A Brief Summary
Oddly, despite its significance in the BSA/AML/CFT/OFAC Compliance universe, the BSA Risk Assessment has no statutory requirement even though it is the foundation of any Compliance Program. As compliance professionals, we construct our transaction monitoring systems, OFAC filtering programs, and our whole Compliance Programs, on the risks that we have determined based on our customers, products and services, and geography.
The fact that there is no statutory requirement does not mean that you won’t pay dearly for not having one.
The original “form” appeared in the 2004 edition of the FFIEC Bank Secrecy Act / Anti-Money Laundering Examination Manual under Appendix J. Designed for the examination team to complete if they came across an institution without an assessment, it quickly became the basis for how banks constructed one to meet their needs. Appendix J still exists and has eleven categories of risk, graded into low, moderate, and high groupings.
The Report
The risk assessment should contain all the elements of a typical report: cover page, document history, table of contents, glossary, and institutional background as a beginning. Then comes an Executive Summary followed by the heart of the assessment, a brief description of the methodology (referring to the location of the full methodology document) and a detailed description of the risk factors and supporting information, any pertinent secondary factors, and an optional afterword and appendices.
In my experience, the “typical” document runs 30-40 pages before appendices. Given that a number of different audiences will read the assessment, including the senior executives responsible for the BSA Compliance Program, the Risk Management group, Compliance, and our favorites, auditors and examiners, the Executive Summary has an important role to play. It should briefly lay out the overall risk and the direction of risk, and carefully point out any difficult issues. A word of caution: avoid inflammatory language; point out the problems without making it sound like the ship is sinking.
Another important piece to the overall BSA Risk Assessment is the Institutional Background, as it sets the context for the report. The Institutional Background should contain a brief review of Compliance Governance, indicating the independence of Compliance from the business, operational functions of the entity and its reporting lines direct to Executive Level, or lack thereof. It will also discuss the breadth of the report: enterprise-wide, a single entity, a US Branch of a foreign bank, etc., as well as any affiliate relationships.
The heart and soul of the risk assessment is the discussion of the risk; this must have – at a minimum – a description of the customer base, all the products and services the institution offers its customers, and the geography in which the bank operates in a rather expanded sense. The description must include an evaluation of the inherent risk of each, the mitigation efforts in place to minimize the inherent risk and the leftover risk, AKA residual risk.
Any explanation of the categories’ risk elements and the level of risk should have a statistical evidential analysis to demonstrate how the bank arrived at its estimations. The FFIEC Manual provides tables of high risk entities and products and services. Appendix J provides a rough formulation of low, moderate and high for each of its eleven categories. Many institutions use a third-party source to risk rate the countries where they – and their customers – and increasingly their customers’ customers – transact business. Knowing the inherent risk and combining that with an analysis of the bank’s involvement with the category can yield an accurate assessment of the actual level of inherent risk.
The institution should have a standard for mitigating factors. A standard may consist of weak, moderate and strong characterizations of the mitigations, with a working definition for weak as “easy to circumvent,” for moderate as “more difficult to circumvent,” and strong as “nearly impossible to circumvent.” As an example, a mitigation which consisted of a review by one person without a second check would be considered a weak mitigant, since it is easy to circumvent. Whatever standard the institution adopts, it should apply across the board, without deviation. Deviation from a standard is a nice, bright ‘red flag’ to examiners and auditors that there is something which requires a more intense review on their part.
Residual risk is simple to calculate: Inherent – Mitigation = Residual. Of course, to do that one must have some basis for calculation. That may be stating the obvious, but I have seen assessments wherein the entire process was qualitative – as opposed to – quantitative, so the result sounds more like an opinion than an assessment. Another consideration to add to residual risk is the direction of risk. Is it stable? Increasing? Decreasing? Year-over-year comparisons provide a context for the evaluations.
Charts and tables should accompany the various factors noted above. The adage that a picture is worth a thousand words applies here as well. For instance:
Each tells a different story and helps to bring the message across.
Beyond the primary group of risk categories, an institution may wish to include a set of pertinent secondary risk factors. These include relative amount of SAR filings, 314(a) hits/314(b) referrals, OFAC blocking or rejecting activity, relative number of law enforcement subpoenas and national security letters, vendor management as applied to BSA/OFAC systems, and Staff Training. As a rule of thumb, a low risk or strong composite rating for these factors would not decrease the overall BSA composite risk rating, but a high risk or weak composite rating may increase the overall composite rating.
So, What’s Left?
Increasingly we have seen the inclusion of two separate sections that follow the body of the assessment: a discussion of the regulatory environment and a description of the significant BSA-related changes in the institution. The discussion of the regulatory environment notes significant changes to laws and regulations and the impact those had on the bank and its systems, e.g., new data-gathering requirements as delineated in the FinCEN CDD Rule. It will also note the effect of changes that are approved but not yet in effect, and perhaps a discussion of “what if certain things happen.”
The bank may mention the impact of any significant changes to its BSA/AML Program, its IT environment, or organizational changes such as mergers or acquisitions, senior-level management changes, downsizing, etc.
Finally, there are the appendices. These optionally include a list of documents reviewed, persons interviewed, the location of the workpapers, heatmaps that show the risk calculations, etc.
An example of a heatmap:
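As an added illustration (not the author's, the FFIEC's, or any institution's method), the following Python scores a few sample factors with the Inherent – Mitigation rule described above, records the year-over-year direction of risk, applies the rule of thumb that secondary factors may raise but not lower the composite, and renders a plain-text heatmap. The ordinal scales, the composite rule, and the fictional bank's ratings are all assumptions made for this example.

```python
from dataclasses import dataclass
# Assumed ordinal scales (not from the FFIEC Manual): residual = inherent - mitigation,
# clamped to the low..high band so a strong mitigant cannot push risk below "low".
INHERENT = {"low": 1, "moderate": 2, "high": 3}
MITIGATION = {"weak": 0, "moderate": 1, "strong": 2}  # easy .. nearly impossible to circumvent
LEVEL = {1: "low", 2: "moderate", 3: "high"}

@dataclass
class Factor:
    name: str
    inherent: str             # low / moderate / high
    mitigation: str           # weak / moderate / strong, per the institution's standard
    prior_residual: str = ""  # last year's residual, for direction of risk ("" if none)

def residual(f: Factor) -> str:
    """Residual = Inherent - Mitigation, rated for this factor alone (likes to likes)."""
    return LEVEL[max(1, min(3, INHERENT[f.inherent] - MITIGATION[f.mitigation]))]

def direction(f: Factor) -> str:
    """Year-over-year direction of risk for one factor."""
    if not f.prior_residual:
        return "n/a"
    delta = INHERENT[residual(f)] - INHERENT[f.prior_residual]
    return "increasing" if delta > 0 else "decreasing" if delta < 0 else "stable"

def composite(primary: list, secondary: list) -> str:
    """Composite = rounded mean of the primary residuals (an assumption); a high/weak
    secondary factor may raise it one band, a low/strong one never lowers it."""
    band = round(sum(INHERENT[residual(f)] for f in primary) / len(primary))
    if any(residual(f) == "high" for f in secondary):
        band = min(3, band + 1)
    return LEVEL[band]

def heatmap(factors: list) -> str:
    """Plain-text heatmap: one row per factor with inherent, mitigation, residual, direction."""
    header = f"{'Factor':<26}{'Inherent':<10}{'Mitigation':<12}{'Residual':<10}Direction"
    rows = [f"{f.name:<26}{f.inherent:<10}{f.mitigation:<12}{residual(f):<10}{direction(f)}"
            for f in factors]
    return "\n".join([header, *rows])

# Constructed sample ratings for a fictional community bank
PRIMARY = [
    Factor("Customers: MSBs", "high", "strong", "high"),
    Factor("Product: wire transfers", "high", "moderate", "moderate"),
    Factor("Geography: domestic only", "low", "weak", "low"),
]
SECONDARY = [Factor("SAR filings (relative)", "high", "weak")]

if __name__ == "__main__":
    print(heatmap(PRIMARY + SECONDARY))
    print("Composite BSA/AML risk:", composite(PRIMARY, SECONDARY))
```

With these sample ratings the strong mitigant brings the MSB factor down to a low residual (decreasing year over year), while the high/weak secondary factor lifts the composite from low to moderate.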
Parting Thoughts:
- As mentioned previously, avoid inflammatory statements. Always state issues and problems clearly and up-front, but in neutral tones.
- As a corollary to the first point, keep adjectives to a minimum. The Risk Assessment is a conclusion based on carefully evaluated and presented factual evidence. Adjectives are opinions.
- There is no fixed or right format. Bank management decides on the format, and documents it of course. As noted in the FFIEC Manual (page 18), “Whatever format management chooses to use for its risk assessment, it should be easily understood by all appropriate parties.”
- Maintain consistency in the report and from year-to-year. Apply standards “across the board.”
- Rate the factors as independent items. Don’t rate a product on the basis of the rating of the customers using it or the geography where it is used; a low risk product is a low risk product, even if the customers using it are all high risk. In short, keep likes to likes.
- Document – or memorialize – anything and everything. There should be a supporting methodology document which describes how and why the institution does what it does.