Bank Compliance - September/October 2009

Using

MetriCs

to Assess Your AML

Compliance Program

By Kevin M. AnDerson, CAMs

OW CAN AN INSTITUTION MEASURE

the effectiveness of its AML compliance
program—before an examiner comes in
and gives an assessment?

One approach to determining the effectiveness of the program is to rely on the fourth pillar of an AML compliance program: an independent audit. While AML might not be as hot a topic as it was in years past, this is a very risky approach. A company relying on an independent audit is basically betting everything that the audit will assess the entire program and find everything that an examiner would. That is a tall order for many audit departments, most of which need to take a risk-based approach to determining what areas need review instead of auditing every aspect of AML.

Audits generally provide an overall assessment, but transaction testing is done on a sampling basis because it is not feasible in most cases to survey the entire population. From a practical standpoint, audits are lengthy, labor-intensive efforts, requiring weeks if not months to complete.

These factors limit the ability of the audit department to get a comprehensive view of the institution in a cost-effective or timely manner. A well-designed audit program will provide general comfort to an institution that it is in compliance with applicable laws and regulations and such a program is a critical independent assessment for the BSA officer to use to fulfill the responsibility of overseeing the

program. However, it is not likely to provide the level of day-to-day oversight expected of the institution, being too limited in scope and frequency to be of use.

Another approach would be for a compliance department to conduct risk-based reviews of business units. These can be directed in part by the internal risk assessment, with some consideration of planned examination activity (to the extent known), to determine what should be reviewed. While these can usually be done more frequently and in more depth than audits, they often are done too infrequently and are too limited in scope to effectively assess the overall day-to-day compliance program.

An alternative to both of these approaches is to use metrics: the art of numbers. This approach is already part of the nature of financial institutions, which regularly use and study metrics to inform business decisions as to what products are successful, what customer segments to focus on, and which areas of the company are most profitable. Why not leverage this capability by applying it to compliance?

The idea here is to generate metrics that allow the institution to get a picture of compliance efforts. Metrics are really numbers, distinct ways to quantify something to be measured. Compared with audits and reviews, metrics provide a more granular assessment. They enable more informed decision making as to what areas a company needs to focus on.

With a factual basis, a compliance officer is better able to quantify a problem and build a business case for improvements or funding of projects. Why is this important? Man-