
A BSA/AML RISK ASSESSMENT - ACAMS



Page 1 of 35

A BSA/AML RISK ASSESSMENT

TABLE OF CONTENTS

Auditing & Updating a $13 Billion Organization's BSA/AML Risk
Auditing the Existing BSA/AML Risk
Core Components of a Comprehensive BSA/AML Risk
1. BSA/AML Risk Assessment: Steps in the Risk Assessment; Detailed Bank Customers and Money Service Businesses (MSBs) (page 10)
2. BSA/AML Compliance Program: Internal; Independent; BSA/AML; BSA/AML
3. BSA/AML Operations: BSA/AML; BSA/AML; Customer Identification Program (CIP) (page 14)
4. Currency Transaction Reports (CTRs) and Monetary Instrument Logs (MILs) (page 14)
5. Anti-Money Laundering Software Risk
6. High Risk Determination and
7. Regulation
8. Enterprise Wide BSA/AML Exam & Audit
9. Business Units (BUs) (page 17); Products and Services (Appendix A) (page 18)
10. Identifying and Evaluating BSA/AML; HIDTA and HIFCA; Risk Identification and Evaluation
11. Corporation's Risk Identification and Evaluation of Business Units/Products and Services (Appendix B) (page 21)
12. Summary of Corporation's Enterprise Wide BSA/AML Quantitative Risk (Appendix D) (page 21)
13. Mergers and
14. New Product
15. Projected BSA/AML
CONCLUSION: Think Enterprise
SAMPLE SPREADSHEETS:
Appendix A - Business Units BSA/AML Risk Identification and Evaluation of Products and Services, Inherent Risks, Mitigating Controls and Residual
Appendix B - Risk Evaluation of Business Units/Products and
Appendix C - Corporation Risk Evaluation of Company/Products and
Appendix D - Summary of Corporation's Enterprise Wide BSA/AML Quantitative
Appendix E - BSA Risk Analysis Chart, Customers/Accounts, Products/Services and
FFIEC Bank Secrecy Act/Anti-Money Laundering Examination Manual Appendixes:
Appendix I: Risk Assessment Link to the BSA/AML Compliance
Appendix J: Quantity of Risk
Research/

AUDITING & UPDATING A $13 BILLION ORGANIZATION'S BSA/AML RISK ASSESSMENT

By Donna Davidek, CAMS
December 30, 2013

The Business Dictionary (1) defines Risk Assessment as "The identification, evaluation, and estimation of the levels of risks involved in a situation, their comparison against benchmarks or standards and their determination of an acceptable level of risk."

The risk assessment process is not new to the banking industry. Risk assessments have been conducted in many areas within banking organizations for years, so it seemed appropriate when the BSA area came into regulatory focus. Since at least 2005, every depository financial institution has been required to perform and document a written BSA/AML risk assessment. The purpose of a comprehensive risk assessment is to assess the enterprise-wide BSA/AML risk profile of the organization, including the Bank and all subsidiaries. By determining the enterprise-wide BSA/AML risk profile, the organization can evaluate the adequacy of existing processes and, where required, modify and update its risk management processes to identify and mitigate risk more effectively. A risk assessment can serve as a valuable tool for any banking institution that wants to manage its BSA/AML risk effectively. The key is to understand the Bank's risk exposure and develop the necessary policies, procedures, systems and controls to mitigate that risk.

The emphasis by regulators on financial institutions conducting detailed risk assessments has increased substantially over the years. Today, regulators expect BSA/AML risk assessments to provide a more granular and in-depth review of all areas of the organization. No single methodology, format or method is specified or required when completing a risk assessment. As long as the risk assessment can be understood by the appropriate parties who will read it, the format should be acceptable to federal regulators. The information contained in this whitepaper does not address OFAC risk, as the organization represented conducted and documented a stand-alone OFAC risk assessment. It is acceptable for the OFAC risk assessment to be incorporated into the organization's overall BSA/AML risk assessment; however, it is best practice for a large bank to create a stand-alone OFAC risk assessment.

A process similar to the one outlined in this paper was also conducted when auditing and updating the OFAC risk assessment.

