1. Paul Reuben and Martin Chipperfield were classmates in Business School. After a gap of 7 years they run into one another at
Chicago’s O’Hare to find that coincidentally they are programme managers in two banks; one a European giant and the other
a Community Bank. Not so coincidentally they are seized with the onerous task of staying on top of their jobs in implementing
the provisions of the US Patriot Act and its significant and rapidly increasing updates.
Their flights are late and they get to talking about their life and professional concerns. The BSA Act and compliance with its
anti money laundering provisions are on top of their minds. The risks of non-compliance are high. More than safeguards
against operational, legal and concentration risks the reputational risk as seen by the top management is severe. They
wondered why they had not considered the perils of downplaying this aspect of testing so far. They muse; if only they could
find an independent testing house that is an expert on the AML domain! If not, with the frequent ‘Federal Deposit Insurance
Corporation’ (FDIC) audits and with their CFOs on their necks to ensure strict compliance, their jobs could be on the line.
The banks were tuned to Yellow Hammer™ BSA and Prime™ AML applications. Yet, it was becoming hard to find an
independent testing house that is comprehensively competent to test and certify the system for compliance with ‘Know Your
Customer’ (KYC), ‘Enhanced Due Diligence’ (EDD), and ‘Customer Due Diligence’ (CDD) requirements, the various transaction
risk monitoring procedures and ‘Office of Foreign Asset Control’ (OFAC) validations!
Going into the details Paul and Martin find that their concerns were more or less the same and were centered on ‘Bank
Secrecy Act’ (BSA) compliance structures, Core examination procedures, Currency transaction reporting, the MT 202 COV
format, ‘Suspicious Activity Reporting’ (SAR), ‘Automatic Clearing House’ (ACH) transactions, trade finance and third parry
payment processes. Prompt compliance with FDIC audit findings was a constraint that could no longer be wished away under
the excuse of changing compliance structures. Winter was setting in. They had just a couple of months to find an independent
and competent AML testing vendor.
CASE STUDY:
TESTING FOR ANTI-MONEY LAUNDERING (AML)
COMPLIANCE
2. Case Study:Testing For Anti-money Laundering (AML) Compliance
Not having short listed any AML testing vendor they thought they
would check out with a few well known banking consultants. With
Martin’s flight to Wisconsin being announced, they parted having
decided to compare notes after a year or so.
The story thereafter: Armed with their check list and in
consultation with banking consultants and independent of one
another both Paul and Martin found vendors who inspired
confidence in them. They took the plunge.
At Paul’s Bank:: In a couple of months of being contracted, with
respect to the Yellow Hammer application, the AML testing vendor
was able to:
• Ensure that the peer group definitions for various ‘North
American Industry Classification System’ (NAICS) codes were in
order
• Help the bank’s operational users to define and set up ‘new
analysis definitions’
• Bring down the overall failure to 4.16% against the executed test
count of 1,227
• Bring down the defect distribution (percentage of showstopper
& critical defects over total defects) from the observed 9.81% to
less than the allowed 5% during UAT
• Help the bank in cleansing up all their data by initiating a
separate data quality project
• The need for cleansing arose because data analysis revealed
inconsistencies between the TIN information of customers,
appropriate NAICS codes and account closure dates
• 40 per cent of the defects were found in the base product
version in the consoles relating to reports, review risk rating and
managing peer definitions
At Martin’s Bank:: With respect to the Prime Compliance suite
application the newly contracted vendor was able to help the
bank validate CDD, BSA reporter and OFAC reporter modules
• Bring down issues raised to 1.77% against the executed test
count of 787
• Bring down the percentage of showstopper and critical defects
over total defects to less than recommended 5 % from the
observed level of 7%
• Identify business critical defects, which were found to be 58%
of the total defects identified
Seven months later Paul and Martin met up at a seminar and
that evening shared their success stories. Amazingly both had
honed in on the same AML testing expert vendor. They compared
their own experience and the formal feedback from the vendor.
With their flights being further delayed they went into the details
of how they would refine their search. They realized that they
wanted an AML testing house that would: -
• Understand their customer identification programs
• Suggest improvements to existing ‘Account Due Diligence’
(ADD) and CDD procedures
• Validate changes to a customer profile based on risk category
• Clearly understand the existing SAR and ‘Currency
Transaction Report’ (CTR) filling procedures.
