Bates Research  |  07-17-24

Two Ways a Risk Assessment Can Benefit Your AML/CFT Program

No matter which way you read FinCEN’s proposed rule to strengthen and modernize AML/CFT programs, one takeaway cannot be ignored: the AML/CFT risk assessment is a critical element of any AML/CFT program. Without it, it would be difficult to have an effective, risk-based, reasonably designed program, which is a requirement under the proposed rule. Therefore, a risk assessment becomes mandatory.

There are many elements of an AML/CFT program for which a risk assessment serves as the foundation. This article will address two of them: crafting the frequency, nature, and scope of independent testing; and allocating resources – such as staff and technology – in the AML/CFT department.

For smaller institutions, the risk assessment might be outsourced, but it has to be managed by the institution, and the level of management has to be documented.

The proposed rule also includes a new twist not seen by AML professionals in the past. The proposed rule actually requires AML professionals to review government-wide AML/CFT priorities and incorporate them, as appropriate, into risk-based programs. The best way to do this is to purposely include the priorities in the risk assessment, even if some don’t pertain to the institution. By doing this, AML professionals can evidence the contemplation of the priority, and mark it as “N/A” with an explanation. (Never mark something as “N/A” without an explanation.) Note that, although innovation isn’t necessarily a government priority for AML/CFT, institutions that are innovating within their AML/CFT program should document the risks from such activity.

We’ll review how the requirement to perform a risk assessment and map the results to the frequency, nature, and scope of independent testing, and to the deployment of resources among staff and technology, will be a positive step for institutions. We’ll also review one potential outcome from the proposed rule in terms of enhanced enforcement activity.

Independent Testing

Frequency: The AML/CFT risk assessment will help management understand where AML/CFT risk falls in relation to other risks at the institution and will show where risk resides within the program itself. This will help the institution determine the frequency of independent testing. Although most institutions perform the risk assessment every 12 months, that frequency could extend to every 18 months for a simple low-risk program. The frequency could also be shortened for high-risk programs to perform testing every 6 to 9 months. Most institutions have a 3-year testing plan, and this exercise will help determine where BSA/CFT falls on that 3-year testing plan.

Nature/Scope: Independent testers can use the AML/CFT risk assessment to determine how often to perform the testing, and craft the nature/scope of the testing to focus more on the highest risk areas. This focus could involve performing detail testing in addition to tests of controls. It could involve larger sample sizes based on risk. It could involve judgmental testing whereby samples are chosen from populations posing the highest risk.

Independent testers should take care to map the nature/scope back to the risk assessment. This is a step that examiners require of institutions, and BaaS institutions require of their Fintech partners.

Allocation of Resources

Staff: Allocating staffing resources based upon the risks identified in the AML/CFT risk assessment goes beyond the number of staff. It also touches on the skillset of the staff. For this section, given the proposed rule’s requirement to consider the national priorities, it would be wise to first determine which of the priorities present risk to the institution, and then document how AML/CFT staff have experience managing those priorities. If the institution faces significant fraud risk, and staff don’t have a background in fraud investigations or writing fraud SARs, there will be a mismatch. Similarly, if the institution faces enhanced risk from all of the national priorities but can’t address the risks given the size of the staff, then staffing might need to be reassessed.

Technology: While the availability of technology systems to manage AML/CFT risks has increased over the past few years, that growth has also brought a blurring in terms of what each system does. Ask any AML/CFT professional about how their recent AML/CFT systems RFP went, and you’ll likely hear stories about how a solution was touted as an AML/CFT solution, when all it really addressed was negative news or CDD. The positive side of this is that there is truly an AML/CFT systems solution out there for each type of financial crimes risk. For this section, use the results of the risk assessment to match up current systems to risks, and note the gaps. Be sure to document the path forward for solving for those gaps.

The AML/CFT Officer needs to remember that a filed SAR is the endgame. They need to be able to show how systems are helping to meet the goal of identifying, investigating, and ultimately filing on activity that is suspicious.

The Path Forward

For institutions that have been conducting an AML/CFT risk assessment, and mapping the risks to resources allocated to the program, there is not much new in the proposed rule other than the consideration of the national priorities. Many institutions started considering the national priorities when they were first issued, so there isn’t an expectation that the proposed rule will be much of a new burden. However, since the above will now be required, AML/CFT Officers should expect increased enforcement action on institutions that weren’t being proactive over the past few years.

Speaking of Enforcement...

Although it feels like examiners have always had this option, it appears that examiners will be able to move to a cease-and-desist order if they encounter programs with defects that prevent them from being effective. It sounds like a shorter leash in terms of the process of issuing MRAs and providing management with an opportunity to perform corrective action, although that leash felt pretty short to begin with.

Overall, the requirement to perform a risk assessment and map the results to the frequency, nature, and scope of independent testing, and to the deployment of resources among staff and technology, can only be a good thing for institutions. It should enhance the foundation upon which AML/CFT programs are built.

How Bates Group Helps

Bates Group offers comprehensive advisory services to a wide range of financial institutions, MSBs, and Fintechs. We provide AML/CFT compliance program support, including Independent Reviews and Risk Assessments, Exam Preparation and Remediation, and Custom Compliance Training.

Contact Bates Group today to learn more.

Brandi Reynolds

Managing Director, BSA/AML Compliance, FinTech & Virtual Assets

breynolds@batesgroup.com

864.809.7718