BSA: Managing Risk

The ABA/ABA Money Laundering Enforcement Conference followed the risk assessment session with one on BSA risk management. In this session, the panel, comprised primarily of regulators, shared what they consider essential to an effective risk management program.

The risk management program must be directed by the board. The Board sets the tone, reviews and approves the program. The board should also provide direction and support to management based on information the board receives and regular reports. Examiners hope to see real discussion of BSA issues at the board level. The discussion should center on issues identified in audits and exams.Management's responsibility is to ensure the effective implementation of the BSA program. The panel encouraged institutions to integrate AML objectives into management goals and the institution's compensation structure. They see the best success with this approach to goals, strategy and compensation.

Another responsibility of management is to ensure that staff has adequate expertise and information to carry out their function. Throwing BSA responsibilities to someone with little or no experience amounts to risky behavior. And, needless to say, the panel commended all the institutions represented at the conference.

In this context, it is worth noting that most of the published enforcement cases involving BSA included training as a required remedy. Training is usually specified not only for staff, but also for the BSA Officer. Money laundering issues are evolving rapidly and it is essential that any BSA Officer have the ability to stay up to date. (Attending ABA's conference is a good way to do this!)

Key Components
Bridget Neill, Manager of the FRB's Anti-laundering Policy and Compliance function, identified what she called key components and key considerations for effectively managing BSA risk. The program's key components should be familiar: risk identification, assessment and measurement; policies, procedures and controls; monitoring; information and communication; training; and testing.

Monitoring should include regular reports on the compliance system, designed based on the risk analysis. In short, you should have reports that tell you where the program stands relative to the risks identified. Boilerplate reports may fail to give you information that you need. Design reports to track your key risks.

For complex organizations, Neill recommends that training be tracked and managed at the corporate level. What people know about BSA and whether training influences how they do their jobs is a core risk for the entire organization.

Finally, the findings of all testing, internal monitoring and audits should be consolidated and rolled up.

Key Considerations
Neill's key considerations are less familiar but equally important. First, the institution should periodically reassess risks. As changes occur, risk changes. Neill likes to see this reassessment from a consolidated perspective. This captures changes of direction or changes of balance within different arms of the organization.

Next, ensure that your program responds to your risks. Over and over, speakers at the conference stressed that no two institutions are exactly alike. There is no one-size-fits-all for risk programs. Tailor yours to the risks you face and the controls available.

Any program must have clear assignments of responsibility for risk management throughout the organization. Several questions from the audience dealt with conflicts between product or sales targets and risk management. In general, speakers responded that there must be clear responsibilities and accountabilities for risk. In short, if risk isn't managed, the failure should be reflected in recognition and other rewards.

Communication is key. The program should have lines of communications for sharing findings and results. These should run from the sources, through compliance and other management, all the way up to the board of directors.

Finally, look at any findings from a consolidated standpoint. While a problem may occur for a specific type of product or in a specific location, it is also important to look at the organization's performance as a whole.

Other Risk Points
Adding new customers and new products always introduces risk. The risk management program should anticipate and incorporate these new risks.

Constant scrutiny and constant creative thinking are important. One weakness that examiners find in BSA programs is that an area is overlooked because it is assumed that someone else is handling it. This is a loose end that must be tied up with careful assignment of responsibilities and follow-through.

ACTION STEPS

Compare the suggestions in this article with the risk analysis you have done. Look for anything that should be added to the risk analysis.
Consider how much change your organization has gone through in the past 5 years. Then look at your BSA program to evaluate whether the program has incorporated increases in risk.
Look at your internal communications regarding BSA. Is the word getting to all the right people and places?