A bank wide risk assessment (memorialized in writing) is an essential prelude to implementing a defensible AML program. Its absence was noted as a factor in the AmSouth penalty assessment. This thread is an attempt to get BOL users to collaborate in designing a risk assessment that is appropriate for their institution, hopefully by receiving advice from those who have been through the process.

Current guidance from the regulatory agencies is largely limited to an appendix to the OCC handbook (see page 168 as numbered in the document, not the PDF file) and the guidance offered in the current regulation for developing an appropriate CIP:

...procedures must be based on the bank’s assessment of the relevant risks, including those presented by the various types of accounts maintained by the bank, the various methods of opening accounts provided by the bank, the various types of identifying information available, and the bank’s size, location, and customer base.

Attempts at collaboration in the threads are often hijacked with unrelated questions, so success with this venture depends on the self restraint of others, but it’s worth a try. I will try to prime the pump, but I am actually seeking the suggestions and experience of others. Please add any comments you have regarding whether the headings below are appropriate, whether additional headings are necessary and what you believe to be the necessary expansion of any particular heading.

Bank Size – Total assets, number of offices, FFIEC peer group, number of FTE employees, employee turnover rates. (?)

Bank Location – Cities, states, counties where offices are present and delineated community for CRA purposes, presence in or proximity to HIFCA or HIDTA designated areas, information from conversations with local law enforcement regarding level of illegal activity locally, prior losses due to fraud. (?)

Products/services offered – Inventory all bank products and services offered to customers (accountholders) and non customers. Note any restrictions on product/service availability that might mitigate risk. Evaluate wire transfers for foreign vs. domestic and overall volume. (?)

Methods for opening accounts – List all that are possible; e.g. bank premises, customer premises, Internet, mail etc. Note any restrictions on non face to face account opening such as when it is only done for existing customers. (?)

Customer base - Consumer vs. business. Stable vs. transient. Foreign vs. domestic? Presence of enclaves of non U.S. citizens from countries associated with money laundering; e.g. Black Market Peso exchange? Are there high risk businesses, particularly non bank financial institutions? Noting that the bank has already determined its own connections to HIFCAs or HIDTAs, do its customers have connections to those areas? (?)

Operations - Is there activity that suggests greater scrutiny is appropriate? How many CTRs does the bank file annually? How many phase I exempt customers does it have? Phase II? Has it had positive responses to OFAC queries? Has there been any communication from OFAC? Has it had positive responses to 314(a) queries? How many SARs does it file annually? (?)

Conclusion – Assign a risk weighting; e.g. low, moderate, high. The presence of certain factors; e.g. location in a HIFCA or HIDTA should assure something other than a low rating. It’s the rating that should dictate the strength of the AML program; i.e. the presence of a strong AML program does not reduce the rating.

Miscellaneous: Understand, this risk assessment is not a one time event. With no support from any regulatory source I will say that it should be done annually, but hasten to add that annually might not be frequent enough if a major variable changes, such as the addition of a new product or a significant influx of new people into a community. There is no suggestion that it be reviewed by the board, but if they are the folks buying the insurance policy (approving the AML program) it only makes sense that they be told the underlying risks. The accuracy and currency of the risk assessment should be reviewed in the course of the independent examination.

Two things we did that produced surprising results for a community bank: review your international wires - review the activity with lenders and branch managers. Is it what they expect? Document what they know about the customer. If no one knows, do some investigating on that customer, speak with customer. Is the customer using their debit/credit/ATM card in another country on a regular basis vs. on a vacation?

Review your customer records for accounts without TINS, pull W8s, review addresses provided. Are these customers transacting overseas? Do your branches know who these customers are, what their transactions are for? Document the results.

You need this information to complete your risk assessment. You may find international activity you didn't expect even though your bank doesn't provide "international" banking. This must be incorporated into your risk assessment.

How do you CIP new customers? Are you using an automated product to check phone, address, property databases, SSN checks? Assign a higher risk to indirectly sourced loans (auto dealers, real estate brokers) - what do you do to check those customers for CIP and fraud protection? How do you manage the risks? What problems have arisen in any products - dealer fraud, broker fraud...are any of the problems related to the individual cusotmer? How is your bank managing those risks? This must be incorporated into your risk assessment.

I have become more and more convinced that just checking ID and comparing to other ID is not enough.

Where do you see most of your SAR activity...geographically, branch, types of activity (structuring, wires, fraud, etc.) and types of customers. Those are then higher risk customers and products for your bank.

I am not at a big city bank. We have 23 branches in the suburbs. We were surprised at some of the results we found.

I don't want the unpleasant experience of my regulator reviewing accounts and pointing out "unusual" activity. I want to have found it, researched it, documented it, reported it if necessary, closed the account if necessary.

This is NOT your father's banking world, to paraphrase an old commercial.

In sitting in on today's FDIC Chicago Region Conference call on BSA/CIP/AML, much discussion was given to the Risk Assessment process. The main tip that was given was to divide your assessment into 3 risk areas (these taken from the notes e-mailed prior to the call by the FDIC):

Customer Risk: characteristics about the account holder - tends to be static

Product Risk: products and services the bank offers - change at a slow pace

Transaction Risk: daily transaction activity - very dynamic risk

Overall, it sounded as if there will be 2 assessments. One at the bank-wide level performed annually or as your environment changes. The other at your customer level at the time a relationship is established.

This is also what the FRB shared in a seminar that I attended last week Qtip - so it sounds like all the regulators are on the same level on this one.

It's likely that all that "intrinsic" regulatory wisdom comes from the new examination procedures which you just haven't had the opportunity to see yet.

I guess we will be seeing the new procedures soon! We should organize some "opening night" parties. Fancy dress optional. I will come as a Narcotics Kingpin as that is my favorite "title"...maybe a cartel member.

