Wednesday, December 28, 2016






BSA Risk Assessments-What’s the Point

For those of you who have experienced a BSA examination or audit, you know one of the first things you are asked for is your BSA/OFAC risk assessment.  It has also likely been your experience to find a risk assessment deemed complete and not in need of some sort of enhancement is something of a “unicorn”.  In most cases, examinations and audits include a comment discussing the need to expand the risk assessment and to include more detail.  The detail required for a complete risk assessment is elusive at best.  Often, the right information for the risk assessment fits the famous Supreme Court definition of pornography- “you know it when you see it”. 

The FFIEC BSA manual is not exactly helpful when it comes to developing risk assessments.   The manual directs every financial institution should develop a BSA/AML and an OFAC risk assessment.  Unfortunately, the form the risk assessment should take or the minimum information required are left as open questions for the financial institution.   Thus, many financial institutions end up with a very basic document which has been developed to meet a regulatory requirement, but without much other meaning or use. 

As financial institutions continue to change and the number of financial products and type of institutions offering banking services grows, the risk assessment can be something entirely different. Taking the approach that the risk assessment can be used to formulate both the annual budget request and the strategic plan, can change the whole process. 

The FFIEC BSA examination manual specifically mentions risk assessments in the following section:

“The same risk management principles that the bank uses in traditional operational areas should be applied to assessing and managing BSA/AML risk. A well-developed risk assessment assists in identifying the bank’s BSA/AML risk profile. Understanding the risk profile enables the bank to apply appropriate risk management processes to the BSA/AML compliance program to mitigate risk. This risk assessment process enables management to better identify and mitigate gaps in the bank’s controls. The risk assessment should provide a comprehensive analysis of the BSA/AML risks in a concise and organized presentation, and should be shared and communicated with all business lines across the bank, board of directors, management, and appropriate staff; as such, it is a sound practice that the risk assessment be reduced to writing” [1]

 

This preamble has several important ideas in it.   The expectation is, management of an institution can identify:

·         Who its customers are:  including the predominant nature of the customer base- are you a consumer institution or a commercial at your core?  Who are the customers you primarily serve?   

·         What is going on in your service area?  Is it a high crime area or a high drug trafficking area, both or neither?  The expectation is you will know the types of things, both good and bad going on around you.  For example, if you live in an area where real estate is extremely high cost, there might be several “bad guys” buying property for cash as a means of laundering money.   The point is you need to know what is going on around you

·         Where are the outlier customers?  Do you know which types of customers who require being watched more than others?  There are some customers who, by the nature of what they do, require more observation and analysis than others.  The question is, have you identified these high-risk customers?

·         How well are you set up to monitor the risks at your institution?  Do you have systems in place are up to the task to discover “bad things” going?  Does the software you use really help the monitoring process?   This analysis should consider whether the staff you have   truly understand the business models your customers are using.  For example, if your customer base includes Money Service Businesses, do you have staff in place who know how money services business work and what to look for?  The best software in the world is ineffective if the people reading the output are not familiar with what normal activity at an MSB. 

·         Ties to the strategic plan: Does the BSA program have the resources to match changes in products or services planned for the institution? For example, if the institution plans to increase the number of accounts offered to money services business, does the BSA department have an increase in staff included in its budget?  

 

Effective Risk Management

 

The information and conclusions developed in the risk assessment should be used for planning the year for the BSA/AML compliance program.  The areas with the greatest areas of risk should also be the same areas with the greatest dedicated resources.   Independent audits and reviews should be directed to areas of greatest risk.  For example, if there are many electronic banking customers at the institutions while almost no MSB’s, then the audit scope should presumably focus on the electronic banking area and give MSB’s a limited review.  In addition, training should focus on the BSA/AML risks associated with electronic banking, etc.

 

Rethinking the Risk Assessment process

 

Continued development of new products and processes in finance and technology (“fintech”) and BSA/AML have opened the possibility of a vast array of potential new products for financial institutions.  Products such as digital wallets and stored value on smartphones have opened new markets for people who have been traditionally unbanked and underbanked. Financial institutions which are forward thinking should consider the possibility some of these new products have the potential to enhance income. 

 

The ability to safely and effectively offer new products depends heavily on the ability of the compliance department to fully handle the regulatory requirements of the products.  When preparing the risk assessment, consider the resources necessary to offer new and (money making products). 

