Regulators and financial institutions alike are renewing their focus on anti-money laundering (AML) and sanctions risk assessments as part of sound financial crime risk management, resource allocation, and compliance program development. Financial institutions, particularly banks, have spent years evolving their AML and sanctions risk assessment processes, which typically involve the formula of “inherent risk – controls = residual risk.” Although the formula is simple, the application of it has evolved. Banks are now expected to have sophisticated AML and sanctions risk assessment processes as part of their enterprise risk management. It has also become more commonplace for nonbank financial institutions to conduct AML and sanctions risk assessments.
While there are several benefits to a meaningful AML and sanctions risk assessment process, its primary objectives are program effectiveness and risk mitigation. Notably, in September 2020, the US Treasury Financial Crimes Enforcement Network (FinCEN) issued an Advance Notice of Proposed Rulemaking (ANPRM) on “potential regulatory amendments to establish that all covered financial institutions subject to an anti-money laundering program requirement must maintain an ‘effective and reasonably designed’ anti-money laundering program.” [1] This ANPRM considers whether FinCEN will add risk assessments as a regulatory requirement, as opposed to its current status as a regulatory expectation. [2] Whether the renewed focus is due to the FinCEN ANPRM or another factor, financial institutions should use AML and sanctions risk assessments to not only become more effective in mitigating risk, but also to become more efficient, by identifying and retiring controls that are ineffective and obsolete.
Risk Assessment Milestones to AML Program Effectiveness
The enhanced focus on using risk assessments to increase AML program effectiveness is consistent with federal and state regulatory priorities. Specifically, state and federal regulators have signaled for years that the cornerstone of an effective AML program is an actionable AML risk assessment.
The following timeline displays key regulatory communications and rules that highlight the importance of AML risk assessments:
In addition, regulators often cite AML risk assessment deficiencies in AML enforcement actions. Examples include Capital One [3], Habib Bank Limited [4], and Industrial Bank of Korea [5], which entered into consent orders in 2015, 2017, and 2020, respectively. In all cases, the regulators required the banks to take remediation actions on their AML risk assessment processes.
Common Ground: Efficiency and Efficacy Benefits
An actionable AML and sanctions risk assessment program is an area where financial institutions and regulators should be able to find common ground. Financial institutions are constantly evaluating ways to be more efficient as a means to limit compliance costs. Although advanced technologies like machine learning, artificial intelligence, and robotic process automation have garnered the compliance efficiency spotlight, actionable AML and sanctions risk assessments can help financial institutions focus their resources and process on high-risk customers and activities, while potentially retiring outdated or obsolete controls for lower-risk areas [6]. Financial institutions should identify outdated or obsolete controls as part of the identification and assessment of controls.
Furthermore, as advanced technologies become more commonplace in financial crime prevention, financial institutions can couple them with actionable AML and sanctions risk assessment processes to become even more efficient.
While the private sector looks to improve efficiency, regulators will likely continue to focus on efficacy. Although it is important that financial institutions do not sacrifice effectiveness to become more efficient, efficiency and efficacy do not have to be mutually exclusive goals. Actionable and well-designed AML and sanctions risk assessments can help bridge this gap by making AML programs more efficient and effective.
Using the Risk Assessment: How to Make Your Program More Effective
Performing an AML and sanctions risk assessment is likely not enough. Regulators want to see how financial institutions use their risk assessment to drive AML compliance programs strategically. Financial institutions should keep the following in mind as part of their AML and sanctions risk assessment process:
Ensure your controls are risk-based. A meaningful AML risk assessment will identify high-risk areas that require the most attention. Customer due diligence, enhanced due diligence, and transaction monitoring processes should focus on those areas identified as higher risk and less on areas identified as lower risk. For example, make sure your customer risk rating process identifies low- and high-risk customers appropriately and that due diligence procedures are sufficiently risk-based. If you over-identify high-risk customers or apply the same due diligence standards to all customers, then you may fail to mitigate risk because your attention is spread too thin. In addition, financial institutions should conduct coverage assessments to ensure their transaction monitoring programs monitor risks appropriately. While unproductive automated rules may not be relevant to your institution, the lack of risk coverage in your automated or manual monitoring processes may cause you to underreport suspicious activity.
