For more information about our consulting services that can help your anti-financial crime program, please visit our capabilities page.
Is your AML and sanctions risk assessment appropriately designed to understand and manage risk?
Since the global financial crisis, a decade ago, much has been done by financial institutions to build stronger
anti-financial crime programs. A fundamental component for a successful program is to understand the money laundering, terrorist financing, and sanctions risks inherent to an institution’s operations.
Taking a proactive, risk-based approach to anti-money laundering and sanctions has always been the right thing to do, and formal and bespoke risk assessments are critical to this
Examiners and agencies regularly use the Federal Financial Institutions Examination Council’s, or FFIEC’s, comprehensive manual to access a financial institution’s compliance with the Bank Secrecy Act (BSA) and anti-money laundering requirements (AML).
The FFIEC, recently issued an update to those risk assessments and further transparency into the BSA/AML examination process, so banks really need to make sure they get this right (See Notes 1). If banks don’t, then they will be subjected to deeper exams that will also range more widely and be less influenced by the bank’s own views.
Financial institutions need to have a readily available risk assessment that demonstrates a clear and accurate understanding of the institution’s current risk level. Those institutions who fail to do so may have adverse regulatory findings and may also be subject to a broader and more in depth examination.
Many of the revisions are designed to emphasize and enhance the examining agencies’ risk-focused approach to BSA/AML supervision and sanctions.
Our paper helps financial institutions effectively respond to the FFIEC updates, and construct, explain and demonstrate a robust risk assessment, that includes how to:
- Demonstrate an understanding of the institution’s risk profile to meet the regulatory exams.
- Place renewed emphasis on the risk assessment methodology and process, as well as the ability to articulate conclusions in an effective final report.
- Ensure a clear and accurate understanding of inherent and residual risks, and therefore the ability to implement strong and targeted controls to mitigate these risks.
- Build risk assessments that are based on relevant and comprehensive data; deliver a truthful view of control adequacy; enable identification of emerging risks; and are driven by stakeholders of appropriate seniority.
- Show evidence that the output of the risk assessment has a direct result on the overall management of the institution’s anti-financial crime program.
DESIGNING AN EFFECTIVE ANTI-FINANCIAL CRIME PROGRAM
Below, we go into detail and provide the key components for building a risk-focused approach to compliance.
Conduct risk-focused analytical reviews to demonstrate an understanding of the institution’s risk profile and meet the regulatory exams.
In the recent manual update, released on April 15, 2020, the FFIEC enhanced the focus on a financial institution’s risk profile when conducting exams. Examiners will take a more explicit risk-based approach when outlining the scope of an exam, building examination plans that pay special attention to the higher risk areas. In order to develop an understanding of the institution’s risk profile that enables them to conduct a risk-based exam, examiners will start from the review and evaluation of the risk assessment.
It is critical for financial institutions to maintain robust, up-to-date risk assessments to enable examining agencies to confidently rely on these for scoping and planning purposes. Compliance departments will need to be able to clearly and objectively articulate the risk assessment methodology and results. Weak risk assessments will result in poor findings for the financial institution, and also cause examiners to conduct a more extensive independent assessment prior to the start of the examination, potentially opening the financial institution to further findings and conclusions.
On a similar note, the recent manual update highlights that independent testing should also commensurate with the bank’s risk profile, with more frequent and targeted testing being appropriate in higher risk areas of the anti-financial crime program, and/or in areas with previously identified deficiencies. Teams tasked with conducting independent testing will therefore also need to rely on the risk assessment as a baseline for scoping and planning their work.
Design and execute strong and targeted controls to mitigate specific risks.
The updated FFIEC manual offers financial institutions the flexibility to design programs that match their risk profile and that helps streamline examination procedures related to internal controls. The key is for organizations to develop a clear understanding of their money laundering, terrorist financing, sanctions, and other illicit financial activity risk exposures, and be able to clearly identify and articulate the controls that address those identified risks.
