A BSA/AML RISK ASSESSMENT. Page 1 of 35

Transcription

1 & A BSA/AML RISK ASSESSMENT Page 1 of 35

2 TABLE OF CONTENTS PAGE Auditing & Updating a $13 Billion Organization s BSA/AML Risk Assessment...4 Auditing the Existing BSA/AML Risk Assessment..5 Core Components of a Comprehensive BSA/AML Risk Assessment BSA/AML Risk Assessment Overview Introduction Steps in the Risk Assessment Process Detailed Bank Information Customers and Entities Money Service Businesses (MSBs) BSA/AML Compliance Program Overview Introduction Internal Controls Independent Testing BSA/AML Officer BSA/AML Training BSA/AML Operations Overview BSA/AML Policy BSA/AML Department Customer Identification Program (CIP) Currency Transaction Reports (CTRs) and Monetary Instrument Logs (MILs) Anti-Money Laundering Software Risk Assessment High Risk Determination and Tracking Regulation GG Enterprise Wide BSA/AML Exam & Audit Reports Business Units (BUs) Products and Services (Appendix A) Identifying and Evaluating BSA/AML Risk Introduction.19 Page 2 of 35

3 10.2 HIDTA and HIFCA Locations Risk Identification and Evaluation Ratings Corporation s Risk Identification and Evaluation of Business Units/Products and Services (Appendix B) Summary of Corporation s Enterprise Wide BSA/AML Quantitative Risk (Appendix D) Mergers and Acquisitions New Product Committee Projected BSA/AML Risks CONCLUSION: Think Enterprise Wide SAMPLE SPREADSHEETS: Appendix A - Business Units BSA/AML Risk Identification and Evaluation of Products and Services, Inherent Risks, Mitigating Controls and Residual Risks Appendix B Risk Evaluation of Business Units/Products and Services.. 26 Appendix C Corporation Risk Evaluation of Company/Products and Services...27 Appendix D - Summary of Corporation s Enterprise Wide BSA/AML Quantitative Risk.. 28 Appendix E - BSA Risk Analysis Chart, Customers/Accounts, Products/Services and Geographies...29 FFIEC Bank Secrecy Act/Anti-Money Laundering Examination Manual Appendixes Appendix I: Risk Assessment Link to the BSA/AML Compliance Program Appendix J: Quantity of Risk Matrix. 33 Research/References/Sources Page 3 of 35

4 AUDITING & UPDATING a $13 BILLION ORGANIZATION S BSA/AML RISK ASSESSMENT By Donna Davidek, CAMS December 30, 2013 The Business Dictionary (1) defines Risk Assessment as The identification, evaluation, and estimation of the levels of risks involved in a situation, their comparison against benchmarks or standards and their determination of an acceptable level of risk. The risk assessment process is not new to the Banking industry. Risk assessments have been conducted in many areas within banking organizations for years, so it seemed appropriate when the BSA area came into regulatory focus. Since at least 2005, every depository financial institution has been required to perform and document a written BSA/AML Risk Assessment. The purpose of a comprehensive risk assessment is to assess the enterprise wide BSA/AML risk profile of the organization, including the Bank and all subsidiaries. By determining the enterprise wide BSA/AML risk profile, the organization can evaluate the adequacy of existing processes and where required, modify and update the risk management processes in an effort to more effectively identify and mitigate risk. A risk assessment can serve as a valuable tool for any Banking institution that wants to manage its BSA/AML risk effectively. The key is to understand the Bank s risk exposure and develop the necessary policies, procedures, systems, and controls to mitigate the risk. The emphasis by regulators for financial institutions to conduct detailed risk assessments has increased substantially over the years. Today, there is an expectation by regulators for BSA/AML Risk assessments to provide a more granular and in-depth review of all areas of the organization. There is not one recommended methodology or format specified or method required when completing a risk assessment. As long as the risk assessment can be understood by the appropriate parties who will read it, the format should be acceptable to federal regulators. The information contained in this whitepaper does not address OFAC risk as the organization represented conducted and documented a stand-alone OFAC Risk Assessment. It is acceptable for the OFAC Risk Assessment to be incorporated into the organization s overall BSA/AML Risk Assessment; however, it is best practice for a large bank to create a stand-alone OFAC Risk Assessment. A process similar to the one outlined in this paper was also conducted when auditing and updating the OFAC Risk Assessment. Page 4 of 35

