From: Lindenmuth, Michele (MA) Sent: Thursday, April 14, 2016 11:29 AM To: Flynn, Jami (MA) ; Cook, Christopher R (DOB) ; Antin, Tayana (DOB) ; Avey, Shawna (MA) ; Maio, Stephen (DOB) Subject: RE: Internal BSA Working Group I have not seen an internal department attempt to validate an automated monitoring system, except for the data integrity piece. Unless it was a formal Internal Audit department, I’m not sure that would fly. This is how I explain it to management, as it appears that there are there are two types of validation required: Data integrity - which is simply tracking the data from transactions to be sure it is captured accurately by the software. When someone conducts a transaction, is the dollar amount, type and method of transaction accurately reported? Are cash deposits/withdrawals reported as cash, deposit of checks reported as checks, checks being paid, ACH transactions, etc. Model Validation - which is bit more complex as that involves ensuring that the system parameters are properly set for the institution to flag those transactions that should rise to the level of requiring a review. Depending on the types of customers and volumes, a model that makes sense at one institution may not be appropriate for another institution. Management should document and be able to explain filtering criteria, thresholds used, and how both are appropriate for the bank's risks. Management should also periodically review and test the filtering criteria and thresholds established to ensure that they are still effective. (Data Integrity) In addition, the monitoring system's programming methodology and effectiveness should be independently validated to ensure that the models are detecting potentially suspicious activity. The independent validation should also verify the policies in place and that management is complying with those policies. (Model validation) That being said, in my opinion, the data integrity validation could include management involvement and should be completed within the first several months of implementation of the software. The model validation should be fully independent and completed within one year (give or take) of fully rolling-out the program. The FFIEC BSA/AML Examination Manual states:
Michele A. Lindenmuth Credit Union Examiner
Certified Anti-Money Laundering Specialist Commonwealth of MA Division of Banks 1000 Washington Street, 10 th Floor Boston, Massachusetts 02118