June 25, 2020

The Role of IT in an Institution’s BSA/AML Model Validation – WST

Financial institutions of all sizes are using more technology to improve their processes.  For example, models can help an institution budget, price liabilities, and identify risks.   One particular model that has seen growth in the past few years is for BSA/AML monitoring.

A BSA/AML model validation obviously involves compliance personnel, but a key part of the assessment involves direct input from technology staff. During a BSA/AML model validation, the auditor will likely ask to speak with the IT Director to discuss the information security controls associated with the BSA/AML model solution and its interfacing systems. Why is that, you ask? Because the IT department is responsible for establishing and maintaining the controls that ensure the security, integrity and availability of model data. Specifically, these are the controls over data security, user security and system changes, as explained below:

  • Data Security – Controls designed to prevent the unauthorized and/or inadvertent disclosure, modification or destruction of model data. The auditor will be looking for evidence that confirms the existence of controls, including, but not limited to, the following:
    • A detailed network diagram that identifies all systems that interface with the model.
    • Evidence of secure data transmission between interfacing systems.
    • System configuration(s) depicting enablement of security settings.
    • System/data backup and data retention procedures.
  • User Security – Logical access controls are designed to prevent unauthorized access to sensitive data. User access should be assigned according to “least privilege” based on role and/or job function. For example, tellers or other non-BSA staff should be restricted from viewing Suspicious Activity Reports (SARs) and customer reporting. Access permissions should be reviewed on a scheduled basis to confirm that each user's access remains appropriate as staff and job responsibilities change.
  • Change Management – Change controls are designed to prevent unauthorized and/or inappropriate system modifications. These controls ensure all system changes are properly initiated, approved and implemented.  System changes, including version updates and server hosting changes, should be categorized based on impact and tested accordingly with appropriate stakeholder involvement to minimize system disruptions.
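
The scheduled least-privilege review described under User Security can be partly automated, which also produces the evidence an auditor asks for. The following is an added example and not code from the original article: it joins a constructed user entitlement export from the monitoring system with an HR roster and flags excess permissions (a teller holding SAR viewing rights), enabled accounts belonging to departed staff, dormant accounts, and accounts whose role the policy does not define. The role names, permission names, users and dates are all hypothetical.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Hypothetical role-to-permission policy for a BSA/AML monitoring system.
# Role and permission names are constructed for this example; a real
# institution would take these from its own documented access policy.
ROLE_PERMISSIONS = {
    "bsa_officer": {"view_alerts", "view_sar", "file_sar", "view_customer_reports"},
    "bsa_analyst": {"view_alerts", "view_sar", "view_customer_reports"},
    "aml_admin": {"view_alerts", "manage_users", "change_config"},
    # Front-line staff may submit referrals but must never see SARs or
    # customer reporting (the least-privilege rule the article describes).
    "teller": {"submit_referral"},
}

# Date on which this review is run (constructed).
REVIEW_DATE = date(2020, 6, 25)


@dataclass(frozen=True)
class UserAccess:
    """One row of a user entitlement export joined with the HR roster."""
    username: str
    role: str
    permissions: frozenset
    enabled: bool            # account enabled in the AML system
    employed: bool           # still on the HR roster
    last_login: Optional[date]


def find_excess_permissions(users):
    """Return (username, issue) pairs where a user holds permissions beyond
    what the policy allows for their role, or has a role the policy does
    not define (so their access cannot be reviewed against anything)."""
    findings = []
    for u in users:
        allowed = ROLE_PERMISSIONS.get(u.role)
        if allowed is None:
            findings.append((u.username, f"role not in policy: {u.role}"))
            continue
        for perm in sorted(u.permissions - allowed):
            findings.append((u.username, perm))
    return findings


def find_stale_accounts(users, today, max_inactive_days=90):
    """Return (username, issue) pairs for enabled accounts that belong to
    departed staff or have not been used within max_inactive_days."""
    findings = []
    for u in users:
        if not u.enabled:
            continue
        if not u.employed:
            findings.append((u.username, "enabled but no longer employed"))
        elif u.last_login is None or (today - u.last_login).days > max_inactive_days:
            findings.append((u.username, "dormant"))
    return findings


def access_review(users, today, max_inactive_days=90):
    """Run both checks and return the findings as one report."""
    return {
        "excess_permissions": find_excess_permissions(users),
        "stale_accounts": find_stale_accounts(users, today, max_inactive_days),
    }


# Constructed sample export: five users, four of which should be flagged.
SAMPLE_USERS = [
    UserAccess("mjones", "bsa_officer",
               frozenset({"view_alerts", "view_sar", "file_sar", "view_customer_reports"}),
               True, True, date(2020, 6, 22)),
    # Teller granted SAR viewing, e.g. by copying another user's profile.
    UserAccess("tsmith", "teller", frozenset({"submit_referral", "view_sar"}),
               True, True, date(2020, 6, 24)),
    # Analyst who left the institution but whose account was never disabled.
    UserAccess("rlee", "bsa_analyst", frozenset({"view_alerts", "view_sar"}),
               True, False, date(2020, 3, 2)),
    # Admin account not used since January (162 days before REVIEW_DATE).
    UserAccess("pkhan", "aml_admin", frozenset({"view_alerts", "manage_users", "change_config"}),
               True, True, date(2020, 1, 15)),
    # Account with a role the policy does not define.
    UserAccess("bwong", "contractor", frozenset({"view_alerts"}),
               True, True, date(2020, 6, 10)),
]

if __name__ == "__main__":
    report = access_review(SAMPLE_USERS, REVIEW_DATE)
    for check, items in report.items():
        print(check)
        for username, issue in items:
            print(f"  {username}: {issue}")
```

Running the script prints the four findings; in practice the entitlement export would be pulled from the monitoring system and the HR roster on a schedule, and the dated output retained as evidence that the review took place and what was remediated.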

In summary, while the BSA/AML model may be considered a specialized solution owned and operated by the compliance department, the controls outlined above are the same as those surrounding other key applications.  For this reason, IT should not feel an enhanced sense of panic when the BSA/AML auditor comes calling!