5 AUDITING THE EXISTING BSA/AML RISK ASSESSMENT When faced with the task of auditing an institution s existing BSA/AML Risk Assessment, to determine if it is adequate for the present state of the organization, the initial question is Where Do I Begin? There are many reasons why a risk assessment should or must be updated. In order to determine whether the existing risk assessment needs to be updated or whether it must be rewritten in its entirety, the auditor must thoroughly review the existing risk assessment to determine if it appropriately represents the organization s current risk profile and also conforms to regulatory standards. The reviewer must determine if necessary control points, as represented in the list below, are included within the risk assessment: 1. The risk assessment should properly reflect the current BSA/AML risk profile across the entire organization. 2. The risk assessment should clearly identify all areas within the organization and specifically identify those Business Units (BUs) within the organization with direct BSA/AML responsibilities. The risk assessment should also clearly identify each BSA/AML responsibility specific to each Business Unit. 3. The risk assessment should include a detailed, in-depth evaluation of the inherent risk of every existing, new or significantly expanded or modified added customers, geographies, products, services and systems used or offered by each BU within the organization with direct BSA/AML responsibilities, an evaluation of the effectiveness of systems and internal controls utilized by each BU and the determination of the resulting residual risk of each product, service and system used or offered through each BU. 4. Any major events or changes that have taken place within the organization should be reflected in the risk assessment, e.g., mergers, acquisitions, expansions, changes in the organization s footprint/expansion into new markets, new or changes to products or services, prior inefficiencies identified that have not been corrected, new core data processing or anti-money laundering systems, the Bank has crossed the $10 billion mark and is now by definition considered to be a large Bank. 5. The findings provided in the risk assessment should be supported by appropriate qualitative and quantitative data. 6. The institution should maintain an effective process for periodically reviewing and updating the institution s risk assessment, insuring that all changes to BUs with any BSA/AML responsibilities are represented appropriately. Page 5 of 35

6 7. The risk assessment should be shared and communicated with all BUs across the organization, including management and appropriate staff. 8. The results of the organization s risk assessment should be reported to the appropriate supervisory committee and/or to the Board of Directors. 9. At a minimum, the organization s BSA/AML Risk Assessment should have been updated within the past twelve to eighteen months; however, the current standard practice for most organizations is to update the risk assessment every twelve months. Prior to changing products or services or engaging in new customers or geographies, a risk assessment update would also be warranted. Regulatory changes may also warrant a risk assessment update. After reviewing the existing risk assessment, it was determined to be inadequate. The existing risk assessment lacked major areas of detail necessary to appropriately determine the organization s risk profile. The original risk assessment was created in a format following the principles represented in the FFIEC s BSA Examination Manual Appendix J: Quantity of Risk Matrix and Appendix I: Risk Assessment Link to the BSA/AML Compliance Program. Smaller community Banks often use these matrixes to formulate summary conclusions; however, it is not particularly useful when developing a risk assessment for a large institution. Appendix J may be utilized for a baseline approach; but a large Bank s products, services, customer base, geographies and systems are often too complex for a simple matrix. The existing risk assessment consisted of a series of spreadsheets, one for each BU with BSA/AML responsibilities, including an overall summary. It was difficult to read and lacked a clear, descriptive narrative. Products, services and systems were not fully detailed. The risk assessment contained an insufficient listing of applicable red flags, inherent risks were not fully identified and risk rated, mitigating controls listed were not clearly defined and had minimal explanation and residual risk was not fully explained and/or risk rated. To summarize, the BSA/AML Risk Assessment conclusions were not adequately documented; therefore, they could not be supported. Risk assessments cannot lack supporting documentation; but should contain appropriate facts, justification and documentation in order to reach correct overall conclusions of defining the risks within an organization. Comprehensive supporting documentation should provide an auditor or regulator with the rationale that was utilized to reach overall conclusions in the risk assessment. In order to properly conclude there is a sufficient BSA/AML program in place, the risks at the institution must be appropriately identified. EXISTING BSA RISK ASSESSMENT Page 6 of 35

7 After completing the audit process, a decision had to be made to either update the existing risk assessment or rewrite it in its entirety. The Bank had transitioned to what was now defined as a large Bank and as a result, the existing risk assessment no longer adequately represented the BSA/AML risk profile of the organization. In order to be commensurate with the size and complexity of the organization, the decision was made to rewrite the risk assessment in its entirely. Core Components of a Comprehensive BSA/AML Risk Assessment Best Practice for a $13 Billion Institution After determining the existing risk assessment was outdated and did not adequately represent the current BSA/AML risk profile of the organization, a more detailed and granular risk assessment had to be developed. The objective is not solely to complete a risk assessment, as the risk assessment is not the end game but merely a tool. The risk assessment only focuses attention on inherent and residual risk. The greater objective is to create a meaningful risk assessment as a key tool to identify, prioritize and ultimately manage risk. There are numerous elements to consider when creating a risk assessment. The list below was drafted based on a great deal of research, information obtained through attending various ACAMS conferences and webinars and Appendix J and Appendix I from the FFIEC BSA Examination Manual. The following information gathered was utilized as a guide to determine what information should be included in the new risk assessment. 1. BSA/AML Risk Assessment Overview 1.1 Introduction (3) In an effort to define the purpose of the risk assessment, statements such as the following can be included: 1. The Bank has established a goal of maintaining a Bank Secrecy Act (BSA) and Anti-Money Laundering (AML) compliance program with strong risk monitoring procedures in place. 2. To achieve this goal, the Bank continuously monitors the various risks that could directly impact the quality of the Bank s program. 3. Based on the information contained in the risk assessment, the Bank has identified its BSA/AML risk profile to be High/Inadequate, Moderate/Adequate or Low/Strong, which ever risk rating is applicable. 4. Identifying the Bank s risk profile has assisted the Bank with delegating its resources and reasonably managing the Bank s overall BSA/AML Program. Page 7 of 35