Financial institutions must show that controls have been implemented to mitigate the product, service, customer, and geographic risks inherent to their operations. To accomplish this, the compliance department must have processes and procedures in place to identify changes to their products, services, customers, and geographies serviced by the organization and quickly determine if controls need to be enhanced or calibrated to address these changes.
There should be clearly established control monitoring thresholds, which when triggered will prompt a review of the control and determine if an enhancement is necessary. In this context, the risk assessment again plays an important role in enabling the compliance department to identify the material changes to the financial institution’s products, services, customers, and geographies. Simply put, it’s critical that financial institutions design and execute a program designed to mitigate their specific risk, not simply leverage “off the shelf” programmatic materials.
In the latest iteration of the FFIEC manual, further transparency has been given into the BSA/AML examination process. The primary guidance stresses that the risk assessment be fit for purpose, and a specific format and the presence of certain methodology components have been deemphasized.
The FFIEC has clarified that there is no specific requirement on the timing and frequency of the risk assessment, and a related reasoning extends to the fact that various methods and formats may be used to conduct a risk assessment. Similarly, there are also no specific requirements applied to independent testing, which should be conducted at periodic intervals in line with an institution’s risk profile and risk management strategy.
In either case, the key for compliance departments is to have clear and objective standards, defining when the risk assessment and independent testing will be performed, as well as establishing thresholds for when these will be partially or completely performed and updated.
It is critical that financial institutions guard against complacency in their risk assessment and independent testing processes. Strong controls need to be in place to ensure these processes are being conducted and accurately reflect the institution’s current risk exposures. At the same time, financial institutions should embed the ability to increase the sophistication of the risk assessment and independent testing processes as the organization becomes more complex operationally.
It is critical that financial institutions guard against complacency in their risk assessment and independent testing processes
Retain flexibility in the design of anti-financial crime programs.
Recent updates to the FFIEC manual, combined with requirements in the New York State Department of Financial Services (NYS DFS), Part 504 AML regulation, emphasize the role of the risk assessment as the cornerstone of a well-functioning anti-financial crime program.
These recent regulatory guidelines make it imperative for compliance departments to have a robust risk assessment methodology and process to ensure a clear understanding of money laundering, terrorist financing, sanctions, and other illicit financial activity risks.
Effective risk assessments typically have four distinct characteristics that enable organizations to maintain risk-based anti-financial crime programs, and hence satisfy the requirements set forth in the FFIEC manual.
Designing risk assessment methodologies and processes that maintain these four principles will position organizations to promote a risk-focused approach to money laundering, terrorist financing, sanctions, and other illicit financial activity risks, while also retaining the flexibility for their anti-financial crime programs.
FOUR KEYS TO EFFECTIVE RISK ASSESSMENT
THE PATH FORWARD
Taking a proactive, risk-based approach to anti-money laundering has always been the right thing to do, and formal and bespoke risk assessments are critical to this. With the recent FFIEC manual update for examiners, banks really need to make sure they have a robust risk assessment methodology and process to ensure a clear understanding of money laundering, terrorist financing, sanctions, and other illicit financial activity risks. If banks don’t, then they will be subjected to deeper exams that will also range more widely and be less influenced by the bank’s own views.
It is critical that financial institutions guard against complacency in their risk assessment and independent testing processes. Strong controls need to be in place to ensure these processes are being conducted and accurately reflect the institution’s current risk exposures.
When designing and maintaining risk assessment processes, banks should retain flexibility for their anti-financial crime programs. This will be crucial as the financial institution becomes more complex operationally.
How Oliver Wyman can help your anti-financial crime program
At Oliver Wyman, we can help your financial institution move forward and meet these evolving needs. Our global team brings a diverse set of skill-sets that augments our distinctive understanding of regulatory expectations and industry practices. We often work with the heads and senior executives of anti-financial crime programs at leading corporations and financial institutions. Our proven track record has delivered impactful results across multiple dimensions. To begin the path forward, please reach out to team.