Answer:
A bank wide risk assessment (memorialized in writing) is an essential prelude to implementing a defensible AML program.
...procedures must be based on the bank’s assessment of the relevant risks, including those presented by the various types of accounts maintained by the bank, the various methods of opening accounts provided by the bank, the various types of identifying information available, and the bank’s size, location, and customer base.
I'm not aware that anyone has boiled the process of conducting the assessment down to a form that you can complete. Here are some suggestions on where to start.
Bank Size - Total assets, number of offices, FFIEC peer group, number of FTE employees, employee turnover rates.
Bank Location - Cities, states, counties where offices are present and delineated community for CRA purposes, presence in or proximity to HIFCA or HIDTA designated areas, information from conversations with local law enforcement regarding level of illegal activity locally, prior losses due to fraud.
Products/services offered - Inventory all bank products and services offered to customers (accountholders) and non customers. Note any restrictions on product/service availability that might mitigate risk. Evaluate wire transfers for foreign vs. domestic and overall volume.
Methods for opening accounts - List all that are possible; e.g. bank premises, customer premises, Internet, mail etc. Note any restrictions on non face to face account opening such as when it is only done for existing customers.
Customer base - Consumer vs. business. Stable vs. transient. Foreign vs. domestic? Presence of enclaves of non U.S. citizens from countries associated with money laundering; e.g. Black Market Peso exchange? Are there high risk businesses, particularly non bank financial institutions? Noting that the bank has already determined its own connections to HIFCAs or HIDTAs, do its customers have connections to those areas?
Operations - Is there activity that suggests greater scrutiny is appropriate? How many CTRs does the bank file annually? How many phase I exempt customers does it have? Phase II? Has it had positive responses to OFAC queries? Has there been any communication from OFAC? Has it had positive responses to 314(a) queries? How many SARs does it file annually?
After you have established the basic facts about your bank, I suggest you go to http://www.occ.treas.gov/handbook/cbsh2003appendixes.pdf. That's the OCC handbook (see page 168 as numbered in the document, not the PDF file). It will allow you to take your key factors, label them low, high or moderate and then give yourself some overall classification as well.
Conclusion - Assign a risk weighting; e.g. low, moderate, high. The presence of certain factors; e.g. location in a HIFCA or HIDTA should assure something other than a low rating. It’s the rating that should dictate the strength of the AML program; i.e. the presence of a strong AML program does not reduce the rating.
Miscellaneous: Understand, this risk assessment is not a one time event. With no support from any regulatory source I will say that it should be done annually, but hasten to add that annually might not be frequent enough if a major variable changes, such as the addition of a new product or a significant influx of new people into a community. There is no suggestion that it be reviewed by the board, but if they are the folks buying the insurance policy (approving the AML program) it only makes sense that they be told the underlying risks. The accuracy and currency of the risk assessment should be reviewed in the course of the independent examination.
First published on BankersOnline.com 5/16/05
print
share