2 Critical Steps to a Risk Assessment for BSA/AML
Anti-Money Laundering (AML) regulations for financial institutions—including most cash-handling businesses like armored car services—are risk-based. That is, the regulations recognize that the tremendous variation in the regulated businesses requires an approach that adjusts based on the risks a business actually faces.
Thus, the first step toward compliance with BSA/AML requirements is to perform an assessment of risk to produce a risk profile of the business. The risk profile will form the basis for a compliance program that will be subject to review by regulators and may be exposed to enforcement actions, so it is critical to get it right.
The risk assessment is conducted in two steps: (1) identify the specific risk categories for a business, and (2) evaluate these risks as they pertain to BSA/AML.
1. Identifying Risk Categories
Businesses will vary in terms of products and services, types of customers, and geographic locations. Each of these characteristics of a business may be more or less prone to money laundering abuse. The purpose of the risk assessment is to identify which characteristics exist within your organization and how they could make your company vulnerable to money laundering.
Products and services: Products that can facilitate money laundering include those where transactions involve large amounts of cash, anonymity is possible, or ultimate control is not transparent. For example, electronic processing (funds payments, digital currencies, banking services, ACH processing, etc.) may be vulnerable to hacking for a variety of purposes. Transactions that include parties across borders, such as trade finance, foreign correspondent accounts, or foreign exchange, are more difficult to track to ultimate sources. The aim is to determine the number and size of these kinds of transactions in order to identify levels of risk.
Customers: Customers may be natural persons, corporations, nation states, or any other entity that can enter into a financial transaction. Some customers will pose more risk than others. For example, foreign entities may be less transparent, and/or may be subject to a watchlist for suspected money laundering or terrorist activity. Know Your Customer is one of the watchwords for AML programs, and this includes third-party actors as well as the customers of your customer. Money launderers are adept at hiding or disguising true identities, so due diligence is required.
Geographic locations: Obviously, transactions from a nation suspected of terrorist activity, or of abetting terrorists, should be carefully vetted. Known offshore financial centers may be used to launder money for a variety of purposes. Some countries may be on a watch list at the Office of Foreign Assets Control (OFAC) or another regulatory bureau, so the business’s transactions should be reviewed in light of these warnings.
2. Analysis of Risk Categories
The basic aim of the analysis is to roll up the detailed risk category descriptions to attain an aggregate risk profile of the business. Essentially, the known risks will be evaluated for possible money laundering, with the probabilities used to generate a total risk picture and also to identify the areas where most effort is needed for effective AML.
This analysis is account based. Each account would be evaluated based on its products, customer type, and location. The aggregate of these account reviews constitutes the risk profile, which leads to specific AML procedures.
In every area of risk management, knowing the risks and how risky (costly) they may be is the basis for prevention and detection. AML is the same in this respect, but it has the added importance of being part of the national security/anti-terrorist program. Every financial institution needs to take this seriously.