Bruce Rumbold, CCBCO
Manager | Risk Advisory Services
I recently attended a very informative webinar by BankWebinars.com regarding the April 2020 update to the BSA-AML Examination Manual. While I had read the update, essentially a re-format of the previous examination manual’s first 40 pages, it was insightful to listen to somebody talk through the update and hear a different perspective than my own. The writing is on the wall – your risk assessment is of paramount importance.
There was originally a joint statement on risk-focused Bank Secrecy Act / Anti-Money Laundering supervision on July 22, 2019. We often hear from regulators that your compliance program should be reflective of the size and complexity of your institution and this is more of the same. That said, there is not a lot that’s new for BSA, it is truly just the risk-based focus of regulators during their exams.
This means that the first thing that they will want to see is the institution’s BSA/AML risk assessment but all of the pillars are important. Questions to ask yourself:
- Does our risk assessment match the size and complexity of our organization? More on that later but if you organization is a billion-dollar bank, your risk assessment should probably look a bit different than it did when your institution was $300M in size.
- Is our independent testing adequate? Do we have strong internal controls in place and operating? Does your independent testing program include reviewing the risk assessment and how it is used to develop the BSA/AML compliance program?
- Are our policies and procedures aligned with the examination material?
- Is our AML system adequate for the size and complexity of our institution?
- Do the monitoring parameters in our AML system match the risks that the institution faces (i.e. are we getting alerts surrounding the highest risk areas?
- Does training reflect the risks in your institution?
- Are we dedicating appropriate resources, even if they are scarce, to the appropriate areas of risk?
BSA/AML Risk Assessment Considerations
What is the content of your risk assessment and is it understandable to people outside of the compliance organization? The best guidance is that your risk assessment should be a matrix that includes all products and services offered as well as balances and/or number of annual transactions, customer types and mix, and geographies. Does the risk assessment carve out the number of accounts opened remotely? Does the risk assessment highlight any new products or services, new business lines, new geographies? Has the customer mix changed in the last year and if so, what’s different? Does the matrix contain the number of CTRs and SARs filed? Remember, the examiners look at these volumes as well as perform peer comparisons as part of their examination planning. Does it contain the number of blocked accounts? Does the risk assessment segregate wires and ACH transactions by domestic and international transactions? Are you documenting loan and other types of fraud? Are you delineating for High Intensity Financial Crimes and Drug Trafficking Areas (HIFCA / HIDTA)?
What can be helpful for management and boards, is for them to be able to understand where balances and transactions are increasing or decreasing. It can be beneficial to trend the data where possible to include multiple years. It is also a good practice to list high risk account types or activities in the risk assessment whether or not you are holding / performing any of them. For example, the risk assessment should include money services businesses, correspondent accounts, private banking accounts, foreign accounts or NRA accounts, third party senders and pay through accounts. Another good idea is to segregate the standard high-risk businesses such as professional services, dealers, jewelers, pawn shops, liquor stores, cash intensive businesses, customers with ATMs, etc. This list goes on and I’m sure that you catch my drift. It's better to include more information on the risk assessment with a not applicable designation (N/A) rather than forgetting to look for some of these categories of transaction types and miss them the next year.
Hopefully, you are also capturing the North American Industry Classification System (NAICS) code for all appropriate customers.
Other considerations for BSA Compliance
There is a lot more space devoted to internal controls in the April update. Compliance professionals need to understand that testing internal control functionality is different than performing compliance testing. Is there a system of internal controls?
Example: What are the controls in place to ensure cash reports are generated and reviewed for required and timely CTR filings? Control testing would require select random days to determine if reports are generated. Much different than selecting CTRs and checking for accuracy and timely filing date. This is when internal auditors talk about the second line of defense – is somebody checking the checker on a sample basis?
Is the scope of the independent testing adequate and aligned with the risk assessment, and are the people (internal or external) that are performing the exam qualified to do so? Does the independent exam include reviewing controls around various processes or is it simply a transaction-based “check-the-box” mentality review? If high error rates are noted in any processes, a review of the process controls is needed to find the root cause.
- For larger community banks, is the BSA Officer in the weeds performing tasks or managing the function? Are they able to keep an eye on the big picture and understand what is going on in your marketplace, at your institution, and in the regulatory environment?
- Is there a mentoring program in terms of succession planning?
- Have BSA staff had the proper training to perform their roles? Can you prove it? Is the staff size adequate?
- Are training programs adequate and focused for departmental areas?
- Does the BSA Compliance Officer have the appropriate authority within the organization? Is the BSA Officer (and other compliance personnel) privy to all of the information they need to perform their jobs?
Ultimately, is the quality of the risk management process to identify, measure, monitor, and control risks, and report potential money laundering, terrorist financing and other illicit financial activity adequate and is it commensurate with the size and complexity of your institution.
Having a rock-solid risk assessment, and strong independent testing, may well reduce the amount of time that regulators spend on site, leading to a less disruptive exam for you.
There are many other sections (the Pillars) that have not been discussed here but the long and short of this is that examination procedures will be risk-based, including ongoing customer due diligence (CDD) and beneficial ownership requirements.
Again, there is a renewed focus on internal controls surrounding the BSA/AML compliance program.
Also, please don’t forget the OFAC risk assessment and Red Flags if they are separated from your risk assessment documents.
Call our financial institution risk management team for a free review of your risk assessment.