Saturday, April 1, 2023

A Look at AML Audits - Can you Audit Without a Risk Assessment?

We deal with known risks by establishing a plan to mitigate them. In the case of AML plans for mortgage companies, we face the risk of allowing financial crimes to go undiscovered and enter the financial system through our business. 

We create compliance plans as multi-tiered tools to deal with the risk. The tiers are the four (or five, depending on your business) pillars of an AML plan:

  1. the plan itself - which identifies the risks your business encounters and how you mitigate them
  2. training - your employees learn how to identify and report red flags
  3. compliance officer - the person who implements the procedures, files reports, and ensures the activity, such as training, audits, risk assessments, etc., takes place 
  4. an audit or exam - reviews your plan, determines if it is sufficient for the risks you face, and identifies if you are following it
  5. ongoing review of accounts - if we are servicing, for instance

Static Plans DO NOT Address the Risks - Make Sure you know what they are


We conduct hundreds of AML audits, and the BIGGEST problem we see is that AML plans don't explicitly address the risks the business faces. Furthermore, the audits or tests we see focus on whether the AML plan contains arcane legal citations, or they review a sampling of closed loan files. This is not where the risk is.

In the mortgage business, we are experts in looking for fraud - documenting sources of funds and ferreting out suspicious income and transactions. This doesn't mean that fraud and suspicious activity don't make it through (CoreLogic reports 1 in 131, or 0.76% of loans, are fraudulent). Still, it does mean that the MAJORITY of incidents probably aren't in the files that make it through to closing. So it makes sense to focus our efforts on loans that don't go through a complete underwriting process.

None of the AML plans and audits we have reviewed focus on risk assessments. Hawaii is the only state we have encountered where they are requesting a specific AML risk assessment - (Bravo! Mahalo!). New York requires large-scale risk assessments of the entire operation, including AML. 

This leads me to conclude that people don't know what a risk assessment is or even why you do one. The purpose of the Risk Assessment is to look at YOUR business for areas of risk. Only then can you create a strategy to mitigate money laundering activity.

How to Conduct a Risk Assessment?


Depending on the firm's scope, our risk assessments create a binary decision tree instead of a complex "relative risk rating" approach - e.g., low, medium, and high. We do it this way because the risk increases on an absolute basis. One red flag doesn't necessarily indicate fraud or money laundering activity; however, two levels of risk mean that we should, at a minimum, document that we validated there were no red flags. We refer to this as "risk layering," where two or more inherent risks exist in a file.

  • Higher risk components - Company-wide
    • Geography
    • Business model
      • delegated, non-delegated
      • retail/wholesale, etc.
    • Origination strategy
      • direct/indirect
      • relationship/transactional
  • Higher risk components - Loan Level
    • Loan Type
      • Gift Letter
      • ALT/Non-QM
      • Investment
    • Borrower Type
      • Self-employed
      • Real Estate
      • Medical
      • Cash Business

This allows us to methodically elevate the review of the file.

We do this because things that don't matter to the underwriter from an approval perspective (the loan meets guidelines) often matter for detecting and reviewing red flags. In our business, we review files for these elements, and it always surprises us how often these are overlooked. Examples include:

Deposits not needed for down payment or closing costs - the underwriter isn't concerned about whether a borrower has a $100,000 CD in one bank if he has the $20,000 he needs for closing seasoned in another account. The money has been there forever, and the account doesn't move. But does it make sense that someone who makes $60,000 a year has $100,000 stashed in an account they don't touch? Especially when they have a lot of debt? No, it doesn't. That's a SAR.

Income and Expenses from a side business - the underwriter doesn't include the borrower's side business, which involves cash, in the computation. The borrower has enough income to qualify for the loan. The side job (documented by frequent small-dollar cash deposits) is a compensating factor, and the borrower didn't need to provide tax returns because she was on salary. That makes perfect sense, except that if there is more than $5,000 of this kind of activity in the loan file (e.g., 2 months' bank statements), then that triggers a SAR for "smurfing."

  • Focus on engagements/applications/rate quotes/pre-quals which do not complete
  • The greatest risk lies in loans or prospects not reviewed by underwriting/credit.

