Thread Options
#2150991 - 10/24/17 06:39 PM BSA Risk Assessment - Inherent and Mitigated Risk
fmissle Offline
Platinum Poster
Joined: Jul 2007
Posts: 953
Pac NW
Working on a new BSA Risk Assessment, as we received some comments from examiners about making it a little more robust.

When creating it, I'm breaking into categories (Geograph/Service area, Products and Services, etc.) similar to the FFIEC examiner handbook. I had originally planned to list products and services we don't offer (PUPID, for example) and list the inherent risk as high and the fact we don't allow that as our mitigation, leaving the residual at low.

Now I'm wondering if I should even include all of these products/services that we don't have. It seems like we should, but maybe I'm creating extra work for myself.

thoughts?

Return to Top
BSA/AML/CIP/OFAC Forum
#2150997 - 10/24/17 06:51 PM Re: BSA Risk Assessment - Inherent and Mitigated Risk fmissle
Elwood P. Dowd Offline
10K Club
Elwood P. Dowd
Joined: Aug 2001
Posts: 21,939
Next to Harvey
Talk about what you do and how you mitigate those risks; e.g. "We send and receive wire transfers using the Federal Reserve Bank as an intermediary, but only for established customers as defined in the BSA regulation."

The exam manual is indeed your primer. In this instance, the section on "Expanded Examination Overview and Procedures for Products and Services." List your inventory of products based on the terminology used there; e.g. remote deposit capture is an electronic banking product. Show reviewers something familiar, something where they do not need any imagination...
_________________________
In this world you must be oh so smart or oh so pleasant. Well, for years I was smart. I recommend pleasant.

Return to Top
#2150998 - 10/24/17 06:54 PM Re: BSA Risk Assessment - Inherent and Mitigated Risk fmissle
fmissle Offline
Platinum Poster
Joined: Jul 2007
Posts: 953
Pac NW
Thanks for the response Ken. So you don't believe I need to list those products and services that we don't have/do. If we would do them even occaisionally, I'd include it but to use my example above I see no circumstance in which I would ever allow a PUPID.

Return to Top
#2151008 - 10/24/17 07:30 PM Re: BSA Risk Assessment - Inherent and Mitigated Risk fmissle
kw004h Offline
100 Club
Joined: Nov 2009
Posts: 219
Chicagoland, IL
I have experience with examiners expecting to see ALL sections of the examination manual accounted for, even if the product/service/customer type is not applicable. Ratings for that section were Low or N/A or null, or something like that.

The rationalization was that the board and management needed to understand that a particular product/service/customer type might present greater risk, and why. That way, if/when future operations consider entering into those types of activities, they are not caught unawares.

Return to Top
#2151021 - 10/24/17 07:50 PM Re: BSA Risk Assessment - Inherent and Mitigated Risk fmissle
bcompliance Offline
Diamond Poster
Joined: Sep 2014
Posts: 1,224
I wouldn't do more work than you need to. There is no requirement to list products or services that you don't have. I'd do what Ken suggested and list your products and mitigating controls you have in place to reduce the risks.
_________________________
CRCM, CAMS

Return to Top
#2151026 - 10/24/17 08:02 PM Re: BSA Risk Assessment - Inherent and Mitigated Risk fmissle
rlcarey Offline
10K Club
rlcarey
Joined: Jul 2001
Posts: 77,009
Galveston, TX
Unfortunately, my experience in the banks and their examiners that I have been in more closely align with kw004h's comments. It is really going to depend on the expectations (right or wrong) of your examiners
_________________________
The opinions expressed here should not be construed to be those of my employer: PPDocs.com

Return to Top
#2151031 - 10/24/17 08:07 PM Re: BSA Risk Assessment - Inherent and Mitigated Risk fmissle
fmissle Offline
Platinum Poster
Joined: Jul 2007
Posts: 953
Pac NW
I appreciate the responses, even if they are contradictory but with justification.

I'll probably just add evertyhing and then N/A a lot as we don't offer this.

Return to Top
#2151035 - 10/24/17 08:14 PM Re: BSA Risk Assessment - Inherent and Mitigated Risk fmissle
BrianC Offline
Power Poster
BrianC
Joined: Nov 2004
Posts: 5,977
Illinois
An compromise to the two options is to have a bulleted list at the beginning of the Assessment that states, "The following risk factors are not applicable..." rather than inserting them into the matrix and taking the time to spell out the inherent risks of each when they are not applicable, as much as the BSA Nerd in me loves reading about pouch accounts and parallel banking arrangements.

Of course, I'd also love to see a kangaroo court try to hang me with an enforcement action for not considering pouch accounts!
Last edited by BrianC; 10/24/17 08:15 PM.
_________________________
Sola Gratia, Sola Fides, Sola Scriptura, Solus Christus, Soli Deo Gloria!
www.tcaregs.com

Return to Top
#2151050 - 10/24/17 09:16 PM Re: BSA Risk Assessment - Inherent and Mitigated Risk fmissle
McFly Offline
Member
Joined: Nov 2016
Posts: 73
I follow the course of what Brian recommends, and our examiners had no issues.

This question is really form over substance, as you should focus more of your time on actually assessing the inherent risk and the mitigating controls of your applicable risks from the FFIEC manual.
_________________________
CRCM, CAMS

Return to Top
#2151101 - 10/25/17 04:14 PM Re: BSA Risk Assessment - Inherent and Mitigated Risk fmissle
P*Q Offline

Power Poster
P*Q
Joined: May 2001
Posts: 8,434
Somewhere
Same here , bullet list of all things in the manual that could pose a higher risk, a statement we don't participate in them and that we will assess risk should things change. Simple and easy enough to do.

Return to Top
#2151161 - 10/25/17 07:32 PM Re: BSA Risk Assessment - Inherent and Mitigated Risk fmissle
fmissle Offline
Platinum Poster
Joined: Jul 2007
Posts: 953
Pac NW
I thought I typed a response yesterday, but I ended up basically following Brian's suggestion with a little more meat to each type that we might in the near future consider.

Thanks everyone!

Return to Top

Moderator:  Andy_Z