Financial Institutions Must Assess Risk Profiles to Meet New BSA Requirements

In 2006, the Federal Financial Institutions Examination Council (FFIEC) issued a revised version of the Bank Secrecy Act/Anti-Money Laundering (BSA/AML) Examination Manual. The manual has been updated to incorporate regulatory changes since the manual was first released in 2005 and to clarify supervisory expectations. Financial institutions need to understand what these changes mean for their regulatory compliance programs.

The changes include an enhanced discussion of the risk assessment process which a financial institution uses to identify and develop its overall BSA/AML risk profile, a new section discussing Automated Clearing House (ACH) transactions, and updates for emerging money-laundering risks.

Development of a BSA/AML risk assessment involves two steps: first, identify specific risk categories (such as products, services, customers, entities, or geographic locations) unique to a particular financial institution, and second, conduct a detailed analysis of the data identified in order to better assess risk.

In the second step, a financial institution should evaluate data related to information gathered in the Customer Identification Program and customer due diligence processes. The data evaluated should include the number of domestic and international wire transfers a financial institution processes each day, the number of foreign correspondent and private customers, and the geographic locations of the financial institution’s transactions.

The manual poses two hypothetical examples for comparison. Two financial institutions, Financial institution A and Financial institution B, each process 100 international funds transfers per day. For Financial institution A, 90% of the transfers are recurring, well-documented transactions for long-term customers. For Financial institution B, 90% of the transfers are nonrecurring or are for non-customers. Although the number of transactions is the same for each financial institution, the risks are clearly greater for Financial institution B. The analysis performed in the second step—identifying the character of daily transactions and for whom the transactions are processed—is key to understanding a financial institution's overall BSA/AML risk profile.

The manual states that a financial institution should reassess its BSA/AML risks every 12 to 18 months, or whenever changes occur to its risk profile due to new product or service introductions, mergers and acquisitions, etc.

The manual no longer requires financial institutions to provide for dual controls and segregation of duties, such that employees who complete reporting forms (e.g., SARs, CTRs, and CTR exemptions) are not also responsible for filing the reports or granting the exemptions. Instead, the manual recommends that a financial institution provide sufficient controls and systems for filing CTRs and CTR exemptions. By deleting the dual controls requirement, the revised manual provides a financial institution with more flexibility in designing internal controls with respect to SARs, CTRs, and CTR exemptions.

The majority of changes to the Suspicious Activity Reporting section of the manual incorporate guidance issued by the regulatory agencies during the previous 12 months. The manual states that the transaction monitoring procedures of a financial institution should include various sorting criteria in order to identify patterns of suspicious activity, such as name, customer number, tax identification number, and geographic locations involved in the transaction. The need to sort transactions by various criteria will increase the burden to monitor transactions using a manual monitoring system. In addition, a financial institution that employs an automated monitoring system should evaluate whether the system is capable of analyzing transaction data using various sorting criteria.

To comply with these increasingly complex regulations, financial institutions are implementing software that streamlines the reporting functions for BSA/AML activities. First American Bank, a financial institution headquartered in Illinois, installed such software in October 2006. “We were looking for technology to help us meet our compliance obligations and protect our customers from fraudulent activities,” says Sara Savanelli, senior VP. The software “offers a single system of record and functionality to automate our customer identification programs, ongoing transaction monitoring, case management, and government reporting.”

The software provides BSA/AML functions and reporting for Know Your Customer and customer identification programs. The software provides heightened awareness of politically exposed persons and financial fraudsters on a global basis. It also provides regulatory, legal, and reputational due diligence data culled from countries around the world; the data enhances sanctions filtering efforts.

The revised manual contains a more detailed description of money laundering risks associated with electronic cash and stored value cards. Because some stored value cards are easy to fund and transport without creating a paper trail, they are attractive to money launderers. Drug dealers in the United States have been known to purchase stored value cards and send them as payment to their non-U.S. suppliers.

In sum, the manual emphasizes a financial institution’s responsibility to establish and implement risk-based policies, procedures, and processes to comply with BSA/AML and safeguard its operations from terrorists and money launderers.


About the Author

Andrew Miller

Andrew Miller is a freelance writer specializing in financial services and information technology. He holds an MBA from Columbia University and a Master's in computer science from Rensselaer Polytechnic Institute. He has held jobs at CMP Media, MetLife, and Gartner.



