The following sections provide additional detail and potential questions to aid in analyzing each risk factor as part of the AML/CFT risk assessment.
Products and services
Understanding the financial institution's products and services involves knowing how many customers or members use these services and the risks involved in those products or services. For example, the following questions may be asked:
- Does the FI offer the sale of monetary instruments?
- Are monetary instruments allowed to be sold to non-accountholders?
- Do you allow customers or members to send outgoing international wires?
- If so, how is this monitored?
- How many accounts and to which countries are they sent?
- Do you offer services to those without a Tax ID Number (TIN)?
- If so, how many customers or members?
Although not all-inclusive, other products and services that you may want to include in your review are:
- Foreign correspondent accounts
- Special use accounts
- Trade finance
- Bulk cash
- Consumer or business loan portfolios
- Online account access/opening
- ATM services
- Remote deposit capture
Remember, it’s essential to understand whether these volumes are increasing or decreasing and what controls are in place to mitigate the inherent risk. Once again, all supporting documentation of your analysis must be retained.
To analyze geography, understanding the branch footprint of the financial institution is critical. Specific questions to ask include:
- What are the populations of the cities and towns in the area?
- Are the branches located within High-Intensity Financial Crime Areas or High-Intensity Drug Trafficking Areas?
- Does the financial institution have a presence on the U.S.-Mexico border?
- Does the institution file many suspicious activity reports (SARs) annually compared to the other institutions in the same geographical area? If not, what might be the reason?
Determine whether these volumes are increasing or decreasing and what controls the bank or credit union has for each.
Customer or member base
The customer or member base should be evaluated on several factors, such as the number of high-risk customers or members of the financial institution. Consider the following types of customers in your account base:
- Non-Resident Aliens (NRAs)
- Politically exposed persons (PEPs)
- Cash-intensive businesses (including marijuana-related businesses)
- Money Services Businesses (MSBs)
- Virtual currency exchanges
- Non-bank financial institutions (NBFIs)
- Professional service providers
In addition, the risk assessment should assess how well the financial institution collects beneficial ownership information and whether the customer due diligence (CDD) and enhanced due diligence (EDD) processes are sufficient. Again, determine if these volumes are increasing or decreasing and what controls are in place. These questions must be answered to understand the customer or member risk fully.
Transactions will require a review of both volumes and frequencies. Analyze processes such as:
- Number of currency transaction reports (CTRs) filed annually
- Number of SARs filed annually
- Volumes and frequencies of international wires compared to domestic
- Number of international ACH transactions compared to domestic transactions
- The volume of Private ATM customers, if any
- The volume of loan transactions
FinCEN issued eight National AML/CFT priorities in June 2021. Each of the following priorities should have a section within the risk assessment addressing the institution’s risk and any mitigating factors available for each risk:
- Cybercrime and related cybersecurity, including virtual currency considerations
- Foreign and domestic terrorist financing
- Transnational criminal organizations (TCO) activity
- Drug trafficking organizations (DTO) activity
- Human trafficking and human smuggling
- Proliferation financing (weapons and materials of mass destruction)
Adequate compliance staffing is critical to any AML program. When analyzing human resources for your risk assessment, consider the following:
- Number of full-time and part-time employees in AML function
- How these numbers compare to the previous year
- Qualifications and experience level of the AML staff
- What training is provided for the team (and the financial institution staff more broadly)
- Whether background checks are conducted when hiring
Regulatory audit and exams
Regulatory audit and exam results provide a picture of your AML program's health and any gaps that may be present in the program. If the institution has a history of violations, particularly repeat findings, the risk of the financial institution should be increased in the risk assessment. If the board of directors has been adequately apprised of the audit or exam outcomes and repeat violations still occur, this could indicate a need for a strong culture of compliance, which will ultimately lead to further increased risk. The following other items should also be addressed within an audit or exam:
- Policies and procedures should be checked and updated when necessary.
- A designated officer should be appointed and approved by the board of directors as responsible for AML/CFT and OFAC compliance.
- SARs and CTRs should be filed regularly and promptly, following FinCEN guidelines.
Adequate OFAC compliance is essential for mitigating a financial institution’s risk. A robust OFAC risk assessment supporting the program is critical to avoid costly monetary penalties or regulatory consent orders. Certain transactions, such as wire transfers and ACH, must be checked for OFAC matches before being sent. A financial institution should have a clear set of policies and procedures for OFAC compliance and provide training to all stakeholders. If the institution has a history of OFAC violations, the OFAC risk should be classified as elevated, and controls should be tightened with mitigating factors.