By Alma Angotti, Gene Bolton
Regulators and financial institutions alike are renewing their focus on anti-money laundering (AML) and sanctions risk assessments as part of sound financial crime risk management, resource allocation, and compliance program development. Financial institutions, particularly banks, have spent years evolving their AML and sanctions risk assessment processes, which typically involve the formula of “inherent risk – controls = residual risk.” Although the formula is simple, the application of it has evolved. Banks are now expected to have sophisticated AML and sanctions risk assessment processes as part of their enterprise risk management. It has also become more commonplace for nonbank financial institutions to conduct AML and sanctions risk assessments.
While there are several benefits to a meaningful AML and sanctions risk assessment process, its primary objectives are program effectiveness and risk mitigation. Notably, in September 2020, the US Treasury Financial Crimes Enforcement Network (FinCEN) issued an Advance Notice of Proposed Rulemaking (ANPRM) on “potential regulatory amendments to establish that all covered financial institutions subject to an anti-money laundering program requirement must maintain an ‘effective and reasonably designed’ anti-money laundering program.” [1] This ANPRM considers whether FinCEN will add risk assessments as a regulatory requirement, as opposed to its current status as a regulatory expectation. [2] Whether the renewed focus is due to the FinCEN ANPRM or another factor, financial institutions should use AML and sanctions risk assessments to not only become more effective in mitigating risk, but also to become more efficient, by identifying and retiring controls that are ineffective and obsolete.
The enhanced focus on using risk assessments to increase AML program effectiveness is consistent with federal and state regulatory priorities. Specifically, state and federal regulators have signaled for years that the cornerstone of an effective AML program is an actionable AML risk assessment.
The following timeline displays key regulatory communications and rules that highlight the importance of AML risk assessments:
In addition, regulators often cite AML risk assessment deficiencies in AML enforcement actions. Examples include Capital One [3], Habib Bank Limited [4], and Industrial Bank of Korea [5], which entered into consent orders in 2015, 2017, and 2020, respectively. In all cases, the regulators required the banks to take remediation actions on their AML risk assessment processes.
An actionable AML and sanctions risk assessment program is an area where financial institutions and regulators should be able to find common ground. Financial institutions are constantly evaluating ways to be more efficient as a means to limit compliance costs. Although advanced technologies like machine learning, artificial intelligence, and robotic process automation have garnered the compliance efficiency spotlight, actionable AML and sanctions risk assessments can help financial institutions focus their resources and processes on high-risk customers and activities, while potentially retiring outdated or obsolete controls for lower-risk areas [6]. Financial institutions should identify outdated or obsolete controls as part of the identification and assessment of controls.
Furthermore, as advanced technologies become more commonplace in financial crime prevention, financial institutions can couple them with actionable AML and sanctions risk assessment processes to become even more efficient.
While the private sector looks to improve efficiency, regulators will likely continue to focus on efficacy. Although it is important that financial institutions do not sacrifice effectiveness to become more efficient, efficiency and efficacy do not have to be mutually exclusive goals. Actionable and well-designed AML and sanctions risk assessments can help bridge this gap by making AML programs more efficient and effective.
Performing an AML and sanctions risk assessment is likely not enough. Regulators want to see how financial institutions use their risk assessment to drive AML compliance programs strategically. Financial institutions should keep the following in mind as part of their AML and sanctions risk assessment process:
Both increased attention and the potential benefits of a well-executed AML and sanctions risk assessment signal that financial institutions should re-evaluate assessment processes. Financial institutions should not only ensure their risk assessment processes are fit for purpose, but also evaluate the governance regarding risk awareness and acceptance.
Guidehouse can help banks, broker-dealers, insurance companies, money service businesses, and other types of financial institutions with their AML and sanctions risk assessment processes and financial crime risk management frameworks, including:
1 "Anti-Money Laundering Program Effectiveness," Federal Register 85:181 (September 17, 2020) p. 58023.
2 New York Department of Financial Services (NYDFS) requires virtual currency licensees to conduct an initial risk assessment and additional risk assessments on an annual basis, or more frequently as risks change, pursuant to 23 New York Codes, Rules and Regulations (NYCRR) Part 200.
3 Capital One Bank (USA), N.A. entered into a consent order with OCC in 2015. The consent order states, “[T]he Bank lacks an enterprise wide BSA/AML risk assessment.” Article IV states, “The Bank shall conduct a comprehensive assessment of the Bank’s BSA/AML risk, including detailed quantification of risk to accurately assess the level of risk and the adequacy of controls.”
4 Habib Bank Limited and Habib Bank Limited New York Branch entered into a consent order with NYDFS in 2017. The consent order states, the bank shall “submit a written revised BSA/AML compliance program for the Branch acceptable to the Department. At a minimum, the program shall provide for…a comprehensive BSA/AML risk assessment that identifies and considers all products and services of the Branch, customer types, geographic locations, and transaction volumes, as appropriate, in determining inherent and residual risks.”
5 Industrial Bank of Korea and Industrial Bank of Korea New York Branch entered into a consent order with NYDFS in 2020. The consent order states, the bank “shall jointly submit a status report that is acceptable to the Department with updates on any changes to the Branch's BSA/AML compliance program that are planned and/or underway, or have been implemented since the 2019 Examination (hereinafter the Status Report). At a minimum, the Status Report shall include updates on...a comprehensive BSA/AML risk assessment that identifies and considers all products and services of the New York Branch, customer types, geographic locations, and transaction volumes, as appropriate, in determining inherent and residual risks.”
6 When retiring controls, financial institutions should conduct impact analyses and adhere to proper governance protocols.