This is the third article in a series on the topic of Quality Considerations for Financial Crime Teams.
- The first article set out some high-level definitions for Quality Assurance (QA) and Quality Control (QC) and how they need to work together.
- The second article goes into further detail about QC in the first line.
This article will focus on Quality Assurance for financial crime teams.
The terms ‘Quality Assurance’ and ‘Quality Control’ are sometimes used interchangeably. Whatever you call it, there are different types of quality processes that need to be in place to make sure that risk – in this case, financial crime risk – is being managed effectively. Typically, QA is a second line process – usually the responsibility of the compliance team. QA should complement the QC that is performed by the first line of assurance teams to ensure quality in the overall financial crime processes in use by the organisation. Rather than focusing on the quality of the individual outputs and decisions of the first line, QA should provide an overall view of how effectively financial crime systems, processes and controls are operating.
Management should use the findings of QA to make strategic decisions on the management of financial crime processes. For example, decisions on:
- Processes: whether the firm’s financial crime processes are operating effectively and efficiently.
- Controls: whether the firm’s controls are effective and are aligned to the firm’s risk appetite.
- Resourcing: whether the number of resources employed in the first line for such activities as screening and transaction monitoring alert management is sufficient.
- Training: whether there are skills gaps in the first line that require additional training.
We would expect QA to include the following components:
1. Planning and Preparation
It goes without saying that there should be a QA plan in place to make sure that QA activities have the right coverage and there is clarity about who is doing what and when.
QA methodologies, processes and templates should be drafted and approved to ensure that QA activities are performed consistently and to the right standard.
Governance and escalation paths should be agreed to ensure that there is a clear process to follow when an issue is identified.
Metrics showing both the effectiveness of controls and of the QA itself should be agreed.
2. Controls Assessment
Ideally, financial crime controls would have been implemented in line with a firm’s risk assessment and each control would mitigate a particular risk or set of risks. A key objective of QA should be to determine whether the controls are effective in addressing those risks. Assessment of the controls in place is usually split out into two types of testing:
- Is the design of the control effective? Essentially this looks at whether the control, if properly applied, would address the particular risk in question. As an example, a team might have different access profiles for their screening system to ensure that only managers can approve a new high-risk customer. The QA analyst might want to examine whether this addresses the risk that a customer is onboarded that does not meet the firm’s risk profile. Often, a number of controls will be working in parallel to address each risk.
- Is the operation of the control effective? Once it has been confirmed that a control’s design is effective, QA should review whether it is operating effectively. This means that it is working as intended in practice, not just in theory. This type of testing can include sample testing, walkthroughs, interviews or document reviews.
The QA plan should ensure that all relevant controls are considered. As well as operational controls such as screening, transaction monitoring and Client Due Diligence, the following types of controls should be included:
- Governance and Reporting
- Training and communications
- Data Governance
- Policies and Standards
3. Programme and Project Assurance
In addition to day-to-day controls testing, QA support might be required on compliance programmes and projects. This could involve activities such as validating governance processes, confirming the viability of plans, reviewing key project deliverables or simply being an independent ‘voice of reason’ to make sure that key decisions are appropriate.
4. MI and Feedback
The results from the QA activities should be collated (as defined by the planning process) and fed into a suitable forum – one that has appropriate representation from relevant parts of the business and one that has authority to effect changes to processes or controls that are not working.
It is also critical that there is an effective feedback loop so that QA findings are fed back to team leaders and into training where necessary.
SQA Consulting helps organisations ensure their financial crime frameworks are effective. If you would like to hear more about our work, then please contact us.