
BSA: Designing Risk Assessment

The annual Money Laundering Enforcement Conference co-sponsored by the American Bankers Association and the American Bar Association is always fertile ground for new ideas on BSA program management. This year's conference gave in-depth attention to BSA risk management, including advice on risk assessment and risk management in BSA programs.

The session on how to assess risk in your institution provided useful ideas and suggestions. First up was John Atkinson, AVP in the Atlanta Federal Reserve Bank's Supervision and Regulatory Division and a long-term expert on BSA. Atkinson, like his co-panelists, recommended using the new BSA examination manual as a primary resource and laid out a clear approach to designing a risk assessment program.

Also on the panel was John Wagner, OCC's new Director for BSA. He stressed the four elements of an effective BSA program: identify risk, measure risk, monitor risk, and control risk. The first two steps are part of the risk assessment program.

All the panelists recommended that you start with the assessment factors using the elements identified in the examination manual. Rely on and use the descriptions of each factor for low-to-high risk. A caveat in using the factors and descriptions in the manual is that you must design a program specifically for your institution. No two BSA programs should be precisely alike. This means that you can be creative as well as careful. It also means that you can't simply copy anyone else's.

Organizational Risk
First, look at the organizational structure of your company. You need an inventory of the entire organization from a legal entity standpoint. For a one-bank holding company, this is not complicated. For larger, more complex institutions, the task can be daunting. An inventory for complex institutions should be careful to include all components of the organization, whether or not they seem directly related to BSA compliance concerns.

Next, look at your organizational management. How is the company managed and how are decisions made? Decision-making may run by business lines or by legal entities. You need to know how decisions can be made so that you can determine the risk-points presented by change resulting from decisions.

Customer Risk
An important question in assessing risk is knowing who "owns" the customer. Whoever owns the customer has an interest in protecting that relationship and this could be in conflict with BSA compliance. Private banking is an excellent example, but commercial lenders may also step forward to protect their customers even in deposit relationships with the institution. Since customer relationships can affect decisions with respect to both products and customers, your assessment should include an evaluation of these relationships.

In addition, determine whether anyone is taking a cross-organizational look at customers. For example, a customer may have what appears to be a compliant and profitable relationship with commercial lending but is moving deposit account funds in odd ways that don't match their business. A trust customer may have long-standing trust accounts but be involved in a questionable business that has transaction accounts with the institution.

Any evaluation of customer risk should include assessment of the CIP program. Is it producing all the information that you need? Also look at whether it is being followed consistently. The amount or type of information you collect may vary by line of business. You might need additional information for commercial customers with respect to the type and level of their business. And remember that the CIP program provides the foundation for protecting your customers from identity theft.

Regulatory Risk
Another element of risk is presented by regulatory agencies. You should know who your regulators are and how many there are. It isn't just your supervisory agency any more. The days of having one regulator are long gone. Your list should include FinCEN, OFAC, and other money-laundering enforcement agencies as well as regulators such as the SEC.

Next, map the laws and regulations for each component in your organizational structure and connect regulators with each. You can't assess risk without knowing what the rules are and where they come from.

Product Risk
Now look at your distribution channels. How many ways do you touch your customer? Under what circumstances do you have contact with the customer? How is that contact managed and what controls are placed on these contacts?

Looking at customers is critical, but your risk assessment must include an analysis of the ways in which your institution can be used for illicit purposes. This means looking at transaction capabilities. In addition to the basics, such as checking and savings, do you offer services that could be used to launder money? Electronic transfers and wire services present higher levels of risk than the traditional checking account. And don't forget to include the ways that funds can be moved within the institution.

Geography can be a key element in your risk. Looking at geography includes consideration of where your offices are located, the ability to track activities in those locations, and the demographics of the markets you are in.

The demographics of your market may also present risk. For this reason, you need to understand your markets, including acceptable and unacceptable uses of financial institutions. In some markets, for example, customers may regularly wire part of their paycheck to family in their country of origin. The institution should assess this risk and also determine whether it will limit the service to customers or also provide it to non-customers.

Staff Risk
Another element to consider is whether your BSA program is in any way dependent on specific staff. The departure of one key person - who always took care of something - can blow the program apart. Risk management may involve maintaining back-up staff.

Risk Controls
At this point, we begin to look at the available methods for identifying and controlling risk. A tight control on a high risk activity, such as international wires, reduces the residual risk of the activity.

Begin with your MIS capabilities. What kind of reports can you get and do these reports provide you with adequate information to manage your risk? To determine this, look back at your customer, organization, and transaction risks and consider what information you might need. Is deposit transaction information enough, or should you be able to track combined activities of a high-risk customer? Also consider what support you get from MIS and whether you have competition for service from MIS.

In addition to the typical BSA reports, consider whether you need reports on non-resident aliens, customers with foreign bank accounts, total activity of wire customers, or account activity of customers with no TINs.

Be sure that reports help you to measure the number of accounts involved in certain activities and the number of transactions by type that are occurring. These can be early risk indicators. A change in patterns may flag illegal activity.

A classic risk control is the audit and examination process. Consider the findings for the past several years and look at how the institution has responded. Look hard at what led to the finding and use that information to determine whether similar weaknesses can occur in other parts of the organization.

When looking at a compliance or risk management program, we usually start with policies and procedures. At this point in your assessment, look again at policies and procedures to be certain that they accurately reflect what the institution is doing. Also be sure that they are consistent. It is surprisingly common to find that policies say one thing while procedures say another. And, when this happens, it is very possible that staff will be doing something different from both.

Roll all this up into a uniform evaluation of the entire enterprise. The risk assessment should be shared with both senior management and the Board - especially the audit committee.

Review Risk
Each of the panelists stressed that a risk assessment must be fluid and frequent. It should never be considered done and on the shelf. In particular, you should revisit risk assessments when adding new products and services. Activities such as trust or asset management, non-deposit investment products and the like present a new layer of risk.


  • Pull out the BSA examination manual and pore through it, pulling out guidance and resources for risk assessment.
  • Chart your organization, by legal entity, product and functions. Then map where responsibilities must reside.
  • List all products by the level of risk they could present for BSA.
  • Now analyze the risks presented by different customers and by customer relationships.
  • Use this information to identify MIS reports that you could need to identify illegal or suspicious activity.
  • Study your markets and identify any risks presented.
  • Review the training schedule. Compare who was trained to the list of who has responsibilities - and therefore needs training. Fill any gaps.
  • Use the text guidance in the BSA examination manual to brief senior management and management and staff with BSA responsibilities. The manual should help them understand the importance of their assignments.

Copyright © 2005 Compliance Action. Originally appeared in Compliance Action, Vol. 10, No. 13, 11/05

First published on 11/01/2005
