By Debra Cope
How can bank directors equip themselves to do the best job possible when it comes to approving compliance programs and policies for anti-money laundering and other financial crimes?
Part of the answer is to insist on incisive, reliable and understandable information. Because of the complexity and potential risks of AML violations, boards and their risk committees require clear and effective reporting built on a foundation of excellent metrics of known risk indicators, or KRIs.
“Many mid-size and community banks could do a better job of raising the level of reporting to an executive-summary level,” said Clayton Mitchell, a principal in the financial services practice of Crowe in Indianapolis. And more, of course, is not necessarily better. “The goal is to tell the board what is important and why it matters. If you are relying on your risk assessment to inform your board with tens or even hundreds of pages, chances are high that the board won’t get the message.”
If directors are looking at the review of AML board reporting and the underlying data as a compliance exercise where they have to review and approve a report and move on, they risk missing the boat, Mitchell added. “They need to credibly challenge the data to understand what the risks are, determine how they align to business strategy, and how the management is mitigating these risks, within the confines of the defined risk appetite,” he said.
In a recent briefing for American Bankers Association members, two banking industry compliance executives outlined how to ensure the quality of KRIs and other metrics for senior management and the board. This includes knowing the source of the data, knowing how often it is updated, validating it, and expecting scrutiny.
“KRI reporting is absolutely critical for conveying the complexities around the AML program succinctly and well to management to get the support you need,” said Megan Hodge, executive compliance director at Ally Financial. “It’s not just about filling out a template when it’s due. Strong reporting facilitates governance to communicate with leadership.” The goal is to “make sure AML is well understood within the organization and that you have the right level of support to execute on the AML program.”
The compliance team that is responsible for developing reporting should envision its audience as occupying three distinct levels of a pyramid.
Hands-on professionals—line-of-business managers and risk managers who make up the first and second lines of defense—form the bottom layer, with management committees in the middle, and the board and its committee at the top. The same core data should be used to drive reporting to all three audiences, said Tyler Reynolds, senior director for enterprise finance crimes compliance policy and risk management at U.S. Bank.
Most boards recognize that “they are accountable for the whole program,” Reynolds said. But with so many issues vying for board attention, directors depend on management to deliver succinct reports tailored to their specific concerns, he added.
Effective board reporting on BSA/AML risks focuses on the overall health of the program by highlighting trends and summaries, Reynolds said. The bullet points or one-page summary that makes it to the board of directors is typically derived from 20 pages or more of core. How much information the board needs depends on “where you are in your AML journey,” Reynolds said. An institution that is working through adverse examination findings or enforcement actions related to AML generally requires more reporting than one without such worries.
Both the risk committee and the full board should come away from any AML briefing with a grasp of how management is executing and maintaining the program, what training is occurring, and what issues are being addressed at the moment, Reynolds said.
Every board has a different philosophy, Hodge said. One board may want to see a green/yellow/red stoplight report, while another may want one-page narratives. “With some boards, you’d better come in with no more than five bullet points,” she added. The most important thing is to substantiate the overall rating of the program, Hodge said. “You really need to pin down what is causing risks and issues.”
Directors should probe to understand what constitutes acceptable performance, because the answer isn’t always intuitive, Hodge said. For example, Suspicious Activity Reports must be filed within 30 days of determining the need to do so. “An untrained person might see a 95 percent on-time filing rate and say, ‘95 percent—that’s an A!’” But regulators may not be tolerant of late-filing rates of more than zero to 2 percent, she added.