Assessing Inherent BSA/AML Risk at Community Banks
by Bronwen Macro, BSA/AML Risk Coordinator, Federal Reserve Bank of San Francisco
Every community bank faces some degree of inherent Bank Secrecy Act/Anti-Money Laundering (BSA/AML) risk. This inherent risk comes from a bank's products and services, customers and entities, and the geographical locations in which the institution and its customers operate. Effective BSA/AML compliance programs incorporate appropriate controls to mitigate these risks. However, with the rapid speed of innovation in the banking industry and a continued regulatory focus on BSA/AML compliance, accurately assessing inherent BSA/AML risk is an important first step in the BSA/AML compliance process.
This article is intended to help community bankers understand potential indicators that can be indicative of elevated levels of inherent BSA/AML risk and heightened legal and compliance risk that may bring greater regulatory focus.1 The article begins by reviewing some of the factors regulators may assess to identify institutions' inherent BSA/AML risk and discussing the evolving nature of that risk. It then offers observations on key characteristics of effective risk identification programs and examiner expectations for analysis and mitigation of community bank BSA/AML compliance risks. It concludes with a specific discussion of two important areas: (1) setting the right compliance tone at the top of the organization and (2) including the BSA compliance officer in new product development discussions.
Evolving Nature of BSA/AML Risk
Over the past 40 years, both the BSA/AML regulatory environment and the financial services environment have evolved. When the Bank Secrecy Act was enacted in 1970, the primary intent was to combat drug trafficking, with regulations focused on the domestic banking system and on cash transactions, which were most often conducted face-to-face. In 2001, with the passage of the USA PATRIOT Act, the AML framework in the United States and the BSA itself were significantly amended in recognition of the changed landscape of financial crimes and systems. BSA/AML regulatory requirements were expanded to confront a broader set of criminal activities, including terrorist financing. Regulations address the complex financial services environment that has continued to evolve since the BSA was first enacted; this environment now relies to a large extent on fast-paced, anonymous transactions within a globally intertwined financial system.
Increasingly complex product offerings complicate risk assessment activities, as these offerings, by their very nature, are more difficult to assess than traditional banking products and services. For example, electronic banking systems, the purpose of which are to expedite the delivery of banking products and services, have replaced traditional face-to-face contact with remote, electronic account opening and transaction initiation. Likewise, electronic cash, including mobile payments and pre-paid cards, provide similar conveniences but also greater risks associated with reduced transparency of transactions.
While these innovations deliver numerous benefits to customers and bankers, the change in delivery systems often increases the risks of what previously were lower-risk services. For example, online account openings present challenges in verifying the account holder's true identity and geographic origin or business footprint; these challenges are further exacerbated by the almost instantaneous processing and settlement of transactions. All these issues affect an institution's ability to predict the type and frequency of transactions the customer is likely to make; without a firm understanding of the customer's risk profile, monitoring for suspicious activity and, by extension, the reporting of suspicious activity can be more challenging.
In addition to the fast pace of innovation, banks are facing a sustained low interest rate environment, and many institutions find themselves facing added pressure to offer new and competitive services, sometimes without adequately reviewing and assessing the risk of these services. Implementation of these products without appropriate vetting can mean that the inherent risk profile of the institution increases without a commensurate enhancement to risk mitigants. At the same time, the low interest rate environment also introduces pressure to cut costs, and operational areas such as compliance are often prime targets for trimming. Institutions with increasing BSA/AML risk profiles and dwindling resources may be vulnerable to having weakened BSA/AML programs.
As BSA/AML risk increased, the financial crisis may have diverted some management teams' focus away from BSA/AML as they addressed their institutions' financial viability. Consequently, some BSA/AML programs became stagnant and did not keep pace with the institutions' subsequent growth, expansion, and changing risk profile.
Throughout this time, the core BSA/AML program elements have remained the same; however, as banking products and services became more complex and electronic in nature, accurately assessing these risks became even more challenging and critical. At the same time, the consequences of noncompliance have become more severe.
Importance of Proper Risk Assessment
Identifying the inherent BSA/AML risk of an institution's products and services, customers and entities, and the geographic locations in which the institution and its customers operate is the first step in developing an effective BSA/AML compliance program. It is only after these risks are identified and analyzed that an institution can begin to develop a compliance program tailored to and commensurate with the risk profile of the institution. Understanding the inherent risk faced by the institution will determine how it approaches the four pillars2 of BSA compliance. For example, the level of inherent risk should determine (1) the nature and extent of internal controls, (2) the scope of independent testing, (3) the skills and expertise required of the BSA compliance officer, and (4) the focus of and approach to training. The board of directors and senior management at community banks should develop compliance programs tailored to the specific inherent risks of their institutions. Likewise, the nature and extent of mitigating controls, including investments in infrastructure and human resources, should be commensurate with a bank's risk profile.
