BSA/AML and OFAC risk assessment: Best practices for financial organizations

Developing an effective strategy for BSA/AML and OFAC compliance

May 06, 2022

Several questions can keep risk leaders at financial institutions up at night. Do we know where our organization may be at risk? Do we have controls in place to mitigate these risks? Is our risk assessment up to date? Developing an effective strategy for risk assessments under regulations such as the Bank Secrecy Act (BSA)/Anti-Money Laundering (AML) requirements and the Office of Foreign Assets Control (OFAC) sanctions programs can help alleviate these common concerns.

Although having a risk assessment is not a legal requirement, regulators expect financial organizations to have one documented. The Federal Financial Institutions Examination Council (FFIEC) manual provides general guidance on developing and updating a BSA/AML and OFAC risk assessment for financial organizations. Appendix J of the FFIEC online manual includes a Quantity of Risk Matrix, and Appendix M includes a Quantity of Risk Matrix—OFAC Procedures. Both appendices provide a baseline for assessing BSA/AML and OFAC risks.

By performing a risk assessment, your financial services organization gains a holistic view of where its risks lie across customers, products, services and geographical presence. It also allows you to identify control gaps that may expose the institution to regulatory findings and monetary fines.

Since risk assessments are specific to each organization, no two risk assessments will be exactly alike; however, the approach to conducting them should be similar. Below are some best practices to be mindful of when developing or enhancing a risk assessment:

  • Complete a thorough review to confirm that all customer types, products, services and geographical locations are included in the risk assessment. If specific risk areas are not applicable, institutions should still include them as a line item in the risk assessment and state why they are not applicable.
  • Provide a distinction between inherent risks and residual risks. Each risk area in the risk assessment should have an inherent risk rating and residual risk rating. Standard inherent and residual risk ratings are low, moderate or high, and the definitions for each risk level are to be determined by your organization.
    • Inherent risks—the level of risk present without consideration of the effectiveness of existing controls. Qualitative and quantitative data are used to determine the level of risk.
    • Residual risks—the level of risk remaining after considering the effectiveness of existing controls.
  • A majority of risk assessments do a good job of including mitigating controls; however, the part that is frequently left out is determining the effectiveness of the mitigating controls that are in place. Determining the effectiveness of the mitigating controls is critical in understanding the residual risk for each risk area. Standard ratings are strong, adequate or inadequate. Again, the definitions for each rating are to be determined by your organization.
  • Once the inherent risk rating and the control effectiveness rating are determined, the residual risk can be calculated for each risk area. The residual risk rating should not be determined by the individual(s) completing the risk assessment, and a methodology should be in place to limit the subjectivity of the process. Below is a residual risk rating matrix, commonly used for calculating the residual risk rating. As you can see, the inherent risk and effectiveness of the mitigating controls drive the residual risk rating.

Residual risk matrix (rows: control rating; columns: inherent risk; each cell holds the resulting residual risk rating)

                               | Inherent Risk - Low | Inherent Risk - Moderate | Inherent Risk - High
  Control Rating - Strong      |                     |                          |
  Control Rating - Adequate    |                     |                          |
  Control Rating - Inadequate  |                     |                          |
  • A methodology should be in place to determine the overall risk of the organization. Common overall risk ratings are low, moderate or high, and the threshold bands (e.g., low risk is 0-2.5, moderate risk is 2.6-5, etc.) are determined by your organization.
  • When completing the risk assessment, keep the BSA/AML and OFAC risks separate. It is best to have two separate risk assessments, each tailored to its specific risks and controls. It is not uncommon for your overall BSA/AML and OFAC risk ratings to differ; again, this will depend on the customer base, products/services and geographical presence.
  • The FFIEC online manual states that the risk assessment should be updated when there is a change in customers, products, services or geographic locations. Beyond that, the manual does not provide specific timelines for when organizations should update their risk assessments. However, it is a best practice to update your risk assessment every 12-18 months. When updates are made, the compliance team should inform the board of directors so that they know where current BSA/AML and OFAC risks exist.

A common misconception regarding risk assessments is that they apply only to traditional banking entities. In reality, they also apply to non-traditional financial institutions, such as, but not limited to, broker-dealers, auto lenders and fintech companies. With the continuous development of technology, the risk profile of these organizations is constantly changing. Understanding the risk profile of non-traditional financial institutions is even more important because of the unique customers, products, services and geographical presence they may have. The risk assessment is the single most important point of understanding for the risks and controls that are in place, and it helps drive the next steps toward the future state of the organization.

For more information on developing and enhancing BSA/AML risk assessments, contact RSM’s AML and Regulatory Compliance practice.

RSM contributors

  • Matthew Meyering, Supervisor, Certified Anti-Money Laundering Specialist (CAMS)
