Skip to main content

Looking for Valuant? You are in the right place!

Valuant is now Abrigo, giving you a single source to Manage Risk and Drive Growth

Make yourself at home – we hope you enjoy your new web experience.

Looking for DiCOM? You are in the right place!

DiCOM Software is now part of Abrigo, giving you a single source to Manage Risk and Drive Growth. Make yourself at home – we hope you enjoy your new web experience.

Examiners’ Shift in Focus Calls for Institutions to Develop a Risk-Based AML Program

Terri Luttrell, CAMS-Audit, CFCS
September 16, 2019
Read Time: 0 min

The burden of extensive regulatory exams on a financial institution’s BSA/AML program has taken its toll on the financial crimes industry for years. In an effort to improve the effectiveness and efficiency of those regulatory exams, the collective financial institution regulatory bodies (the Agencies) issued a Joint Statement on Risk-Focused Bank Secrecy Act/Anti-Money Laundering (BSA/AML) Supervision (the Statement) on July 22, 2019. The Statement emphasizes the importance that the Agencies use a risk-based focus when scoping and planning an institution’s examination. This is not a new philosophy and has long been stated in the FFIEC Exam Manual but the Statement refocuses the Agencies to use more resources where there is higher risk among the financial institutions and fewer resources for the lower-risk institutions. This means that exam scoping for each institution will vary.

Developing a risk-based AML programUnder current regulation, each financial institution must develop a BSA/AML program commensurate with its risk profile to identify and report potential money laundering, terror financing, and other illicit financial activity. A risk-based approach begins with a comprehensive, board-approved, enterprise-wide risk assessment which will enable financial institutions to allocate compliance resources commensurate with its risk profile. The risk assessment is the first step for the examiners to understand an institution’s unique risk profile. According to the Statement, common practices for assessing the institution’s risk profile include:

  • Leveraging available information, including the institution’s BSA/AML risk assessment, independent testing or audits, through the off-site monitoring process or a request letter to the financial institution
  • Contacting institutions between examinations or prior to finalizing the scope of an examination
  • Considering the institution’s ability to identify, measure, monitor, and control risks

This Statement reminds the Agencies of where their valuable examination resources should be focused, but what does it mean for financial institutions when preparing for their regulatory exams?

Regain confidence in your BSA/AML program.

Request a demo

The first step should be a thorough review of your risk assessment:

  • The risk assessment should be current, updated every 12-18 months depending on the risk of your financial institution, or more frequently if you have had any significant institutional event such as new branches or a merger/acquisition.
  • Each category of a risk assessment should have inherent risks, mitigating controls, and residual risks.
  • The risk assessment should be a dynamic file, updated throughout the document’s life cycle with any new products, services, or customer risk profiles.

Next, an institution should be sure that past audit and/or exam findings have been tracked in an organized manner and corrected or completed. One of the worst things that can happen for an institution during an exam is for repeat findings to resurface.

And finally, the institution should be confident in their ability to monitor and control risks. Examiners review risk management practices to evaluate and assess whether a bank has developed and implemented effective processes to identify, measure, monitor, and control risks. It is critical that policies, procedures, and processes are in place identifying what risks the institution is willing to accept, and how they plan to mitigate these risks.

One of the primary sources of risk mitigation for a BSA/AML program is the institution’s suspicious activity and sanctions monitoring software. The output of the monitoring solution should be risk-based with optimized scenarios to alert on lower parameters for the institution’s riskiest transaction types. Each institution should be able to individualize the monitoring output based on their risk profile, and to demonstrate to the regulators a true understanding of the institution’s risk and mitigation decisions. Valuable investigative resources should not be spinning their wheels in areas where no risk is likely to occur, addressing alerts that never result in cases or suspicious activity reports. On the flip side of this, automated monitoring is critical in supporting a low risk assessment. Proper monitoring will validate that you know with certainty that your institution is low risk.

While machine learning and other artificial intelligence is beneficial in reducing false positives for transaction monitoring, new innovative technology should be used effectively for each unique risk profile rather than teaching the software to monitor possible suspicious activity assuming every institution’s risk profile being the same. This method is counter to what the guidance is asking of their examiners.

The Statement refocuses the Agencies to use more resources where there is higher risk among the financial institutions and fewer resources for the lower-risk institutions.
Terri Luttrell, CAMS-Audit

Financial institutions must determine what risks they are willing to accept, such as certain customer types including money services businesses (MSBs) or cannabis-related businesses (CRBs). Unlike the days of “derisking”, today’s risks in providing traditional banking services to these customers are neither prohibited nor discouraged by regulators if the financial institution has a strong BSA/AML program to effectively mitigate and control residual risks. The Statement encourages institutions to manage customer relationships rather than declining to provide services to entire categories of clients.

In conclusion, the Statement comes full circle to use Agency resources with the riskier institutions and allow the financial institutions to have less of an examination burden if they are on the lower risk spectrum. In the long run, this is good reinforcement for both financial institutions and regulatory bodies alike. If during your exam, you find that your regulator may not be using a risk-based focus, it may be worth discussing this Statement with your examiner.

If your institution needs assistance with preparing an enterprise-wide risk assessment, suspicious activity monitoring, system optimization services, or would like more information about our exam prep services, please contact our highly skilled advisory services team. They can help with a variety of BSA/AML tasks, whether you use our AML software, BAM+, or not, and even serve as an extension of your BSA team.

About the Author

Terri Luttrell, CAMS-Audit, CFCS

Compliance and Engagement Director
Terri Luttrell is a seasoned AML professional and former director and AML/OFAC officer with over 20 years in the banking industry, working both in medium and large community and commercial banks ranging from $2 billion to $330 billion in asset size.

Full Bio

About Abrigo

Abrigo enables U.S. financial institutions to support their communities through technology that fights financial crime, grows loans and deposits, and optimizes risk. Abrigo's platform centralizes the institution's data, creates a digital user experience, ensures compliance, and delivers efficiency for scale and profitable growth.

Make Big Things Happen.