I am writing a new compliance program. I see the top risks areas as BSA/OFAC, RESPA, Privacy, Flood. I also would like to make the program risk based, and use penalties as one factor, prior ex results, audit and errors as other factors. Does anyone know if there is anything published that states what the top risks is for the bankng industry? If not can you post your thoughts on my idea of the program.

In order to develop a risk rating system, you must first decide what type of risks you are rating: violations? discovery? penalty? incarceration? loss of franchise?

I always worked with a tierred system to rate risks.

My top tier was limited to any infraction that could result in bank employees (especially me) going to jail, or the company losing its franchise. These risks were considered to be to high to take chances, and so there were no constraints on the resources that could be consumed to control them. This category included much of BSA, CRA, Section 8 of RESPA, and willful violation of almost anything.

The second tier was repeat violations, violations subject to enforcement policies, or violations with crippling penalties that were actually were being assessed against banks (Reg. Z restitution, for example).

The third tier was everything else.