By Liesel Bimmerle
Compliance Officers are counseled to take a risk-based approach to compliance according to the risks specific to their financial institution. In fact, a BSA/AML Risk Assessment is essentially the first topic covered by the Federal Financial Institutions Examination Council (FFIEC) Bank Secrecy Act / Anti-Money Laundering Examination Manual (2010). And, just as regulatory examiners are expected to develop their examination scope based largely on the risks to your institution, it is expected that you will develop your compliance program based on your risk assessment. Your independent review firms are also likely placing emphasis on your risk assessment, because they view it as a critical step toward the design of effective controls.
The exercise of assessing risk should allow you to identify and understand illicit activity, fraud, money laundering, and terrorist financing risks, to name a few. There is no regulatory requirement for financial institutions to formally document a risk assessment, and there is no one format touted as the “Holy Grail.” However, it is difficult (if not impossible) to defend a compliance program without first determining and documenting your compliance risks.
Most of us are quite familiar with the list of basic risk categories to include in an evaluation: customers, products, services, and geography. However, it is becoming increasingly important to shine a light on many other “corners” of your compliance program to achieve a complete understanding of all risks.
Here are some additional topics and points to consider the next time you review and update your current risk assessment:
Hopefully, your institution has not been assessed penalties for non-compliance. However, civil money penalties (or informal or formal enforcement actions) are obvious indicators of increased risk.
Regulatory examination, independent review, and internal audit results may indicate patterns of lapses in controls. Being mindful not to divulge specific examination ratings, it can be helpful to consider recent regulatory examination findings and independent review recommendations in your risk assessment.
A compliance risk assessment should be a living document subjected to ongoing updates and revisions (e.g., annually). Management in all business lines and departments should contribute to the revision of a compliance risk assessment before deployment of any new product or service, and before an acquisition (say, of a mortgage company by a bank).
Third parties (e.g., vendors, or any entity or individual on your accounts payables list) can pose significant risk to your institution and should be a focal point of your compliance risk analysis.
A truly enterprise-wide risk assessment should be the result of collecting a wide variety of data from representatives in all areas and departments within your organization. Although it is customary for members of management to participate in risk assessment discussions, your front line employees can also contribute valuable information about the risks they see from their unique vantage points.
As a best practice measure, it is a good idea to present the compliance risk assessment to your Board of Directors for formal approval. The assessment is the starting point from which you determine a) what resources you need, b) what policies and procedures to implement, and c) how often to schedule an independent compliance review. The Board of Directors, which shoulders ultimate responsibility for compliance at your institution, can make more informed decisions if they are apprised of the results of your assessment.
The same risk management approach and business principles applied to other areas of your financial institution’s operations should align with the approach to compliance. One way to ensure that happens is to include management representatives from each business line in the creation of and regular revisions to your compliance risk assessment. The goals that drive your sales team may differ significantly from those driving your compliance staff. It is helpful to have those goals in mind as you evaluate your organization’s appetite for risk.
Financial institutions have technological systems in place to facilitate their operations. The technology in use – and all of its strengths and weaknesses – can seriously affect compliance risks.
In most cases, financial institutions will document the things about their programs and internal controls that mitigate identified risks. It can be just as important to consider weaknesses that may provoke or aggravate inherent risks for your organization.
Although as a Compliance Officer you are assessing risks for certain purposes, a thorough risk assessment can serve multiple purposes. For example, collecting certain pieces of information from your customers may not only improve your ability to know your customers, but may help your sales team understand your market. Evaluating management’s desire to offer a new product can highlight a real and justifiable case for increasing compliance staff.
Risk assessments should not be just about the numbers (quantitative). Yours should express specific details about your bank or company such as yearly transaction volumes, current geographic footprint compared to last year, and the level of employee turnover in a given period of time, particularly in your key compliance roles (qualitative).
It is common for risk assessments to include scores or ratings for each category, which culminate in an overall risk rating for an institution. It is equally important to document your scoring methodology. In other words, if you assign a category rating of “5”, what scale is that “5” on, and how do you define it?
Complaints – either written or verbal – may shed light on process gaps that leave your institution exposed to manipulation. Your complaint resolution process should dovetail with your risk analysis and mitigation plans.
Growth strategies are integral to most business plans. Whether your organization is in pursuit of additional human resources or contemplating a merger, execution of these plans can dramatically change your compliance risk profile.
The risk assessment can be used as the ultimate “pause” button for risky, or undeveloped plans. An organization focused on identifying, mitigating, and managing risks will point to the risk assessment when there are questions about new proposals. For instance, you, as the Compliance Officer may be aware of pending regulatory changes that could impact senior management’s decision about when (or if) to launch a new product or to enter a new market. The risk assessment will assist you in asking and answering those questions.
Relatedly, it is increasingly common for financial institutions to address their Office of Foreign Assets Control (OFAC) risks in formally documented risk assessments. Your organization may elect to do this in your overall BSA/AML compliance risk assessment, but it is also perfectly acceptable to create a separate assessment of OFAC concerns.
Developing and maintaining a thorough compliance risk assessment that considers your organization on an enterprise-wide basis is undoubtedly a time-consuming endeavor. Most importantly, your risk assessment is just that: yours. It should be written by you and for your use. A comprehensive risk assessment should serve as a clear road map for planning, for cross-departmental discussions, and for allocation of resources for your institution.
Liesel Bimmerle, CAMS, is a Senior Compliance Professional. She is a former state bank and money services business regulator for the State of Colorado with more than 12 years of experience in anti-money laundering, Bank Secrecy Act, and state as well as federal regulatory compliance.