
A BSA/AML RISK ASSESSMENT - ACAMS



TABLE OF CONTENTS

Auditing & Updating a $13 Billion Organization's BSA/AML Risk
Auditing the Existing BSA/AML Risk
Core Components of a Comprehensive BSA/AML Risk
1. BSA/AML Risk Assessment Steps in the Risk Assessment Detailed Bank Customers and Money Service Businesses (MSBs)
2. BSA/AML Compliance Program Internal Independent BSA/AML BSA/AML
3. BSA/AML Operations BSA/AML BSA/AML Customer Identification Program (CIP)
4. Currency Transaction Reports (CTRs) and Monetary Instrument Logs (MILs)
5. Anti-Money Laundering Software Risk
6. High Risk Determination and
7. Regulation
8. Enterprise Wide BSA/AML Exam & Audit
9. Business Units (BUs)
Products and Services (Appendix A)
10. Identifying and Evaluating BSA/AML HIDTA and HIFCA Risk Identification and Evaluation
11. Corporation's Risk Identification and Evaluation of Business Units/Products and Services (Appendix B)
12. Summary of Corporation's Enterprise Wide BSA/AML Quantitative Risk (Appendix D)
13. Mergers and
14. New Product
15. Projected BSA/AML
CONCLUSION: Think Enterprise

SAMPLE SPREADSHEETS:
Appendix A - Business Units BSA/AML Risk Identification and Evaluation of Products and Services, Inherent Risks, Mitigating Controls and Residual
Appendix B - Risk Evaluation of Business Units/Products and
Appendix C - Corporation Risk Evaluation of Company/Products and
Appendix D - Summary of Corporation's Enterprise Wide BSA/AML Quantitative
Appendix E - BSA Risk Analysis Chart, Customers/Accounts, Products/Services and FFIEC Bank Secrecy Act/Anti-Money Laundering Examination Manual Appendixes
Appendix I. Risk Assessment Link to the BSA/AML Compliance
Appendix J: Quantity of Risk Research/

AUDITING & UPDATING A $13 BILLION ORGANIZATION'S BSA/AML RISK ASSESSMENT

By Donna Davidek, CAMS
December 30, 2013

The Business Dictionary (1) defines Risk Assessment as “The identification, evaluation, and estimation of the levels of risks involved in a situation, their comparison against benchmarks or standards and their determination of an acceptable level of risk”. The risk assessment process is not new to the Banking industry.

Risk assessments have been conducted in many areas within banking organizations for years, so it seemed appropriate when the BSA area came into regulatory focus. Since at least 2005, every depository financial institution has been required to perform and document a written BSA/AML Risk Assessment. The purpose of a comprehensive risk assessment is to assess the enterprise wide BSA/AML risk profile of the organization, including the Bank and all subsidiaries. By determining the enterprise wide BSA/AML risk profile, the organization can evaluate the adequacy of existing processes and, where required, modify and update the risk management processes in an effort to more effectively identify and mitigate risk.

A risk assessment can serve as a valuable tool for any Banking institution that wants to manage its BSA/AML risk effectively. The key is to understand the Bank's risk exposure and develop the necessary policies, procedures, systems, and controls to mitigate the risk. Regulators' emphasis on financial institutions conducting detailed risk assessments has increased substantially over the years. Today, regulators expect BSA/AML Risk Assessments to provide a more granular and in-depth review of all areas of the organization.

No single methodology or format is specified or required for completing a risk assessment. As long as the risk assessment can be understood by the appropriate parties who will read it, the format should be acceptable to federal regulators. The information contained in this whitepaper does not address OFAC risk, as the organization represented conducted and documented a stand-alone OFAC Risk Assessment. It is acceptable for the OFAC Risk Assessment to be incorporated into the organization's overall BSA/AML Risk Assessment; however, it is best practice for a large bank to create a stand-alone OFAC Risk Assessment.

A process similar to the one outlined in this paper was also conducted when auditing and updating the OFAC Risk Assessment.

AUDITING THE EXISTING BSA/AML RISK ASSESSMENT

There are many reasons why a risk assessment should or must be updated. In order to determine whether the existing risk assessment needs to be updated or whether it must be rewritten in its entirety, the auditor must thoroughly review the existing risk assessment to determine if it appropriately represents the organization's current risk profile and also conforms to regulatory standards.

The reviewer must determine if necessary control points, as represented in the list below, are included within the risk assessment:

1. The risk assessment should properly reflect the current BSA/AML risk profile across the entire organization.

2. The risk assessment should clearly identify all areas within the organization and specifically identify those Business Units (BUs) within the organization with direct BSA/AML responsibilities. The risk assessment should also clearly identify each BSA/AML responsibility specific to each Business Unit.

3. The risk assessment should include a detailed, in-depth evaluation of the inherent risk of all existing, new, added, or significantly expanded or modified customers, geographies, products, services and systems used or offered by each BU within the organization with direct BSA/AML responsibilities; an evaluation of the effectiveness of systems and internal controls utilized by each BU; and the determination of the resulting residual risk of each product, service and system used or offered through each BU.

