Examiners’ Shift in Focus Calls for Institutions to Develop a Risk-Based AML Program

By: Terri Luttrell, CAMS-Audit

The burden of extensive regulatory exams on a financial institution’s BSA/AML program has taken its toll on the financial crimes industry for years. In an effort to improve the effectiveness and efficiency of those regulatory exams, the collective financial institution regulatory bodies (the Agencies) issued a Joint Statement on Risk-Focused Bank Secrecy Act/Anti-Money Laundering (BSA/AML) Supervision (the Statement) on July 22, 2019. The Statement emphasizes the importance that the Agencies use a risk-based focus when scoping and planning an institution’s examination. This is not a new philosophy and has long been stated in the FFIEC Exam Manual but the Statement refocuses the Agencies to use more resources where there is higher risk among the financial institutions and fewer resources for the lower-risk institutions. This means that exam scoping for each institution will vary.

Developing a risk-based AML programUnder current regulation, each financial institution must develop a BSA/AML program commensurate with its risk profile to identify and report potential money laundering, terror financing, and other illicit financial activity. A risk-based approach begins with a comprehensive, board-approved, enterprise-wide risk assessment which will enable financial institutions to allocate compliance resources commensurate with its risk profile. The risk assessment is the first step for the examiners to understand an institution’s unique risk profile. According to the Statement, common practices for assessing the institution’s risk profile include:

  • Leveraging available information, including the institution’s BSA/AML risk assessment, independent testing or audits, through the off-site monitoring process or a request letter to the financial institution
  • Contacting institutions between examinations or prior to finalizing the scope of an examination
  • Considering the institution’s ability to identify, measure, monitor, and control risks

This Statement reminds the Agencies of where their valuable examination resources should be focused, but what does it mean for financial institutions when preparing for their regulatory exams?

Regain confidence in your BSA/AML program.
Request a demo

The first step should be a thorough review of your risk assessment:

  • The risk assessment should be current, updated every 12-18 months depending on the risk of your financial institution, or more frequently if you have had any significant institutional event such as new branches or a merger/acquisition.
  • Each category of a risk assessment should have inherent risks, mitigating controls, and residual risks.
  • The risk assessment should be a dynamic file, updated throughout the document’s life cycle with any new products, services, or customer risk profiles.

Next, an institution should be sure that past audit and/or exam findings have been tracked in an organized manner and corrected or completed. One of the worst things that can happen for an institution during an exam is for repeat findings to resurface.

And finally, the institution should be confident in their ability to monitor and control risks. Examiners review risk management practices to evaluate and assess whether a bank has developed and implemented effective processes to identify, measure, monitor, and control risks. It is critical that policies, procedures, and processes are in place identifying what risks the institution is willing to accept, and how they plan to mitigate these risks.

One of the primary sources of risk mitigation for a BSA/AML program is the institution’s suspicious activity and sanctions monitoring software. The output of the monitoring solution should be risk-based with optimized scenarios to alert on lower parameters for the institution’s riskiest transaction types. Each institution should be able to individualize the monitoring output based on their risk profile, and to demonstrate to the regulators a true understanding of the institution’s risk and mitigation decisions. Valuable investigative resources should not be spinning their wheels in areas where no risk is likely to occur, addressing alerts that never result in cases or suspicious activity reports. On the flip side of this, automated monitoring is critical in supporting a low risk assessment. Proper monitoring will validate that you know with certainty that your institution is low risk.

While machine learning and other artificial intelligence is beneficial in reducing false positives for transaction monitoring, new innovative technology should be used effectively for each unique risk profile rather than teaching the software to monitor possible suspicious activity assuming every institution’s risk profile being the same. This method is counter to what the guidance is asking of their examiners.

The Statement refocuses the Agencies to use more resources where there is higher risk among the financial institutions and fewer resources for the lower-risk institutions.
Terri Luttrell, CAMS-Audit

Financial institutions must determine what risks they are willing to accept, such as certain customer types including money services businesses (MSBs) or cannabis-related businesses (CRBs). Unlike the days of “derisking”, today’s risks in providing traditional banking services to these customers are neither prohibited nor discouraged by regulators if the financial institution has a strong BSA/AML program to effectively mitigate and control residual risks. The Statement encourages institutions to manage customer relationships rather than declining to provide services to entire categories of clients.

In conclusion, the Statement comes full circle to use Agency resources with the riskier institutions and allow the financial institutions to have less of an examination burden if they are on the lower risk spectrum. In the long run, this is good reinforcement for both financial institutions and regulatory bodies alike. If during your exam, you find that your regulator may not be using a risk-based focus, it may be worth discussing this Statement with your examiner.

If your institution needs assistance with preparing an enterprise-wide risk assessment, suspicious activity monitoring, system optimization services, or would like more information about our exam prep services, please contact our highly skilled advisory services team. They can help with a variety of BSA/AML tasks, whether you use our AML software, BAM+, or not, and even serve as an extension of your BSA team.

About the Author

Terri Luttrell, CAMS-Audit

Terri Luttrell is a seasoned AML professional and former director and AML/OFAC officer with over 20 years in the banking industry, working both in medium and large community and commercial banks ranging from $2 billion to $330 billion in asset size. She has successfully worked with institutions in developing BSA/OFAC programs, optimizing various automated solutions, and streamlining processes while ensuring all regulatory requirements are met. As the Senior Manager of Strategy and Engagement at Abrigo, Terri provides insights that contribute and support long-term banking strategies based on analysis of market and industry trends, competitor developments, and financial and regulatory technology changes. She is an audit-certified anti-money laundering specialist and a board member of the Central Texas chapter of the Association of Certified Anti-Money Laundering Specialists (ACAMS). Terri earned her bachelor’s degree in business administration, specializing in business and finance, from the University of North Texas.

Full Bio

About Abrigo

Abrigo is a leading technology provider of compliance, credit risk, and lending solutions that community financial institutions use to manage risk and drive growth. Our software automates key processes — from anti-money laundering to fraud detection to lending solutions — empowering our customers by addressing their Enterprise Risk Management needs.

Make Big Things Happen.

 

Looking for Banker’s Toolbox? You are in the Right Place!

Banker’s Toolbox is now Abrigo, giving you a single source for all your enterprise risk management needs. Use the login button here, or the link in the top navigation, to log in to Banker’s Toolbox Community Online.

Make yourself at home!