Skip to main content

Risk assessment is the BSA key

By William J. Showalter, CRCM; senior consultant, Young & Associates

Your bank has an opportunity to frame your next Bank Secrecy Act/Anti-Money Laundering/Countering the Financing of Terrorism (BSA/AML/CFT) examination – much as you do your Community Reinvestment Act (CRA) exam by preparing a summary of the “performance context” within which you operate.

The agencies state that a well-developed BSA/AML/CFT risk assessment assists the bank in identifying money laundering, terrorist financing, and other illicit financial activity risks and in developing appropriate internal controls – policies, procedures, and processes. Understanding its risk profile enables the bank to better apply appropriate risk management processes to the BSA/AML/CFT compliance program to mitigate and manage risk and comply with BSA regulatory requirements. The BSA/AML/CFT risk assessment process also enables the bank to better identify and mitigate any gaps in controls.

Risk-focused exam process

The interagency examination procedures provide that the extent of BSA/AML/CFT examination activities necessary to assess the bank generally depends on the bank’s risk profile and the quality of risk management processes to identify, measure, monitor, and control risks, as well as to report potential money laundering, terrorist financing, and other illicit financial activity. Given that banks vary in size, complexity, and organizational structure, the agencies acknowledge that each bank has a unique risk profile, and the scope of a BSA/AML/CFT examination varies by bank.

The first step in a BSA/AML/CFT examination is a scoping and planning process. At this preliminary stage of the activity, examiners analyze existing information about the bank – off-site monitoring information, previous examination reports and workpapers, BSA-reporting databases, other communications with the bank, and independent reviews or audits. Examiners also scrutinize request letter items completed by bank management and, perhaps most important in some ways, the bank’s BSA/AML/CFT risk assessment.

BSA examiners are charged to determine the BSA/AML/CFT risk profile of the bank as a part of the scoping and planning process. The preferred method for accomplishing this goal centers on a review of the bank’s risk assessment. While banks are not required to perform such an assessment, it is central to ensuring that a BSA/AML/CFT program is appropriate for the bank, given its product and customer mix, as well as location risk factors. The agencies consider that an effective risk assessment should be a composite of multiple factors, and depending on the circumstances, certain factors may be weighed more heavily than others.

The information contained in the BSA/AML/CFT risk assessment assists examiners in developing an understanding of the bank’s risk profile, risk-focusing the examination scope, and assessing the adequacy of the bank’s overall BSA/AML/CFT compliance program and its compliance with BSA regulatory requirements.

Examiners are directed to focus, when evaluating the bank’s BSA/AML/CFT risk assessment, on whether the bank has effective processes resulting in a well-developed risk assessment. They are not to take any single indicator as determinative of the existence of a lower- or higher-risk profile for the bank. Any assessment of risk factors is bank-specific, and a conclusion regarding the bank’s risk profile is to be based on a consideration of all pertinent information.

Examiners are to assess whether the bank has developed a BSA/AML/CFT risk assessment that identifies its money laundering, terrorist financing, and other illicit financial activity risks. Examiners are also to assess whether the bank has considered all its products, services, customers, and geographic locations in its assessment, and whether the bank analyzed the information relative to those risk categories.

If a bank has not prepared a BSA/AML/CFT risk assessment, or if its assessment is deemed inadequate, the examiner is directed to discuss this fact with management, as well as prepare their own risk assessment. The reason for this emphasis on a bank-prepared risk assessment is that the bank’s BSA/AML/CFT program should be tailored to the risks it faces, and the agencies see an assessment as an important tool to assist the bank in effectively managing BSA risks and critical in developing appropriate internal controls.

Using your risk assessment

An appropriate BSA risk assessment provides the bank with a foundation on which to build a successful compliance program addressing this area. This risk assessment is not a static document. You will have to monitor changes in the bank’s product offerings (e.g., virtual currency-related services), business environment, regulatory changes, bank personnel, and so forth – and make appropriate changes to policy and procedure – to ensure that the foundation remains strong under the bank’s BSA/AML/CFT compliance program.

The agencies expect that the bank will structure its BSA/AML/CFT compliance program to address its risk profile, based on the bank’s assessment of risks, as well as to comply with BSA regulatory requirements. Specifically, the bank should develop appropriate policies, procedures, and processes to monitor and control its money laundering, terrorist financing, and other illicit financial activity risks.

For example, the bank’s monitoring system to identify, research, and report suspicious activity should be risk-based to incorporate any necessary additional screening for higher-risk products, services, customers, and geographic locations as identified by the bank’s BSA/AML/CFT risk assessment.

Also, independent testing (audit) should review the bank’s BSA/AML/CFT risk assessment, including how it is used to develop the BSA/AML compliance program.

Banks that choose to implement a consolidated or partially consolidated BSA/AML/CFT compliance program should assess risk within business lines and across activities and legal entities.