8 5. The BSA/AML Risk Assessment provides a comprehensive analysis of the highest risks facing the organization and will be shared with Senior Management, the Board of Directors or whoever is applicable. The risk assessment should also indicate what it is not designed to accomplish. The risk assessment process should function as a guide in the development of applicable risk-based policies, procedures, systems and controls and is not designed to be utilized as a means of denying account relationships to specific entities or eliminating higher risk products or services. 1.2 Steps in the Risk Assessment Process (2) 1. Identification of Specific Risk Categories According to the FFIEC BSA/AML Examination Manual, the first step of the risk assessment process is to identify specific products, services, customers, entities and geographic locations. Steps in the Risk 2. Detailed Analysis The second step of the risk assessment process entails a more detailed analysis of the data obtained during the identification stage in order to more accurately assess BSA/AML risk. This step involves evaluating data pertaining to the Bank s activities (e.g., number of domestic and international funds transfers, private banking customers, geographic locations of the Bank s business area and customer transactions) in relation to Customer Identification Program (CIP) and customer due diligence (CDD) information. This detailed analysis is ultimately important because within any type of product or category of customer there will be accountholders that pose varying levels of risk. 3. Evaluation of the BSA/AML Program In this step, it is acknowledged the Bank has structured its BSA/AML Program to adequately address the concerns identified in the risk assessment; and as a result of the findings, appropriate policies and procedures were developed to monitor and control the various risks. 1.3 Detailed Bank Information A detailed description of the information that is specific and unique to the Bank should be included. 1. The current asset size of the Bank 2. The Bank s footprint: a. States where branch offices are located b. Markets within each state, including number of branch offices within each market c. Identify when and where any new branch offices were opened d. Define primary market areas by percentages of the entire Bank e. Identify location of corporate headquarters Assessment Process 1. Identification of Specific Risk Categories 2. Perform Detailed Analysis of the Gathered Data 3. Evaluation of the BSA/AML Program Page 8 of 35

9 f. List number of ATMs located throughout the Bank s footprint by state g. Indicate number of full-time associates employed by the organization and the percentage of turnover rate of associates, including key personnel h. Summarize the Bank s domestic and foreign operations, including an explanation of the Bank s policy on opening foreign business accounts 1.4 Customers and Entities The risk assessment should clearly define the entire client base, with particular concern for the identification of client/entity types conventionally associated with heightened risk of exposure for money laundering and terrorist financing. The preferred method of presenting information gathered is to create reports or spreadsheets that identify the information below by branch office, totaled by market and totaled by state, as well as the number of accounts and dollar amounts as a percentage by branch office, market and state. This process best defines the geographic regions of the client base by their share of the entire Bank. 1. Deposit Accounts number of accounts and total dollar amount, including percentages by market and percentages by state a. Personal b. Non-personal c. Time deposits 2. Loans Accounts number of accounts and total dollar amount, including percentages by market and percentages by state a. Personal b. Non-personal c. Loans secured by cash, marketable securities or cash value life insurance 3. Foreign Businesses a. Number of relationships b. Number of accounts c. Country of origin d. Occupation/Nature of business e. Type of account and dollar amount 4. Private Banking a. Definition of private banking that is exclusive to the Bank, including no international private banking clients b. List of products and or loans that are exclusive to private banking clients c. Identify deposit accounts and loan accounts, including number of accounts and dollar amount by market and state 5. Clients/Entities number of accounts and dollar amounts of: a. Entities as defined by NAICS codes b. Non-resident aliens Page 9 of 35

10 c. Resident aliens d. Sole proprietors e. Cash intensive businesses f. Politically Exposed Persons (PEPs) 1.5 Money Service Businesses (MSBs) The risk assessment should clearly state the Bank s position on opening accounts for clients determined to be MSBs. If the Bank has identified MSBs as part of their client base, a risk assessment should be performed on these entities. The MSB risk assessment should pertain to: 1. Currency dealers or exchangers 2. Check cashers 3. Issuers of traveler s checks, money orders or stored value cards 4. Sellers or redeemers of traveler s checks, money orders or stored value cards 5. Money transmitters Other factors to consider when completing the MSB risk assessment are the following: 1. Inherent risk factors of MSBs 2. Considerations for risk rating of MSB clients 3. Lower risk indicators 4. Higher risk indicators 5. Mitigating controls 6. Client base a. Identify number of high risk clients b. Type of business the MSB engages in; e.g., convenience store, grocery store, gas station, check cashing, etc. c. Total dollar amount of MSB activity: a. Credits and debits b. Cash in and cash out c. Incoming wires and outgoing wires d. Total number of transactions e. Identify top 10 MSB clients by dollar amount f. Identify top 10 MSB clients by cash: cash in, cash out and total cash d. Define demographics of all MSB clients a. Risk category of each MSB b. City and state where business in conducted c. Located in High Intensity Financial Crimes Area (HIFCA) and High Intensity Drug Trafficking Area (HIDTA), yes or no 7. Residual risk and overall risk rating of MSBs 8. Mitigating controls for MSB clients a. Customer Due Diligence (CDD) & Enhanced Due Diligence (EDD) b. FinCEN license registration c. Transaction monitoring d. Risk rating of each MSB client Page 10 of 35