• Effectively validate risk assessment models and execute
multiple data manipulations to ascertain the effectiveness of the
current risk assessment
• Conduct link analysis and link unrelated accounts based on
transactional patterns (type, volume, amount etc.)
• Provide accurate measures of the level of alerts generated by
the system.
• Validate the system’s accuracy in migrating data and provide
risk based analytics
3. Value Additions by the champion AML tester
• Recommended operational procedures to tie up the CTR
related communication between Yellow Hammer and vertex
(Back-end system) which will improve operational efficiency of
the business users
• Quality of the defects raised enabled the bank to identify
customers and accounts involved in suspicious and fraudulent
transactions and thereby install effective control procedures
• Early and accurate unearthing of defects helped the bank to
comply with BSA norms within the agreed timelines
• Effective root-cause analysis performed on the data
integrity/inconsistencies issues formed a basis for the banks to
take corrective action in their respective source systems.
• Identification of inconsistencies in risk rating console enabled
the bank to enhance their current risk modeling and risk
grouping
• Proven business scenarios from the repository were reused to
ensure a robust system against the existing suspicious activities.
• Made the banks realize that AML testing was not to be treated
as a one short exercise. It was to be an ongoing process, with
testing to be done at least once in 6 months in addition to being
in sync with new releases or when application/system changes
are carried out.
Now who is this champion AML testing vendor that both Paul and
Marin were gung ho about? None other than Thinksoft Global
Services Ltd.
Some challenges faced by the AML testing vendor:
• Lack of clarity within the bank in the definition of functional
requirements and scattered documentation.
• Access restrictions on the vendor due to the Data Protection
Act.
• Limited time window available to the vendor for testing the
system
Suggesting that a competent AML vendor be identified early in
the core software acceptance phase!
• Limited access to the test environment to set up new transaction
rules, reports and work lists
Suggesting that the business user needs to play a proactive role
in having the software developer willingly coordinate with the
independent AML testing vendor!
• The vendor’s personnel had the necessary technical skills and
people skills to overcome all the constraints with the minimal of
friction
Project Highlights
• Business critical transaction related gaps were identified in the
AML application during initial discussions with the business
users as part of strategy discussions.
• Loopholes linked with instruments other than cash were
plugged
• Issues relating to data mapping were identified during the
planning phase resulting in eliminating down-time during
execution.
• Based on extensive experience the vendor was able to guess
the clerical errors that could have crept up in mapping
customers to their rightful NAICS codes
• Functional scenarios were prepared for different consoles and
reports
• Transactional rule & risk assessments tested with masked
production data.
• The CTR console was tested for both CTR filing and exemptions
to ensure effective monitoring of cash transactions
• Appropriate data selection through effective analysis of
transaction pattern covering different category of customers and
periods to detect potential structuring and Smurfing activities
• Periodical reports validated for different peer group
Matching text algorithms and sanction data rules were validated as
a part of OFAC programs
4. Disclaimer: All the documentation and other material contained herein is the property of Thinksoft Global Services and all intellectual
property rights in and to the same are owned by Thinksoft Global Services. You shall not, unless previously authorized by Thinksoft
Global Services in writing, copy, reproduce, market, license, lease or in any other way, dispose of, or utilize for profit, or exercise any
ownership rights over the same. In no event, unless required by applicable law or agreed to in writing, shall Thinksoft Global Services,
or any person be liable for any loss, expense or damage, of any type or nature arising out of the use of, or inability to use any material
contained herein. Any such material is provided “as is”, without warranty of any type or nature, either express or implied. All names,
logos are used for identification purposes only and are trademarks or registered trademarks of their respective companies.
For more details visit, www.thinksoftglobal.com
Case Study:Testing For Anti-money Laundering (AML) Compliance
Thinksoft’s AML testing framework
• Identify High Risk banking areas
(products, services, customers,
entities, and geographic locations)
• Derive and agree on Project Scope
• Understand KYC Procedures /
Customer Identification
Programs/Transsactional Monitoring
• Analyze the Risk identification
Programs
• Business scenarios designed to
ensure optimum coverage
• Data selection to validate Boundary
value and Negative testing
scenarios
• Functional matrix to highlight
coverage
• Risk based execution based on
business criticality and functional
complexity (e.g customer due
diligence)
• Structured Testing and Timely
reporting
• Agile Planning methods ensuring
faster delivery