Consolidating money laundering, terrorist financing, and other illicit financial activity risks for larger or more complex banking organizations may assist senior management and the board of directors in identifying, understanding, and appropriately mitigating risks within and across the banking organization.

To understand money laundering, terrorist financing, and other illicit financial activity risk exposures, the banking organization should communicate across all business lines, activities, and legal entities. Identifying a vulnerability in one aspect of the banking organization may indicate vulnerabilities elsewhere.

Conclusion

The importance of a BSA/AML/CFT risk assessment cannot be overstated. A bank-prepared assessment can establish the direction a bank’s BSA/AML/CFT program will take, as well as guiding BSA exams and other reviews/audits. Just as with a CRA performance context, preparing your own BSA/AML/CFT risk assessment can provide the roadmap to guide your compliance – and examiners’ evaluation of your program. And the agencies have given you a roadmap to guide your risk assessment – the BSA/AML/CFT examination procedures. Use it, if you have not already, before the examiners come for their next visit.

Checking your BSA program is more important than ever

By William J. Showalter, CRCM; senior consultant, Young & Associates

Over the past year, we have seen at least 27 Bank Secrecy Act (BSA) enforcement actions from an array of financial institution supervisory agencies.  Banks of all sizes continue to be hit with cease and desist (C&D) orders, formal agreements, consent orders, and even civil money penalties (CMP).  Five of these actions involved monetary penalties of some sort totaling nearly $4 billion – all but about $109 million coming from one case with four federal agency actions against one bank, and one $100,000 CMP imposed against an individual for BSA noncompliance.  These enforcement actions remind us that even community banks and thrifts must have thorough and well-managed BSA compliance programs.

The enforcement actions do not spell out specifics of what the agencies found at each institution, but they do give us important insights into what the regulators will expect during your next BSA compliance exam.

Community banks should evaluate their BSA compliance programs in light of the corrective actions that regulators require these institutions to take.

Another important issue that financial institution management should remember is that the USA PATRIOT Act made BSA compliance as important as Community Reinvestment Act (CRA) compliance in getting an application approved.  The act adds BSA as a factor for consideration in merger transactions. The agency must take into consideration “the effectiveness of any insured depository institution involved in the proposed merger transaction in combating money laundering activities.”  This means that banks and thrifts must have more than a written BSA program.  They must be able to demonstrate that the program works.

BSA compliance programs

All insured banks and thrifts must develop, administer, and maintain a program that assures and monitors compliance with the BSA and its implementing regulations, including recordkeeping and reporting requirements. Such a program can help protect a bank against possible criminal and civil penalties and asset forfeitures.

At a minimum, the board of directors must approve a bank’s written internal compliance program and note the approval in the board meeting minutes.

The program must include at least the following elements:

  • A system of internal controls to assure ongoing compliance
  • Independent testing of compliance
  • Daily coordination and monitoring of compliance by a designated person
  • Training for appropriate personnel
  • Risk-based customer due diligence/beneficial ownership procedures

Internal controls for the BSA

Senior management is responsible for assuring an effective system of internal controls for the BSA, including suspicious activity reporting, and must demonstrate its commitment to compliance by:

  • Establishing a comprehensive program and set of controls, including account opening, monitoring, and currency reporting procedures
  • Requiring that senior management be kept informed of compliance efforts, audit reports, identified compliance deficiencies, and corrective action taken – to assure ongoing compliance
  • Making BSA compliance a condition of employment
  • Incorporating compliance with the BSA and its implementing regulations into job descriptions and performance evaluations of bank personnel

Independent testing of compliance

The bank’s internal or external auditors should be able to:

  • Attest to the overall integrity and effectiveness of management systems and controls, and BSA technical compliance
  • Test transactions in all areas of the bank with emphasis on high-risk areas, products, and services to assure the bank is following prescribed regulations
  • Assess employees’ knowledge of regulations and procedures
  • Assess adequacy, accuracy, and completeness of training programs
  • Assess adequacy of the bank’s process for identifying suspicious activity

Internal review or audit findings should be incorporated after each assessment into a board and senior management report and reviewed promptly.  Appropriate follow up should be assured.

Regulators increasingly expect the BSA audit or testing program to also include these elements:

  • Confirmation of the integrity and accuracy of management information reports used in the AML compliance program
  • Overall integrity and effectiveness of the program
  • Evaluation of management’s efforts to resolve violations deficiencies
  • Evaluation of the effectiveness of the suspicious activity monitoring systems
  • Review of the BSA risk assess­ment for reasonableness given the bank’s risk profile

BSA compliance officer

A bank or thrift must designate a qualified bank employee as its BSA compliance officer, who has day-to-day responsibility for managing all aspects of the BSA compliance program and compliance with all BSA regulations.  The BSA compliance officer may delegate certain BSA compliance duties to other employees, but not compliance responsibility.

