BSA Risk Assessments: What’s the Point?
For those of you who have experienced a BSA examination or audit, you know one of the first things you are asked for is your BSA/OFAC risk assessment. It has also likely been your experience that a risk assessment deemed complete and not in need of some sort of enhancement is something of a “unicorn”. In most cases, examinations and audits include a comment discussing the need to expand the risk assessment and to include more detail. The detail required for a complete risk assessment is elusive at best. Often, the right information for the risk assessment fits the famous Supreme Court definition of pornography: “you know it when you see it”.
The FFIEC BSA manual is not exactly helpful when it comes to developing risk assessments. The manual directs that every financial institution should develop a BSA/AML and an OFAC risk assessment. Unfortunately, the form the risk assessment should take and the minimum information required are left as open questions for the financial institution. Thus, many financial institutions end up with a very basic document which has been developed to meet a regulatory requirement, but without much other meaning or use.
As financial institutions continue to change, and as the number of financial products and the types of institutions offering banking services grow, the risk assessment can become something entirely different. Taking the approach that the risk assessment can be used to formulate both the annual budget request and the strategic plan can change the whole process.
The FFIEC BSA examination manual specifically mentions risk
assessments in the following section:
“The same risk management principles that the bank uses in
traditional operational areas should be applied to assessing and managing
BSA/AML risk. A well-developed risk assessment assists in identifying the
bank’s BSA/AML risk profile. Understanding the risk profile enables the bank to
apply appropriate risk management processes to the BSA/AML compliance program
to mitigate risk. This risk assessment process enables management to better
identify and mitigate gaps in the bank’s controls. The risk assessment should
provide a comprehensive analysis of the BSA/AML risks in a concise and
organized presentation, and should be shared and communicated with all business
lines across the bank, board of directors, management, and appropriate staff;
as such, it is a sound practice that the risk assessment be reduced to
writing” [1]
This preamble has several important ideas in it. The expectation is that management of an institution can identify:

Who its customers are: including the predominant nature of the customer base. Are you a consumer institution or a commercial institution at your core? Who are the customers you primarily serve?

What is going on in your service area: Is it a high crime area, a high drug-trafficking area, both, or neither? The expectation is that you will know the types of things, both good and bad, going on around you. For example, if you live in an area where real estate is extremely high cost, there might be several “bad guys” buying property for cash as a means of laundering money. The point is you need to know what is going on around you at all times.

Where the outlier customers are: Do you know which types of customers require being watched more closely than others? There are some customers who, by the nature of what they do, require more observation and analysis than others. The question is, have you identified these high-risk customers?

How well you are set up to monitor the risks at your institution: Do you have systems in place that are up to the task of discovering “bad things” going on? Does the software you use really help the monitoring process? This analysis should consider whether the staff you have truly understand the business models your customers are using. For example, if your customer base includes Money Services Businesses (MSBs), do you have staff in place who know how money services businesses work and what to look for? The best software in the world is ineffective if the people reading the output are not familiar with what normal activity at an MSB looks like.

Ties to the strategic plan: Does the BSA program have the resources to match changes in products or services planned for the institution? For example, if the institution plans to increase the number of accounts offered to money services businesses, does the BSA department have an increase in staff included in its budget?
Effective Risk Management
The information and conclusions developed in the risk assessment should be used for planning the year for the BSA/AML compliance program. The areas of greatest risk should also be the areas with the greatest dedicated resources. Independent audits and reviews should be directed to the areas of greatest risk. For example, if there are many electronic banking customers at the institution and almost no MSBs, then the audit scope should presumably focus on the electronic banking area and give MSBs a limited review. In addition, training should focus on the BSA/AML risks associated with electronic banking, and so on.
Rethinking the Risk Assessment Process
Continued development of new products and processes in finance and technology (“fintech”) and in BSA/AML has opened the possibility of a vast array of potential new products for financial institutions. Products such as digital wallets and stored value on smartphones have opened new markets for people who have traditionally been unbanked and underbanked. Financial institutions which are forward thinking should consider the possibility that some of these new products have the potential to enhance income.
The ability to safely and effectively offer new products depends heavily on the ability of the compliance department to fully handle the regulatory requirements of the products. When preparing the risk assessment, consider the resources necessary to offer new (and money-making) products.
There are no absolute prohibitions against banking high risk clients
Per the FFIEC BSA Examination manual, higher risk accounts are defined as:
“Certain products and services offered by banks may pose a
higher risk of money laundering or terrorist financing depending on the nature
of the specific product or service offered. Such products and services may
facilitate a higher degree of anonymity, or involve the handling of high
volumes of currency or currency equivalents” [2]
The Manual goes on to detail several other factors which should be considered when monitoring high risk accounts. We note the manual does not conclude that high risk accounts should be avoided.
The BSA/AML examination manual (“exam manual”) establishes the standard for providing banking services to clients who may have a high risk of potential money laundering. Financial institutions are expected to:
1. Conduct a risk assessment on each of these clients;
2. Consider the risks presented;
3. Consider strengthening internal controls to mitigate risk;
4. Determine whether the account(s) can be properly monitored and administered;
5. Determine if the risk presented fits within the risk tolerance established by the Board of Directors.
Once these steps are followed to open the account for a high risk customer, there is also an expectation that there will be ongoing monitoring of the account for potential suspicious activity or account abuse. The exam manual is also clear: once a procedure is in place to determine and properly mitigate and manage risks, there is no prohibition against having high risk customers. The risk assessment section of the exam manual notes the following:
“The existence of BSA/AML risk within the aggregate risk
profile should not be criticized as long as the bank’s BSA/AML compliance
program adequately identifies, measures, monitors, and controls this risk as
part of a deliberate risk strategy.”[3]
Once an account has been determined to be high risk and an efficient monitoring plan has been developed, there can be various levels of what high risk means. When a customer’s activity is consistent with the parameters which have been established and has not varied for some time, then the account can technically be high risk but not in practice. For example, Money Services Businesses are considered “high-risk” because they fit the definition from the FFIEC manual. However, a financial institution can establish who the customers of the MSB are and what they do. A baseline for remittance activity, check cashing, deposits and wire activity can be established. If the MSB’s activity meets the established baseline, the account remains “high risk” only in the technical meaning of the word. Knowing what the customer’s business line is and understanding what the customer is doing as they continue without much variation reduces the overall risk.
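The baseline-and-variation idea in this last paragraph, as an added illustration that is not from the post or any vendor's monitoring product: monthly totals for the MSB activity lines the post names are compared against a baseline built from prior months, and the account is labelled stable (high risk in the technical sense only) or deviating (due for a closer look). The history, the current-month figures and the tolerance settings are constructed sample values.

```python
from statistics import mean, pstdev

# Activity lines the post says a baseline can be set for at an MSB customer.
CATEGORIES = ("remittances", "check_cashing", "deposits", "wires")

# Constructed sample data: six prior months of one MSB's monthly totals (USD).
HISTORY = [
    {"remittances": 41000, "check_cashing": 95000, "deposits": 120000, "wires": 30000},
    {"remittances": 43500, "check_cashing": 91000, "deposits": 118000, "wires": 32000},
    {"remittances": 39800, "check_cashing": 98000, "deposits": 125000, "wires": 29500},
    {"remittances": 42200, "check_cashing": 94000, "deposits": 121000, "wires": 31000},
    {"remittances": 40900, "check_cashing": 96500, "deposits": 119500, "wires": 30500},
    {"remittances": 42800, "check_cashing": 93000, "deposits": 122500, "wires": 31500},
]
# Constructed current-month figures: one consistent with history, one that is not.
STABLE_MONTH = {"remittances": 42000, "check_cashing": 97000, "deposits": 123000, "wires": 31000}
DEVIANT_MONTH = {"remittances": 42500, "check_cashing": 60000, "deposits": 123500, "wires": 95000}

def build_baseline(history):
    """Per-category (mean, population stdev) over the prior periods."""
    if len(history) < 2:
        raise ValueError("need at least two prior periods to set a baseline")
    return {c: (mean(p[c] for p in history), pstdev(p[c] for p in history))
            for c in CATEGORIES}

def review_period(baseline, observed, sigmas=3.0, min_ratio=0.10):
    """Compare one period against the baseline; returns {category: flag}.
    Tolerance per category is the larger of a sigmas*stdev band and a
    min_ratio*mean band, so a very steady history (stdev near zero) does not
    turn ordinary month-to-month wobble into alerts. Flags: ok/above/below."""
    flags = {}
    for c, (avg, sd) in baseline.items():
        tolerance = max(sigmas * sd, min_ratio * avg)
        diff = observed[c] - avg
        flags[c] = "ok" if abs(diff) <= tolerance else ("above" if diff > 0 else "below")
    return flags

def account_status(history, observed):
    """Label the account as the post describes: 'stable' (technically high risk,
    activity within its own baseline) or 'deviation' (due for a closer review)."""
    flags = review_period(build_baseline(history), observed)
    deviations = {c: f for c, f in flags.items() if f != "ok"}
    status = "stable" if not deviations else "deviation"
    return {"status": status, "deviations": deviations}

if __name__ == "__main__":
    for label, month in (("stable", STABLE_MONTH), ("deviant", DEVIANT_MONTH)):
        print(label, account_status(HISTORY, month))
```

The tolerance settings are illustrative; in practice they would come from the parameters the institution documents for that customer in its risk assessment.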