OFFICIAL PUBLICATION OF THE COMMUNITY BANKERS ASSOCIATION OF KANSAS

In Touch 2026 Pub. 7 Issue 3


Risk Assessment Is the BSA Key

Your bank has an opportunity to frame your next Bank Secrecy Act/Anti-Money Laundering/Countering the Financing of Terrorism (BSA/AML/CFT) examination, much as you do your Community Reinvestment Act (CRA) exam, by preparing a summary of the “performance context” within which you operate.

The agencies state that a well-developed BSA/AML/CFT risk assessment assists the bank in identifying money laundering, terrorist financing and other illicit financial activity risks and in developing appropriate internal controls — policies, procedures and processes. Understanding its risk profile enables the bank to better apply appropriate risk management processes to the BSA/AML/CFT compliance program to mitigate and manage risk and comply with BSA regulatory requirements. The BSA/AML/CFT risk assessment process also enables the bank to better identify and mitigate any gaps in controls.

Risk-Focused Exam Process

The interagency examination procedures provide that the extent of BSA/AML/CFT examination activities necessary to assess the bank generally depends on the bank’s risk profile and the quality of risk management processes to identify, measure, monitor and control risks, as well as to report potential money laundering, terrorist financing and other illicit financial activity. Given that banks vary in size, complexity and organizational structure, the agencies acknowledge that each bank has a unique risk profile, and the scope of a BSA/AML/CFT examination varies by bank.

The first step in a BSA/AML/CFT examination is a scoping and planning process. At this preliminary stage of the activity, examiners analyze existing information about the bank — off-site monitoring information, previous examination reports and workpapers, BSA-reporting databases, other communications with the bank, and independent reviews or audits. Examiners also scrutinize request letter items completed by bank management and, perhaps most important in some ways, the bank’s BSA/AML/CFT risk assessment.

BSA examiners are charged with determining the BSA/AML/CFT risk profile of the bank as a part of the scoping and planning process. The preferred method for accomplishing this goal centers on a review of the bank’s risk assessment. While banks are not required to perform such an assessment, it is central to ensuring that a BSA/AML/CFT program is appropriate for the bank, given its product and customer mix, as well as location risk factors. The agencies consider that an effective risk assessment should be a composite of multiple factors, and depending on the circumstances, certain factors may be weighed more heavily than others.

The information contained in the BSA/AML/CFT risk assessment assists examiners in developing an understanding of the bank’s risk profile, risk-focusing the examination scope, and assessing the adequacy of the bank’s overall BSA/AML/CFT compliance program and its compliance with BSA regulatory requirements.

Examiners are directed to focus, when evaluating the bank’s BSA/AML/CFT risk assessment, on whether the bank has effective processes resulting in a well-developed risk assessment. They are not to take any single indicator as determinative of the existence of a lower- or higher-risk profile for the bank. Any assessment of risk factors is bank-specific, and a conclusion regarding the bank’s risk profile is to be based on a consideration of all pertinent information.

Examiners are to assess whether the bank has developed a BSA/AML/CFT risk assessment that identifies its money laundering, terrorist financing and other illicit financial activity risks. Examiners are also to assess whether the bank has considered all its products, services, customers and geographic locations in its assessment, and whether the bank analyzed the information relative to those risk categories.

If a bank has not prepared a BSA/AML/CFT risk assessment, or if its assessment is deemed inadequate, the examiner is directed to discuss this fact with management, as well as to prepare their own risk assessment. The reason for this emphasis on a bank-prepared risk assessment is that the bank’s BSA/AML/CFT program should be tailored to the risks it faces, and the agencies see an assessment as an important tool to assist the bank in effectively managing BSA risks and as critical to developing appropriate internal controls.

Using Your Risk Assessment

An appropriate BSA risk assessment provides the bank with a foundation on which to build a successful compliance program addressing this area. This risk assessment is not a static document. You will have to monitor changes in the bank’s product offerings (e.g., virtual currency-related services), business environment, regulatory changes, bank personnel and so forth — and make appropriate changes to policy and procedure — to ensure that the foundation remains strong under the bank’s BSA/AML/CFT compliance program.

The agencies expect that the bank will structure its BSA/AML/CFT compliance program to address its risk profile, based on the bank’s assessment of risks, as well as to comply with BSA regulatory requirements. Specifically, the bank should develop appropriate policies, procedures and processes to monitor and control its money laundering, terrorist financing and other illicit financial activity risks. 

For example, the bank’s monitoring system to identify, research and report suspicious activity should be risk-based to incorporate any necessary additional screening for higher-risk products, services, customers and geographic locations as identified by the bank’s BSA/AML/CFT risk assessment. 

Also, independent testing (audit) should review the bank’s BSA/AML/CFT risk assessment, including how it is used to develop the BSA/AML compliance program.

Banks that choose to implement a consolidated or partially consolidated BSA/AML/CFT compliance program should assess risk within business lines and across activities and legal entities. 

Consolidating money laundering, terrorist financing and other illicit financial activity risks for larger or more complex banking organizations may assist senior management and the board of directors in identifying, understanding, and appropriately mitigating risks within and across the banking organization. 

To understand money laundering, terrorist financing and other illicit financial activity risk exposures, the banking organization should communicate across all business lines, activities and legal entities. Identifying a vulnerability in one aspect of the banking organization may indicate vulnerabilities elsewhere.

Conclusion

The importance of a BSA/AML/CFT risk assessment cannot be overstated. A bank-prepared assessment can establish the direction a bank’s BSA/AML/CFT program will take, as well as guide BSA exams and other reviews/audits. Just as with a CRA performance context, preparing your own BSA/AML/CFT risk assessment can provide the roadmap to guide your compliance and examiners’ evaluation of your program. And the agencies have given you a roadmap to guide your risk assessment — the BSA/AML/CFT examination procedures. Use it, if you have not already, before the examiners come for their next visit.

William J. Showalter, CRCM, CRP, is a senior consultant with Young & Associates Inc. (younginc.com), with over 40 years’ experience in compliance consulting, advising and assisting financial institutions on consumer compliance and compliance management issues. He has also developed and conducted compliance training programs for individual banks and their trade associations, and has authored or co-authored numerous compliance publications and articles. Bill can be reached at wshowalter@younginc.com.
