Risk assessment is a familiar term in the banking industry. Bank management regularly performs risk assessments for information technology, safeguarding customer information, and audit programs. However, the first release of the Federal Financial Institution Examination Council's (FFIEC) Bank Secrecy Act/Anti-Money Laundering (BSA/AML) Examination Manual on June 30, 2005, was the first document to provide guidance on developing a risk assessment for an institution's BSA/AML program. So while assessing risk is not a new process for bank management, many bankers continue to struggle with developing a detailed and appropriate risk assessment for their bank's BSA/AML program.
Many institutions, particularly community banks, simply do not know where to begin when attempting to develop a BSA/AML risk assessment. An important element to keep in mind throughout the process is that the risk assessment will dictate the institution's overall BSA/AML compliance program, including the content of the institution's policies and procedures, the necessary qualifications and experience of the institution's BSA officer, the comprehensiveness of training and internal controls, the scope of the independent test, and the requirements set forth by the institution's customer identification program.
So, how should bank management determine whether the institution's BSA/AML risk assessment is adequate to identify, measure, monitor, and control BSA/AML risks before the regulators conduct their next examination? Many institutions have used Appendix J in the FFIEC BSA/AML Examination Manual as a template, and while this is definitely a good reference point, Appendix J is only intended for regulators to determine BSA/AML regulatory risk. The following pointers should provide bank management with a better understanding of the overall regulatory expectations.
One of the most common deficiencies noted by examiners is that the organization's risk assessment does not take into consideration all of the institution's business lines and operating subsidiaries. This is particularly true for companies that administer the BSA/AML compliance program at the holding company level or at the lead bank. Management must consider how the risks of one business line are interrelated with other business lines within the organization.
Some smaller institutions with less complex structures often forget to incorporate trust, broker/dealer, and mortgage activities. However the institution is structured, management must exhibit cross-organizational awareness and reassess risks periodically in order to keep pace with the changing business environment.
Identify Risk Categories
After all business lines and entities that should be included in the risk assessment have been identified, all products, services, customers, and geographic locations that are unique to the institution should be documented. While management should assess AML risks associated with each risk category, there are certain products, services, customers, and geographic locations that are more susceptible to AML risks or have been used historically for illicit means. Management must also consider how the institution interacts with its customers, whether it is face-to-face contact or through an online banking product.
Products and services. Management should identify all of the products and services offered by the bank and the risk that each could be used for money laundering. Special consideration should be given to products or services that may facilitate a higher degree of anonymity or involve the handling of high volumes of cash or cash equivalents. One example would include electronic funds payment services, such as stored value cards, funds transfers, pay upon proper identification transactions, third party payment processors, remittance activity, and automated clearing house transactions. Other examples include automated teller machines, electronic banking, private banking, trust and asset management services, monetary instruments, foreign correspondent accounts, trade finance, special use or concentration accounts, lending activities, and nondeposit account services. This list is not meant to be all-inclusive, and products and services will vary by institution.
Customers and entities. A very important part of a strong risk assessment is knowing your customer. Management must understand the relationship between its institution's Customer Identification Program (CIP) and the institution's overall customer risk. Management is expected to assess the risk of the institution's customer base. This process was introduced in October 2003, with the implementation of Section 326 of the U.S.A. PATRIOT Act, which requires institutions to establish a CIP.1 According to the CIP, management must ensure that a customer's risk is determined at account opening. In order to get a full understanding of the risks posed by the institution's customers, institutions were expected to review all existing customer relationships.
An important point to remember, which is something frequently noted by examiners, is that the prescribed list of businesses ineligible for exemption under 31 C.F.R. 103.22 (d)(6)(viii) is not sufficient for determining the level of risk associated with each customer.2 Management is expected to take certain factors into consideration when making the determination, including which types of customers have been historically associated with money laundering or illicit activities. However, management must make the final determination based on factors unique to the specific customer and take actual transaction volumes into consideration.
The analysis of the customer base for risk assessment purposes should be granular. For example, the FFIEC BSA/AML Examination Manual discusses various groups of customers and entities that are considered to be high risk for money laundering, such as professional service providers, cash-intensive businesses, nonbank financial institutions, non-resident aliens, etc. However, management may narrow the list even further and identify the risk associated with each customer or entity type. An example of this is lawyers, who are a type of professional service provider. Some concerns with lawyers include the layer of anonymity between the client and the lawyer and the potential for commingled funds in interest on lawyers' trust accounts. Simply stating that the institution has several customers that are professional service providers is not acceptable.
Geographic locations. Examiners often note that bank management has only listed the geographic areas where the institution operates within the risk assessment. However, bank management should also determine the areas that all of the institution's branches, entities, customers, and transactions reach. The next step is to determine which areas, both foreign and domestic, bank management considers to be high risk.
Management should give special consideration to locations with a higher level of perceived risk, including:
The more detailed information provided in the risk assessment, the better the quality of the overall product. After management identifies all risk categories, it should quantify the risk for each category. This may require some research.
Management should quantify risk using actual numbers. Some examples include volume of wire transfer activity and cash, percentages of customers in certain geographies, number of customers by customer type, etc. However, sometimes nonfinancial indicators are more appropriate. For example, the institution may be in the position to determine the risk associated with a customer that is a nonbank financial institution, such as a money services business (MSB). Management should understand specifically which products and services the MSB offers, as well as the extent of the MSB's operations, whether they are foreign or domestic.
Finally, management should make an overall evaluation of the institution's BSA/AML risk. Is the level of risk low, moderate, or high? The evaluation should be based on the various risk categories included in the institution's risk assessment. The overall risk profile and the level of risk in the various risk categories should assist management with establishing risk mitigants when designing an appropriate BSA/AML compliance program.
Update Often and Seek Approval
Similar to other risk assessments management may prepare, the BSA/AML risk assessment should be approved by the board of directors and updated at least every 12 to 18 months. Furthermore, the risk assessment should be considered a living document and should be updated and approved on an as-needed basis. Bank management with proactive risk management programs always evaluate BSA/AML risk upon the development of new products or services.
Don't Forget About OFAC
Even though OFAC compliance is separate and distinct from BSA/AML compliance, the regulatory expectation is that management should evaluate the institution's OFAC risk by developing a risk assessment that evaluates the institution's OFAC risks. This could be prepared as part of the same document as the BSA/AML risk assessment, or it can be a stand-alone document. However, consistent with the BSA/AML risk assessment, the expectation is that the bank's OFAC compliance program should be dictated by management's assessment of overall OFAC risk.
Developing an appropriate BSA/AML risk assessment for your institution does require a significant time and resource commitment, especially for more complex organizations. However, the quality of the institution's risk assessment often dictates management's ability to develop appropriate risk mitigants and administer an effective BSA/AML compliance program.
For more information about BSA/AML compliance, please visit www.ffiec.gov (the FFIEC's BSA/AML Infobase) or contact Manager Adina Himes (firstname.lastname@example.org) at (215) 574-6443.
The views expressed in this article are those of the author and are not necessarily those of this Reserve Bank or the Federal Reserve System.