We might as well get some enjoyment out of this!

I have access to a draft of the new examination procedures. If you have any specific questions, I'll be glad to take a look.

Nifty! Are there specific questions that indicate what the expected elements of a risk assessment will be?

I just came across this... I have no idea where it came from, but thought I'd share it here:

Monitoring Method for AML Risk

CTR and AML Monitoring system reports; review of cash in/out reports, incident reports from branches

Monetary instrument tracking report, incident reports from branches

Monetary instrument tracking report, incident reports from branches

Incident reports from branches, CTR and AML monitoring systems

Incident reports from branches and lending areas, AML monitoring system, loan system reports

Collateral reports

Daily and monthly wire reports and AML monitoring system

Daily and monthly wire reports and AML monitoring system

Incident reports from branches, CTR and AML monitoring systems pick up cash; BSA Compliance reviews daily and monthly wire reports and

AML monitoring system wire reports

Lending area due diligence on borrowers and transactions; BSA

Compliance reviews daily and monthly wire reports and AML monitoring system wire reports

BSA Compliance reviews ATM transactions occurring in foreign countries
Suspicious ATM transactions are reported to the Security Officer and Asst Security Officer

Branches fax logs to BSA Compliance. BSA Compliance reviews logs for signs of unusual activity (frequency, $); incident reports from branches

Subpoenas are copied and sent to BSA Compliance area

Checks over $x are reviewed by Security Officer for evidence of fraud (suspicious signature, larger $ than customer generally transacts, altered checks, etc.) Information is communicated to Security Officer/BSA Compliance Officer

I reviewed the new examination procedures and it appears that the risk assessment issue is still vague. No specific elements noted, other than the following: products, customers, services, geographies. There is a "Quantity of Risk" matrix and a "Quality of Risk Matrix" that examiners will use. The Request Letter asks for "copies of management's BSA/AML risk assessment of products, services, customers and geographies", and "list of high risk accounts".

More from the FDIC Chicago Conference call on Tuesday of this week. Although there is no "matrix", it is still a good listing of what they will expect to see during an exam. This is taken from an E-mail sent from the Chicago Office prior to the call talking about Risk Assessment elements:

Tips for Performing Risk Assessments

* Three Major Risk Areas
o Customer Risk - characteristics about the account holder - tends
to be static.
o Product Risk - products and services the bank offers - change
at slow pace.
o Transaction Risk - daily transaction activity - very dynamic
risk.

* Step 1 - Quantifying Your AML Risk - Where does your institution
fit with respect to the following conditions?
1. A stable, known customer base vs. a large and growing deposit
base in a wide and diverse geographic area.
2. No electronic banking and the institution's website is
informational and not transactional vs. a wide array of ebanking products and services including account transfers, e-bill payment or accounts opened via the Internet.
3. Few or no large currency transactions vs. a large volume of
currency transactions or structured transactions.
4. Few high-risk customers or businesses vs. numerous higher risk
entities such as high cash intensive businesses and types of customers who are ineligible by definition from potential exemption of CTR reporting by the very nature of their business activity.
5. No foreign correspondent accounts or trust or private banking
services offered vs. a large number of foreign correspondent accounts including payable through and collection accounts and significant private banking and trust activities.
6. No international accounts vs. significant volume and activity
within accounts owned by foreign entities or by businesses that do business internationally.
7. The number of internal accounts with unexplained cash activity.
8. Limited number of wire transfers vs. a high number of
non-customer wire transfer transactions. Frequent wire from personal or business accounts to/from money laundering havens.
9. High transaction offices located in a high intensity drug
trafficking area (HIDTA) or money laundering area.
10. What is the bank's history of regulatory BSA/AML compliance?
Are there any problems or formal communications from FinCEN or OFAC indicating concerns?
11. Low or high amount of turnover of key personnel or frontline
personnel.
Hint: When Quantifying your risk, use some type of matrix to document your customer base, e-banking activities, accounts offered, wire transfer activity, areas you do business etc. to determine your inherent risk profile.
* Things to consider when analyzing a business account for
potential high risk activity include:
1. What type of business structure? Corporation, LLC, Association,
sole proprietor.
2. Are the owners local or non local?
3. Is the business local, interstate, or international?
4. Is this a new or mature business?
5. What is the nature of the business risk?
6. How was the account opened, in person with all parties present,
by phone, mail, website and what is the risk associated with the account opening method?
7. What is the nature and volume of the businesses normal cash and
wire activity?

* Step 2 - Assessing Your Program to Manage those Risks - Elements
of a strong risk management program include:
1. Management fully understands the risk and exhibits a strong
commitment to compliance.
2. Compliance considerations are incorporated into all products and
areas of the organization.
3. When deficiencies are identified, management promptly implements
meaningful corrective action.
4. Authority and accountability for compliance are clearly defined
and enforced, including the designation of a qualified BSA officer.
5. Independent testing is in place and effective.
6. The board has approved a BSA compliance program that includes
policies, procedures, controls and information systems that are adequate.
7. Training is appropriate, effective, covers applicable personnel,
and necessary resources have been provided to ensure compliance.
8. An effective customer identification program is in place.
9. Management has identified and developed controls that are
applied appropriately to high-risk areas, products, services and customers.
10. Compliance systems and controls quickly adapt to changes in
various lists such as OFAC.
11. Compliance systems and controls effectively identify and
appropriately report suspicious activity. Systems match the risk.
12. Low volume of correspondence from the IRS indicates that CTRs
are accurate.
13. Appropriate compliance controls and systems are implemented to
identify compliance problems and assess performance.
14.
* Risk Assessment Hot Spots
1. Wire Transfers
2. Electronic Banking
3. Cash Intensive Businesses
4. Charitable Organizations