AUDITING THE EXISTING BSA/AML RISK ASSESSMENT

There are many reasons why a risk assessment should or must be updated. In order to determine whether the existing risk assessment needs to be updated or must be rewritten in its entirety, the auditor must thoroughly review the existing risk assessment to determine whether it appropriately represents the organization's current risk profile and conforms to regulatory standards. The reviewer must determine whether the necessary control points, listed below, are included within the risk assessment:

1. The risk assessment should properly reflect the current BSA/AML risk profile across the entire organization.
2. The risk assessment should clearly identify all areas within the organization, specifically identify those Business Units (BUs) with direct BSA/AML responsibilities, and clearly identify each BSA/AML responsibility specific to each Business Unit.
3. The risk assessment should include a detailed, in-depth evaluation of the inherent risk of every existing, new, or significantly expanded, modified or added customer, geography, product, service and system used or offered by each BU with direct BSA/AML responsibilities; an evaluation of the effectiveness of the systems and internal controls used by each BU; and the determination of the resulting residual risk of each product, service and system used or offered through each BU.
4. Any major events or changes that have taken place within the organization should be reflected in the risk assessment, for example mergers, acquisitions, expansions, changes in the organization's footprint or expansion into new markets, new or changed products or services, previously identified inefficiencies that have not been corrected, new core data processing or anti-money laundering systems, or the Bank crossing the $10 billion mark and therefore by definition becoming a large Bank.
5. The findings provided in the risk assessment should be supported by appropriate qualitative and quantitative data.
6. The institution should maintain an effective process for periodically reviewing and updating its risk assessment, ensuring that all changes to BUs with any BSA/AML responsibilities are represented appropriately.
7. The risk assessment should be shared and communicated with all BUs across the organization, including management and appropriate staff.
8. The results of the organization's risk assessment should be reported to the appropriate supervisory committee and/or to the Board of Directors.
9. At a minimum, the organization's BSA/AML risk assessment should have been updated within the past twelve to eighteen months; however, the current standard practice for most organizations is to update the risk assessment every twelve months. An update would also be warranted prior to changing products or services or engaging with new customers or geographies. Regulatory changes may also warrant a risk assessment update.

When faced with the task of auditing an institution's existing BSA/AML risk assessment to determine whether it is adequate for the present state of the organization, the initial question is "Where do I begin?"

After reviewing the existing risk assessment, it was determined to be inadequate. The existing risk assessment lacked major areas of detail necessary to appropriately determine the organization's risk profile. The original risk assessment was created in a format following the principles represented in the FFIEC's BSA Examination Manual Appendix J: Quantity of Risk Matrix and Appendix I: Risk Assessment Link to the BSA/AML Compliance Program. Smaller community Banks often use these matrices to formulate summary conclusions; however, they are not particularly useful when developing a risk assessment for a large institution. Appendix J may be utilized for a baseline approach, but a large Bank's products, services, customer base, geographies and systems are often too complex for a simple matrix.

The existing risk assessment consisted of a series of spreadsheets, one for each BU with BSA/AML responsibilities, plus an overall summary. It was difficult to read and lacked a clear, descriptive narrative. Products, services and systems were not fully detailed. The risk assessment contained an insufficient listing of applicable red flags; inherent risks were not fully identified and risk rated; the mitigating controls listed were not clearly defined and had minimal explanation; and residual risk was not fully explained and/or risk rated. In summary, the BSA/AML risk assessment conclusions were not adequately documented and therefore could not be supported. Risk assessments cannot lack supporting documentation; they should contain the appropriate facts, justification and documentation needed to reach correct overall conclusions about the risks within an organization. Comprehensive supporting documentation should provide an auditor or regulator with the rationale used to reach the overall conclusions in the risk assessment.

In order to properly conclude that a sufficient BSA/AML program is in place, the risks at the institution must be appropriately identified.

EXISTING BSA RISK ASSESSMENT

CORE COMPONENTS OF A COMPREHENSIVE BSA/AML RISK ASSESSMENT
Best Practice for a $13 Billion Institution

After determining that the existing risk assessment was outdated and did not adequately represent the current BSA/AML risk profile of the organization, a more detailed and granular risk assessment had to be developed. The objective is not solely to complete a risk assessment; the risk assessment is not the end game but merely a tool. The risk assessment only focuses attention on inherent and residual risk. The greater objective is to create a meaningful risk assessment as a key tool to identify, prioritize and ultimately manage risk. There are numerous elements to consider when creating a risk assessment.