 

There are no absolute prohibitions against banking high risk clients 

Per the FFIEC BSA Examination manual higher risk accounts are defined as:

“Certain products and services offered by banks may pose a higher risk of money laundering or terrorist financing depending on the nature of the specific product or service offered. Such products and services may facilitate a higher degree of anonymity, or involve the handling of high volumes of currency or currency equivalents” [2]

The Manual goes on to detail several other factors which should be considered when monitoring high risk accounts.  We note the manual does not conclude high risk accounts should be avoided. 

The BSA/AML examination manual (“exam manual”) establishes the standard for providing banking services to clients who may have a high risk of potential money laundering.  Financial institutions are expected to: 

  1. Conduct a risk assessment on each of these clients,
  2. Consider the risks presented
  3. Consider the strengthening of internal controls to mitigate risk
  4. Determine whether the account(s) can be properly monitored and administrated;
  5. Determine if the risk presented fits within the risk tolerance established by the Board of Directors. 

Once these steps are followed to open the account, for high risk customers, there is also an expectation there will be ongoing monitoring of the account for potential suspicious activity or account abuse.    The exam manual is also clear; once a procedure is in place to determine and properly mitigate and manage risks, there is no prohibition against having high risk customers.  The risk assessment section of the exam manual notes the following:  

“The existence of BSA/AML risk within the aggregate risk profile should not be criticized as long as the bank’s BSA/AML compliance program adequately identifies, measures, monitors, and controls this risk as part of a deliberate risk strategy.”[3]

Once an account has been determined to be high risk, and an efficient monitoring plan has been developed, there can be various levels of what high risk can mean.    When a customer’s activity is consistent with the parameters which have been established and have not varied for some time, then account can technically be high risk but not in practice.   For example, Money Services Businesses are considered “high-risk” because they fit the definition from the FFIEC manual.  However, a financial institution can establish who the customers of the MSB are and what they do.  A baseline for remittance activity, check cashing and deposits and wire activity can be established.   If the MSB’s activity meets the established baseline, the account remains “high risk” only in the technical meaning of the word.   Knowing what the customers’ business line is and understanding what the customer is doing as they continue without much variation reduces the overall risk. 

 

For a more complete discussion of the effective use of the BSA/AML risk assessment, please contact us at:  

***WWW.VCM4you.com***


[1] FFIEC BSA Examination Manual- risk assessments
[2] FFIEC BSA Examination Manual
[3] Ibid
Posted by at No comments:

Tuesday, December 13, 2016





Planning Your Compliance Year

As the year comes to close, for most people, it is time to celebrate with family and friends and to look forward to the new year with anticipation.  For risk and compliance officers at financial institutions, the new year comes with a bit of a different perspective.  For many years now, each new year brings a different set of regulations and the challenge of keeping financial institutions in compliance.   This is not necessarily a bad thing.  New challenges can present an opportunity for new and more efficient solutions.   There are some steps that you can take that can truly help you get to the goal of getting on top of compliance.    

 

Step One- Information Gathering

There are several sources for regulatory changes.  It is important to consider the fact that compliance and risk expectations can be changed by more than the implementation of new regulations.   Regulatory agencies respond to world events, the political environment, resources allocations, technology and many other factors.   One valuable source of information that is often overlooked are the annual plans or statements that are issued by the prudential regulations.  All three issue a plan that addresses the areas that they will emphasize in the upcoming year.[1]  For example, the Office of the Comptrollers’ annual report points out that strategic planning will be an emphasis of the examinations teams in 2017.    In addition, there are many organizations and agencies that list the effective dates for regulations.  At VCM, we have a form that lists regulations, effective dates and whether the regulation will apply to your organization. [2] Gathering information on the new regulations and regulatory initiatives is a key first step for planning the compliance year. 

Step Two - Setting the Parameters

The next step is to complete a risk assessment.  Often, we see risk assessments that are performed specifically for meeting a regulatory requirement.  In many cases, these assessments are completed and put away until it is time to do an annual update.  We believe that the risk assessment provides an excellent opportunity to set the parameters for your own compliance program.  Your risk assessment should include:

·         The areas where there have been regulatory of? internal audit findings in the past

·         The types of products the Bank offers and the risks associated with those products

·         New products contemplated

·         The management reports currently being generated by software

·         Changes in regulations that might affect the bank

·         Changes in staff that have occurred or are planned. 