11 2. BSA/AML Compliance Program Overview 2.1 Introduction (2) According to the FFIEC BSA/AML Examination Manual, the Bank s BSA/AML compliance program must provide for the following: 1. A system of internal controls 2. Independent testing of BSA/AML compliance 3. Designating an individual or individuals responsible for managing BSA compliance 4. Training for appropriate personnel It is best practice to acknowledge that the Bank has a written BSA/AML compliance policy that meets FFIEC requirements and has been approved by the appropriate board or committee of the Bank. 2.2 Internal Controls (2) The Bank s Board of Directors is ultimately responsible Internal Controls are the Bank s Policies, Procedures and Processes designed to limit and control risks and to achieve compliance with the BSA. for ensuring the Bank maintains an effective BSA/AML program. As a result, management is required to develop policies and procedures designed to limit and reasonably control BSA/AML risks identified in the risk assessment. The Bank s internal controls must consist of: 1. Conducting an annual BSA/AML Risk Assessment to identify those areas posing the highest risk for money laundering, terrorist financing and/or illegal activities. 2. Appointing a BSA Officer to be responsible for the BSA Policy and Procedures and oversight of the day-to-day compliance. 3. Designation of a centralized department responsible for managing the daily responsibility of BSA/AML compliance. 4. Policies and procedures to ensure compliance with all regulatory record keeping and reporting requirements. 5. Risk-based monitoring system to identify and report appropriate transactions including SARs and CTRs. 6. Meetings/Reports with appropriate boards or committees to discuss the following: a. Key Risk Indicators (KRIs) Page 11 of 35

12 b. High risk processes c. Compliance initiatives d. Program deficiencies, including Quality Control/Quality Assurance results e. Suspicious Activity Reports (SARs) filed f. Currency Transaction Reports (CTRs) filed g. Accounts closed due to suspicious activity h. Customer Identification Program (CIP) violations i. High Risk Accounts j. Completed and outstanding Training k. Source of alerts reported and investigations completed 2.3 Independent Testing This section is intended to provide all information related to independent testing of the BSA/AML Compliance Program. Information should include: 1. Defining responsibility for managing the independent audit process 2. Who independently conducts the audit 3. Frequency of audit conducted 4. Goal of the audit 5. Scope of the audit 6. Follow up meeting on findings during the audit 7. Defining responsibility for writing responses to findings 8. Requirement for prompt management follow up on resolving deficiencies cited in findings 2.4 BSA/AML Officer The qualified, designated BSA/AML Compliance Officer should be named as appointed on the applicable date by the Board of Directors. A brief description the BSA Officer s responsibility should also be included, in addition to an overview of the BSA associates who assist with the responsibility of day-to-day administration of the BSA functions. It should also be noted that the Board of Directors is responsible for ensuring the BSA Officer has sufficient authority and recourses to administer an effective BSA/AML Compliance Program based on the Bank s risk profile. (3) Page 12 of 35

13 2.5 BSA/AML Training Training for appropriate personnel is a requirement of a BSA program. Information regarding the Bank s training program and results should be thoroughly detailed in the risk assessment. Information to include: 1. How the training is conducted, e.g., computed-based, in person, etc. 2. How often training must be completed 3. Method of assigning and tracking the training courses, as well as training for new hires 4. Types of training, e.g., job specific, Business Unit BSA/AML programs, new hires, etc. 5. In the current calendar year, number of associates who completed their assigned BSA/AML training, including percentage of completion by associates 6. Timing of training completed by newly hired associated, e.g., new associates must complete their BSA/AML training within the first 60 days of employment 7. Include an outline of all training topics and testing materials included in the annual BSA/AML training, including the responsibility for selecting and organizing the BSA training program 8. Annual training for BSA Officer and ongoing training for BSA associates 9. Annual Board of Directors training Training is one of the four pillars of a BSA Compliance Program as indentified in the FFIEC BSA Exam Manual. The importance of assigning, completing and tracking training for all appropriate personnel cannot be overlooked. 3. BSA/AML Operations Overview 3.1 BSA/AML Policy An overview of the contents of the written BSA/AML Policy should reflect the purpose and goal of the policy and how the organization complies with the overall requirements of BSA regulations and the USA Patriot Act. Approval by the Board of Directors and the date approved should also be included. 3.2 BSA/AML Department This section should reflect that the Bank has established a centralized BSA Department responsible for overseeing and implementing the Bank s BSA/AML Program and monitoring, investigating and reporting suspicious activity. Indicate management has ensured adequate staff is allocated to Page 13 of 35

14 complete all steps necessary to appropriately identify and report criminal activity. Best practice is to list the physical location of the BSA Department, number of associates assigned to BSA, combined total number of years of BSA experience of the department as well as combined number of years of overall banking experience of the BSA associates. If any of the BSA associates have achieved any certifications or advanced certifications, such as ACAMS or ACAMS Audit, include that information in this section. 3.3 Customer Identification Program (CIP) All Banks must have a CIP. The CIP is intended to enable the Bank to form a reasonable belief that it knows the true identity of each customer. The risk assessment should contain an overview of the Bank s CIP to include: 1. Customer information required to open an account 2. Summary of risk-based procedures for verifying the identity of the customer a. Verification through documentary methods b. Verification through nondocumentary methods c. Additional verification for certain customers, e.g., when the Bank cannot verify the customer s true identity using documentary or nondocumentary methods 3. Procedures for circumstances when the Bank cannot verify the customer s identity 4. Recordkeeping and retention requirements 5. Adequate customer notice, when and how notice is provided to customer 6. When reliance on another financial institution for CIP is acceptable 4. Currency Transaction Reports (CTRs) and Monetary Instrument Logs (MILs) Information about the Bank s daily work process relative to CTRs and MILs should be included in the risk assessment. The daily work process would include: 1. System used to process CTRs 2. Reports utilized to indentify all reportable CTRs and verify cash in and cash out totals are correct 3. How cash is aggregated by tax identification number 4. How CTRs are created and verified 5. E-filing and acknowledging the file 6. Number of CTRs filed Page 14 of 35

