Seal of the Commonwealth of Massachusetts
Massachusetts Audit Explorer - what the State Auditor found

← all audits

Division of Banks

March 23, 2017 · Read the full official report (PDF) ↗

Published March 23, 2017 Audit covers July 1, 2014 – June 30, 2016 Under Suzanne M. Bump · 2011–2023

In plain English
The audit found that the Division of Banks generally oversaw foreign money-transfer businesses, but it missed some important checks: confirming record retention, keeping its internal controls current, and promptly reporting missing property.
source
“DOB does not confirm that FTAs conducting business in Massachusetts maintain three years’ worth of records.”
Read the plain-English breakdown
What is this?

This is a 2017 Massachusetts State Auditor performance audit of the Division of Banks, covering July 1, 2014 through June 30, 2016.

“I am pleased to provide this performance audit of the Division of Banks.”
Why was it audited?

Auditors reviewed whether the Division of Banks properly oversaw foreign transmittal agencies, which are businesses that send money from Massachusetts consumers to people in other countries.

“FTAs receive funds from consumers for transfer to recipients located in foreign countries.”
What's in it for me?

If you use money-transfer services, this audit is about whether the state is checking that those companies keep required records and follow rules meant to protect consumers and prevent illegal financial activity.

“Section 2 of Chapter 169 of the General Laws requires an FTA to submit a surety bond to DOB for consumer protection against the FTA’s insolvency, bankruptcy, or failure to transfer funds.”
The bottom line

The auditors found three main problems: DOB did not fully confirm three years of required records, had an outdated internal control plan, and delayed reporting missing laptops.

“DOB did not immediately report unaccounted-for losses of property to OSA.”
What happens next

The audit recommended that DOB strengthen examiner checks, update its internal control plan, report losses right away, and improve business-continuity planning.

“DOB should require its examiners to verify that licensees maintain three years’ worth of records in accordance with applicable statutory and regulatory requirements and should communicate this requirement to its examiners.”
Why it's significant

This was not a finding that DOB failed at everything: auditors said DOB did properly check surety bonds and anti-money-laundering programs, but needed to fix specific oversight and internal-control gaps.

“Does DOB ensure that FTAs establish effective anti-money-laundering (AML) programs as required by regulations related to the federal Bank Secrecy Act?”
Jargon, unpacked

DOB means Division of Banks, OSA means Office of the State Auditor, FTA means foreign transmittal agency, AML means anti-money-laundering, and ICP means internal control plan.

“DOB does not confirm that FTAs conducting business in Massachusetts maintain three years’ worth of records.”

What the Auditor checked

What the Auditor found

DOB did not verify that foreign transmittal agencies maintained three years of required records.
recordkeeping/documentationlicensing/inspectionsinternal controls

Why it matters: There was a higher-than-acceptable risk that compliance with consumer protection and anti-money-laundering requirements was unsupported and that noncompliance would go undetected.

Standard: Section 10 of Chapter 169 of the Massachusetts General Laws and Sections 44 and 48 of Title 209 of the Code of Massachusetts Regulations ( Section 10 of Chapter 169 of the Massachusetts General Laws; Section 48 of Title 209 of the Code of Massachusetts Regulations; Section 44 of Title 209 of the Code of Massachusetts Regulations )

2 recommendations
  • DOB should require its examiners to verify that licensees maintain three years’ worth of records in accordance with applicable statutory and regulatory requirements and should communicate this requirement to its examiners.
  • DOB should follow up with the licensee whose policies did not define a record-retention period to ensure that it updates its policies to include this information.
Agency response & Auditor reply
Agency: "However, while the division believes its current practices are appropriate and have been effective in ensuring Licensees maintain adequate records, the Division is expanding its transaction testing of remittance records to ensure that licensees are maintaining records for a full three years as required by state law."
Auditor: "Although the division's Foreign Transmittal Examination Workprogram instructs examiners to confirm that licensees preserve their records in compliance with the applicable state and federal recordkeeping requirements, in practice DOB does not actually verify that they do so."
DOB’s internal control plan was outdated and did not include key enterprise risk management components.
internal controls

Why it matters: The weakness could hinder DOB’s ability to achieve its mission and objectives effectively, efficiently, and in compliance with applicable laws, rules, and regulations.

Standard: Office of the State Comptroller internal control guidelines and Internal Control Guide; COSO Enterprise Risk Management—Integrated Framework ( Enterprise Risk Management—Integrated Framework; OSC’s Internal Control Guide )

2 recommendations
  • DOB should ensure that it adheres to all of OSC’s requirements for developing and maintaining its ICP.
  • If necessary, DOB should continue to seek out training opportunities and guidance from OSC on this matter.
Agency response & Auditor reply
Agency: "The Division will incorporate [OSA’s] suggestion to ensure that the ICP addresses critical components of enterprise risk management in accordance with the Office of the State Comptroller’s guidance."
DOB did not immediately report missing laptops to the Office of the State Auditor.
asset/inventory controlreporting timelinessinternal controls

Why it matters: Delayed reporting can prevent or delay independent assessment of internal control weaknesses, and inaccurate ICQ information prevents OSC from assessing DOB’s internal controls effectively.

Standard: Chapter 647 of the Acts of 1989 ( Chapter 647 of the Acts of 1989 )

3 recommendations
  • DOB should ensure that all unaccounted-for losses are immediately reported to OSA.
  • DOB should update its ICP to include the immediate-reporting requirement and ensure that the requirement is communicated to its employees.
  • When necessary, DOB should seek advice and clarification from OSC on ICQ questions before completing its ICQ and submitting it to OSC.

Verified dollar findings

Projected / estimated $200 not in headline

Estimated or sample-projected amounts - shown separately because they are not a hard-identified dollar figure.

$200 - estimated value per laptop

Prior findings revisited

Being worked on
"We also followed up on a finding from a prior audit (No. 2011-0100-7T) related to DOB’s business continuity plan and management’s corrective action and found that management had not completely addressed the finding (Other Matters)."

More audits of this entity

Other Office of the State Auditor reports on Division of Banks , including the prior audits referenced above.

See this entity's page with all 4 audits →