Subject to AML Regulation? Don’t Neglect Third Party Risk Management
One of the hottest—and hardest—topics in BSA/AML compliance is managing the risks due to third parties. Regulatory agencies including FinCEN, OFAC, and others have expanded the definition of “third party” to include any business relationship between a financial entity and another party, except a customer. This includes the subcontractors of your contractors or vendors.
At the same time, changes in the financial system have greatly expanded the kinds and frequencies of third party relationships. Financial institutions may now outsource or contract for entire departments or key banking functions that used to be entirely in-house. Globalization increases the number of these relationships that are international, with related parties in two or more countries, and may trigger the scrutiny of the (OFAC) in addition to the other regulatory agencies operating within the U.S.
Finally, the emphasis on managing third party risk means that a business may be both responsible for its own risk management program and also the object of management by one or more of its business partners. For instance, a Cash-in-Transit business, which is now covered by the BSA/AML regulations, will have to create its own AML program and also respond to the risk-related requirements of its banking clients such as meetings, contract revisions, more audits, and more conflict resolution.
All of this raises the costs of doing business. It is conceivable that some third parties will conclude that it isn’t economically viable to continue providing services in the current compliance/enforcement environment.
Nevertheless, compliance is not an option for any financial institution or third party service provider that wants to stay in business. These businesses have to perform due diligence on third party organizations prior to entering into contracts. The investigation may include, among other things:
- The business practices, history, goals and legal/regulatory status of the organization and its principals.
- The compliance policies of the potential partner, including its risk management practices and reporting history.
- The further third party relationships of the partner that may transfer risk to the organization.
- The management of the potential partner’s workforce, and its quality.
- The financial status of the partner, including its insurance coverage, which may increase its risk.
Information derived from this research should be used in contract negotiations and/or re-negotiations, and periodic reviews. Contracts will cover a host of issues, as always, but should include issues specifically related to AML compliance such as the partner’s own compliance responsibilities and transparency, and its substantial third party relationships including foreign ones.
As with all aspects of BSA/AML compliance, third party relationships require active monitoring. With conditions in the financial system evolving so rapidly, third parties may experience risk-altering changes very suddenly. Mutual site visits and monitoring may be appropriate depending on the kind of risks involved.
Questions about your BSA/AML program? Looking for an objective third party viewpoint? Talk to a Lowers Risk Group consultant at (540) 338-7151 or request a meeting here.