Selecting and Implementing BSA/AML Monitoring Software
Evaluating, selecting, purchasing, installing and implementing BSA/AML monitoring
software can be a daunting task. Convincing senior management to make the investment,
establishing a project team, and coordinating with IT are among the many challenges
that you will face. How do you select the best software vendor for your particular
financial institution and how, after you have made this selection and purchased
the needed software, do you best incorporate the software into your BSA/AML monitoring
system? These are important questions that require careful consideration. The
following framework addresses these and the principal related questions and
concerns that accompany the evaluation, selection, purchase, installation and
implementation of BSA/AML monitoring software.
A. Evaluating and Selecting BSA/AML Monitoring Software
1. Determine Your Institution’s BSA/AML Software Needs
- Determine how your institution intends to use the BSA/AML monitoring software.
Does your institution intend to use the software to: (i) create CTRs; (ii)
assist in verifying the identity of new customers; (iii) screen for suspicious
activities; (iv) monitor high-risk customers; and/or, (v) conduct OFAC or
FinCEN 314(a) screenings?
- Determine the information and/or capacities that are not available with
your institution’s present software.
- Determine which portion of the customer universe (e.g., new and/or existing
customers) the software will consider. What transactions will the software
consider? On which portion of the institution will the software concentrate?
Will the software concentrate on one or more of the following: (i) retail
banking; (ii) commercial banking; (iii) credit union; (iv) private banking;
(v) broker-dealer; and/or, (vi) insurance?
2. Determine Vendor Qualifications, Products and Services
- Determine basic information about the vendor, including: (i) vendor name
and location; (ii) corporate affiliations; (iii) number of years the vendor
has been providing BSA/AML solutions; and, (iv) number of employees supporting
BSA/AML solutions.
- Determine basic information about the BSA/AML services that the vendor provides,
including: (i) where the database is maintained, whether on the vendor’s
mainframe or on your institution’s mainframe; (ii) how the vendor’s
BSA/AML software aggregates transactions, whether by account, TIN, or related accounts;
(iii) whether the software flags unusual transactions; (iv) the basis on which
unusual transactions are flagged; (v) how investigative files are maintained;
and, (vi) whether there is a case management tool for investigations.
- Determine whether the vendor provides only one type of BSA/AML software.
Does the vendor provide software for: (i) only CTR reporting; (ii) only SAR
monitoring; or, (iii) only SAR reporting?
- Determine what size institution the vendor’s software can manage (e.g.,
community bank, regional bank, multi-national bank or credit union).
- Determine what products and services the vendor’s software can manage
(e.g., retail banking, commercial banking, private banking, credit union,
broker-dealer, and/or insurance).
- Determine who some of the vendor’s current clients are. Determine if
you may contact one or more of these clients and, if so, obtain contact information.
3. Determine the Distinctiveness of the Vendor’s BSA/AML Software
- To determine the distinctiveness of the vendor’s BSA/AML software,
identify: (i) the vendor’s sources of information; (ii) the AML techniques
used in screening; (iii) whether the software can be customized; (iv) how
information is kept confidential; (v) whether the system uses batch or on-line processing;
(vi) how the system accommodates new transactions or products; (vii) how the
system accommodates regulatory changes; (viii) the types of reports that are
generated; (ix) how the software manages identified transactions; (x) the
percentage of false-hit investigations; and, (xi) whether the system can be
used for the following screenings: OFAC, FinCEN 314(a), FATF Non-Cooperative
Countries or Terrorists, and/or security databases.
4. Preview the Vendor’s BSA/AML Software in a Live Demonstration
- Preview the vendor’s BSA/AML software in a live demonstration to gain
a better understanding of the software’s operation and capabilities.
5. Evaluate the Vendor’s BSA/AML Software Installation Processes
- In evaluating the vendor’s BSA/AML software installation processes,
the following questions should be addressed: Is there a trial period? How
long does the installation take? Is there any back-loading of transaction
history or customer information? What types of training support are provided?
What is the upgrade history of the software?
6. Identify Security Concerns
- In identifying security concerns, the following questions should be addressed:
What are the security safeguards? Is there an audit trail? Can the software
work with your institution’s existing security systems?
7. Determine the Vendor’s Fees
- The following are among the types of fees that vendors typically charge:
(i) training fees; (ii) customer service fees; (iii) maintenance fees; and,
(iv) upgrade fees.
8. Evaluate the Vendor’s Customer Service Support
- In evaluating the vendor’s customer service support, it is important
to determine how this support is provided. Is this support provided via telephone?
Also, is there a “Help Desk” and what are the vendor’s hours
of operation?
B. Installing and Implementing BSA/AML Monitoring Software
1. Establish Project Objectives
- The BSA/AML monitoring system should reflect your institution’s BSA/AML
compliance program, including your institution’s BSA/AML policy, procedures
and risk assessment. Determine what you want the BSA/AML monitoring software
to accomplish.
2. Create a Project Team
- The composition of the project team should be based on the size and financial
capacity of your institution. You may wish to consult with your software vendor
for guidance or contact other institutions your size that have purchased the
same software. Involve all affected parties. If you will be extracting data
from multiple hosts, develop alliances with various departments. There should
be communication between IT and the compliance department. A project manager
should be designated and be responsible for ensuring the following: (i) the
project supports the objectives; (ii) the project’s goals and expectations
are clearly defined; (iii) project tasks are identified, scheduled and completed;
and, (iv) the project’s status is monitored and reported to senior management.
