Using a risk assessment to clarify your AML picture
The first step to solving any problem is defining it. The risk assessment process is an opportunity for management to understand the institution's activity across several areas and from various angles. For example, an IT risk assessment allows management to identify risks in system access and controls, while a fair lending risk assessment allows management to identify risks in underwriting and pricing in loan products. The BSA/AML risk assessment is an opportunity for management to gain insight into the institution's products, services, customers, entities and the geographic locations it serves.
The BSA/AML risk assessment is the most important step for your institution to understand its AML risk profile. While getting the information together can be tedious, the results of a well-planned and executed risk assessment can deliver two key benefits:
- It allows management to define and understand its AML risk level.
- It provides the framework to develop controls for higher-risk variants.
Coordinating with key individuals from every business line within your institution is an integral part of obtaining accurate information to fully understand products, services and customers and how these variants make up the risk profile. It can also be an opportunity to raise staff awareness of BSA risks and stress their importance.
A risk assessment should be framed around the key areas that drive AML risk. At a minimum, your risk assessment should address the following questions:
- What are your products and services and what level of money-laundering risk is involved with each? Not all products are created equal when it comes to AML risk. Low-balance consumer depository accounts do not require the same level of scrutiny as higher-balance commercial accounts. Certain services, such as international wire transfers, inherently carry a higher level of risk. So inventory your products and services and determine the level of risk associated with each.
- What geographies do you serve? Obviously, the more international your operations, the greater your concerns, and certain countries are higher-risk markets than others. Keep in mind that this was an easier question to answer when everyone did their banking in person. Now, you have to evaluate your virtual customers, too.
- What are your delivery channels? The more separate the connection between customer and institution, the greater the risk. Customers who visit branch locations and come face to face with employees pose a much lower risk than customers who interact with the institution solely through the use of technology.
- What is your customer base? Foreign customers or customers who make frequent foreign transactions deserve special consideration. Commercial customers may require closer scrutiny than individual account holders. Certain industries dealing in high cash volumes present unique concerns. Money services businesses (MSBs) deserve special scrutiny.
- Are you planning on entering new markets or offering new products and services? Assessing your current AML risk is not enough if you know that your risk parameters may soon expand. If you have near-term plans to enter new markets or add new products, include those in your risk assessment. A common flaw is the failure to include the AML function in strategic discussions. Too often the AML team is the last to learn about expansion plans. Keep them in the loop.
Consider two similarly sized single-location banks, one in Tulsa, Oklahoma, the other on the Texas-Mexico border. Both almost exclusively serve local customers and make local business loans. Yet “local” for the Texas bank includes a number of cross-border accounts and wires from foreign-owned customers. While the two banks are similar in many ways, the Texas bank has higher AML risk across almost all categories and thus requires stronger staffing, identification and monitoring controls, and systems.
Emerging technologies present new AML challenges. Internet banking, mobile banking and services like remote deposit capture make it harder to accurately track the geographic footprint of your customer base. Be sure you know how your products work and where transactions are originating. If allowing for online account opening, define what geographies you intend to serve and what documentation is required to open an account. Review the recently updated BSA/AML Examination Manual to determine whether any of the products or services or persons and entities addressed in the expanded section of the manual should be included in your risk assessment.
Knowing your customers also means knowing their patterns. Significant or unexpected fluctuations can indicate risk. Does a business customer in an industry that does not usually have numerous cash transactions regularly deposit large amounts of cash? Do the customer's transactions match expected patterns for its business? For example, suppose you have a florist shop as a customer that deposits the same amount almost every week. Typically, a florist would see significant spikes around certain days like Valentine's Day and Mother's Day, so deposits that never vary do not match the expected pattern. Those are the sorts of red flags your controls should be designed to identify for closer examination.
Obtaining quantitative information throughout the process can be a learning experience for executive management and the board of directors. Seeing how particular products, services or customers have a higher (or lower) risk to the institution can help guide them toward appropriate resources and software needs. Having 10 MSBs with an average balance of $10,000 each can be drastically different when analyzing risk than having five MSBs with an average balance of $1 million.
Once you have conducted an AML risk assessment and adjusted your controls accordingly, you should revisit the assessment at least annually. However, if there is a significant change in any of the key areas outlined above, the assessment should be updated immediately. Acquisitions should trigger an assessment of the acquired entity's risk and that of the new, combined entity. In fact, AML risk should be included in pre-acquisition due diligence.
AML compliance is a growing and real concern for all banks. Conducting and regularly updating an AML risk assessment is vital to your AML compliance effort.