15 7. Number of exempt clients, Phase I and Phase II, and define exemption process 8. Process of verification of monetary instrument logs 5. Anti-Money Laundering Software Risk Assessment Effective AML software provides a comprehensive enterprise-wide BSA compliance solution. By storing and evaluating data for both clients and accounts, AML software enables the BSA Department to reduce compliance risk, consistently apply BSA policies and procedures, accurately assess client risk, enforce a structured BSA review workflow to monitor transactions, facilitate management and Board oversight, and implement Customer Due Diligence and Enhanced Due Diligence programs. AML software also gives users the tools to create and manage cases for those clients and accounts requiring more thorough oversight and documentation. AML software can also provide BSA a portal for creating and filing Suspicious Activity Reports (SARs) for cases in which such action must be taken. The BSA Department is charged with the responsibility for the Bank s compliance with the BSA, including detection of money laundering, terrorist financing and/or other criminal activity. The Bank should perform a risk assessment on the AML software used by the Bank. The risk assessment should be documented and included in the overall BSA/AML risk assessment. Information should include the following keys to implementing the AML software and understanding and validating its functionality: 1. Basic concepts of the AML software 2. How the software is configured 3. Define the case management system 4. Identification or alert of unusual activity 5. Management of alerts 6. Investigative guidelines for working cases 7. Suspicious Activity Reports (SARs) a. Decision making b. Completion c. Filing 8. Customer Due Diligence (CDD) and Enhanced Due Diligence (EDD) processes 9. Questions asked of client during the account opening process, including scoring of the responses by client 10. Use of software to indentify high risk clients a. Potential high risk clients b. Risk rating of clients 11. Software change control procedures 12. How data is imported from the core processing system to the AML software 13. Independent validation of the software: testing integrity and accuracy of the AML system, including audit results 14. Understand what the system does not do a. Identify gaps b. Results of a gap analysis performed on AML software Page 15 of 35

16 15. Utilization summary for specific date range of the risk assessment a. Number of investigations as a result of the AML software b. Number of cases resulting from investigations c. Number of SARs filed 16. Risk of failure of the AML software, hardware or data. An alternative definition for the acronym SAR is SOMETHING AIN T RIGHT!! 6. High Risk Determination and Tracking The BSA Department is responsible for developing and maintaining a list of clients identified by the Bank as potentially posing a High Risk of terrorist financing or financial crimes, including money laundering. The list of High Risk clients may evolve from many different sources, such as their type of business, account activity, geographic location, etc. This section should define the various ways BSA Department personnel are alerted of potential suspicious clients/activity: 1. AML software a. Risk runs b. Peer analysis worklists c. Customer Due Diligence (CDD) questions d. Account Due Diligence (ADD) questions 2. Notification from associates outside of the BSA Department (internal notification) 3. Law enforcement requests e.g., subpoenas, national security letters, etc. 4. Cash shipment reports 5. Daily CTR processing and exemption reviews (a) matches 7. Incoming and outgoing 314(b) requests 8. SARs filed Define process used to determine and track High Risk Clients: 1. Review is conducted and based on investigation, client is determined to be high risk 2. Annual risk rating of entire data base 3. Customer Due Diligence (CDD) review consisting of responses to questions asked of client during the account opening process 4. Expanded due diligence for high risk clients 5. Identifying and tracking new potentially high risk clients Page 16 of 35

17 What defines High Risk Entities and Activities? Although attempts to launder money through a legitimate financial institution can emanate from many different sources, certain kinds of businesses, transactions or geographic locations may lend themselves more readily than other to potential criminal activity. All high risk client relationships should clearly be identified by number of accounts and type of business. The BSA Risk Analysis Chart, Appendix E, may be a useful tool when performing BSA risk analysis in an effort to identify higher risk clients. 7. Regulation GG The risk assessment should state the Bank s position to not maintain accounts with any business involved in internet gambling. The process and method utilized by the Bank to evaluate the likelihood that a potential client is engaged in an internet gambling business should be defined and included in the risk assessment. Regulation GG Unlawful Internet Gambling Enforcement Act of Enterprise Wide BSA/AML Exam & Audit Reports The information in this section should consist of the results of all exams and audits, both internal and independent and the results of any BSA/AML findings. The information can be placed in spreadsheet format and should include: 1. Business Unit and/or Subsidiary 2. Date of last audit or exam 3. BSA/AML Findings yes or no 4. Audit schedule, e.g., months, months, months, etc. 5. Detailed description of each finding 6. Management response to each finding The results of the BSA Department exams and audits should also be included in this section. 9. Business Units (BUs) There are numerous Business Units (BUs) within a banking organization. All associates within all BUs are responsible for BSA/AML compliance, but not all BUs have job specific BSA/AML responsibilities. The BUs within the organization with specific BSA/AML responsibilities should be identified in the risk assessment. Page 17 of 35

