The Foundations of the BSA/AML/CFT/OFAC Risk Assessment

In 2004 the FFIEC quietly and subtly shifted the BSA examination paradigm with the publication of the Bank Secrecy Act / Anti-Money Laundering Examination Manual (“the Manual”). The Manual introduced to examiners the concept of determining an institution’s money laundering, terrorist financing, and OFAC risks through a matrix of pertinent topics rated as Low, Medium, and High, with a matrix for BSA and a separate matrix for OFAC; at the commencement of the examination, the examiners were to assess the institution’s risks with the matrices as a guide.  Virtually simultaneously, it became an unwritten requirement that financial institutions do their own risk assessing. 

As the years have passed, risk assessment has transformed from simply filling in the matrix according to the institution's perceived levels of risk into writing 30, 50, or 100 pages of assessment, plus spreadsheets of data to substantiate those 30, 50, or 100 pages of text, charts, and diagrams. It can be a very daunting task.

One of the ways to make the task less daunting is to involve, to some extent, the disparate parts of the entire institution. Building the risk assessment (RA) requires coming to a complete understanding of the institution's business: with whom it conducts business and where it conducts it. To achieve a full understanding, the business units and the operational and back-office support staff must all contribute their requirements. In other words, arriving at the final RA is an institution-wide collaborative effort.

One way for the BSA Compliance group to involve the disparate parts of the institution is to develop questionnaires for each group with pointed questions that will enable them to provide to Compliance a complete picture of the institution’s business. The questionnaires should include what the business leaders are planning for the coming review periods, what the back-office needs to provide strong support of the business, and what senior management’s goals are for the coming periods. 

The risk assessment begins with a point-in-time statement of “this is where we were, and this was our risk level at that point.”  To generate an observation as to where the program is going, we need to include in the RA the direction of risk.  “Here’s how we’ve been going, and here is where we expect to be.”  Knowing where we’re headed will aid us in formulating the BSA Compliance Program to meet the risks.  So, involvement of the entire organization is important in getting us there. 

I have had the good fortune to have worked on risk assessments both as a Compliance Officer and as a consultant. As a consultant I have participated in writing risk assessments for a number of financial institutions, including banks, credit unions, and US branches of foreign banks, of small, medium, and large sizes, but unfortunately – or maybe fortunately – none in the SIFI/GSFI categories. And I have seen and read risk assessments that run to 100+ pages, the largest having reached 194 – and that did not include supporting workpapers! The risk assessments come in many formats. Let's take a look at what the Exam Manual states about formats (FFIEC BSA/AML Exam Manual, BSA/AML Risk Assessment [2020]):

"Various methods and formats may be used to complete the BSA/AML risk assessment; therefore, there is no expectation for a particular method or format. Bank management designs the appropriate method or format and communicates the ML/TF and other illicit financial activity risks to all appropriate parties."

Risk assessments typically come in the form of a report, anywhere from 25 to 50 pages, with supporting workpapers, often in the form of spreadsheets which compile the pertinent data. Less frequently, the RA appears as a spreadsheet with many columns and rows and the supporting data built in. Even less frequently, an operational risk model was used to assess the BSA/OFAC risks: instead of the usual inherent, mitigation, residual risk model, a likelihood (probability) versus impact (cost) assessment was the risk determinant. The few occasions I have seen this were in institutions where the Risk Management division did the risk assessment rather than the BSA Compliance division. I prefer the inherent-mitigation-residual model. I should point out, however, that the FIs that used the operational risk model were not criticized by examiners for using it.

One of the keys to making the inherent-mitigation-residual model work well is to include in the methodology clear definitions of each. Did I mention methodology? It's good to document that as well. Once defined, the three provide a measuring stick against which the rating of each can be developed. Rating inherent risk is relatively easy because there is general industry-regulator agreement about the risk value of products and services, and of countries for geography. Rating customers is more nuanced, but most transaction monitoring systems include a risk rating module which, if properly used, will provide a defensible rating.

Mitigation rating is the most difficult of the three; even with clear and precise definitions of the strong, moderate and weak categories, or more if you’re so inclined, drawing a defensible conclusion can be a challenge.  Strong policies and procedures supported by periodic compliance reviews, BSA/OFAC related systems validations to ensure accurate performance, and a culture of compliance will all together make for strong mitigation. Residual Risk is what is left over after the mitigation is applied to the inherent risk. 

From there comes the BSA/AML/CFT/OFAC Compliance program.  We can use the RA as the foundation for building the program.  We can include in the RA a section of recommendations and there place the coming needs of the department in front of the Board, who have ultimate responsibility for making the program work. 

A factor which influences what we bring to the risk assessment, or any report, and which is very often overlooked, is how we see life as individuals. Do we see the world as a dark place with unseen dangers around every corner? Do we see the world as a bright space with dangers lurking, but overshadowed by the general goodness of people? How we see life, the world, and people will influence how we see risks and will influence the mitigations we choose to reduce them. The risk assessment may be the product of a great amount of team effort, but the final product will be presented by a single person who will have to assent to its contents. How those contents get into the report will be part and parcel of who we are. The moral of the story is that your personal perspective is a major influence on the overall assessment of the risk.