Introductory BSA/AML Examiner School, Providence, RI

From: Flynn, Jami (MA) Sent: Thursday, April 14, 2016 10:05 AM

To: Cook, Christopher R (DOB) < christopher.r.cook@state.ma.us >; Lindenmuth, Michele (MA) < MA27@NCUA.GOV >; Antin, Tayana (DOB) < tayana.antin@state.ma.us >; Avey, Shawna (MA) < MA03@NCUA.GOV >; Maio, Stephen (DOB) < stephen.maio@state.ma.us > Subject: RE: Internal BSA Working Group Hello Group: I don’t know if anyone out there can offer guidance but I thought I would pose my question to the group! I completed a BSA review at Fall River Muni credit union. They have never had an independent validation of their BSA monitoring program (Verafin) and they completed a core conversion in 2013. This has been a finding now for at least 4 exams. I reached out to Jane and she and I found a scope that covers all areas. This is the only institution that continues to fight this finding. Yesterday, I got an email from the BSA officer (I have it pasted below) that they are going to have their finance department complete the review. I do not feel that is adequate, I have told them multiple times that it is not incorporated into a BSA audit and that it is more concentrated in IT. Has anyone had an independent validation completed by the institution themselves? Does anyone have any insight as to how I should proceed? I reached out to Jane, but she was not very helpful and was candid that she had no insight into how I should proceed… Jami- Due to a scheduling delay with Shatswell, we are unable to include the data validation in the annual BSA Audit that is being conducted this week. In order to complete this validation promptly, we are proceeding with having our Finance Dept. conduct the review based on the following scope, which you were kind enough to provide as a sample. The Finance Dept. is not involved in any part of the bank's BSA/AML compliance program. a. Testing of transactions from Episys to Verafin, and vice-versa, to verify cash transactions (to include currency exchanges, cashed checks, currency orders, etc.) as well as foreign and domestic wires, monetary instrument sales, ACH transactions, checks, ATM transactions and internal transfers are properly accounted for in Verafin; b. Review of the transaction types and volumes that are specific to the CU in order to establish a baseline for the risk-based approach to transaction testing, followed by an assessment of the output from each rule . to determine if the parameters generate reasonable alerts of potentially suspicious activity or if the settings generate too many false positives; c. Review and test high-risk transaction types to ensure that Verafin rules properly recognize certain