Welcome to TCA’s BSA Back to Basics article series!
Each month, our BSA experts will explore a section of the FFIEC BSA/AML Exam Manual, analyze the regulatory requirements, and offer insights into common findings in exams and audits. We will share best practices to help your BSA program continue to evolve.
The first section of the FFIEC manual is the BSA/AML Risk Assessment. Remember, risk assessments have become a mandatory first step to understanding and effectively managing compliance risk. The same holds true for the Bank Secrecy Act Program. The FFIEC Interagency BSA Examination Procedures (the “Manual”) stresses the importance of the BSA/AML risk assessment throughout its entirety.
The July 2019 Joint Statement on Risk-Focused Bank Secrecy Act/Anti-Money Laundering Supervision stated, “A bank’s well developed risk assessment is a critical part of sound risk management and assists examiners in understanding the bank’s risk profile.…” “Examiners review a bank’s BSA/AML risk assessment and independent testing to assess its ability to identify, measure, monitor, and control risk.” This roadmap is one key piece that multiple audiences, including examiners, the Board of Directors and senior management, are relying upon to evaluate your BSA Program.
The FFIEC began releasing updates to the BSA/AML Exam Manual in April 2020 that include revisions to the BSA/AML Risk Assessment Section. The FFIEC is going to send updates to the manual a few sections at a time. In the press release, the FFIEC emphasized that the updates do not create additional compliance responsibilities, but allow for greater transparency. One common question when developing a risk assessment relates to format and methodology. In TCA’s review of the updated BSA/AML Risk Assessment Section, we focused on the statement, “There are many effective methods and formats used in completing a BSA/AML risk assessment; therefore, examiners should not advocate a particular method or format. Bank management should decide the appropriate method or format, based on the bank’s particular risk profile. Whatever format management chooses to use for its risk assessment, it should be easily understood by all appropriate parties.”
The FFIEC statement gives financial institutions liberties in developing the methodology for the BSA/AML Risk Assessment, but that methodology needs to be easy to understand for all stakeholders. Each institution’s risk profile is different and the expectations for risk assessments are multi-dimensional. As you read this introduction, you are probably developing a list of questions: How many risk assessments does a bank need? How detailed do they need to be? Is there one formula that works best? What are current risk assessment trends? These questions have historically been a source of frustration for banks.
This article focuses on helping you understand regulator expectations for BSA and related risk assessments and empowers you to develop dynamic and relevant Assessment(s). Keep in mind that risk assessments are not a one-size-fits-all solution because the Manual stresses that the scope and depth of a risk assessment should be customized to your bank.
How many risk assessments are needed for a BSA Program?
The core procedures in the Manual identify three key risk assessments: Anti-Money Laundering (AML) Risk Assessment, CIP Risk Assessment, and OFAC Risk Assessment. Depending upon your specific circumstances (size, complexity, risk profile or appetite for risk), you may have additional assessments, such as an automated monitoring system (AMS) risk assessment. Some banks choose to combine these into one document, which is acceptable provided all components are addressed.
AML Risk Assessment – This assessment is the roadmap for your entire BSA program. Appendix J of the Manual provides a base foundation of elements and guidelines, but this is just the ending point. The instructions note that the matrix is to be used to form “conclusions.” If the assessment is limited to the statements in the matrix, it will likely not pass examiner scrutiny. In order to form reasonable conclusions regarding risk, the assessment must contain information to support the conclusions. Recent enforcement actions citing the need for “a more comprehensive BSA/AML risk assessment that identifies and considers all products and services of the branch, customer types and geographic locations, as appropriate, in determining inherent and residual risks” illustrate the increased regulatory focus. A well-designed and inclusive assessment allows for the development of appropriate risk-based controls. A comprehensive assessment identifies areas where stronger controls, such as additional or more frequent monitoring or enhancements to policy and procedure, are needed to ensure higher-risk attributes are managed according to the risk they pose.
The AML Risk Assessment is key to the ongoing identification of gaps in policies and/or procedures. For example, a previous year’s assessment indicates the bank has no clients who operate privately-owned ATMs (PO ATMs). While compiling data for the current year’s assessment, you identify three clients who operate PO ATMs. You now have a new risk attribute to consider. Client risk has increased, and you now may need to develop new processes for customer due diligence/enhanced due diligence and suspicious activity monitoring/activity analysis. Policies may need to be updated and procedures developed to enhance controls for these higher-risk customers.