18 9.1 Products and Services (Appendix A) (2) Certain products/services pose a higher risk of money laundering or terrorist financing depending on specifics as offered by the Bank. Such products may facilitate a high degree of anonymity or involve the handling of high volumes of currency or funds transfers or practices with limited paper trails making it difficult to follow the money. There may be products with high volumes of transactions that make it challenging to identify the legitimate transactions. Some of these products and services are listed below, but the list is not all inclusive: Lending Activities Electronic Banking Trust & Asset Mgmt. Mobile Banking Remote Deposit Capture PRODUCTS & SERVICES Payroll Cards ACH Credit Cards Funds Transfers Private Banking 1. Electronic funds payment services electronic cash (e.g., prepaid and payroll cards), funds transfers (domestic and international), third-party payment processors, automated clearing house (ACH) transactions and automated teller machines (ATMs) 2. Electronic banking 3. Private banking (domestic and international) 4. Trust and asset management services 5. Monetary instruments 6. Lending activities, particularly loans secured by cash collateral and marketable securities 7. Nondeposit account services (e.g., nondeposit investment products and services) 8. Foreign correspondent accounts 9. Trade finance 10. Services provided to third party payment processors or senders 11. Foreign exchange 12. Special use or concentration accounts The expanded sections of the FFIEC BSA/AML Examination Manual provide guidance and discussion on specific products and services detailed above. The risk assessment should identify all products and services within the organization and indicate the BU specifically responsible for each product/service. The risk assessment must take into consideration all of the organization s BUs and operating subsidiaries and how the risk of one BU is interrelated to another BU. Think enterprise wide when performing the risk assessment related to BU s and their respective products, services, systems and controls: 1. Identify each BU and define all of its functions in detail 2. Identify and list each product and service offered through the BU a. Identify and list inherent risks associated with each product/service b. Include a risk rating for the inherent risks identified of each product/service, e.g., high, moderate or low Page 18 of 35

19 c. Identify and list the controls in place to mitigate each risk identified, including all systems utilized by the BU d. Include a risk rating of the residual risks identified after mitigating controls were analyzed, e.g., high, moderate or low e. Include a chart that summarizes activity for specific products/services, e.g., funds transfers. Information should include number of wires, dollar amount of wires, monthly totals of each category including overall percentages of domestic and foreign, personal and non-personal. This process can be achieved through a series of spreadsheets that represents each BU in its entirety. By gathering information relative to each BU and maintaining all documentation to support the reported data, the auditor can be confident that sufficient data has been gathered and analyzed to support the findings and resulting risk ratings. See Appendix A. The BU risk information will be summarized and recorded on a Risk Evaluation of Business Units/Products and Services spreadsheet. See Appendix B. 10. Identifying and Evaluating BSA/AML Risk 10.1 Introduction (3) The Bank should focus on developing a BSA/AML Risk Assessment by identifying risk categories unique to the Bank and analyzing the data identified to better assess the Bank s risk within these categories. The detailed analysis identifies the products, services, customers, entities and geographies that pose risk to the Bank. Joint participation with various departments and BUs across the Bank, management and appropriate staff should be considered to achieve the best results. Through the risk assessment process, the Bank will lay a foundation for the efficient allocation of the organization s time and resources. By allocating its resources to the areas of highest risk, the Bank can effectively manage and reduce its BSA/AML risk High Intensity Drug Trafficking Areas (HIDTA) and High Intensity Financial Crimes Areas (HIFCA) Locations The total number of the Bank s branch office locations should be included, indicating the number of locations in HIDTAs and HIFCAs. At the time of this writing, there are 28 HIDTAs, which include approximately 16 percent of all counties in the United States and 60 percent of the U.S. population. HIDTA-designated counties are located in 46 states, as well as in Puerto Rico, the U.S. Virgin Islands, and the District of Columbia. At the time of this writing, there are 7 states in the U.S. with areas of jurisdiction by counties that are considered HIFCAs. They are California, Arizona, counties bordering and adjacent to those bordering the U.S. and Mexico boundary in Texas, Illinois, (Chicago), New York, New Jersey, and South Florida. All areas of Puerto Rico and all areas of the U.S. Virgin Islands are also Page 19 of 35

20 considered HIFCAs. The Bank s branch locations should be identified by name, address, city, state, zip code, county and HIDTA yes or no and HIFCA yes or no. This information can be placed on a spreadsheet and included in the risk assessment. HIDTA information can be obtained at: HIFCA information can be obtained at: Each of these various levels of risk for each of the items listed below should include a brief description as defined by the Bank. The definitions of the risk listed below will be utilized when analyzing all information gathered to determine the Bank s Final BSA/AML Risk Score: 1. Inherent Risk define what determines a rating of High, Moderate or Low 2. International transactions Yes or No 3. Geographic Risk define what determines a rating High, Moderate or Low 4. Cash Intensive Yes or No 5. Monitoring/Mitigating Controls define what determines controls considered to be Strong, Adequate or Weak 6. Residual Risk define what determines a rating of High, Moderate or Low Page 20 of 35

