BSA Risk Assessment

Regulatory Expectations

Objective of the BSA Risk Assessment

Determine the BSA/AML risk profile of the bank and evaluate the adequacy of the bank’s BSA/AML risk assessment process. The same risk management principles that the bank uses in traditional operational areas should be applied to assessing and managing BSA/AML risk.

The value of a BSA Risk Assessment

Understanding the risk profile enables the bank to apply appropriate risk management processes to the BSA/AML compliance program to mitigate risk.

  • The risk assessment process enables management to better identify and mitigate gaps in the bank’s controls.
  • The risk assessment should provide a comprehensive analysis of the BSA/AML risks in a concise and organized presentation.
  • It should be shared and communicated with all business lines across the bank, the board of directors, management, and appropriate staff; as such, it is a sound practice for the risk assessment to be reduced to writing.

Methods and Format of the BSA Risk Assessment

There are many effective methods and formats used in completing a BSA/AML risk assessment. The bank’s circumstances and product/services should dictate the assessment method and format. Whatever format management chooses to use for its risk assessment, it should be easily understood by all appropriate parties.

The development of the BSA/AML risk assessment generally involves two steps:

(1) identify the specific risk categories (i.e., products, services, customers, entities, transactions, and geographic locations) unique to the bank; and

(2) conduct a more detailed analysis of the data identified to better assess the risk within these categories.

In reviewing the risk assessment, the examiner should determine whether management has considered all products, services, customers, entities, transactions, and geographic locations, and whether management’s detailed analysis within these specific risk categories was adequate. If the bank has not developed a risk assessment, this fact should be discussed with management. For the purposes of the examination, whenever the bank has not completed a risk assessment, or the risk assessment is inadequate, the examiner must complete a risk assessment based on available information.

The BSA/AML Risk Assessment is Bank-Specific

The risk assessment must be prepared by persons who have sufficient knowledge of the bank’s BSA/AML risks to determine whether the BSA/AML compliance program is adequate and provides the controls necessary to mitigate those risks. For example, it may initially be determined that the bank has a high-risk profile, but the assessment reveals that the bank’s BSA/AML compliance program adequately mitigates these risks. Alternatively, it may initially be determined that the bank has a low- or moderate-risk profile; however, during the assessment, it may be discovered that the bank’s BSA/AML compliance program does not adequately mitigate these risks.

Identification of Specific Risk Categories

The first step of the risk assessment process is to identify the specific products, services, customers, entities, and geographic locations unique to the bank. Although attempts to launder money, finance terrorism, or conduct other illegal activities through a bank can emanate from many different sources, certain products, services, customers, entities, and geographic locations may be more vulnerable or have been historically abused by money launderers and criminals.

Depending on the specific characteristics of the particular product, service, or customer, the risks are not always the same. Various factors, such as the number and volume of transactions, geographic locations, and nature of the customer relationships, should be considered when the bank prepares its risk assessment. The differences in the way a bank interacts with the customer (face-to-face contact versus electronic banking) also should be considered.

Because of these factors, risks will vary from one bank to another. In reviewing the bank’s risk assessment, examiners should determine whether management has developed an accurate risk assessment that identifies the significant risks to the bank. The expanded sections in this manual provide guidance and discussions on specific lines of business, products, and customers that may present unique challenges and exposures for which banks may need to institute appropriate policies, procedures, and processes.

Absent appropriate controls, these lines of business, products, or customers could elevate aggregate BSA/AML risks. The examiner should expect the bank’s ongoing risk assessment process to address the varying degrees of risk associated with its products, services, customers, entities, and geographic locations, as applicable.

Products and Services

Certain products and services offered by banks may pose a higher risk of money laundering or terrorist financing depending on the nature of the specific product or service offered. Such products and services may facilitate a higher degree of anonymity, or involve the handling of high volumes of currency or currency equivalents. Some of these products and services are listed below, but the list is not all inclusive:

  • Electronic funds payment services — electronic cash (e.g., prepaid and payroll cards), funds transfers (domestic and international), payable upon proper identification (PUPID) transactions, third-party payment processors, remittance activity, automated clearing house (ACH) transactions, and automated teller machines (ATM)
  • Electronic banking
  • Private banking (domestic and international)
  • Trust and asset management services
  • Monetary instruments
  • Foreign correspondent accounts (e.g., bulk shipments of currency, pouch activity, payable through accounts (PTA), and U.S. dollar drafts)
  • Trade finance services provided to third-party payment processors or senders
  • Foreign exchange
  • Special use or concentration accounts
  • Lending activities, particularly loans secured by cash collateral and marketable securities
  • Non-deposit account services (e.g., non-deposit investment products and insurance).

The expanded sections of the manual provide guidance and discussion on specific products and services detailed above.

Customers and Entities

Although any type of account is potentially vulnerable to money laundering or terrorist financing, by the nature of their business, occupation, or anticipated transaction activity, certain customers and entities may pose specific risks. At this stage of the risk assessment process, it is essential that banks exercise judgment and neither define nor treat all members of a specific category of customer as posing the same level of risk. In assessing customer risk, banks should consider other variables, such as services sought and geographic locations. The expanded sections of the manual provide guidance and discussion on specific customers and entities that are detailed below:

  • Foreign financial institutions, including banks and foreign money services providers (e.g., casas de cambio, currency exchanges, and money transmitters).
  • Nonbank financial institutions (e.g., money services businesses; casinos and card clubs; brokers/dealers in securities; and dealers in precious metals, stones, or jewels).
  • Senior foreign political figures and their immediate family members and close associates (collectively known as politically exposed persons (PEP)).
  • Nonresident alien (NRA) and accounts of foreign individuals.
  • Foreign corporations and domestic business entities, particularly offshore corporations (such as domestic shell companies and Private Investment Companies (PIC) and international business corporations (IBC)) located in higher-risk geographic locations.
  • Deposit brokers, particularly foreign deposit brokers.
  • Cash-intensive businesses (e.g., convenience stores, restaurants, retail stores, liquor stores, cigarette distributors, privately owned ATMs, vending machine operators, and parking garages).
  • Nongovernmental organizations and charities (foreign and domestic).
  • Professional service providers (e.g., attorneys, accountants, doctors, or real estate brokers).

Geographic Locations

Identifying geographic locations that may pose a higher risk is essential to a bank’s BSA/AML compliance program. U.S. banks should understand and evaluate the specific risks associated with doing business in, opening accounts for customers from, or facilitating transactions involving certain geographic locations. However, geographic risk alone does not necessarily determine a customer’s or transaction’s risk level, either positively or negatively.

Higher-risk geographic locations can be either international or domestic. International higher-risk geographic locations generally include:

  • Countries subject to OFAC sanctions, including state sponsors of terrorism.
  • Countries identified as supporting international terrorism under section 6(j) of the Export Administration Act of 1979, as determined by the Secretary of State.
  • Jurisdictions determined to be “of primary money laundering concern” by the Secretary of the Treasury, and jurisdictions subject to special measures imposed by the Secretary of the Treasury, through FinCEN, pursuant to section 311 of the USA PATRIOT Act.
  • Jurisdictions or countries monitored for deficiencies in their regimes to combat money laundering and terrorist financing by international entities such as the Financial Action Task Force (FATF).
  • Major money laundering countries and jurisdictions identified in the U.S. Department of State’s annual International Narcotics Control Strategy Report (INCSR), in particular, countries which are identified as jurisdictions of primary concern.
  • Offshore financial centers (OFC).
  • Other countries identified by the bank as higher-risk because of its prior experiences or other factors (e.g., legal considerations, or allegations of official corruption).

Domestic higher-risk geographic locations may include, but are not limited to, banking offices doing business within, or having customers located within, a U.S. government-designated higher-risk geographic location. Domestic higher-risk geographic locations include:

  • High Intensity Drug Trafficking Areas (HIDTA).
  • High Intensity Financial Crime Areas (HIFCA).

Analysis of Specific Risk Categories

The second step of the risk assessment process entails a more detailed analysis of the data obtained during the identification stage in order to more accurately assess BSA/AML risk. This step involves evaluating data pertaining to the bank’s activities (e.g., number of: domestic and international funds transfers; private banking customers; foreign correspondent accounts; PTAs; and domestic and international geographic locations of the bank’s business area and customer transactions) in relation to Customer Identification Program (CIP) and customer due diligence (CDD) information.

The level and sophistication of analysis may vary by bank. The detailed analysis is important because, within any type of product or category of customer, there will be account holders that pose varying levels of risk. This step in the risk assessment process gives management a better understanding of the bank’s risk profile in order to develop the appropriate policies, procedures, and processes to mitigate the overall risk.

Specifically, the analysis of the data pertaining to the bank’s activities should consider, as appropriate, the following factors:

  • Purpose of the account.
  • Actual or anticipated activity in the account.
  • Nature of the customer’s business/occupation.
  • Customer’s location.
  • Types of products and services used by the customer.

The value of a two-step risk assessment process is illustrated in the following example.

The data collected in the first step of the risk assessment process reflects that a bank sends out 100 international funds transfers per day. Further analysis may show that approximately 90 percent of the funds transfers are recurring, well-documented transactions for long-term customers. On the other hand, the analysis may show that 90 percent of these transfers are nonrecurring or are for non-customers. While the numbers are the same for these two examples, the overall risks are different. As illustrated above, the bank’s CIP and CDD information take on important roles in this process. Refer to the core overview sections, “Customer Identification Program” and “Customer Due Diligence,” found on pages 52 to 58 and 63 to 65, respectively, for additional guidance.
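The two-step analysis in the example above, worked through in code. This is an added illustration, not part of the manual: the transfer records are constructed, and the attributes (customer tenure, recurrence, documented purpose) and the rating thresholds are assumptions chosen for the illustration, not regulatory values.

```python
# Added illustration of the two-step risk assessment (not from the original text).
# Assumptions: constructed transfer records; the attributes and thresholds are
# illustrative only and not prescribed by the manual.
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    customer_id: str
    is_existing_customer: bool   # CIP: established account holder vs. non-customer
    months_on_book: int          # CDD: length of the relationship
    recurring: bool              # matches a documented, repeating pattern
    purpose_documented: bool     # expected activity recorded at onboarding


def step_one_volume(transfers):
    """Identification stage: the raw figure management collects (transfers per day)."""
    return len(transfers)


def step_two_profile(transfers):
    """Analysis stage: the same volume split by CIP/CDD attributes, then rated."""
    total = len(transfers)
    low_risk = sum(
        1 for t in transfers
        if t.is_existing_customer and t.recurring
        and t.purpose_documented and t.months_on_book >= 12)
    higher_risk = total - low_risk
    share_higher = higher_risk / total if total else 0.0
    # Illustrative thresholds (assumption): rate by the share of less-documented activity.
    if share_higher >= 0.5:
        rating = "high"
    elif share_higher >= 0.2:
        rating = "moderate"
    else:
        rating = "low"
    return {"volume": total, "low_risk": low_risk,
            "higher_risk": higher_risk, "rating": rating}


def build_sample(n_total, n_established):
    """Constructed data: n_established transfers from long-term customers, the rest from non-customers."""
    return [Transfer(customer_id=(f"C{i:03d}" if i < n_established else f"WALKIN{i:03d}"),
                     is_existing_customer=i < n_established,
                     months_on_book=36 if i < n_established else 0,
                     recurring=i < n_established,
                     purpose_documented=i < n_established)
            for i in range(n_total)]


BANK_A = build_sample(100, 90)  # 100/day, 90% recurring transfers for long-term customers
BANK_B = build_sample(100, 10)  # 100/day, 90% nonrecurring transfers or non-customers
```

Both constructed banks report the same first-step figure (100 transfers per day); only the second step, which joins the count to CIP/CDD data, separates the low-risk profile from the high-risk one.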

Developing the Bank’s BSA/AML Compliance Program Based Upon Its Risk Assessment

Management should structure the bank’s BSA/AML compliance program to adequately address its risk profile, as identified by the risk assessment. Management should understand the bank’s BSA/AML risk exposure and develop the appropriate policies, procedures, and processes to monitor and control BSA/AML risks.

  • For example, the bank’s monitoring systems to identify, research, and report suspicious activity should be risk-based, with particular emphasis on higher-risk products, services, customers, entities, and geographic locations as identified by the bank’s BSA/AML risk assessment.
  • Independent testing (audit) should review the bank’s risk assessment for reasonableness.
  • Additionally, management should consider the staffing resources and the level of training necessary to promote adherence with these policies, procedures, and processes.
  • For those banks that assume a higher-risk BSA/AML profile, management should provide a more robust BSA/AML compliance program that specifically monitors and controls the higher risks that management and the board have accepted.

Consolidated BSA/AML Compliance Risk Assessment

Banks that implement a consolidated or partially consolidated BSA/AML compliance program should assess risks both individually within business lines and across all activities and legal entities. Aggregating BSA/AML risks on a consolidated basis for larger or more complex organizations may enable an organization to better identify risks and risk exposures within and across specific lines of business or product categories.

Consolidated information also assists senior management and the board of directors in understanding and appropriately mitigating risks across the organization. To avoid having an outdated understanding of the BSA/AML risk exposures, the banking organization should continually reassess its BSA/AML risks and communicate with business units, functions, and legal entities. The identification of a BSA/AML risk or deficiency in one area of business may indicate concerns elsewhere in the organization, which management should identify and control.

Bank’s Updating of the Risk Assessment

An effective BSA/AML compliance program controls risks associated with the bank’s products, services, customers, entities, and geographic locations; therefore, an effective risk assessment should be an ongoing process, not a one-time exercise. Management should update its risk assessment to identify changes in the bank’s risk profile, as necessary (e.g., when new products and services are introduced, existing products and services change, higher-risk customers open and close accounts, or the bank expands through mergers and acquisitions). Even in the absence of such changes, it is a sound practice for banks to periodically reassess their BSA/AML risks at least every 12 to 18 months.
