Your bank’s risk assessment should assist you in effectively managing the BSA/AML risk and, therefore, is critical in the development of applicable internal controls, as required for your BSA/AML compliance program
Common Problems with Risk Assessments
If you are aware of problems commonly found, you can more efficiently conduct risk assessments. These problems include the following:
- Identification of relevant risk factors is incomplete.
- There is insufficient detail of a risk factor to evaluate potential risk.
- Mitigating controls are not identified for the risk factors.
- Mitigating controls are inconsistent with the level of risk associated with a risk factor.
- The process to periodically review or update the risk assessment is not formalized.
- Communication with the Board of Directors, regarding either the initial risk assessment or subsequent changes to the risk assessment, is not adequate.
What Regulators Look for in Your Risk Assessment
- Quantitative support for assessment conclusions
- Involvement of all department heads in assessment formulation
- Consideration of all types of high-risk customers, not just a specific business line
- Consideration of location of FI/Customers (e.g., HIDTA/HIFCA)
- Board of Directors involvement
Quantitative Support for Assessment
Here are some examples of how management might have used quantity to determine its risk for wire and monetary instrument activity.
- Wire Activity
- Provided the average daily volume of retail wires, both incoming and outgoing combined
- Used estimates by using the total monthly volume divided by the days of activity, weekly volume divided by the days of activity, or longer period
- Monetary Instruments
- Provided the average daily volume of instruments (e.g., number and total dollar of cashier’s checks, individual money orders, traveler’s checks)
- Computed the average daily volume using the actual day’s volume, or it may be based on estimates for the week, month, or longer periods (divided by the days in the period)