21 11. Corporation s Risk Identification & Evaluation of Business Units/Products and Services (Appendix B) In an effort to determine the Bank s Final BSA/AML Weighted Risk Score, information determined from the risk identification and evaluation must be analyzed. In the first step above, the inherent risk, mitigating controls and resulting residual risk of each product/service was determined and documented on the Business Units BSA/AML Risk Identification and Evaluation of Products and Services (Appendix A). The second step is to create a spreadsheet to record the various risk levels determined in the risk evaluation conducted as outlined in Appendix A. In this step, additional information will be analyzed to determine the Bank s final BSA/AML scoring. The additional information includes International Transactions, Geographic Risk, Cash Intensive, the Business Unit Risk Rating, the Risk Weight of each BU and the Final Risk Weighted Score of the entire Bank. See Appendix B. Appendix A: Represents the risk identification and evaluation of each BU within the Bank. Appendix B: Represents the Bank and all of its BUs. Appendix C: The same process represented in Appendix A and Appendix B should be repeated for each subsidiary of the Bank and each subsidiary of the organization, as represented by Appendix C. An additional column can be added to spreadsheets containing identified risks to indicate whether the residual risk trend is increasing, decreasing or stable. The risk trend can be measured as indicated below: Increasing Decreasing Stable 12. Summary of Corporation s Enterprise Wide BSA/AML Quantitative Risk (Appendix D) The final stage in determining the Corporation s Enterprise Wide BSA/AML Risk Score is to create a final spreadsheet containing a summary of the quantitative risk results by company. Each company within the corporation should be listed, along with each BSA/AML rating that has been determined after performing a detailed analysis of the data gathered during the identification stage. The analysis process gives management a better understanding of the Bank s risk profile in order to develop the appropriate policies, procedures and processes to mitigate the overall BSA/AML risk. In this step, the Risk Weight of each division of the corporation must be determined. In the sample spreadsheet represented by Appendix D, the Bank and Subsidiaries owned by the Bank represent 90% of the Risk Weight of the corporation. A Subsidiary owned by the Corporation represents 2% of the Risk Weight and an additional Subsidiary along with Companies owned by the Subsidiary represent 8% of the Risk Weight of the organization. The information on Appendix D represents the final process in summarizing the Corporation s Enterprise Wide BSA/AML Quantitative Risk as determined by the risk assessment process. Page 21 of 35

22 13. Mergers and Acquisitions If the organization has participated in recent mergers or acquisitions, the enterprises wide risk assessment should be updated to include a due diligence review of the newly acquired entity. This section should indicate any findings that may impact implementation, integration, financial considerations, and non-financial risk that could potentially impact the organization. Information gathered related to client base, products and services offered, international entities/transactions, high risk clients/entities indentified, SARs and CTRs filed, information on the existing BSA Compliance Program, etc. should also be included in the risk assessment. Based on the information gathered and analyzed, the due diligence team should determine the initial overall BSA/AML risk of the newly acquired entity. Anticipated integration timelines should also be recorded. As soon as possible, the risk assessment should be updated to include all information relative to the newly acquired entity. 14. New Product Committee In addition to the Bank having a comprehensive risk management program designed to identify measure, monitor and control risks related to existing products and services, the Bank should also have clearly defined objectives, expectations and risk limitations for all new products and services. To review, understand and approve projected risks of new products and services, the Bank s New Product Committee process should be defined in this section. The enterprise wide risk assessment should define the purpose of the committee and the process by which the committee will review and approve all new or significantly expanded or modified products and services. Not all organizations utilize a New Product Committee to review and approve new or significantly expanded or modified products and services. If the organization does not utilize a New Product Committee, indicate here the process the organization utilizes to identify, measure, monitor and control risks related to new or significantly expanded or modified existing products and services. products and services. Page 22 of 35

23 15. Projected BSA/AML Risks This section would include any projected strategic and regulatory BSA/AML risks identified that may have an impact on the corporation such as: 1. Products and services currently under consideration by the New Product Committee 2. Future mergers or acquisitions 3. Upcoming changes in regulations, e.g., FinCEN s Advanced Notice of Proposed Rule Making on Beneficial Owners The risk assessment should include any BSA/AML projected risks and management s plan on how to mitigate the risks identified. Page 23 of 35

24 CONCLUSION: THINK ENTERPRISE WIDE Auditing to determine the adequacy of a BSA/AML risk assessment requires significant time and commitment. The larger and more complex the organization, the more detailed both the audit and risk assessment process will be. Don t forget to Think Enterprise Wide. When auditing the risk assessment, the risks of each Business Unit are a major consideration. How the risks are interrelated among BUs across the entire enterprise must be considered and subjected to detailed analysis. The risk assessment process should be comprehensive, transparent and well documented. When completing the risk assessment process effectively, the end result will create the reliable conclusions necessary to establish appropriate policies, procedures, processes and systems required to develop the organization s Enterprise Wide BSA/AML Compliance Program, which is ultimately designed to measure and minimize risks associated with BSA/AML laws and regulations. RISK VS. REWARD Page 24 of 35