The stakes for failing to comply with BSA/AML regulations have never been higher. Not only has noncompliance in some recent cases resulted in significant fines and penalties, but weak programs can also stall expansionary plans. In 2012, various regulatory agencies assessed fines and penalties against a number of institutions that in aggregate exceeded $3.2 billion;3 this represented the largest amount in BSA/AML and Office of Foreign Assets Control penalties ever imposed over a one-year period. In addition to the monetary penalties and fines, these banks incurred significant expenses associated with remediating their compliance programs, such as increases in staffing and investments in technology, as well as related legal expenses. But even if compliance program shortcomings are not significant enough to warrant monetary penalties, material deficiencies that are deemed to make a program less than satisfactory can curtail an institution's expansionary activities. Section 327 of the USA PATRIOT Act requires federal banking agencies to consider an institution's BSA/AML compliance program when reviewing a bank's application. The Board of Governors of the Federal Reserve System (Board) has published a supervisory letter on Section 327 for institutions submitting applications to the Board that states:
On a case-by-case basis, depending on information contained in examination reports and obtained from other regulators, further information about the effectiveness of an applicant's anti-money laundering activities may be required from the applicant to complete the Federal Reserve's analysis of an application. The applications record maintained by the Board and the Reserve Banks should continue to include documentation relating to the review of an applicant's efforts to combat money laundering activities, including information about contacts with other regulators.4
Thus, inadequate BSA/AML compliance could adversely affect a banking application.
Most of the recent high-profile enforcement actions have focused on internal control deficiencies at large, globally active financial institutions. Although not often in the public realm, deficiencies at community banks have also been noted, and similar to findings at the large institutions, weaknesses at smaller institutions often involve a deficient customer risk-rating process. For both large and small institutions, the ability to identify high-risk customers directly impacts the efficacy of monitoring regimes; if risk identification and follow-through are weak, institutions may fail to file Suspicious Activity Reports when necessary.
The problem often lies in inadequate customer due diligence because banks may not fully understand their customers' business. For example, a money services business (MSB) engaged solely in payroll check cashing likely poses less risk than an MSB providing multiple lines of products, including high volumes of cross-border money transfers. Understanding the specifics of the business and making distinctions between high- and low-risk customers are crucial first steps in being able to calibrate risk monitoring and identify and report any suspicious activity.
Key Categories of BSA/AML Risk for Community Banks
Inherent BSA/AML risk falls into three main categories: (1) products and services, (2) customers and entities, and (3) geographic location. The first step in understanding the inherent risk is to identify the extent to which these categories present risk for the institution; the second step is to analyze these risks more thoroughly so that the true nature of the risk is known and appropriate controls can be developed.
Within the three categories, certain characteristics present higher levels of inherent BSA/AML risk. Specifically, customers, products, and services that obscure financial transparency, allow for anonymity, or include multiple parties along the payment chain are especially vulnerable to money laundering. For example, financial intermediaries, such as third-party payment processors, MSBs, or foreign correspondents, pose higher risks because banks lack direct access to, or knowledge of, their customers' customers; due diligence and suspicious activity monitoring efforts are thus more challenging and more critical for mitigating risks. Similarly, prepaid cards and virtual currencies both offer anonymity and can involve many parties, again making it difficult for banks to identify specific customer activity and determine whether that activity is suspicious. As such, community bank management should ask itself several questions to help identify some of these areas of heightened BSA/AML risk.
Higher-Risk Products and Services
- Do we have significant volumes of electronic payments, such as wire transfers, ACH, prepaid cards, and remittances?
- Do our customers actively engage in, or have we recently implemented, electronic banking services, such as remote deposit capture, online account opening, and/or Internet transactions?
- Do we provide services to third-party payment processors or senders?
Higher-Risk Customers and Entities
- Do we have a significant portfolio of cash-intensive business customers, such as privately owned ATMs or convenience, liquor, or retail stores?
- Does our customer base include foreign entities, such as financial institutions (banks and foreign money service providers, including exchange houses, money transmitters, etc.), corporations, and/or individuals?
- Do we have significant business related to nonbank financial institutions, including MSBs and casinos?
- Do we have a significant number of professional service provider customers, including attorneys, accountants, real estate brokers, etc.?
- Do we maintain accounts for domestic and/or foreign nongovernmental organizations?
- Does our customer base include a significant number of politically exposed persons?
Higher-Risk Geographic Locations
- Do our customers engage in or process transactions involving international locations identified by the U.S. State and/or Treasury Departments, the Financial Action Task Force, or other international bodies as having strategic deficiencies in their countries' AML frameworks or being susceptible to corruption, and/or geographic locations outside of our normal business area?
- Are any of our customers located in, or do they conduct transactions with, offshore financial centers?
- Do we maintain branches in or have significant customer populations located within domestic locales designated as High Intensity Drug Trafficking Areas and/or High Intensity Financial Crimes Areas?