Customer Identification Program (CIP) Risk Assessment – This is an assessment of a financial institution’s customer base and product offerings to assess the level of risk for verifying a customer’s identity at account opening in order to help the bank determine appropriate identification requirements for different account ownership types. TCA will analyze this risk assessment as part of TCA’s CIP Back to Basics article.
OFAC Risk Assessment – This is your assessment of the likelihood or risk of processing a transaction for a prohibited entity. TCA will analyze this risk assessment as part of TCA’s OFAC Back to Basics article.
Elements for a Comprehensive Risk Assessment
The basic assessment methodology should start with identification of applicable risk attributes, documenting an understanding of inherent risk for each and analyzing the sufficiency of controls to mitigate risk. Regardless of the assessment type, the content including your assertions and conclusions should be supported by documented analysis.
Your risk assessment should continue to evolve as your risk profile evolves. It is the roadmap to your program, so make sure it is comprehensive. We suggest developing a formula, which considers the following elements depending upon your risk profile:
Inherent Risk – This is the analysis of risk without any mitigating controls. Inherent risk includes your products and services, customers and entities, the geographic footprint of your institution, and the geographic risk of customer transactions. For example, inherent risk for a geographic location may be high because you are in a High Intensity Drug Trafficking Area (HIDTA) and High Intensity Financial Crime Area (HIFCA). Geographic risk also considers transactions sent or received involving higher risk jurisdictions such as countries with weak money laundering controls as identified by the Financial Action Task Force (FATF). In your analysis, you want to describe the potential risk if there were zero controls in place.
Qualitative Analysis – This analysis method looks at controls such as policy, procedures, internal controls, monitoring or other controls that help you manage the risk. For example, PO ATM customers may be considered low risk because the bank consistently applies account opening due diligence procedures and then performs effective monitoring to proactively identify these customers. Some common examples of internal controls that can be included:
- Know Your Customer Workflow – (CIP, CDD and EDD)
- Currency Transaction Reporting
- Suspicious Activity Reporting
- OFAC/Watchlist Screening/Response
- BSA Program Governance
- Training for Appropriate Personnel
- Independent Testing
Quantitative Analysis – Use numeric information to support your assessment of a risk attribute. For example, you may say you consider yourself low risk for PO ATM customers, but why? If you are a bank with only one customer with a PO ATM versus 25 PO ATMs, this provides support for your conclusion. For deposit and loan accounts, you may add “We have 300 accounts with total balances of $300,000.” Further stratification of the balances in these accounts gives you an even better picture for your analysis. Be aware that examiners want to see your analysis; if you cannot quantify your assessment with data points, we suggest a narrative which explains your methodology and reasons for your assignment of a risk rating or conclusion. Quantitative risk also includes transaction volume for higher risk products and services. For example, describe the dollar volume of transactions performed using remote deposit capture or wire transfers. Ensure there is consistency in time periods when documenting your year-over-year comparisons. Use of inconsistent time periods can result in potentially significant variances in customer base, transaction activities, etc. that can skew the accuracy of your conclusions.
Residual Risk – This is an analysis of risk after applying mitigating controls. For example, you have bank locations in a HIDTA or a HIFCA, which are considered inherently high-risk geographic locations. However, after performing your initial account due diligence and knowing your customer base, you may determine the risk is low as none of the customers are sending international wires, none of the customers located in this area are cash intensive, and nothing out of the ordinary is occurring in the area.
Another example is electronic banking. The product itself may be inherently high risk. However, you may not have many customers using the product and you review bill payment reports for suspicious activity which would lower the risk rating of this product because the bank is effectively monitoring the product.
Trending – Use historical numbers and volumes over time to identify patterns and trends. Evaluate whether risk is increasing, stable or decreasing. For example, compiling quantitative data over a period of three years shows trends that can be used to assess risk. This is a great way to utilize tables or charts in your risk assessment. For instance, you could design a chart that shows these trends.