Prioritize and respond. As part of the AML and sanctions risk assessment process, financial institutions may uncover new risks and control gaps. Financial institutions, however, should not treat all residual risks the same. It is important to remember that prioritizing is not the same as ignoring. Financial institutions should develop an action plan and prioritize risks and controls based on severity.
Assess substantial change. AML and sanctions risk assessments often have a defined scope, but it is important to consider changes in risk over time. For example, consider whether there are fluctuations in high-risk customers, transaction volumes for high-risk products, or transactions with high-risk geographies. It’s also important to consider expected changes in the future, such as planned acquisitions or control enhancements. Financial institutions should also have mechanisms to monitor changes in risk between assessment cycles so that they can act proactively instead of reactively.
Board participation is key. The board sets the tone at the top, and its involvement in understanding the results of an AML and sanctions risk assessment is critical. Financial institutions may establish board committees or internal compliance committees, but the information needs to reach the most senior levels of the institution so that they understand its risk profile.
Define your financial crime risk appetite and accept the risk. It is important to be able to measure whether the results of an AML and sanctions risk assessment exceed your risk appetite. To do that, the board and senior management need to define their financial crime risk appetite and establish governance for risk acceptance. Financial institutions can leverage existing risk appetite and risk acceptance processes, but should tailor them to financial crime risk. While the mechanics are less important, financial institutions need to document their process and decisions formally.
What Does This Mean for You?
Both increased attention and the potential benefits of a well-executed AML and sanctions risk assessment signal that financial institutions should re-evaluate assessment processes. Financial institutions should not only ensure their risk assessment processes are fit for purpose, but also evaluate the governance regarding risk awareness and acceptance.
Are the board and/or relevant governance committees aware of the results?
Who has the authority to accept financial crime risk? Is it commensurate with your risk profile?
Do you have a process or mechanism to assess internal and external changes that require updating a risk assessment off cycle?
Do your risk assessments yield actionable steps?
How Guidehouse Can Help
Guidehouse can help banks, broker-dealers, insurance companies, money service businesses, and other types of financial institutions with their AML and sanctions risk assessment processes and financial crime risk management frameworks, including:
AML and sanctions risk assessment methodology development, review, and/or validation.
AML and sanctions risk assessment execution.
AML and sanctions risk management framework development, including financial crime risk appetite statements and risk acceptance procedures.
AML and sanctions board training.
AML and sanctions risk assessment training.
AML and sanctions gap analyses.
Special thanks to contributing author Gene Bolton.
[1] "Anti-Money Laundering Program Effectiveness," Federal Register 85:181 (September 17, 2020) p. 58023.
[2] New York Department of Financial Services (NYDFS) requires virtual currency licensees to conduct an initial risk assessment and additional risk assessments on an annual basis, or more frequently as risks change, pursuant to 23 New York Codes, Rules and Regulations (NYCRR) Part 200.
[3] Capital One Bank (USA), N.A. entered into a consent order with OCC in 2015. The consent order states, “[T]he Bank lacks an enterprise wide BSA/AML risk assessment.” Article IV states, “The Bank shall conduct a comprehensive assessment of the Bank’s BSA/AML risk, including detailed quantification of risk to accurately assess the level of risk and the adequacy of controls.”
[4] Habib Bank Limited and Habib Bank Limited New York Branch entered into a consent order with NYDFS in 2017. The consent order states, the bank shall “submit a written revised BSA/AML compliance program for the Branch acceptable to the Department. At a minimum, the program shall provide for…a comprehensive BSA/AML risk assessment that identifies and considers all products and services of the Branch, customer types, geographic locations, and transaction volumes, as appropriate, in determining inherent and residual risks.”
[5] Industrial Bank of Korea and Industrial Bank of Korea New York Branch entered into a consent order with NYDFS in 2020. The consent order states, the bank “shall jointly submit a status report that is acceptable to the Department with updates on any changes to the Branch's BSA/AML compliance program that are planned and/or underway, or have been implemented since the 2019 Examination (hereinafter the Status Report). At a minimum, the Status Report shall include updates on...a comprehensive BSA/AML risk assessment that identifies and considers all products and services of the New York Branch, customer types, geographic locations, and transaction volumes, as appropriate, in determining inherent and residual risks.”
[6] When retiring controls, financial institutions should conduct impact analyses and adhere to proper governance protocols.