September 4, 2018

Do both banks and nonbanks require an independent audit of anti-money laundering programs? What are the requirements for such audit?

THE QUESTION: Are both banks and nonbanks required to perform an independent audit of their anti-money laundering (“AML”) program?  What are the requirements for such audit?

THE ANSWER:  Absolutely.

The Bank Secrecy Act (“BSA”) requires all residential mortgage lenders and originators to perform an independent review or audit of their AML program.  Although the BSA does not specifically set forth the time frame for performing such testing, the Federal Financial Institutions Examination Council (“FFIEC”) indicated that sound practice is for an entity to perform an independent audit of its AML program at least every 12-18 months, commensurate with the entity’s risk profile.

Testing must be performed by a party that is both independent and qualified.  While this does not mean the audit cannot be performed by an employee, the individual or individuals completing the audit must be fully familiar with AML requirements and cannot be involved in any of the AML functions of the Company.  As such, the Company-designated AML Officer would be unable to perform the audit.  For this reason, many entities engage outside service providers to perform independent audits of their AML program.

Whoever performs the review should report directly to the entity’s Board of Directors or Executive Management.  Testing should cover all of the entity’s activities and the results should be sufficiently detailed to assist the Board of Directors and/or Executive Management in identifying areas of weakness so that improvements may be made and additional controls may be established.  Among other items, the Company’s written policies and procedures should be reviewed as well as the qualifications of the AML Officer and the Company’s training materials and attendance logs.

In recent years, state regulators have commenced examining the AML programs of their supervised entities more closely.  In particular, many states now require entities to produce AML policies and procedures, as well as AML risk assessments and independent AML audit results as part of examinations.  Failure to maintain these documents can oftentimes result in an adverse finding.  Some states, such as California, Florida, Hawaii, New Jersey, and Texas, also maintain their own money laundering regulations.