3. Establish a Project Timeline
- Establish a project timeline for “deliverables” for each phase
of the project, and include action steps, timeframes, responsible parties,
completion dates, etc.
4. Determine Tasks to be Implemented
- Although your software vendor will most likely aid you in this process,
your institution will need to ensure the software is customized to your institution’s
business and customer profile. Do not assume that, once the vendor has
implemented the software, no further effort by your institution will
be required. Keep in mind that, when initially changing to an automated system,
an institution is likely to find a significantly greater number of unusual
transactions to investigate than under its manual monitoring process.
- Setting system parameters will be the most challenging task in the implementation
process. Some suggestions for handling this include: (i) consulting with your
software vendor; (ii) setting parameters consistent with your BSA/AML risk
assessment, focusing on your high-risk areas first, and starting with broad
parameters and then narrowing the parameters based on experience; and, (iii)
documenting your decisions and rationale regarding the setting of parameters.
- Be aware that initial outcomes may leave you with unmanageable results.
This can result from one or more of the following factors: (i) the criteria
for generating alerts are not fully customized to the size and customer profile
of the institution; (ii) insufficient historical data within the system; (iii)
not conducting a sufficient review of existing customer activity to be able
to exempt certain customers from routine review; and, (iv) setting overly
conservative parameters. Parameters should reflect your institution’s
risk assessment. Continue to narrow the parameters until they result in meaningful,
effective output.
- The authority to establish or change expected activity profiles should be
clearly defined and should generally require the approval of the BSA Officer
or senior management. Controls should ensure limited access to the monitoring
system. Management should document or be able to explain the filtering criteria,
thresholds used, and how both are appropriate for your institution’s
risks.
5. Test the System
- After initial implementation, you are ready to test. In testing the system,
address the following questions: Is the system doing what you want it to do?
Is the system a reflection of your institution’s BSA/AML program? Is
the system meeting the objectives of the project plan? Are the results manageable?
Are the results accurate? Even the most sophisticated technology will produce
a level of false alerts.
6. Fine Tune the System
- Allocate sufficient time to fine tune and adjust the system based on the
results of your testing. This will ensure the most effective system.
7. Validate the Data
- The software data must accurately match the data on the host system. All
account information fields and transaction fields should be reviewed. Check
output from the BSA/AML system against output from the host system; then,
check host system reports back to the BSA/AML system. Maintain records of
testing for upcoming audits and/or examinations.
8. Develop Written Policies and Procedures
- Develop written policies and procedures for the BSA/AML monitoring software
which, at a minimum, include: (i) identification of the business units and/or
individuals responsible for monitoring each of your institution’s products
and services; (ii) identification of the report information that will be used
for monitoring; (iii) determination of the frequency with which monitoring
will occur; and, (iv) clarification of the process for investigating flagged
transactions, including responsible parties and timeframes for investigation.
9. Provide Training
- Those responsible for BSA/AML compliance must understand how the automated
system works and must be able to explain the system’s design and parameters.
Qualified staff members must know how to read and interpret output reports
and information generated by the system. They must also be able to determine
whether or not a SAR should be filed.
- Staff at all levels should understand that BSA/AML monitoring software is
a tool that supplements existing controls at your institution. While BSA/AML
software can notably improve your institution’s ability to monitor transactions
for suspicious activity, it is only a tool – not a solution. Manual
monitoring must remain part of the process. Staff must fully understand the
automated system and what information it does and does not capture. Since
staff who deal directly with customers are in the best position to know and
understand their customers’ transactions, staff must be aware of BSA/AML
requirements and be fully trained to identify unusual or potentially suspicious
transactions.
10. Audits and Examinations
- Continue to refine and enhance your BSA/AML automated system based on recommendations
from auditors and/or examiners. Document your reasoning for implementing or
not implementing recommendations.
- In the expectation of auditor and examiner scrutiny, ensure that all documentation
related to software selection and implementation is retained, including the
rationale for vendor selection, project plans, vendor contracts, testing,
documentation and contingency plans.
11. Going Forward
- The following are additional recommendations: (i) periodically evaluate
the appropriateness of the filtering criteria and thresholds used in the monitoring
process; (ii) pay attention to the operation of your automated system; (iii)
test your system at least annually to ensure that it is working appropriately
and that it is producing complete and accurate information; (iv) keep in mind
that changes made to other applications that interface with the BSA/AML software
could impact the integrity of your system; (v) continually re-evaluate your
BSA/AML risk assessment based on new product offerings, new market service
areas, new criminal activities of which you become aware, etc., and update
your automated systems accordingly; and, (vi) document the reasons for making
changes to the system’s parameters following initial implementation.
As you can see, the tasks of evaluating, selecting, purchasing, installing
and implementing the right BSA/AML monitoring software for your institution
require careful consideration and a significant investment of institution resources.
However, if you utilize the above framework, you will be in a strong position
to make the best decisions for your institution.
Author: Clarissa A. Rudinsky, CAMS, CRCM
For customized guidance for your institution with (1) identifying potential
vendors, (2) developing a vendor evaluation and/or implementation action plan,
or (3) conducting a BSA/AML risk assessment, contact Clarissa Rudinsky, Director
of BSA/AML Services, Integrated Compliance Solutions, at 516-984-6811 or crudinsky@icscompliance.com.