4 Factors to Measure For Your BSA/AML Risk Profile
Both the Financial Crimes Enforcement Network (FinCEN) and the Office of Foreign Assets Control (OFAC) mandate that covered financial entities—and this includes all banking institutions, virtually all money service businesses, and many cash-intensive non-bank businesses—establish an Anti Money Laundering (AML) compliance program.
Compliance is not an optional choice, and that imposes costs. The good news is that the costs of compliance can be managed relative to each business’ risk profile with respect to money laundering. In other words, a smaller business with limited risk can establish an effective compliance program that will stand up to scrutiny at a lower cost than a big bank with lots of foreign transactions. FinCEN and OFAC promote risk-based compliance programs in recognition of this reality.
However, every business that is covered by BSA/AML requirements should be looking at similar factors in building a risk profile, the first step toward a compliance program. The risk factors common to all financial businesses include business lines (type of business function), customers (meaning any person or entity that can engage in financial transactions), products and services, and location.
1. Business Line
The type of business determines the typical kinds of financial transactions the business engages in. Variables might include size and frequency of transactions, the degree to which parties to transactions are stable over time, the history of the business relationships, and so forth.
Some business types will have a lower risk profile. For example, armored cars carry physical cash between long-established financial institutions and their customers, and may provide ancillary services such as a virtual vault. These transactions have a lower risk of money laundering. Other businesses, like banks that have high volumes of international transactions, would be inherently riskier.
A watchword of BSA/AML compliance is “Know Your Customer.” Compliance on this dimension means establishing due diligence protocols that help the financial entity evaluate the risk due to the customer. Long-established customers would tend to pose lower risks, but even those should be reviewed when significant changes in status or typical transactions occur.
Customer risks are more difficult today due to outsourcing and third party services. Knowing your customer means understanding the risks posed by every party that might be able to benefit from a transaction. Obviously, it is not always possible to identify every single one of these parties, especially when they are working to avoid identification. But going through the due diligence will help the financial entity to know when there is suspicious activity—the suspicious activity, not the final proof of wrong-doing, is what is reported to FinCEN.
3. Products and Services
Small retail transactions over a long period of time with an established customer obviously carry a very low risk of money laundering. In most cases, daily transactions of $10,000 or more trigger mandated reporting for AML compliance.
However, in assessing risk, the type of product or service might be generically more of a threat. For example, transactions with foreign parties are often riskier, even if the bank has branches on both sides of the transaction. Transactions involving third parties, or outsourcing involve higher risks since there are more ways for money launderers to structure the transfer of money, eventually hiding the party that benefits.
The explosive growth of digital networks and their use in managing money flows has created innumerable access points for manipulation. Payment services such as electronic cash, automated clearinghouses, and ATMs are all part of these systems that transfer huge amounts of money.
The increasing emphasis on countering terrorism and the access of terrorists to financing has made location an obvious source of risk. OFAC and other agencies maintain watch lists of countries where there is a higher risk of money laundering, and knowing whether its transactions go through these countries is an important risk factor for many businesses.
More generally, other countries may entail higher risk even if terrorism is not the source. Some countries’ laws are protective of customer identities (Switzerland) and others are known as tax havens (the Cayman Islands). Even within the United States, a location may be riskier if it is known as a High Intensive Drug Trafficking or Financial Crimes area.
Financial businesses will be well served by creating a realistic money laundering risk profile. This will not only provide the basis for BSA/AML compliance, but will help the business prevent organizational fraud, reduce liabilities for loss, and protect reputation. It’s well worth the effort.