Once the areas of inherent risk are identified, further analysis is needed to fully understand the risks of each category. For example, a first level of analysis may include the review of data pertaining to the volume of transactions and the number of higher-risk customers. Pairing these data with customer due diligence information, such as the purpose of the account, the products and services used, transaction and dollar volumes, and jurisdictions involved, allows management to make necessary distinctions between seemingly similar customers. For example, a local doctor who has been a longstanding customer and uses remote deposit capture to collect low-dollar payments for office visits from her customers likely presents a lower level of risk than an MSB that deals with customers and parties located in a foreign jurisdiction. After conducting such analyses, management is better equipped to build monitoring systems calibrated to the specific risks of the bank's customers.
Getting It Right
How can management ensure that the bank is adequately assessing inherent risk? Institutions with strong BSA/AML risk assessment programs take a dynamic approach to risk assessment, as opposed to viewing it as a static exercise only performed once every few years. These institutions also ensure that the BSA compliance officer is a fixture in any new product discussion. Finally, the board of directors and senior management at these institutions set the right compliance tone from the top by demonstrating the importance of understanding, monitoring, and controlling BSA risk.
A dynamic BSA/AML program is one that revisits its risk assessment regularly, or even on an ongoing basis, depending on its risk profile, by comparing the assessment with the bank's current products, service offerings, and customer mix. A good assessment appropriately considers the products, services, customers, transactions, and jurisdictions that currently pose risks to the institution. If the institution has recently implemented new products and services, these risks should be reflected in the risk assessment and control environment. Integral to this process is a strong "know your customer" program in which customer information is collected on an ongoing basis to maintain up-to-date information on activity and product utilization and the associated risks. Not only is this practice good for BSA/AML compliance purposes, it is also good for business. Building customer relationships, especially with small businesses, includes demonstrating a current understanding of the customer's specific business and industry and showing that the bank can anticipate and fulfill the customer's banking needs as they arise.
Along with periodic updates to the risk assessment, examiners expect banks to perform a review of the control framework and make updates and enhancements to address any gaps presented by new or heightened risks. This includes reevaluating and recalibrating automated monitoring systems to ensure that they continue to make sense for the types of transactions the bank is trying to identify or control, especially given the bank's updated risk profile.
Another important step in the inherent risk assessment process is to include the BSA compliance officer in any new product or service development activities.5 It is crucial that the BSA compliance officer be involved from the very beginning so that potential risks are identified and understood early, prior to implementation. As new technologies are developed, the associated risks are often unknown. These risks have the potential to affect not only inherent risk but also the control framework. In this regard, management should consider the following questions:
- How does the new product or service affect our risk profile?
- What steps need to be taken to appropriately mitigate the risks?
- Do we have the expertise, capacity, and compliance resources to take on the new product or service and/or the various associated service providers?
These types of questions should be discussed with all appropriate stakeholders, and adequate planning should be in place before any new product or service is implemented.
Finally, effective BSA/AML compliance programs reflect a strong commitment to compliance from the board of directors and senior management. This extends to all aspects of the program, including risk identification and analysis. Discussions about BSA/AML risk should be conducted at all levels of the organization, including the board of directors, executive management, line management, and staff. Assigning proper priority to the BSA compliance program also includes investing in compliance talent and resources, empowering compliance officers with the necessary authority to resolve identified issues, and creating a formal mechanism for reporting on BSA/AML risks and issues to the highest levels of the organization.
Understanding an institution's inherent risk is the first step in developing a strong BSA/AML compliance program, and getting it right has never been more challenging. At the same time, the stakes for noncompliance have increased. Banks with strong BSA/AML compliance programs have made ongoing risk assessment a priority for their institutions, included their BSA compliance officer in new product development discussions, and set the right tone at the top of the organization.
Back to top
- 1 While this article focuses on community banks, these principles are relevant to banks of all sizes.
- 2 BSA/AML programs must include the following minimum requirements (also known as the four pillars): (1) a system of internal controls, (2) independent testing of BSA/AML compliance, (3) designation of an individual or individuals responsible for managing BSA compliance (BSA compliance officer), and (4) training for appropriate personnel.
- 3 See details of fines and penalties assessed in 2012 by OFAC at www.treasury.gov/resource-center/sanctions/CivPen/Pages/2012.aspx; FinCEN at www.fincen.gov/news_room/nr/; and the Federal Reserve at www.federalreserve.gov/newsevents/press/enforcement/20121210a.htm.
- 4 See SR Letter 02-8, "Implementation of Section 327 of the USA Patriot Act in the Applications Process," March 20, 2002, at www.federalreserve.gov/boarddocs/srletters/2002/sr0208.htm.
- 5 For a more expansive discussion of best practices around new product development, reference "Considerations When Introducing a New Product or Service at a Community Bank," Community Banking Connections, First Quarter 2013, available at www.cbcfrs.org/articles/2013/Q1/Considerations-When-Introducing-A-New-Product.