Need to Know - How Risky is your Risk Assessment?
By Ken Simmons, Managing Director, SEDA Experts LLC
Risk assessments (RA) continue to evolve along with supervisory expectations.
Almost a decade ago the most important step in an RA was to identify the quantity of risk. Then and now, we often find RAs that only include information about higher-risk customers and only focus on high-risk subjects.
Similar to other risk models, RAs are now expected to address current trending of products, services, customers and their transaction habits. The CDD rules provide for financial institutions to develop a risk profile of their customers.
The rule does NOT say develop a risk profile of only higher-risk customers.
In line with enterprise risk assessments, monitoring and evaluation of these relationships should be risk-based and ongoing throughout the lifecycle of a relationship. The customer profiles should be placed into groupings of similar characteristics and evaluated to identify common themes and outliers.
One concept many institutions have overlooked is that an RA should provide as much focus on lower-risk subjects as on higher-risk ones. By doing so, the volume of lower-risk products, services and customers helps put the smaller subset of higher-risk products, services and customers in context.
It is important to describe the strong controls designed to mitigate risk across your program (even for lower-risk areas). This narrative of risks and controls tells your story and helps auditors/examiners focus their work on higher-risk components. Without a clear picture of risk and controls, auditors are forced to evaluate all components.
Key objectives of an effective Risk Assessment include:
Quantity of Risk including volumes of new and existing customers, products and services.
Trending of products, customers and services for the “current” period.
Discussion of customer profile groups to include trends and outliers for key groupings.
An understanding of your “highest” volume customers for key services (e.g. cash, wire, monetary instruments, RDC, Mobile Deposit, etc.)
Tell your story by describing all aspects of risk and controls.
So, How Risky is your Risk Assessment?
Shifting into High Gear, BSA/AML enforcement actions
Heightened BSA/AML expectations are reaching their 20th anniversary. Since 2001, supervisory agencies have been cycling uphill to ensure institutions understand risk and develop effective controls. While the pressure has been applied consistently to larger banks (representing larger risk) through the recent economic crisis, smaller community-based institutions saw something of a reprieve during this same period. The economic crunch is over, and agencies are focusing on risk functions once again. Their intent seems to be to bring these smaller institutions into line with larger ones.
The following are primary focuses from recent FDIC and OCC examination reports:
In order to identify higher-risk customers, financial institutions must develop risk profiles of all “customers” to figure out which ones are higher risk.
Adding trends to BSA/AML Risk Assessments is critical. Evaluating your “top 10” is an important step to understanding your highest-risk customers, products and services. Do you know who your “top 10” cash, RDC or wire customers are (for example)? Have you evaluated their risk?
Developing focal groups and evaluating outliers is an effective way to identify “higher risk” customers. For example, place all liquor stores in a focal group. How are their transactions similar? Are there outliers? FFIEC Examination Guidelines establish that there are varying degrees of risk in every focal group. Controls must be commensurate with risk.
Ongoing Customer Due Diligence is “now” a requirement. Define triggering events for due diligence. Controls must be deep and wide in order to meet supervisory expectations.
Earlier this year, Rabobank received a whopping fine of over $1.1mm. Management’s AML Program was not designed to establish risk profiles of their lowest-risk customers. Because the bank did not evaluate their “low risk” customers, management could not support that these low-risk customers actually constituted low risk. According to Rabobank, “We were not fined for money laundering crimes, but rather for our files or records… to detect and prevent money laundering were deficient”. Failure to incorporate sufficient controls and a comprehensive BSA/AML Program may result in significant MRAs and other “more severe” supervisory actions. Shift into High Gear! Ensure your program meets increased supervisory expectations. The focus on S&S has shifted to Compliance.
Kenneth Simmons, with over 30 years of industry experience as Executive Vice President at leading financial institutions and as Bank Examiner at the OCC and FDIC, is a top expert in regulatory compliance, anti-money laundering, the Bank Secrecy Act, and financial crimes risk management.
Mr. Simmons is a Review Board Member & Faculty at the Association of Certified Anti-Money Laundering Specialists, and the North & South Metro Atlanta Compliance Roundtable Founder & Chairperson at the Community Bankers Association, and the founder and CEO of Compliance and AML Solutions.