The bank’s board of directors and senior management must assure that the BSA compliance officer has sufficient authority and resources – time, funding, staffing – to administer effectively a comprehensive BSA compliance program.  And, the BSA officer must have a direct reporting channel to the board of directors.

Board of directors

The board must ensure that it exercises supervision and direction of the BSA/AML program.  This involves making sure that the institution develops sound BSA/AML policies, procedures, and processes that are approved by the board and implemented by management.  The board also has to ensure that the bank maintains a designated BSA officer with qualifications commensurate with the bank’s situation.  As noted above, the BSA officer must report directly to the board and be vested with sufficient authority, time, and resources.  The board must provide for an adequate independent testing of BSA/AML compliance.  The board should bear in mind that it has the ultimate responsibility for the institution’s BSA compliance.

Training

Financial institutions must ensure that appropriate bank personnel are trained in all aspects of the regulatory requirements of the BSA and the bank’s internal BSA compliance and anti-money laundering (AML) policies and procedures.

An effective training program includes provisions to assure that all bank personnel, including senior management, who have contact with customers (whether in person or by phone), who see customer transaction activity, or who handle cash in any way, receive appropriate training.  Board members also need to receive regular BSA/AML training, though at a much higher level with less detail than institution line employees.

The training needs to be ongoing and incorporate current developments and changes to the BSA, AML laws, and agency regulations.  Banks should address new and different money laundering schemes involving customers and financial institutions. The program should also include examples of money laundering schemes and cases, tailor them to the audience, and explain how the audience can detect or resolve such activities.

Another focus of the training should be on the consequences of an employee’s failure to comply with established policy and procedures (e.g., fines or termination).  These programs also should provide personnel with guidance and direction in terms of bank policies and available resources.

Beneficial ownership procedures

The beneficial ownership rule contains three core requirements:

  • Identifying and verifying the identity of the beneficial owners of companies opening accounts
  • Understanding the nature and purpose of customer relationships to develop customer risk profiles, and
  • Conducting ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information

A beneficial owner is an individual who owns more than 25 percent of the equity interest in a company or is the single individual who exercises control.  Also subject to these requirements is the one person who has control of each legal entity customer.

Beyond the basics

BSA enforcement actions continue to raise the bar for all financial institutions. BSA compliance programs must meet additional standards to be considered adequate to address the ever‑evolving challenges that arise over time.

  • Customer due diligence (CDD). Verifying a customer’s name, address, date of birth and identification number will satisfy the basic BSA customer identification requirements.  However, these four pieces of information will not be enough to help an institution deter­mine a customer’s typical account activity.  The recent C&D orders make clear that regulators expect community bank managers to use information collected as part of the institution’s CDD process to predict the type, dollar amount, and volume of transactions that a customer is likely to conduct.  This expectation goes beyond the new beneficial ownership rule to extend CDD expectations to the broader customer base. Regulators directed several institutions subject to the recent round of enforcement actions to develop specific procedures to describe how the institution will conduct customer due diligence. As computer and software technology has improved, regulators have come to expect small and large banks to gather and review information about the normal range of a customer’s banking activities.  They view the CDD processes and analysis as providing the framework that enables institutions to comply with suspicious activity reporting requirements.
  • Account & transaction monitoring. A number of institutions that received the most recent orders did not have adequate, or any, procedures for detecting and reporting suspi­cious activities. The enforcement actions make clear that community banks must specify in writing how the institu­tion will analyze and use customer information to detect suspicious activities.  As this area gets more complex, it becomes more difficult to try to maintain an adequate suspicious activity monitoring regimen without some form of automated monitoring.

Conclusion

The costs of being subject to an enforce­ment action go beyond extra regulatory scrutiny in subsequent examinations.  Institutions under the latest round of actions must report the enforcement action in communications with their shareholders and spend significant sums of money to hire outside consultants to train employees, audit the revised BSA programs and backfile required reports.  They also must submit planned actions to the regulators involved for prior approval, as well as report regularly (usually quarterly) on their progress in remediating the deficiencies that led to their particular enforcement action.

An interagency BSA enforcement policy statement clarifies that regulators will not issue formal enforcement actions for minor BSA infractions.  These enforcement actions are levied against financial institutions – including community banks – with significant breakdowns in their BSA compliance systems. The consent and other orders show that regulators expect all banks to have very specific procedures for collecting customer information, predicting customer account activity, utilizing transaction monitoring reports, and training and managing employees with BSA-related responsibilities.

Be sure that you are not an object lesson for your banking fellows.  If we can help, contact us today.

Connect with a Consultant

Contact us to learn more about our consulting services and how we can add value to your financial institution

Ask a Question