BSA: The Examination Procedures
They're out at last. The Bank Secrecy Act examination procedures have been published. In some respects, the new procedures are a non-event because they do not contain significant changes or surprises. Instead, the procedures are the culmination of an evolution of learning how to examine for BSA.
In other respects, the new procedures are significant. The most significant aspect of the procedures does not lie in the actual charts and checklists. It is in the discussion and guidance provided with the procedures themselves. In the discussion material are answers to many questions and the solutions to some problems. The discussion sets the scope of the examination, but it also places limitations by explaining how much is enough and when it is enough.
Ever since the USA PATRIOT Act, and even earlier, risk assessment has been a high level concern. The first problem is what should a risk assessment include. This is followed by related questions such as how to determine an acceptable level of risk and what to do when risk is identified.The procedures make clear that risk is not something that financial institutions must avoid. Total risk avoidance would simply drive risky customers into less measurable channels. Instead, the procedures make clear that institutions should be aware of risk, identify the components that contribute to risk, and manage risk.
When it comes to identifying and measuring risk, however, there are some tricks. The first one is that there is no single correct system. Both the approach and the risk assessment itself must be tailored to the specific institution. You can't simply borrow another institution's approach.
What to Consider
The risk assessment process should take into account a variety of factors that can be sources of risk. These include the product lines and services offered, the market in which the products and services are offered, the marketing and delivery techniques for the products, customers of the institution, and location.
The risk elements to consider are both conceptual and fact specific. In concept, for example, the products you offer carry certain levels of risk. E-banking is considered higher risk than in-person banking. However, specific facts, such as the steps taken when opening the account and steps taken to monitor account activity, have a specific impact on the risk level.
Each risk assessment should consider not simply the risks that are inherent in a specific product, location, or service, but the dimensions of risk that are added or reduced by the specific steps the institution takes in providing products and services.
Another element of risk is the controls that the institution has in place. Controls should be considered for their effectiveness relative to the risk. The effectiveness of the control does not change the inherent nature of the risk, but it does lower the institution's exposure to risk. The institution can choose to offer a high risk product but lower its risk by having effective controls on that particular risk. The institution can also choose to lower its risk by not offering risky products. The balance between risk and controls is a business decision.
Some risk controls can be automated. Software can perform account analysis, track cash deposits and related activities, and can check the customer's name against government lists such as the OFAC List
Other controls rely on people. In evaluating the risk presented by each customer, the front line is the primary risk management control. The front line meets with the customer and conducts the transaction. The staff handling the transaction is the first to flag whether the customer and the transaction match or whether there is something odd about the juxtaposition of a particular customer and a particular type of transaction. It is the staff on the front line that must decide in each case whether two and two add up to four or some other number. Because of this, training is a critical element of any risk management program.
How often? Again there are no specific standards for how often a risk assessment should occur. There are several common sense standards. One is that a risk assessment should be at least annual. As with the more sensitive policies and banking issues, it is simply prudent to review the status at least once a year. The second common sense standard is the introduction of change. Any change, whether a new product, new customers, or a change in the market, can affect the risk the institution faces and can also alter the effectiveness of the risk controls.
The new BSA examination procedures contain a variety of tools that can be used in your risk assessment process. Several of the appendices contain charts that illustrate how to analyze risk and how to assign risk ratings. Appendices I and J present practical and visual approaches to risk analysis. Use them.
- Study the new BSA Examination Procedures. It isn't as overwhelming as it first looks.
- Consider the new procedures in the context of your last BSA exam and focus on what has changed.
- Review your risk analysis and compare it to the approach in the new procedures. Revise or redo your risk analysis to meet the examiners' expectations.
- These procedures are supposed to help you as much as the examiner. Make good use of them.
Copyright © 2005 Compliance Action. Originally appeared in Compliance Action, Vol. 10, No. 9, 8/05
First published on 08/01/2005