Currency Transaction Reports (CTRs)

| Year | Volume of Accounts | % Change |
|------|--------------------|----------|
| 2017 | 75                 | NA       |
| 2018 | 81                 | 7%       |
| 2019 | 106                | 24%      |

This analysis demonstrates there was an increase in CTR volumes. Using the quantitative data, the qualitative analysis should explain the change in risk. Has the institution onboarded several new cash intensive customers? Was there a recent acquisition or branch opening that increased the customer base? The numbers tell us that risk changed; we should also demonstrate that we understand why the risk changed. You should also document any enhancements to internal controls that have been implemented to mitigate increasing risk.
Direction of Risk – Risk is not static, so an assessment should be projected over time based on the strategic plan, competition, political environment and more. For example, if the strategic plan calls for introducing remote deposit capture, risk will be increasing due to the addition of a new product or service. If an existing product is being phased out and volumes are going down, risk may be decreasing. Direction of risk typically is a forward-looking indicator of how you see risk changing over the next six months to a year, or a comparable period.
Again, these are just some of the methodologies TCA sees utilized in risk assessments. Ultimately, each risk assessment should allow you to identify a roadmap that explains your financial institution’s risk profile for your Board, Management Team, Auditors/Examiners and, most importantly, yourself as the BSA Officer managing a risk-based BSA Program.
Do I need to assign an overall rating?
Risk Assessments serve as a snapshot of how you see your risk and a roadmap for enhancements; there should be some form of an overall risk exposure conclusion. The Board of Directors needs to know the bank’s risk profile so they can fulfill their fiduciary responsibility. It is the Board’s responsibility to determine whether Management is adequately mitigating risk and to provide adequate resources to address risks identified in the Assessment. If the bank’s decision to open MSB accounts results in a higher risk rating, the Board needs to weigh the risk and the revenue considering the regulatory and reputation risk.
Examiners tell us that they consider your risk assessments to be “a snapshot of how the institution sees their risk.” A risk assessment needs to communicate “what does this all mean?” Your overall conclusion should be stated after considering the ratings of the individual factors.
What are some common concerns that TCA identifies in risk assessment reviews during BSA Audits?
TCA finds BSA risk assessments vary in size, methodology, structure, etc. We see some assessments that are only a few pages and others in multiple three-ring binders, but we do note common analysis methodologies.
Include all products or services – We have found general statements, such as “We offer traditional banking products.” A good risk assessment should be more descriptive and include specific products and services such as types of loans, checking, savings, non-deposit accounts, credit and prepaid cards, delivery channels, locations, outsourcing arrangements and more. Remember: Product and service risks are a major component of your institution’s overall risk profile. Therefore, it is important to recognize all products and services are not the same – pay special attention to those that inherently pose increased risk. For example, does a certificate of deposit pose the same risk as a transaction account? Also, make sure all business lines are included. For example, does your bank have any subsidiaries or affiliates?
Include all customer types – The risk assessment should identify customer types such as those listed in the FFIEC Manual. For example, an assessment said there were no high-risk customers, but were there money service businesses and accounts for foreign persons? Keep in mind, there is a difference between customers who are defined as being inherently higher risk in accordance with the FFIEC Manual, and those your BSA Program might define as high risk.
Periodic Updates – Most banks update their risk assessments on an annual basis, but there can be new products and services offered between updates. In addition, we have come across risk assessments where the quantitative analysis has not been updated annually. The bank will provide us a list of high-risk customers with 20 names on it; however, the risk assessment may state the bank has 10 high-risk customers. Be sure to update the quantitative data annually. Risk assessments are living dynamic documents. The risk assessment should state that updates will occur annually and as needed.
Address emerging risks – The BSA/AML landscape is constantly changing: marijuana businesses, virtual currency, video gaming, and third-party service providers. Addressing the Bank’s stance regarding these businesses or services is critical – and, if offered, what will be the mitigating controls?
Remember, it is critical to step back and answer the question “Does the risk assessment methodology effectively identify and evaluate risk?” This is the most critical question to be able to answer, and all readers should be able to draw the same conclusion. If your BSA/AML Risk Assessment does not tell the story of your institution’s BSA risk profile, TCA hopes this article provided some ideas to help the assessment continue to evolve.
TCA BSA consultants work with clients to prepare BSA/AML Risk Assessments or consult to prepare them for financial institutions.