Prevailing FFIEC guidance indicates the Bank Secrecy Act/Anti-Money Laundering (BSA/AML) risk assessment is fundamental to achieving an effective risk-based BSA/AML compliance program. In fact, the FFIEC BSA/AML Examination Manual emphasizes that examiners evaluate the financial institution’s risk assessment as part of the planning and scoping phase of the examination. In essence, the BSA/AML risk assessment is viewed as a roadmap for understanding the bank’s risk profile and thereby providing the foundation for performing an adequate evaluation of the institution’s BSA compliance program.
While the primary purpose of conducting an effective BSA/AML risk assessment is not simply to appease regulators, understanding the lens through which examiners view the assessment can be of value to the institution. As such, the following provides a high-level overview of the risk assessment process.
The first step in the risk assessment process is to identify the specific products, services, customers, entities, and geographic locations unique to the financial institution.
Typical products and services might include automated clearing house (ACH), automated teller machines (ATM), electronic banking, foreign exchange, lending, monetary instruments, private banking, and trust services.
Customers and entities can include business entities, cash-intensive businesses, nonbank financial institutions, nongovernmental organizations and charities, and professional service providers.
Geographic locations can be both foreign and domestic, with high-intensity drug trafficking areas and high-intensity financial crime areas often representing the most significant domestic risk.
The next step is to measure the inherent risk associated with products, services, customers, and geography and identify the specific policies, procedures, systems, and controls that serve to mitigate the inherent risk identified. This exercise can be of particular value in identifying potential gaps in internal controls or in identifying possible inefficiencies or redundancy in processes.
The net effect of the above is to identify the institution's residual BSA/AML risk in the categories mentioned above, as well as to determine the institution's aggregate BSA/AML risk profile. This allows senior management and the Board of Directors to review and assess whether the residual risk identified, individually or in the aggregate, is consistent with the risk appetite of the institution.
The above steps include:
Identify and measure risk
Assess risk mitigation
Evaluate residual risk individually and in the aggregate
Take appropriate steps to mitigate risks and/or enhance efficiency
The objective of the FFIEC risk assessment guidance is to facilitate the development of a risk-based BSA/AML compliance program. An effective BSA/AML risk assessment also serves as an integral part of an institution’s overall risk management function. Furthermore, it provides the foundation to achieve the ultimate goal of BSA/AML, which is to provide timely, relevant, actionable information to law enforcement to combat money laundering. Should you think this is your next step, your CRI Certified Anti-Money Laundering Specialist (CAMS) is ready to help you navigate the BSA/AML risk assessment process.