25 Appendix A SAMPLE SPREADSHEET Business Units BSA/AML Risk Identification and Evaluation Of Products and Services, Inherent Risks, Mitigating Controls and Residual Risks Business Unit Name Products/Services Inherent Risks Mitigation/Controls Residual Risk *List each product/service offered through BU *List applicable BU responsibilities & duties specific to each, including how they comply with duties such as the examples listed below: *List inherent risk of each product/service. *List red flags indentified. *Indicate inherent risk rating of each product/service/red flag identified. Risk Rating High, Mod or Low * List each mitigating control for each product or red flag identified for each product/ service. *List systems used for mitigation/controls. *Indicate residual risk rating of each product/service/red flag identified. Risk Rating High, Moderate or Low risk rating after analysis of mitigating controls # of Associates/Training Suspicious Activity Monitoring Client Services Offered 314a Requirements CTR Requirements MIL Requirements Funds Transfer Requirements Internal Risk Assessment CIP Requirements Include a chart to summarize all products and services listed to include, number of clients, number of transactions, dollar amounts, and all information that applies to each specific BU. The goal of each spreadsheet is to define each BU, products/services they offer, the BSA/AML responsibilities specific to each BU and how each BU complies with their BSA/AML responsibilities, including monitoring for suspicious activity. Each BU spreadsheet should also list every product or service offered by the BU, including any associated red flags; identify the inherent risks associated with each risk identified, the associated mitigating controls and the resulting residual risk. The BU, products/services and applicable risk ratings are recorded on Appendix B. Page 25 of 35

26 Appendix B SAMPLE SPREADSHEET Date: RISK EVALUATION OF BUSINESS UNITS/PRODUCTS AND SERVICES BUSINESS UNIT Inherent Risk Intl Trans Geo Risk Cash Inten sive Monitoring / Mitigating Controls Residual Risk Business Unit Risk Rating Final Risk Numeric Equivalent Final Risk Weight Final Risk Weighted Score BANK NAME MODERATE 2 50% Retail Banking High Yes Moderate Yes Adequate High Personal Checking High Yes Moderate Yes Adequate High Non-Personal High Yes Moderate Yes Adequate High Checking Alternative Delivery Moderate Services Personal Online High No Moderate No Adequate Moderate Banking Personal Bill Pay High No Moderate No Adequate Moderate Mobile Banking High No Moderate No Adequate Moderate Deposit Services High N/A N/A N/A Strong Moderate MODERATE 2 5% Facility Services Low N/A N/A N/A Adequate Low LOW % Human Resources Low N/A N/A N/A Strong Low LOW % Mortgage Company MODERATE 2 2.5% ABC Mortgages Moderate No Low No Adequate Moderate Loan Operations Low N/A N/A N/A Strong Low LOW 1 1% Loan Review Low N/A N/A N/A Strong Low LOW 1 1% Security Department High N/A N/A N/A Strong Moderate MODERATE 2 5% Treasury Management HIGH 3 15% ACH/IAT Services High Yes Moderate No Adequate Moderate Remote Deposit Capture (RDC) High No Moderate No Adequate Moderate Wire Transfers High Yes High No Adequate High List each BU & related product/service Determine applicable ratings & Final Risk Weight 20%.295 FINAL BSA/AML WEIGHTED RISK SCORES HIGH YES MODERATE YES ADEQUATE MODERATE Bank Name FINAL BSA/AML WEIGHTED RISK SCORE 100% MODERATE RISK NUMERIC EQUIVALENT 0 to = LOW RISK 2 to = MODERATE RISK 3 + = HIGH RISK This chart represents a sample of a partial list of Business Units and their related products/services within the organization. All BUs should be included on the chart, along with applicable ratings and the Final Risk Weight of each BU as determined after completing appropriate analysis. The Final Risk Weighted Score can then be calculated to determine the Bank s Final BSA/AML Weighted Risk Score, which will be recorded on Appendix D. Page 26 of 35

27 Appendix C SAMPLE SPREADSHEET Date: CORPORATION RISK EVALUATION OF COMPANY/PRODUCTS AND SERVICES Inherent Risk Geo Risk Cash Intensive Monitoring / Mitigating Controls Residual Risk Final Risk Numeric Equivalent Final Risk Weight Final Risk Weighted Score Business Unit Intl Trans Final Risk Subsidiary owned by Bank High Yes High No Adequate Moderate MODERATE 2 100% *Company owned by subsidiary *Company owned by subsidiary MODERATE NAME OF SUBSIDIARY OWNED BY BANK BSA/AML RISK ASSESSMENT Summary of Quantitative Risk by Company Date: Company BSA/AML Rating Risk Numeric Equivalent Risk Weight Risk Weighted Score Subsidiary owned by Bank MODERATE % *Company owned by subsidiary MODERATE % *Company owned by subsidiary MODERATE % BSA/AML FINAL WEIGHTED RISK SCORE of SUBSIDIARY OWNED by BANK MODERATE 100% RISK NUMERIC EQUIVALENT 0 to = LOW RISK 2 to = MODERATE RISK 3 + = HIGH RISK Page 27 of 35