Wells Fargo’s recent disclosure of regulatory investigations related to its anti-money laundering (AML) and sanctions programs and agreement to “work with U.S. bank regulators to shore up its financial crimes risk management” serves as a timely reminder of the ongoing importance of robust compliance measures in the financial sector.
These events underscore the need for vigilance at all levels of the industry, from major institutions to smaller financial companies, and further highlight the critical role of due diligence in selecting and monitoring payment solution providers for compliance officers, risk practitioners, and internal audit executives.
To that end, here are four essential questions to ask when evaluating potential partners, informed by the latest industry developments:
1. How comprehensive is the BSA/AML compliance program?
A robust Bank Secrecy Act and Anti-Money Laundering (BSA/AML) compliance program is vital to any financial institution’s risk management strategy. When evaluating a provider’s program, look for well-defined internal policies and controls. These should include a documented BSA/AML policy that outlines the organization’s approach to identifying, assessing, and managing money laundering and terrorist financing risks.
The policy should encompass clear customer identification procedures, risk-based customer due diligence processes, and transaction monitoring systems. Additionally, it should detail suspicious activity reporting procedures and record-keeping practices that meet or exceed regulatory requirements. Equally important is a defined process for staying current with regulatory changes and implementing updates promptly.
A dedicated compliance officer should oversee these efforts. This individual should possess relevant experience in BSA/AML compliance, appropriate certifications, and have direct access to senior management and the board of directors. They should be empowered to implement necessary changes across the organization.
Another crucial element is ongoing, comprehensive training. Look for providers that offer role-specific training tailored to different departments, annual refresher courses for all staff, and ad-hoc training to address new regulations or emerging risks. The training program should include testing to ensure comprehension and retention of key concepts, with all activities documented for audit purposes.
Finally, the provider should conduct rigorous auditing and monitoring. This includes regular internal audits of all BSA/AML processes, periodic independent third-party audits, and continuous monitoring of transactions and customer activity. There should be a straightforward process for addressing and remediating audit findings, with regular reporting to senior management and the board on audit results and program effectiveness.
2. Who comprises the compliance team?
The expertise of the compliance team is crucial in navigating complex regulatory landscapes. Look for a diverse team with a mix of legal, financial, and technological expertise.
A well-rounded team might include a chief legal & compliance officer, corporate counsel, senior compliance analysts, a finance settlement manager, information security leaders, and an operations director. This diversity helps ensure a comprehensive approach to compliance and security, reducing the risk of oversight that could lead to regulatory issues.
3. How does the organization embed compliance responsibilities across all departments?
Compliance should not be confined to a single department but should be integrated throughout the organization. A company-wide commitment to compliance should be evident through clear statements from leadership emphasizing its importance, inclusion of compliance objectives in departmental and individual performance metrics, and regular compliance updates in company-wide communications.
Training should extend beyond the compliance department. Look for providers that offer role-specific training illustrating how compliance impacts different job functions. Scenario-based learning can help employees identify and respond to potential compliance issues. The use of multiple training formats can cater to different learning styles, ensuring comprehensive understanding across the organization.
Clear communication channels for reporting potential issues are essential. This includes an anonymous whistleblowing hotline or reporting system, a defined escalation process for compliance concerns, and protection for employees who report potential violations. Regular reminders about these reporting channels reinforce the importance of speaking up.
A culture of compliance is characterized by the incorporation of compliance considerations into all business decisions and processes. This might include recognition for employees who demonstrate strong compliance behavior, zero tolerance for willful non-compliance regardless of an employee’s position, and regular compliance “town halls” or Q&A sessions to foster open dialogue about compliance matters.
4. What is the approach to regular internal audits and regulatory examinations?
In light of increased regulatory scrutiny, regular, independent audits are crucial. Inquire about the frequency and scope of the provider’s audits, including how often internal audits are conducted, what areas they cover, and how findings are categorized and addressed.
The provider’s relationship with regulatory bodies and sponsor banks is also important. Ask about their interaction with regulators outside of formal examinations, participation in regulatory outreach events or industry working groups, and their track record with past regulatory examinations.
A strong provider will have a formal process for reviewing and acting on audit and examination findings. This should include tracking and validating corrective actions, measuring the effectiveness of implemented changes, and sharing learnings across the organization.
Staying updated on regulatory changes and industry best practices is crucial. Look for providers that subscribe to regulatory update services, have relationships with outside counsel or consultants for complex regulatory matters, and participate in industry associations or forums.
Finally, inquire about their approach to continuous improvement. This might include using data analytics to enhance compliance programs, conducting regular risk assessments to identify potential gaps or emerging risks, and benchmarking their practices against industry peers.
Proactive Compliance in a Complex Regulatory Environment
The recent Wells Fargo disclosure reminds us that compliance is an ongoing process requiring constant attention and proactive measures. For compliance officers, risk practitioners, and internal audit executives, this underscores the importance of thorough due diligence when selecting and monitoring payment solution providers.
By asking these four key questions and critically evaluating the responses, you can significantly mitigate risks and ensure a more secure financial ecosystem for your organization. Remember, in today’s regulatory environment, compliance isn’t just about meeting minimum requirements—it’s about fostering a culture of integrity and security that permeates every aspect of your operations.
As you evaluate potential payment solution providers, look for partners who share this philosophy and demonstrate a commitment to excellence in compliance and security. In doing so, you’ll not only meet regulatory requirements but also build a foundation of trust with your customers, stakeholders, and regulators—a crucial asset in navigating today’s financial landscape.
Anna Fron is Chief Legal and Compliance Officer at Dash Solutions, a platform that provides digital payments and engagement program management to thousands of customers.