an increase in the issuance of Bank Secrecy Act (BSA) consent orders. While the importance of robust data and technology systems is widely recognized by professionals working in BSA/AML/CFT/OFAC/Fraud compliance, it's noteworthy that consent orders rarely include a dedicated section titled "Data and Technology Systems." Instead, regulators integrate concerns regarding data and technology systems throughout the consent order document, emphasizing their significance across various compliance areas.

For example, over the past year we’ve seen data and technology systems discussed in the following areas:

• The Risk Assessment
• Customer Due Diligence
• Transaction Monitoring
• ACH and Wire Transfers
• Information Requests (314a)
• Model Validation
• Fintech-Specific areas

While data is usually discussed in a straight forward terms – usually ‘data’ or ‘gathered information,’ technology systems might be discussed using a more generic term of ‘resources,’ as in “The AML/CFT Officer shall have sufficient delegated authority and suitable resources, including staffing and systems, to effectively coordinate and monitor day-to-day compliance, and administer all aspects of the AML/CFT Program.” Occasionally, consent order language may appear as it the regulator is concerned there are too many manual tasks, such as when an institution is required to perform “a coverage assessment of automated systems based on a comprehensive BSA/AML risk assessment.” 

In this article, we’ll discuss an interesting nuance about technology systems, and then explore how data and technology systems are mentioned in consent orders in the areas mentioned above.

Regulators will seldom require that any specific type of technology system be used in an institution, but they will require outcomes – outcomes that are close to impossible to achieve without certain technology systems. The one exception we’ve seen in this area in recent consent orders is a requirement that an institution use a Negative News Screening system for CDD.  But that is a rare exception. What is more typical is language that requires a certain outcome, such as “monitor activity from disparate sources;” “monitor activity that deviates from the customer’s expected activity;” or “report on KRIs and KPIs.” These outcomes can only be achieved with some type of technology system. 

Let’s review some examples of how data and technology systems are mentioned in consent orders:

The Risk Assessment: 

Sample Langauge:  “Processes to ensure the quality and reliability of data collection and provide for the accurate identification and inventory of specific risk categories to ensure coverage in the risk assessment.”  

• This is telling readers that we can’t just have data, we need accurate data. A risk assessment could be deemed ineffective if the institution cannot demonstrate the completeness and accuracy of the data that was analyzed as part of the assessment, and this excerpt describes that:

Sample Language: “Processes for the second line of defense to credibly challenge the qualitative and quantitative data provided by the first line of defense and across compliance functions.” 

• Most institutions have a BSA/AML/CFT risk assessment procedure and an OFAC risk assessment procedure. This is telling readers that the procedure should include documented steps for providing credible challenge on the data obtained for the risk assessment.

Customer Due Diligence:

Sample Language: “Procedures for identifying and timely remediating instances where required CDD information is missing or incomplete.” 

• This is telling the reader that one cannot perform CDD if one doesn’t have complete and accurate data.

Transaction Monitoring:

Sample Language: “Documented evidence of transactional analysis, including comparing expected, historical, and current activity, the source and use of funds, trends, and activity patterns;”   and  “Documented critical analysis of all significant information in the file, including the identification of significant disparities.” 

• While this excerpt doesn’t specifically indicate data or technology systems, it effectively communicates the desired outcome, which would be difficult without complete and accurate data to analyze, using appropriate systems. It is telling the reader that sufficient data is needed to perform trending.

ACH and Wire Transfers:

Sample Language:  “A documented process is implemented to monitor transactions for potential suspicious activity, including ACH transactions.”  

• This excerpt is typically related to a high volume of Fintech-related ACH activity. Although the consent order content doesn’t specifically mention it, one has to ingest complete ACH data into the monitoring system in order to monitor for suspicious activity. Many AML systems ingest basic ACH information, but not full information needed to drill down on each ACH to monitor for suspicious activity or fraud. This is telling the reader to have sufficient ACH data in order to monitor.

Model Validation:

Sample Language:  “Completing a thorough, independent model validation of …models used to determine customer risk and suspicious activity monitoring, including data integrity assessment of model inputs.” 

• This is a subtle reminder to the reader that before one performs a model validation, one should perform a data validation first.

Sample Language:  “All identified data gaps are appropriately addressed;  all customer and transaction data is accurate, complete, and consistent; and models and methodologies are appropriately updated as data gaps are resolved and new data becomes available.”

• This is telling the reader that one has to monitor for data gaps, and update data as new data is available. In reading between the lines, this could be directed at institutions that are growing fast with new lines of business, new products, services, and even acquisitions (M&A activity.)

Fintech-Specific Areas:

Sample Language: “Information systems associated with Fintech Partners provide timely and accurate information” and “readiness of management information systems for processing transactions relating to the potential Fintech Partner.”

• This is telling the reader that the technology systems and data of a Fintech partner must be able to produce the data the partnering institution requires to perform BSA/AML/CFT and OFAC tasks.

Although we may never see a specific section or article of a BSA-related consent order entitled “Data and technology systems,” we’re still provided with numerous requirements that are discussed throughout the other BSA-related sections. 

BSA/AML Officers looking to steer clear of findings surrounding data and technology systems should download all BSA-related consent orders from the prior 12 months across all regulators, and carve out the remaining requirements for data and technology systems that are discussed throughout the document.  Make a list of such requirements and use them to perform a self-review on how you are managing data and technology systems in your institution.

Bates Group offers ongoing advisory services to a wide range of financial institutions and Fintechs. We offer Independent Reviews and Risk Assessments, Compliance Program Support, and Custom Compliance Training.

Contact Bates Group today to learn more.