Complying with Bank Secrecy Act/Anti-Money Laundering (BSA/AML) regulations is a major challenge for financial institutions, and those found with deficient practices are subject to receiving a Matter Requiring Attention (MRA) notification.

The Office of the Comptroller of the Currency (OCC) states, “MRAs communicate specific supervisory concerns identified during examinations in writing to boards and management teams of regulated institutions. MRAs must receive timely and effective corrective action by bank management and follow-up by OCC examiners.”

This combined requirement of timeliness and proof of effectiveness makes delivering an acceptable response particularly challenging. Unfortunately, MRAs are not uncommon. The article Get to Know the “5 Cs” — BSA Matters Requiring Attention notes, “Most banks receive some sort of finding or ‘Matter Requiring Attention’ (MRA) or ‘Matter Requiring Immediate Attention’ (MRIA) regarding their BSA Program during a BSA exam.” Given the likelihood of receiving an MRA, and the burden associated with the response, developing a robust process to handle them is essential.

This post will examine how the right Enterprise Risk Management (ERM) system is uniquely suited to not only help efficiently and effectively respond to the challenges associated with MRAs, but also (when properly configured) help minimize them.

To understand how this is possible it is useful to “learn from the mistakes of others.”

MRA root cause analysis

Kenneth Simmons, calling the BSA/AML “the most challenging compliance requirement facing financial institutions of any decade,” presented an analysis of OCC data to examine what drives MRAs and to learn how others could avoid them. In describing the purpose behind analyzing proprietary OCC information from reports issued to 137 financial institutions during a four-year period, Simmons quotes Eleanor Roosevelt: “Learn from the mistakes of others. You can’t live long enough to make them all yourself.”

Internal controls driving MRAs

Simmons’s study revealed that insufficient internal controls account for 84% of the MRAs issued. He states that this category of deficiencies is “the most difficult area for financial institutions to manage regarding BSA/AML.”

Part of the difficulty in managing controls can be attributed to the fragmented nature of non-ERM processes. Without a single source of truth, documentation can be spread out across multiple departments (or missing entirely) and vary considerably from owner to owner. This can make it difficult to demonstrate effectiveness in a BSA examination and complicate the response process to any control-triggered MRA.

Importance of risk assessments

In addition to internal controls, the study also cites risk assessments as another potential driver of MRAs. “While the FFIEC guidance indicates internal controls are the cornerstone of an effective BSA program; results of examinations without significant BSA deficiencies indicates the risk assessment may be the ‘new’ cornerstone. A well-devised risk assessment clearly defines risk and the areas of risk needing mitigation.” According to the study, issues related to risk assessments were responsible for 13% of MRAs.

Specifically, examiners require enough supporting documentation regarding assessments to understand the rationale behind them. Simmons observes, “They may not disagree with your overall conclusions but, in order to properly examine that you have a sufficient BSA program, they have to understand the risks at your institution. Without any supporting documentation, they will not know how you came to your conclusions.”

Audits: the third line of defense

In the traditional “Three lines of defense” model, audits are the last line of defense (following front line staff and compliance initiatives). Simmons observes that examiners typically begin with the risk assessment first. They then review the most recent BSA audit report conducted since the last examination. “The bank’s risk assessment and internal audit are the two key components utilized to scope the examination,” he notes.

What Simmons establishes as the requisite components—robust controls, documented risk assessments, and integrated audit capabilities—are precisely what an ERM approach provides. Shifting from a traditional model to an ERM program not only shifts focus to the most common causes of MRAs, but also allows your organization to utilize technology that can help reduce the burden associated with responding to MRAs.

Traditional approach vs. an ERM approach

In a presentation to the Society of Corporate Compliance and Ethics, consultant Jason Lunday compared controls under a traditional compliance approach with those in organizations that have ERM programs. The traditional method results in fragmented methodologies, inconsistent ownership, and controls that are layered over processes. With ERM, Lunday notes, controls are better aligned, ownership is established centrally, and controls are embedded into processes. This results in standardized methodologies across the enterprise and processes that are easier to explain to regulators.

How ERM technology helps

The right ERM system provides several critical capabilities:

  • Links risk assessments with controls
  • Establishes centralized assignment and accountability
  • Creates a single source of truth for reporting

These features allow your organization to develop action plans for MRA responses with timelines and assignments, update reports automatically when controls are adjusted, and audit their effectiveness. Having the ability to coordinate a rapid, effective response to the most common MRAs reduces the associated burden and the drain on resources. This functionality can also help align risk assessment and controls management with strategic objectives, leading to more proactive risk management and the potential to lower the odds of receiving the next MRA.

ERM technology is so effective in this regard that regulators may require that a financial organization deploy the technology in response to deficiencies cited in an MRA. This mandate compresses the selection/implementation process and has regulators dictating timelines instead of the organization choosing the path it prefers. If your organization is still using a spreadsheet-based process to manage risk assessments and controls, seizing control of the migration path not only puts your organization in charge of the process but also puts you closer to having the tools best suited for responding to MRAs.

Talk to our experts to find out how an ERM could help your organization handle MRAs better.