The following sections provide additional detail and potential questions to aid in conducting an analysis of each risk factor as part of the BSA/AML risk assessment.
Products and Services
Understanding the financial institution's products and services involves knowing how many customers or members use these services, as well as the risks involved in those products or services. For example, the following questions may be asked:
Other products and services you may want to include in your review (the list is not all-inclusive) are:
- Foreign correspondent accounts
- Special use accounts
- Trade finance
- Bulk cash
- Consumer or business loan portfolios
- Online account access/opening
- ATM services
- Remote deposit capture
Remember, for each of these it is important to understand whether volumes are increasing or decreasing and what controls are in place to mitigate the inherent risk. Once again, all supporting documentation of your analysis must be retained.
Geography
To analyze geography, understanding the financial institution's branch footprint is critical. Specific questions to ask include:
- What are the populations of the cities and towns in the institution's footprint?
- Are any branches located within High-Intensity Financial Crime Areas (HIFCAs) or High-Intensity Drug Trafficking Areas (HIDTAs)?
- Does the financial institution have a presence on the U.S.-Mexico border?
- How does the institution's annual volume of suspicious activity reports (SARs) compare to that of other institutions in the same geographic area? If it is lower, what might be the reason?
Determine whether these volumes are increasing or decreasing and what controls the bank or credit union has in place for each.
Customer or Member Base
The customer or member base should be evaluated on several factors, such as how many high-risk customers or members the financial institution has. Consider the following types of customers in your account base:
- Non-Resident Aliens (NRAs)
- Politically exposed persons (PEPs)
- Cash-intensive businesses (including marijuana-related businesses)
- Money Services Businesses (MSBs)
- Virtual currency exchanges
- Non-bank financial institutions (NBFIs)
- Professional service providers
In addition, the risk assessment should evaluate how well the financial institution collects beneficial ownership information and whether its customer due diligence (CDD) and enhanced due diligence (EDD) processes are sufficient. Again, determine whether these volumes are increasing or decreasing and what controls are in place. These questions must be answered to understand the customer or member risk fully.
Transactions
Transactions require a review of both volumes and frequencies. Analyze measures such as:
- Number of currency transaction reports (CTRs) filed annually
- Number of SARs filed annually
- Volumes and frequencies of international wires compared to domestic
- Number of international ACH transactions compared to domestic transactions
- The volume of privately owned ATM customers, if any
- The volume of loan transactions
Human Resources
Adequate compliance staffing is critical to any AML program. When analyzing human resources for your risk assessment, consider the following:
- Number of full-time and part-time employees in the AML function
- How these numbers compare to the previous year
- Qualifications and experience level of the AML staff
- What training is provided for the team (and the financial institution staff more broadly)
- Whether background checks are conducted when hiring
Regulatory Audit and Exams
Regulatory audit and exam results provide a picture of your AML program's health and of any gaps present in the program. If the institution has a history of violations, particularly repeat findings, the institution's risk rating in the risk assessment should be increased. If the board of directors has been adequately apprised of audit or exam outcomes and repeat violations still occur, this could indicate a weak culture of compliance, which will ultimately increase risk further. An audit or exam should also address the following:
- Policies and procedures should be checked and updated when necessary.
- A designated officer should be appointed and approved by the board of directors as responsible for BSA/AML and OFAC compliance.
- SARs and CTRs should be filed regularly and in a timely manner, following FinCEN guidelines.
OFAC Compliance
Adequate OFAC compliance is essential to mitigating a financial institution's risk, and a robust OFAC risk assessment supporting the program is critical to avoiding costly monetary penalties or regulatory consent orders. Certain transactions, such as wire transfers and ACH, must be screened for OFAC matches before they are sent. A financial institution should have a clear set of policies and procedures for OFAC compliance and provide training to all stakeholders. If the institution has a history of OFAC violations, the OFAC risk should be classified as elevated and additional mitigating controls put in place.
The above considerations do not cover every aspect of evaluating and documenting a financial institution's risk. However, they should provide a solid roadmap to completing a thorough risk assessment so that management understands the institution's actual risk profile. Some financial institutions find they need assistance creating or updating a risk assessment because of a lack of time, staffing, or expertise. Expert advisory consultants can partner with the financial institution to produce a risk assessment that evaluates and documents the aggregate risk profile and strengthens confidence in the BSA/AML program.