The risk assessment should be designed to determine the areas where your institution has the greatest risk for violations or findings.  The assessment should be brutally honest and unflinching in its assessment of the compliance needs for your institution.  

The most important part of this step is to remember to USE the document that you have prepared!  The risk assessment should be the basic document that helps you make the case to senior management for additional staff and/or resources.   The risk assessment should also be used to help set the scope of the internal audits that are performed.  It is very rare that there will be time to cover every potential issue in a year so the risk assessment should help prioritize resources.    The risk assessment should also be used to set the training calendar.  

Step Three- Checking Twice  

In addition to going through the regulations, it is necessary to make sure your policies and procedures match the requirements.  For example, have you developed a solid method for making sure that you comply with the “valuations rules” of regulations B and Z?  Do you know what these are and how they affect you? 

It is also a very good idea to sign up for all the “Free stuff” that the regulators publish about compliance.   These can be used as useful supplemental training tools.  There is a great deal of very helpful information made available by the Federal Reserve and the CFPB. [3]

Step Four-Call for Help!

One of the benefits of completing a comprehensive compliance risk assessment is that the results can help you determine the level of support that is needed.   Far too often compliance departments get additional resources only after the staff has been overwhelmed or has experienced a poor result from an audit or examination.  However, as the saying goes, an ounce of prevention is worth a pound of cure.  Identifying the areas that are the highest risk and asking for help in those areas before they become a problem is a best practice that will enhance your compliance program and the quality of your life! 

One of the best areas to get support for compliance is through the staff at your bank.   At the end of the day, compliance is a team effort that requires the input of the whole bank to be most effective.  One of the themes that we have noticed over the years is that people tend to buy in more when they understand the how’s and whys of compliance.  While online training classes are clearly efficient and relatively inexpensive, they sometimes can lack the perspective that gives the staff members the reason why the regulation exists.   For example, we have found that taking the time to explain what it is that BSA laws and rules are trying to accomplish to the staff members who are opening accounts has dramatically improved the collection of data for CIP.  The same is true for Regulation B and a host of other areas.  By helping bank staff understand that there really are good reasons why you are so insistent on complete and accurate disclosures, you can greatly reduce the error rate in these disclosures.   The more help from staff that you get, the more efficient you can be. 

 

Step Five- Execute the Plan

Once you have completed the risk assessment, prioritize the risks and asked for help, it is time to execute the plan.   Make sure that the scope of the audits that you are getting will meet your needs and give you information on how things are going.   Regulators have become increasingly critical of audit scopes that are too general or that do not cover specific areas of compliance weakness at the bank.   The internal audit is an important tool that should be used to help find areas that need attention.  It is true that the auditor is your friend.  The results of audits should be taken seriously and positively as this is your opportunity to determine levels of compliance without having regulatory problems.  

Like all good coaches, as a compliance officer you know the areas where your team is the weakest.  Make sure that your compliance plan is designed to address these areas from the outset.  If training has been a concern for example, then make sure that you have addressed the root of the problem. 

Step Six-Remain Flexible

There is a parable that says that if you want to prove that God has a sense of humor- then try making your own plans.  There is no question that the best-laid plans can sometimes go awry.  Therefore, it is important that you build flexibility into your plan.  For example, even though you may have wanted to do flood insurance testing in the first quarter, you might find that the more urgent area of risk is compliance with HMDA.  Even though flood insurance will always be a “hot button” issue, there are times when the greater area of risk can be somewhere else.  The point is that your plan can hit all the highest areas of risk to ensure that your program is successful. 

 
Planning your compliance year cannot only keep you ahead of trouble; it can help you start making different New Year’s resolutions! 

[1] See for example, http://www.occ.gov/news-issuances/news-releases/2015/nr-occ-2015-130.html, https://www.fdic.gov/about/strategic/performance/supervision.html
 
[2] This form can be found on our website at www.vcm4you.com
[3] http://www.philadelphiafed.org/results.cfm?sort=rel&start=0&text=compliance`1

 
Posted by at No comments:
Subscribe to: Posts (Atom)