“Those who cannot remember the past are condemned to repeat it.”
-George Santayana-
Introduction
George Santayana said once, “Those who cannot remember the past are condemned to repeat it.” In order to learn from it, we have to start by looking back. As of April 20th, 2020, 45 states or territories within the United States are under “stay at home” orders.[1] While we protect ourselves and others by staying home, we should begin looking beyond COVID-19. None of us knows exactly what that will look like or when it will happen, but we need to prepare for it with more than an “everything’s back to normal” approach. With that many people working from home or remotely, the questions will start to become, if they haven’t already, how did our Bank Secrecy Act (BSA)/Anti-Money Laundering (AML) teams do?
The Importance of our Past
We have to learn from the good and the bad. The last few weeks, and the next couple more, depending on what state and local governments do moving forward, will tell us what went well and what didn’t. We will learn how thorough and effective our overall business continuity plan (BCP) was, but also specific effects on our BSA department. The value in this assessment is immeasurable. It will cover the usual suspects, such as controls, mitigations, etc., but it will also tell us how things actually worked rather than just how we thought they would work. Further, it will tell us what changed – for example, did the activities or behaviors of our customers change, and how that affected our team, which is something we may not have considered when writing the BCP.
Gathering the Past
There will be two major parts for us to measure the past. The first is gathering the answers to a number of questions. See how you fare:
1. How was your team impacted? Were they on alternating on-site schedules, entirely work-from-home, access to the proper network infrastructure at home, families/pets at home, no families/pets at home, did they/their immediate family fall ill, etc. Did you lose any staff during the crisis, either for reasons of lay-off, quitting, or due to illness? These are all factors to weigh later on during the assessment.
2. Did your BCP include the ability to work-from-home before this started? If so, was the institution prepared from a technological perspective to support a work-from-home scenario, or if they had to prepare, was there an impact to supporting the BSA and OFAC functions while that was being mobilized? Be prepared to speak to what it took to get you up and running under the current scenario.
3. Putting the overall institution’s BCP aside, how was BSA specifically prepared? Was there any policy on how to maintain the same level of compliance despite being short-staffed, remote access, etc., if applicable? How did you fare? Taking technological requirements a step further, note any challenges to accessing the BSA required systems in order to maintain compliance.
4. If you were splitting staff on an alternating schedule or had technological challenges in reviewing cases or running Office of Foreign Assets Control (OFAC) scans, how did that impact processing time? Did it create a backlog or are you running just fine in this area? Did your alert/case volume go up or down? We’ll get into the statistics a bit later, but here’s a big part of where the clear data comes in – knowing your alert/case volume before, noticing whether you experienced a dip or spike, and if the average number of minutes to escalate or clear an alert/case went up or down during this period.
5. What impact, if at all, did the stay-at-home order have on your procedures in completing Enhanced Due Diligence (EDD) required on all Payroll Protection Program (PPP) loans? Again, being aware of any challenges you faced during this time, along with any controls, will give you a picture for the future.
6. What BSA/AML projects did you have plan to start or complete in the second or third quarter of 2020 that have now been put on hold? Were you looking to customize or tune your software, complete an AML model validation, or even an independent risk assessment? If so, what backlog of projects does that leave for you to complete this year? It’s not always about the immediate impacts (i.e. alert/case review), but the long-term projects that are always on the schedule that have now been impacted too.
7. Did your pandemic plan pass the "test"? Overall, how did you fare? If you were to really create an assessment/questionnaire, how would the results rate? This could be a great benchmark if you assess this process in a matrix format identifying your successes and challenges.
ARC Risk and Compliance can help you gather and access how your Business Continuity Plan performed during COVID-19. Contact us today for how we can help.
Assessing the Past
The second part of assessing our past will be reviewing all the data we’ve gathered. Now that we’ve gathered all the answers to the questions above, what’s next? It’s time for us to look beyond the business impacts of COVID-19 and see what we can do next. We’re not likely to walk away without any observations of the process. Even for the best, most agile companies, there is always something to learn. For some, it could be that they don’t have a mitigation in place in the event something like this happens and they lose staff, what will they do? What happens if alert/case volume drops right now and staff was cut, or staff was lost (via illness or being unwilling to risk commuting to high-risk locations), but once we “return to work”, the alert/case volume spikes – will your institution be prepared? Even if that part is under control, what about the long-term projects that need to be complete? Were EDD high-risk reviews maintained according to schedule during the COVID-19 crisis, or were those put on the back burner for now? It is at this stage in the process that we need to weigh the answers and data gathered in order to plan out the future. And that is our next stop.
Conclusion
Now that we’ve done the research, looked at the past, learned from it and are ready to make decisions based on it, we can talk about where we are going. From here, we’re going to start planning for the future. We need to plan today for what will be needed once things start returning to (a new) normal.
[1] https://www.nytimes.com/interactive/2020/us/coronavirus-stay-at-home-order.html
