Understanding the BSA/AML/OFAC risk assessment and risk rating methodology
Recent regulatory enforcement actions against financial institutions have cited the lack of a detailed and complete risk assessment related to Bank Secrecy Act (BSA) and anti-money laundering (AML) compliance programs. Financial institutions need to identify and properly mitigate AML risks if they want to avoid being unwittingly used by nefarious characters and avoid regulatory scrutiny and penalties. A proper risk assessment is the foundation of a sound BSA/AML/OFAC program.
A robust risk assessment can help your bank to promptly and accurately identify risks and apply appropriate controls to mitigate risk or determine unacceptable risks to avoid. Understanding what a proper assessment involves and what areas it looks at can benefit your financial institution.
Changing regulatory landscape and recent enforcement actions
The importance of a risk assessment is stressed in the Federal Financial Institutions Examination Council (FFIEC) BSA/AML Examination Manual. The Financial Action Task Force (FATF) released the International Standards on Combating Money Laundering and the Financing of Terrorism and Proliferation, which further stressed the need for a risk-based approach in the design of an effective BSA/AML/OFAC program.
More recently, the New York Department of Financial Services (NYDFS) issued a written requirement that regulated institutions maintain transaction monitoring and OFAC filtering programs reasonably designed based on the BSA/AML/OFAC risk assessments of the financial institutions as part of final rule part 504 in June 2016. We have seen recent enforcement actions against banks, citing the need for a comprehensive risk assessment.
In February, a New Jersey bank received a cease and desist order, which specifically cites a deficient risk assessment, outlines the necessary components of an assessment, and states that it should be completed by the institution.
Another recent example is the July 2017 consent order against a Miami regional bank that specifies the need for a risk assessment to analyze “the bank’s vulnerabilities to money laundering and financial crimes activity” and to provide “strategies to control risk and limit any identified vulnerabilities” in accordance with the FFIEC manual.
Foundation of BSA/AML/OFAC program
So how can financial institutions reduce the risk of being utilized to launder money, finance terrorism, and being subjected to regulatory enforcement actions? The key is understanding your AML risks and properly mitigating them.
A comprehensive risk assessment should be performed on a regular basis and include the following:
- Evaluation of AML risks associated with your institution’s products, services, customer base, and geographic locations
- Identification of higher-risk areas
- Design and effectiveness of procedures and controls to mitigate identified risks
The risk assessment is intended to be an ongoing process and, while the approach should be tailored to each particular institution, will generally consider the factors outlined below. As these factors evolve within a financial institution, the organization should continue to update its risk assessment to account for changes in management, business growth, product lines, and technology, as well as external factors such as regulatory guidance and the overall economy.
Risk rating methodology and rating system
Four steps to consider in the risk assessment and risk rating process:
- Identify inherent risks
Inherent risk is the risk that is present without regard to mitigating controls. The first step is to review the risks inherent in the bank’s products and services, customers and entity bases, and geographic regions, then quantify this risk by calculating and assigning risk scores based on the potential impact and likelihood of an occurrence in each risk category.
Kaufman Rossin’s risk assessments look at more than 30 different factors to determine inherent risk, and the inherent risk rating is based on a five-tier rating system, ranging from “very low” to “very high.” This rating shows the bank’s overall inherent BSA/AML/OFAC risk.
- Evaluate mitigating controls
Mitigating controls are those designed to reduce the financial institution’s inherent risks to an acceptable level. This step looks at internal controls including existing policies and procedures in areas such as governance and infrastructure, customer due diligence and risk rating, and monitoring among others.
Kaufman Rossin’s BSA/AML/OFAC assessments review more than 20 different principal areas for mitigating controls and use a five-tier rating system to rate those controls from “very strong” to “weak or non-existent.” This rating categorizes the bank’s controls on the degree to which they appear to mitigate identified BSA/AML/OFAC risks.
- Calculate residual risk
Residual risk is the risk that remains after the mitigating controls have been applied to the inherent risks. This part of the risk rating methodology calculates a residual risk rating for the financial institution based on the inherent risk rating determined in step 1 and the overall control rating determined in step 2. The residual risk rating is based on a five-tier rating system, ranging from “very low” to “very high.”
It’s worth noting that while a bank’s policies, procedures and controls may appear to mitigate certain inherent high-risk customers, products and services, and geographic considerations, it is possible for the bank’s residual risk to remain unchanged when compared to the inherent risk score. This is because the residual risk rating may also take into account the compliance officer’s professional judgement and specific knowledge of the institution. The override of the calculated score could result in an increased or decreased risk score and should have a well-documented rationale for the adjustment in the assessment.
In general, a tailored risk assessment results in a clearer and more accurate picture of the institution’s BSA/AML risk profile.
- Determine direction of risk
To determine the direction of risk in a particular risk category, Kaufman Rossin looks at, among other things, the change in the amount of activity from the prior year. The overall direction of risk is characterized as “decreasing,” “stable,” or “increasing,” based on the change in activity, in the number of customers/accounts, and in distribution channels, and on other qualitative risk factors.
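As an added illustration of how the four steps fit together (this is not Kaufman Rossin’s methodology or code from this article), the following Python sketch scores inherent risk, maps it to the five-tier scale, derives a calculated residual rating from the control rating, requires a documented rationale for any override, and classifies direction of risk. The 1-5 impact/likelihood scale, the tier cut-offs, the middle control-tier labels, the control-to-residual matrix and the 10% direction threshold are all assumptions made for the example.

```python
INHERENT_TIERS = ["very low", "low", "moderate", "high", "very high"]
CONTROL_TIERS = ["weak or non-existent", "weak", "adequate", "strong", "very strong"]
DIRECTION_THRESHOLD = 0.10  # assumed: a year-over-year change beyond +/-10% is a trend

def inherent_score(factors):
    """Step 1: mean of impact x likelihood (each scored 1-5) across the risk factors."""
    if not factors:
        raise ValueError("at least one inherent risk factor is required")
    return sum(impact * likelihood for impact, likelihood in factors.values()) / len(factors)

def inherent_tier(score):
    """Map a 1-25 inherent score onto the five-tier scale (assumed cut-offs)."""
    for limit, tier in ((4, "very low"), (8, "low"), (12, "moderate"), (18, "high")):
        if score <= limit:
            return tier
    return "very high"

def residual_tier(inherent, control):
    """Step 3: calculated residual risk. Assumed matrix: 'strong' controls lower the
    inherent tier by one level, 'very strong' by two, weaker ratings leave it unchanged."""
    if control not in CONTROL_TIERS:
        raise ValueError(f"unknown control rating: {control}")
    reduction = {"very strong": 2, "strong": 1}.get(control, 0)
    return INHERENT_TIERS[max(0, INHERENT_TIERS.index(inherent) - reduction)]

def final_residual(calculated, override=None, rationale=""):
    """The compliance officer may override the calculated tier, but only with a documented rationale."""
    if override is None or override == calculated:
        return calculated
    if not rationale.strip():
        raise ValueError("an override of the calculated residual risk needs a documented rationale")
    return override

def direction_of_risk(prior_activity, current_activity):
    """Step 4: trend from the change in activity volume against the prior year."""
    if prior_activity <= 0:
        raise ValueError("prior-year activity must be positive")
    change = (current_activity - prior_activity) / prior_activity
    if change > DIRECTION_THRESHOLD:
        return "increasing"
    if change < -DIRECTION_THRESHOLD:
        return "decreasing"
    return "stable"

# Constructed sample: three of the page's inherent risk categories as (impact, likelihood).
SAMPLE_FACTORS = {"products and services": (4, 4), "customer base": (5, 3), "geographic locations": (3, 4)}
```

With the sample factors the inherent rating is “high”; “strong” controls bring the calculated residual to “moderate”, and an override back to “high” is accepted only when a rationale is recorded.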
A robust risk assessment is a fundamental element of a sound BSA/AML/OFAC program that can help your financial institution identify risks and apply appropriate controls. Understanding what’s involved in a comprehensive risk assessment can also benefit your bottom line by helping you to avoid undue financial burden and risk that can result from regulatory enforcement actions.
Kaufman Rossin’s BSA/AML/OFAC risk assessments are based on regulatory guidance and leading practices obtained through the firm’s experience. Contact the firm’s risk advisory services team to learn more about regulatory compliance requirements and how a risk assessment may benefit your financial institution.