BSA/AML Risk Assessment

Page 1 of 35
TABLE OF CONTENTS (PAGE)
Auditing & Updating a $13 Billion Organization’s BSA/AML Risk Assessment ..... 4
Auditing the Existing BSA/AML Risk Assessment ..... 5
Core Components of a Comprehensive BSA/AML Risk Assessment ..... 7
1. BSA/AML Risk Assessment Overview ..... 7
1.1 Introduction ..... 7
1.2 Steps in the Risk Assessment Process ..... 8
1.3 Detailed Bank Information ..... 8
1.4 Customers and Entities ..... 9
1.5 Money Service Businesses (MSBs) ..... 10
2. BSA/AML Compliance Program Overview ..... 11
2.1 Introduction ..... 11
2.2 Internal Controls ..... 11
2.3 Independent Testing ..... 12
2.4 BSA/AML Officer ..... 12
2.5 BSA/AML Training ..... 13
3. BSA/AML Operations Overview ..... 13
3.1 BSA/AML Policy ..... 13
3.2 BSA/AML Department ..... 13
3.3 Customer Identification Program (CIP) ..... 14
4. Currency Transaction Reports (CTRs) and Monetary Instrument Logs (MILs) ..... 14
5. Anti-Money Laundering Software Risk Assessment ..... 15
6. High Risk Determination and Tracking ..... 16
7. Regulation GG ..... 17
8. Enterprise Wide BSA/AML Exam & Audit Reports ..... 17
9. Business Units (BUs) ..... 17
9.1 Products and Services (Appendix A) ..... 18
10. Identifying and Evaluating BSA/AML Risk ..... 19
10.1 Introduction ..... 19
10.2 HIDTA and HIFCA Locations ..... 19
10.3 Risk Identification and Evaluation Ratings ..... 20
11. Corporation’s Risk Identification and Evaluation of Business Units/Products and Services (Appendix B) ..... 21
12. Summary of Corporation’s Enterprise Wide BSA/AML Quantitative Risk (Appendix D) ..... 21
13. Mergers and Acquisitions ..... 22
14. New Product Committee ..... 22
15. Projected BSA/AML Risks ..... 23
CONCLUSION: Think Enterprise Wide ..... 24
SAMPLE SPREADSHEETS:
Appendix A - Business Units BSA/AML Risk Identification and Evaluation of Products and Services, Inherent Risks, Mitigating Controls and Residual Risks ..... 25
Appendix B - Risk Evaluation of Business Units/Products and Services ..... 26
Appendix C - Corporation Risk Evaluation of Company/Products and Services ..... 27
Appendix D - Summary of Corporation’s Enterprise Wide BSA/AML Quantitative Risk ..... 28
Appendix E - BSA Risk Analysis Chart, Customers/Accounts, Products/Services and Geographies ..... 29
FFIEC Bank Secrecy Act/Anti-Money Laundering Examination Manual Appendixes
Appendix I: Risk Assessment Link to the BSA/AML Compliance Program ..... 32
Appendix J: Quantity of Risk Matrix ..... 33
Research/References/Sources ..... 35
AUDITING & UPDATING a $13 BILLION ORGANIZATION’S BSA/AML RISK ASSESSMENT
By Donna Davidek, CAMS
December 30, 2013
The Business Dictionary (1) defines Risk Assessment as “The identification, evaluation, and estimation of
the levels of risks involved in a situation, their comparison against benchmarks or standards and their
determination of an acceptable level of risk”. The risk assessment process is not new to the Banking
industry. Risk assessments have been conducted in many areas within banking organizations for years,
so it seemed appropriate when the BSA area came into regulatory focus. Since at least 2005, every
depository financial institution has been required to perform and document a written BSA/AML Risk
Assessment. The purpose of a comprehensive risk assessment is to assess the enterprise wide BSA/AML
risk profile of the organization, including the Bank and all subsidiaries. By determining the enterprise
wide BSA/AML risk profile, the organization can evaluate the adequacy of existing processes and where
required, modify and update the risk management processes in an effort to more effectively identify and
mitigate risk. A risk assessment can serve as a valuable tool
for any Banking institution that wants to manage its
BSA/AML risk effectively. The key is to understand the
Bank’s risk exposure and develop the necessary policies,
procedures, systems, and controls to mitigate the risk. The
emphasis by regulators for financial institutions to conduct
detailed risk assessments has increased substantially over
the years. Today, there is an expectation by regulators for
BSA/AML Risk assessments to provide a more granular and
in-depth review of all areas of the organization. There is not
one recommended methodology or format specified or
method required when completing a risk assessment. As
long as the risk assessment can be understood by the
appropriate parties who will read it, the format should be
acceptable to federal regulators.
The information contained in this whitepaper does not
address OFAC risk as the organization represented conducted and documented a stand-alone OFAC Risk
Assessment. It is acceptable for the OFAC Risk Assessment to be incorporated into the organization’s
overall BSA/AML Risk Assessment; however, it is best practice for a large bank to create a stand-alone
OFAC Risk Assessment. A process similar to the one outlined in this paper was also conducted when
auditing and updating the OFAC Risk Assessment.
AUDITING THE EXISTING BSA/AML RISK ASSESSMENT
When faced with the task of auditing an institution’s existing BSA/AML Risk Assessment, to determine if it is adequate for the present state of the organization, the initial question is “Where Do I Begin?”
There are many reasons why a risk assessment should or must be updated. In order to determine
whether the existing risk assessment needs to be updated or whether it must be rewritten in its
entirety, the auditor must thoroughly review the existing risk assessment to determine if it appropriately
represents the organization’s current risk profile and also conforms to regulatory standards. The
reviewer must determine if necessary control points, as represented in the list below, are included
within the risk assessment:
1. The risk assessment should properly reflect the current BSA/AML risk profile across the entire
organization.
2. The risk assessment should clearly identify all areas within the organization and specifically identify those Business Units (BUs) within the organization with direct BSA/AML responsibilities. The risk assessment should also clearly identify each BSA/AML responsibility specific to each Business Unit.
3. The risk assessment should include a detailed, in-depth evaluation of the inherent risk of every existing, new, or significantly expanded or modified customer, geography, product, service and system used or offered by each BU within the organization with direct BSA/AML responsibilities; an evaluation of the effectiveness of the systems and internal controls utilized by each BU; and the determination of the resulting residual risk of each product, service and system used or offered through each BU.
4. Any major events or changes that have taken place within the organization should be reflected in the risk assessment, e.g., mergers, acquisitions, expansions, changes in the organization’s footprint or expansion into new markets, new products or services or changes to existing ones, prior inefficiencies identified that have not been corrected, new core data processing or anti-money laundering systems, or the Bank crossing the $10 billion mark and therefore being considered a large Bank by definition.
5. The findings provided in the risk assessment should be supported by appropriate qualitative and
quantitative data.
6. The institution should maintain an effective process for periodically reviewing and updating the institution’s risk assessment, ensuring that all changes to BUs with any BSA/AML responsibilities are represented appropriately.
7. The risk assessment should be shared and communicated with all BUs across the organization,
including management and appropriate staff.
8. The results of the organization’s risk assessment should be reported to the appropriate
supervisory committee and/or to the Board of Directors.
9. At a minimum, the organization’s BSA/AML Risk Assessment should have been updated within
the past twelve to eighteen months; however, the current standard practice for most
organizations is to update the risk assessment every twelve months. Prior to changing products
or services or engaging in new customers or geographies, a risk assessment update would also be
warranted. Regulatory changes may also warrant a risk assessment update.
After reviewing the existing risk assessment, it was determined to be inadequate. The existing risk assessment lacked major areas of detail necessary to appropriately determine the organization’s risk profile. The original risk assessment was created in a format following the principles represented in the FFIEC’s BSA Examination Manual Appendix J: Quantity of Risk Matrix and Appendix I: Risk Assessment Link to the BSA/AML Compliance Program. Smaller community Banks often use these matrices to formulate summary conclusions; however, they are not particularly useful when developing a risk assessment for a large institution. Appendix J may be utilized for a baseline approach, but a large Bank’s products, services, customer base, geographies and systems are often too complex for a simple matrix.
The existing risk assessment consisted of a series of spreadsheets, one for each BU with BSA/AML
responsibilities, including an overall summary. It was difficult to read and lacked a clear, descriptive
narrative. Products, services and systems were not fully detailed. The risk assessment contained an
insufficient listing of applicable red flags, inherent risks were not fully identified and risk rated,
mitigating controls listed were not clearly defined and had minimal explanation and residual risk was not
fully explained and/or risk rated. To summarize, the BSA/AML Risk Assessment conclusions were not
adequately documented; therefore, they could not be supported. Risk assessments cannot lack
supporting documentation; but should contain appropriate facts, justification and documentation in
order to reach correct overall conclusions of defining the risks within an organization. Comprehensive
supporting documentation should provide an auditor or regulator with the rationale that was utilized to reach
overall conclusions in the risk assessment. In order to properly conclude there is a sufficient BSA/AML
program in place, the risks at the institution must be appropriately identified.
EXISTING BSA RISK ASSESSMENT
After completing the audit process, a decision had to be made to either update the existing risk assessment or rewrite it in its entirety. The Bank had transitioned to what was now defined as a large Bank and, as a result, the existing risk assessment no longer adequately represented the BSA/AML risk profile of the organization. In order to be commensurate with the size and complexity of the organization, the decision was made to rewrite the risk assessment in its entirety.
Core Components of a Comprehensive BSA/AML Risk Assessment
Best Practice for a $13 Billion Institution
After determining the existing risk assessment was outdated and did not adequately represent the
current BSA/AML risk profile of the organization, a more detailed and granular risk assessment had to be
developed. The objective is not solely to complete a risk assessment, as the risk assessment is not the
end game but merely a tool. The risk assessment only focuses attention on inherent and residual risk.
The greater objective is to create a meaningful risk assessment as a key tool to identify, prioritize and
ultimately manage risk. There are numerous elements to consider when creating a risk assessment. The
list below was drafted based on a great deal of research, information obtained through attending
various ACAMS conferences and webinars and Appendix J and Appendix I from the FFIEC BSA
Examination Manual. The following information gathered was utilized as a guide to determine what
information should be included in the new risk assessment.
1. BSA/AML Risk Assessment Overview
1.1 Introduction (3)
In an effort to define the purpose of the risk assessment, statements such as the following can be
included:
1. The Bank has established a goal of maintaining a Bank Secrecy Act (BSA) and Anti-Money
Laundering (AML) compliance program with strong risk monitoring procedures in place.
2. To achieve this goal, the Bank continuously monitors the various risks that could directly
impact the quality of the Bank’s program.
3. Based on the information contained in the risk assessment, the Bank has identified its BSA/AML risk profile to be High/Inadequate, Moderate/Adequate or Low/Strong, whichever risk rating is applicable.
4. Identifying the Bank’s risk profile has assisted the Bank with delegating its resources and
reasonably managing the Bank’s overall BSA/AML Program.
5. The BSA/AML Risk Assessment provides a comprehensive analysis of the highest risks facing
the organization and will be shared with Senior Management, the Board of Directors or
whoever is applicable.
The risk assessment should also indicate what it is not designed to accomplish. The risk assessment process
should function as a guide in the development of applicable risk-based policies, procedures, systems and controls
and is not designed to be utilized as a means of denying account relationships to specific entities or eliminating
higher risk products or services.
1.2 Steps in the Risk Assessment Process (2)
Steps in the Risk Assessment Process: 1. Identification of Specific Risk Categories; 2. Perform Detailed Analysis of the Gathered Data; 3. Evaluation of the BSA/AML Program.
1. Identification of Specific Risk Categories
According to the FFIEC BSA/AML Examination Manual, the first step of the risk assessment process is to identify specific products, services, customers, entities and geographic locations.
2. Detailed Analysis
The second step of the risk assessment process entails a more detailed analysis of the data obtained during the identification stage in order to more accurately assess BSA/AML risk. This step involves evaluating data pertaining to the Bank’s activities (e.g., number of domestic and international funds transfers, private banking customers, geographic locations of the Bank’s business area and customer transactions) in relation to Customer Identification Program (CIP) and customer due diligence (CDD) information. This detailed analysis is ultimately important because within any type of product or category of customer there will be accountholders that pose varying levels of risk.
3. Evaluation of the BSA/AML Program
In this step, it is acknowledged that the Bank has structured its BSA/AML Program to adequately address the concerns identified in the risk assessment and that, as a result of the findings, appropriate policies and procedures were developed to monitor and control the various risks.
1.3 Detailed Bank Information
A detailed description of the information that is specific and unique to the Bank should be included.
1. The current asset size of the Bank
2. The Bank’s footprint:
a. States where branch offices are located
b. Markets within each state, including number of branch offices within each market
c. Identify when and where any new branch offices were opened
d. Define primary market areas by percentages of the entire Bank
e. Identify location of corporate headquarters
f. List number of ATMs located throughout the Bank’s footprint by state
g. Indicate number of full-time associates employed by the organization and the
percentage of turnover rate of associates, including key personnel
h. Summarize the Bank’s domestic and foreign operations, including an explanation of
the Bank’s policy on opening foreign business accounts
1.4 Customers and Entities
The risk assessment should clearly define the entire client base, with particular concern for the
identification of client/entity types conventionally associated with heightened risk of exposure for
money laundering and terrorist financing. The preferred method of presenting information gathered
is to create reports or spreadsheets that identify the information below by branch office, totaled by
market and totaled by state, as well as the number of accounts and dollar amounts as a percentage
by branch office, market and state. This process best defines the geographic regions of the client base by their share of the entire Bank.
1. Deposit Accounts – number of accounts and total dollar amount, including percentages by market and percentages by state
a. Personal
b. Non-personal
c. Time deposits
2. Loan Accounts – number of accounts and total dollar amount, including percentages by market and percentages by state
a. Personal
b. Non-personal
c. Loans secured by cash, marketable securities or cash value life insurance
3. Foreign Businesses
a. Number of relationships
b. Number of accounts
c. Country of origin
d. Occupation/Nature of business
e. Type of account and dollar amount
4. Private Banking
a. Definition of private banking that is exclusive to the Bank, including no international
private banking clients
b. List of products and or loans that are exclusive to private banking clients
c. Identify deposit accounts and loan accounts, including number of accounts and dollar
amount by market and state
5. Clients/Entities – number of accounts and dollar amounts of:
a. Entities as defined by NAICS codes
b. Non-resident aliens
c. Resident aliens
d. Sole proprietors
e. Cash intensive businesses
f. Politically Exposed Persons (PEPs)
1.5 Money Service Businesses (MSBs)
The risk assessment should clearly state the Bank’s position on opening accounts for clients
determined to be MSBs. If the Bank has identified MSBs as part of their client base, a risk
assessment should be performed on these entities. The MSB risk assessment should pertain to:
1. Currency dealers or exchangers
2. Check cashers
3. Issuers of traveler’s checks, money orders or stored value cards
4. Sellers or redeemers of traveler’s checks, money orders or stored value cards
5. Money transmitters
Other factors to consider when completing the MSB risk assessment are the following:
1. Inherent risk factors of MSBs
2. Considerations for risk rating of MSB clients
3. Lower risk indicators
4. Higher risk indicators
5. Mitigating controls
6. Client base
a. Identify number of high risk clients
b. Type of business the MSB engages in; e.g., convenience store, grocery store, gas
station, check cashing, etc.
c. Total dollar amount of MSB activity:
i. Credits and debits
ii. Cash in and cash out
iii. Incoming wires and outgoing wires
iv. Total number of transactions
v. Identify top 10 MSB clients by dollar amount
vi. Identify top 10 MSB clients by cash: cash in, cash out and total cash
d. Define demographics of all MSB clients
i. Risk category of each MSB
ii. City and state where business is conducted
iii. Located in a High Intensity Financial Crimes Area (HIFCA) or High Intensity Drug Trafficking Area (HIDTA), yes or no
7. Residual risk and overall risk rating of MSBs
8. Mitigating controls for MSB clients
a. Customer Due Diligence (CDD) & Enhanced Due Diligence (EDD)
b. FinCEN license registration
c. Transaction monitoring
d. Risk rating of each MSB client
2. BSA/AML Compliance Program Overview
2.1 Introduction (2)
According to the FFIEC BSA/AML Examination Manual, the Bank’s BSA/AML compliance program
must provide for the following:
1. A system of internal controls
2. Independent testing of BSA/AML compliance
3. Designating an individual or individuals responsible for managing BSA compliance
4. Training for appropriate personnel
It is best practice to acknowledge that the Bank has a written BSA/AML compliance policy that meets
FFIEC requirements and has been approved by the appropriate board or committee of the Bank.
2.2 Internal Controls (2)
Internal Controls are the Bank’s Policies, Procedures and Processes designed to limit and control risks and to achieve compliance with the BSA.
The Bank’s Board of Directors is ultimately responsible for ensuring the Bank maintains an effective BSA/AML program. As a result, management is required to develop policies and procedures designed to limit and reasonably control BSA/AML risks identified in the risk assessment. The Bank’s internal controls must consist of:
1. Conducting an annual BSA/AML Risk Assessment to identify those areas posing the highest
risk for money laundering, terrorist financing and/or illegal activities.
2. Appointing a BSA Officer to be responsible for the BSA Policy and Procedures and oversight of
the day-to-day compliance.
3. Designation of a centralized department responsible for managing the daily responsibility of
BSA/AML compliance.
4. Policies and procedures to ensure compliance with all regulatory record keeping and
reporting requirements.
5. Risk-based monitoring system to identify and report appropriate transactions including SARs
and CTRs.
6. Meetings/Reports with appropriate boards or committees to discuss the following:
a. Key Risk Indicators (KRIs)
b. High risk processes
c. Compliance initiatives
d. Program deficiencies, including Quality Control/Quality Assurance results
e. Suspicious Activity Reports (SARs) filed
f. Currency Transaction Reports (CTRs) filed
g. Accounts closed due to suspicious activity
h. Customer Identification Program (CIP) violations
i. High Risk Accounts
j. Completed and outstanding Training
k. Source of alerts reported and investigations completed
2.3 Independent Testing
This section is intended to provide all information related to independent testing of the BSA/AML
Compliance Program.
Information should include:
1. Defining responsibility for managing the independent audit process
2. Who independently conducts the audit
3. Frequency of audit conducted
4. Goal of the audit
5. Scope of the audit
6. Follow up meeting on findings during the audit
7. Defining responsibility for writing responses to findings
8. Requirement for prompt management follow up on resolving deficiencies cited in findings
2.4 BSA/AML Officer
The qualified, designated BSA/AML Compliance Officer should be named, as appointed on the applicable date by the Board of Directors. A brief description of the BSA Officer’s responsibilities should also be included, in addition to an overview of the BSA associates who assist with the responsibility of day-to-day administration of the BSA functions. It should also be noted that the Board of Directors is responsible for ensuring the BSA Officer has sufficient authority and resources to administer an effective BSA/AML Compliance Program based on the Bank’s risk profile. (3)
2.5 BSA/AML Training
Training for appropriate personnel is a requirement of a BSA program. Information regarding the
Bank’s training program and results should be thoroughly detailed in the risk assessment.
Information to include:
1. How the training is conducted, e.g., computer-based, in person, etc.
2. How often training must be completed
3. Method of assigning and tracking the training courses, as well as training for new hires
4. Types of training, e.g., job specific, Business Unit BSA/AML programs, new hires, etc.
5. In the current calendar year, number of associates who completed their assigned BSA/AML
training, including percentage of completion by associates
6. Timing of training completed by newly hired associates, e.g., new associates must complete their BSA/AML training within the first 60 days of employment
7. Include an outline of all training topics and testing materials included in the annual BSA/AML
training, including the responsibility for selecting and organizing the BSA training program
8. Annual training for BSA Officer and ongoing training for BSA associates
9. Annual Board of Directors training
Training is one of the four pillars of a BSA Compliance Program as identified in the FFIEC BSA Exam Manual. The importance of assigning, completing and tracking training for all appropriate personnel cannot be overlooked.
3. BSA/AML Operations Overview
3.1 BSA/AML Policy
An overview of the contents of the written BSA/AML Policy should reflect the purpose and goal of
the policy and how the organization complies with the overall requirements of BSA regulations and
the USA Patriot Act. Approval by the Board of Directors and the date approved should also be
included.
3.2 BSA/AML Department
This section should reflect that the Bank has established a centralized BSA Department responsible
for overseeing and implementing the Bank’s BSA/AML Program and monitoring, investigating and
reporting suspicious activity. Indicate that management has ensured adequate staff is allocated to complete all steps necessary to appropriately identify and report criminal activity. Best practice is to
list the physical location of the BSA Department, number of associates assigned to BSA, combined
total number of years of BSA experience of the department as well as combined number of years of
overall banking experience of the BSA associates. If any of the BSA associates have achieved any
certifications or advanced certifications, such as ACAMS or ACAMS Audit, include that information in
this section.
3.3 Customer Identification Program (CIP)
All Banks must have a CIP. The CIP is intended to enable the Bank to form a reasonable belief that it
knows the true identity of each customer. The risk assessment should contain an overview of the
Bank’s CIP to include:
1. Customer information required to open an account
2. Summary of risk-based procedures for verifying the identity of the customer
a. Verification through documentary methods
b. Verification through nondocumentary methods
c. Additional verification for certain customers, e.g., when the Bank cannot verify the
customer’s true identity using documentary or nondocumentary methods
3. Procedures for circumstances when the Bank cannot verify the customer’s identity
4. Recordkeeping and retention requirements
5. Adequate customer notice, when and how notice is provided to customer
6. When reliance on another financial institution for CIP is acceptable
4. Currency Transaction Reports (CTRs) and Monetary Instrument Logs (MILs)
Information about the Bank’s daily work process relative to CTRs and MILs should be included in the risk
assessment. The daily work process would include:
1. System used to process CTRs
2. Reports utilized to identify all reportable CTRs and verify cash in and cash out totals are correct
3. How cash is aggregated by tax identification number
4. How CTRs are created and verified
5. E-filing and acknowledging the file
6. Number of CTRs filed
7. Number of exempt clients, Phase I and Phase II, and define exemption process
8. Process of verification of monetary instrument logs
5. Anti-Money Laundering Software Risk Assessment
Effective AML software provides a comprehensive enterprise-wide BSA compliance solution. By storing
and evaluating data for both clients and accounts, AML software enables the BSA Department to reduce
compliance risk, consistently apply BSA policies and procedures, accurately assess client risk, enforce a
structured BSA review workflow to monitor transactions, facilitate management and Board oversight,
and implement Customer Due Diligence and Enhanced Due Diligence programs. AML software also
gives users the tools to create and manage cases for those clients and accounts requiring more thorough
oversight and documentation. AML software can also provide BSA a portal for creating and filing
Suspicious Activity Reports (SARs) for cases in which such action must be taken.
The BSA Department is charged with the responsibility for the Bank’s compliance with the BSA, including
detection of money laundering, terrorist financing and/or other criminal activity. The Bank should
perform a risk assessment on the AML software used by the Bank. The risk assessment should be
documented and included in the overall BSA/AML risk assessment. Information should include the
following keys to implementing the AML software and understanding and validating its functionality:
1. Basic concepts of the AML software
2. How the software is configured
3. Define the case management system
4. Identification or alert of unusual activity
5. Management of alerts
6. Investigative guidelines for working cases
7. Suspicious Activity Reports (SARs)
a. Decision making
b. Completion
c. Filing
8. Customer Due Diligence (CDD) and Enhanced Due Diligence (EDD) processes
9. Questions asked of client during the account opening process, including scoring of the responses
by client
10. Use of software to identify high risk clients
a. Potential high risk clients
b. Risk rating of clients
11. Software change control procedures
12. How data is imported from the core processing system to the AML software
13. Independent validation of the software: testing integrity and accuracy of the AML system,
including audit results
14. Understand what the system does not do
a. Identify gaps
b. Results of a gap analysis performed on AML software
15. Utilization summary for specific date range of the risk assessment
a. Number of investigations as a result of the AML software
b. Number of cases resulting from investigations
c. Number of SARs filed
16. Risk of failure of the AML software, hardware or data.
An alternative definition for the acronym SAR is “SOMETHING AIN’T RIGHT!!”
6. High Risk Determination and Tracking
The BSA Department is responsible for developing and maintaining a list of clients identified by the Bank
as potentially posing a High Risk of terrorist financing or financial crimes, including money laundering.
The list of High Risk clients may evolve from many different sources, such as their type of business,
account activity, geographic location, etc. This section should define the various ways BSA Department
personnel are alerted of potential suspicious clients/activity:
1. AML software
a. Risk runs
b. Peer analysis worklists
c. Customer Due Diligence (CDD) questions
d. Account Due Diligence (ADD) questions
2. Notification from associates outside of the BSA Department (internal notification)
3. Law enforcement requests e.g., subpoenas, national security letters, etc.
4. Cash shipment reports
5. Daily CTR processing and exemption reviews
6. 314(a) matches
7. Incoming and outgoing 314(b) requests
8. SARs filed
Define process used to determine and track High Risk Clients:
1. Review is conducted and based on investigation, client is determined to be high risk
2. Annual risk rating of entire data base
3. Customer Due Diligence (CDD) review consisting of responses to questions asked of client during
the account opening process
4. Expanded due diligence for high risk clients
5. Identifying and tracking new potentially high risk clients
What defines High Risk Entities and Activities? Although attempts to launder money through a
legitimate financial institution can emanate from many different sources, certain kinds of businesses,
transactions or geographic locations may lend themselves more readily than others to potential criminal
activity. All high risk client relationships should be clearly identified by number of accounts and type of
business. The BSA Risk Analysis Chart, Appendix E, may be a useful tool when performing BSA risk
analysis in an effort to identify higher risk clients.
7. Regulation GG
The risk assessment should state the Bank’s position to not maintain accounts with any business involved in internet gambling. The process and method utilized by the Bank to evaluate the likelihood that a potential client is engaged in an internet gambling business should be defined and included in the risk assessment.
Regulation GG: Unlawful Internet Gambling Enforcement Act of 2006
8. Enterprise Wide BSA/AML Exam & Audit Reports
The information in this section should consist of the results of all exams and audits, both internal and
independent and the results of any BSA/AML findings. The information can be placed in spreadsheet
format and should include:
1. Business Unit and/or Subsidiary
2. Date of last audit or exam
3. BSA/AML Findings – yes or no
4. Audit schedule, e.g., 12 – 18 months, 19 – 24 months, 24 – 26 months, etc.
5. Detailed description of each finding
6. Management response to each finding
The results of the BSA Department exams and audits should also be included in this section.
9. Business Units (BUs)
There are numerous Business Units (BUs) within a banking organization. All associates within all BUs are
responsible for BSA/AML compliance, but not all BUs have job specific BSA/AML responsibilities. The
BUs within the organization with specific BSA/AML responsibilities should be identified in the risk
assessment.
9.1 Products and Services (Appendix A) (2)
Certain products/services pose a higher risk of money laundering or terrorist financing depending on specifics as offered by the Bank. Such products may facilitate a high degree of anonymity or involve the handling of high volumes of currency or funds transfers or practices with limited paper trails making it difficult to follow the money. There may be products with high volumes of transactions that make it challenging to identify the legitimate transactions. Some of these products and services are listed below, but the list is not all inclusive:
[Graphic: higher risk products and services shown in the original: Trust & Asset Mgmt., Lending Activities, Remote Deposit Capture, ACH, Funds Transfers & Electronic Banking, Private Banking, Credit Cards, Mobile Banking, Payroll Cards]
1. Electronic funds payment services – electronic cash (e.g., prepaid and payroll cards),
funds transfers (domestic and international), third-party payment processors, automated
clearing house (ACH) transactions and automated teller machines (ATMs)
2. Electronic banking
3. Private banking (domestic and international)
4. Trust and asset management services
5. Monetary instruments
6. Lending activities, particularly loans secured by cash collateral and marketable securities
7. Nondeposit account services (e.g., nondeposit investment products and services)
8. Foreign correspondent accounts
9. Trade finance
10. Services provided to third party payment processors or senders
11. Foreign exchange
12. Special use or concentration accounts
The expanded sections of the FFIEC BSA/AML Examination Manual provide guidance and discussion on
specific products and services detailed above.
The risk assessment should identify all products and services within the organization and indicate the BU
specifically responsible for each product/service. The risk assessment must take into consideration all of
the organization’s BUs and operating subsidiaries and how the risk of one BU is interrelated to another
BU. Think enterprise wide when performing the risk assessment related to BU’s and their respective
products, services, systems and controls:
1. Identify each BU and define all of its functions in detail
2. Identify and list each product and service offered through the BU
a. Identify and list inherent risks associated with each product/service
b. Include a risk rating for the inherent risks identified of each product/service, e.g.,
high, moderate or low
c. Identify and list the controls in place to mitigate each risk identified, including all
systems utilized by the BU
d. Include a risk rating of the residual risks identified after mitigating controls were
analyzed, e.g., high, moderate or low
e. Include a chart that summarizes activity for specific products/services, e.g., funds
transfers. Information should include number of wires, dollar amount of wires,
monthly totals of each category including overall percentages of domestic and
foreign, personal and non-personal.
This process can be achieved through a series of spreadsheets that represent each BU in its entirety. By
gathering information relative to each BU and maintaining all documentation to support the reported
data, the auditor can be confident that sufficient data has been gathered and analyzed to support the
findings and resulting risk ratings. See Appendix A. The BU risk information will be summarized and
recorded on a Risk Evaluation of Business Units/Products and Services spreadsheet. See Appendix B.
10. Identifying and Evaluating BSA/AML Risk
10.1 Introduction (3)
The Bank should focus on developing a BSA/AML Risk Assessment by identifying risk categories unique to the Bank and analyzing the data identified to better assess the Bank’s risk within these categories. The detailed analysis identifies the products, services, customers, entities and geographies that pose risk to the Bank.
Joint participation with various departments and BUs across the Bank, management and appropriate
staff should be considered to achieve the best results. Through the risk assessment process, the Bank
will lay a foundation for the efficient allocation of the organization’s time and resources. By allocating
its resources to the areas of highest risk, the Bank can effectively manage and reduce its BSA/AML risk.
10.2 High Intensity Drug Trafficking Areas (HIDTA) and High Intensity Financial Crimes
Areas (HIFCA) Locations
The total number of the Bank’s branch office locations should be included, indicating the number of
locations in HIDTAs and HIFCAs. At the time of this writing, there are 28 HIDTAs, which include
approximately 16 percent of all counties in the United States and 60 percent of the U.S. population.
HIDTA-designated counties are located in 46 states, as well as in Puerto Rico, the U.S. Virgin Islands, and
the District of Columbia. At the time of this writing, there are 7 states in the U.S. with areas of
jurisdiction by counties that are considered HIFCAs. They are California, Arizona, counties bordering and
adjacent to those bordering the U.S. and Mexico boundary in Texas, Illinois, (Chicago), New York, New
Jersey, and South Florida. All areas of Puerto Rico and all areas of the U.S. Virgin Islands are also
considered HIFCAs. The Bank’s branch locations should be identified by name, address, city, state, zip
code, county and HIDTA yes or no and HIFCA yes or no. This information can be placed on a spreadsheet
and included in the risk assessment.
HIDTA information can be obtained at:
http://www.whitehouse.gov/ondcp/high-intensity-drug-trafficking-areas-program.
HIFCA information can be obtained at:
http://www.fincen.gov/law_enforcement/hifca/index.html#map_hifca.
Each risk level for each of the items listed below should include a brief description as defined by the Bank. The definitions of the risks listed below will be utilized when analyzing all information gathered to determine the Bank’s Final BSA/AML Risk Score:
1. Inherent Risk – define what determines a rating of High, Moderate or Low
2. International transactions – Yes or No
3. Geographic Risk – define what determines a rating of High, Moderate or Low
4. Cash Intensive – Yes or No
5. Monitoring/Mitigating Controls – define what determines controls considered to be Strong, Adequate or Weak
6. Residual Risk – define what determines a rating of High, Moderate or Low
11. Corporation’s Risk Identification & Evaluation of Business Units/Products
and Services (Appendix B)
In an effort to determine the Bank’s Final BSA/AML Weighted Risk Score, information determined from
the risk identification and evaluation must be analyzed. In the first step above, the inherent risk,
mitigating controls and resulting residual risk of each product/service was determined and documented
on the Business Units BSA/AML Risk Identification and Evaluation of Products and Services (Appendix A).
The second step is to create a spreadsheet to record the various risk levels determined in the risk
evaluation conducted as outlined in Appendix A. In this step, additional information will be analyzed to
determine the Bank’s final BSA/AML scoring. The additional information includes International
Transactions, Geographic Risk, Cash Intensive, the Business Unit Risk Rating, the Risk Weight of each BU
and the Final Risk Weighted Score of the entire Bank. See Appendix B.
Appendix A: Represents the risk identification and evaluation of each BU within the Bank.
Appendix B: Represents the Bank and all of its BUs.
Appendix C: The same process represented in Appendix A and Appendix B should be repeated for
each subsidiary of the Bank and each subsidiary of the organization, as represented by Appendix C.
An additional column can be added to spreadsheets containing identified risks to indicate whether the residual
risk trend is increasing, decreasing or stable. The risk trend can be measured as indicated below:
Increasing
Decreasing
Stable
12. Summary of Corporation’s Enterprise Wide BSA/AML Quantitative Risk
(Appendix D)
The final stage in determining the Corporation’s Enterprise Wide BSA/AML Risk Score is to create a final
spreadsheet containing a summary of the quantitative risk results by company. Each company within
the corporation should be listed, along with each BSA/AML rating that has been determined after
performing a detailed analysis of the data gathered during the identification stage. The analysis process
gives management a better understanding of the Bank’s risk profile in order to develop the appropriate
policies, procedures and processes to mitigate the overall BSA/AML risk.
In this step, the Risk Weight of each division of the corporation must be determined. In the sample
spreadsheet represented by Appendix D, the Bank and Subsidiaries owned by the Bank represent 90% of
the Risk Weight of the corporation. A Subsidiary owned by the Corporation represents 2% of the Risk
Weight and an additional Subsidiary along with Companies owned by the Subsidiary represent 8% of the
Risk Weight of the organization. The information on Appendix D represents the final process in
summarizing the Corporation’s Enterprise Wide BSA/AML Quantitative Risk as determined by the risk
assessment process.
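The weighting arithmetic described in sections 11 and 12, written out as an added Python example (this is editor-supplied illustration, not a spreadsheet or tool from the guide). It applies the numeric equivalents the sample spreadsheets use (LOW = 1, MODERATE = 2, HIGH = 3), multiplies each entity’s numeric equivalent by its Risk Weight, sums the products, and maps the result to a rating using the band keys printed under the appendices. The sample rows are constructed from the Appendix D figures (Bank group 90%, Subsidiary 2%, Subsidiary group 8%) and the Appendix C summary (60%, 15%, 25%); the entity descriptions, function names and the 1e-9 weight tolerance are the example’s own assumptions. A check that the weights total 100% is included, because an unbalanced weight column silently distorts the final score.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Numeric equivalents used on the sample spreadsheets in Appendices B, C and D.
NUMERIC_EQUIVALENT: Dict[str, float] = {"LOW": 1.0, "MODERATE": 2.0, "HIGH": 3.0}

# Rating bands as (exclusive upper bound, label); a score at or above the last bound is HIGH.
# Appendix B and C key: 0 to 1.9999 = LOW, 2 to 2.9999 = MODERATE, 3+ = HIGH.
BANDS_APPENDIX_B_C: List[Tuple[float, str]] = [(2.0, "LOW"), (3.0, "MODERATE")]
# Appendix D key: 0 to 1.4999 = LOW, 1.5 to 2.9999 = MODERATE, 3+ = HIGH.
BANDS_APPENDIX_D: List[Tuple[float, str]] = [(1.5, "LOW"), (3.0, "MODERATE")]


@dataclass(frozen=True)
class Entity:
    """One row of a summary spreadsheet: a BU, subsidiary or company (names are assumed)."""
    name: str
    rating: str     # LOW, MODERATE or HIGH, as determined in the risk evaluation
    weight: float   # Risk Weight as a fraction, e.g. 0.90 for 90%


def check_weights(entities: List[Entity], tolerance: float = 1e-9) -> float:
    """The Risk Weight column must total 100%; anything else skews the final score."""
    total = sum(e.weight for e in entities)
    if abs(total - 1.0) > tolerance:
        raise ValueError(f"risk weights total {total:.4%}, expected 100%")
    return total


def weighted_score(entities: List[Entity]) -> float:
    """Final Risk Weighted Score = sum(numeric equivalent x risk weight), rounded to 4 places."""
    check_weights(entities)
    score = sum(NUMERIC_EQUIVALENT[e.rating.upper()] * e.weight for e in entities)
    return round(score, 4)


def classify(score: float, bands: List[Tuple[float, str]]) -> str:
    """Map a weighted score to LOW / MODERATE / HIGH using the given band key."""
    if score < 0:
        raise ValueError("score cannot be negative")
    for upper, label in bands:
        if score < upper:
            return label
    return "HIGH"


def score_and_rate(entities: List[Entity], bands: List[Tuple[float, str]]) -> Tuple[float, str]:
    """Convenience wrapper returning (Final Risk Weighted Score, rating)."""
    score = weighted_score(entities)
    return score, classify(score, bands)


# Constructed from the Appendix D sample: 90% / 2% / 8% weights.
APPENDIX_D_SAMPLE: List[Entity] = [
    Entity("Bank and Subsidiaries owned by the Bank", "MODERATE", 0.90),
    Entity("Subsidiary owned by the Corporation", "LOW", 0.02),
    Entity("Subsidiary owned by the Corporation and its Companies", "MODERATE", 0.08),
]

# Constructed from the Appendix C summary: 60% / 15% / 25% weights.
APPENDIX_C_SAMPLE: List[Entity] = [
    Entity("Subsidiary owned by Bank", "MODERATE", 0.60),
    Entity("Company owned by subsidiary (1)", "MODERATE", 0.15),
    Entity("Company owned by subsidiary (2)", "MODERATE", 0.25),
]


if __name__ == "__main__":
    for label, rows, bands in (
        ("Appendix D (corporation)", APPENDIX_D_SAMPLE, BANDS_APPENDIX_D),
        ("Appendix C (subsidiary)", APPENDIX_C_SAMPLE, BANDS_APPENDIX_B_C),
    ):
        score, rating = score_and_rate(rows, bands)
        print(f"{label}: {score:.4f} -> {rating}")
    # Same corporate score under the Appendix B/C key lands in a different band.
    print("Appendix D score under B/C key:", classify(weighted_score(APPENDIX_D_SAMPLE), BANDS_APPENDIX_B_C))
```

The Appendix D sample reproduces the guide’s 1.980 corporate score and MODERATE rating. Note that the band key printed under Appendices B and C starts MODERATE at 2.0, while the key under Appendix D starts it at 1.5; the same 1.980 would be LOW under the B/C key, so the risk assessment should state which key applies at each level of consolidation.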
13. Mergers and Acquisitions
If the organization has participated in recent mergers or acquisitions, the enterprise wide risk
assessment should be updated to include a due diligence review of the newly acquired entity. This
section should indicate any findings that may impact implementation, integration, financial
considerations, and non-financial risk that could potentially impact the organization. Information
gathered related to client base, products and services offered, international entities/transactions, high
risk clients/entities identified, SARs and CTRs filed, information on the existing BSA Compliance
Program, etc. should also be included in the risk assessment. Based on the information gathered and
analyzed, the due diligence team should determine the initial overall BSA/AML risk of the newly
acquired entity. Anticipated integration timelines should also be recorded. As soon as possible, the risk
assessment should be updated to include all information relative to the newly acquired entity.
14. New Product Committee
In addition to the Bank having a comprehensive risk management program designed to identify,
measure, monitor and control risks related to existing products and services, the Bank should also have
clearly defined objectives, expectations and risk limitations for all new products and services. To review,
understand and approve projected risks of new products and services, the Bank’s New Product
Committee process should be defined in this section. The enterprise wide risk assessment should define
the purpose of the committee and the process by which the committee will review and approve all new
or significantly expanded or modified products and services.
Not all organizations utilize a New Product Committee to review and approve new or significantly
expanded or modified products and services. If the organization does not utilize a New Product
Committee, indicate here the process the organization utilizes to identify, measure, monitor and control
risks related to new or significantly expanded or modified existing products and services.
15. Projected BSA/AML Risks
This section would include any projected strategic and regulatory BSA/AML risks identified that may
have an impact on the corporation such as:
1. Products and services currently under consideration by the New Product Committee
2. Future mergers or acquisitions
3. Upcoming changes in regulations, e.g., FinCEN’s Advanced Notice of Proposed Rule Making on
Beneficial Owners
The risk assessment should include any BSA/AML projected risks and management’s plan on how to
mitigate the risks identified.
CONCLUSION: THINK ENTERPRISE WIDE
Auditing to determine the adequacy of a BSA/AML risk assessment requires significant time and
commitment. The larger and more complex the organization, the more detailed both the audit and risk
assessment process will be. Don’t forget to “Think Enterprise Wide”. When auditing the risk
assessment, the risks of each Business Unit are a major consideration. How the risks are interrelated
among BUs across the entire enterprise must be considered and subjected to detailed analysis. The risk
assessment process should be comprehensive, transparent and well documented. When completing the
risk assessment process effectively, the end result will create the reliable conclusions necessary to
establish appropriate policies, procedures, processes and systems required to develop the organization’s
Enterprise Wide BSA/AML Compliance Program, which is ultimately designed to measure and minimize
risks associated with BSA/AML laws and regulations.
RISK VS. REWARD
Appendix A
SAMPLE SPREADSHEET
Business Units BSA/AML Risk Identification and Evaluation of Products and Services, Inherent Risks, Mitigating Controls and Residual Risks

Business Unit Name: __________

Column headings and instructions:

Products/Services
*List each product/service offered through BU
*List applicable BU responsibilities & duties specific to each, including how they comply with duties such as the examples listed below:
 # of Associates/Training
 Suspicious Activity Monitoring
 Client Services Offered
 314a Requirements
 CTR Requirements
 MIL Requirements
 Funds Transfer Requirements
 Internal Risk Assessment
 CIP Requirements

Inherent Risks
*List inherent risk of each product/service.
*List red flags identified.
*Indicate inherent risk rating of each product/service/red flag identified.

Risk Rating
High, Mod or Low

Mitigation/Controls
*List each mitigating control for each product or red flag identified for each product/service.
*List systems used for mitigation/controls.
*Indicate residual risk rating of each product/service/red flag identified.

Residual Risk – Risk Rating
High, Moderate or Low risk rating after analysis of mitigating controls

Include a chart to summarize all products and services listed to include, number of clients, number of
transactions, dollar amounts, and all information that applies to each specific BU. The goal of each
spreadsheet is to define each BU, products/services they offer, the BSA/AML responsibilities specific
to each BU and how each BU complies with their BSA/AML responsibilities, including monitoring for
suspicious activity. Each BU spreadsheet should also list every product or service offered by the BU,
including any associated red flags; identify the inherent risks associated with each risk identified, the
associated mitigating controls and the resulting residual risk. The BU, products/services and
applicable risk ratings are recorded on Appendix B.
Appendix B
SAMPLE SPREADSHEET
RISK EVALUATION OF BUSINESS UNITS/PRODUCTS AND SERVICES
Date:

Columns: BUSINESS UNIT (list each BU & related product/service) | Inherent Risk | Intl Trans | Geo Risk | Cash Intensive | Monitoring/Mitigating Controls | Residual Risk | Business Unit Risk Rating | Final Risk Numeric Equivalent | Final Risk Weight | Final Risk Weighted Score. Determine applicable ratings & Final Risk Weight for each BU; the last column yields the FINAL BSA/AML WEIGHTED RISK SCORES.

BANK NAME business units and products/services listed in the sample:
Retail Banking
• Personal Checking
• Non-Personal Checking
Alternative Delivery Services
• Personal Online Banking
• Personal Bill Pay
• Mobile Banking
Deposit Services
Facility Services
Human Resources
Mortgage Company
• ABC Mortgages
Loan Operations
Loan Review
Security Department
Treasury Management
• ACH/IAT Services
• Remote Deposit Capture (RDC)
• Wire Transfers

Product/service rating rows (Inherent Risk | Intl Trans | Geo Risk | Cash Intensive | Monitoring/Mitigating Controls | Residual Risk) as they appear in the sample:
High | Yes | Moderate | Yes | Adequate | High (three rows)
Moderate, High, No, Moderate, No, Adequate, Moderate (cell values as they appear; the row layout did not survive transcription)
High | No | Moderate | No | Adequate | Moderate (two rows)
High | N/A | N/A | N/A | Strong | Moderate
Low | N/A | N/A | N/A | Adequate | Low
Low | N/A | N/A | N/A | Strong | Low
High, No, N/A, N/A, N/A, Low, N/A, N/A, N/A, No, N/A, N/A, N/A, Adequate, Strong, Strong, Strong, Moderate, Low, Low, Moderate (cell values as they appear; the row layout did not survive transcription)
High | Yes | Moderate | No | Adequate | Moderate
High | No | Moderate | No | Adequate | Moderate
High | Yes | High | No | Adequate | High
Bank Name (all BUs): HIGH | YES | MODERATE | YES | ADEQUATE | MODERATE

Business unit summary rows (Business Unit Risk Rating | Final Risk Numeric Equivalent | Final Risk Weight | Final Risk Weighted Score):
MODERATE | 2 | 50% | 1.0000
MODERATE | 2 | 5% | 0.1000
LOW | 1 | 0.25% | 0.0025
LOW | 1 | 0.25% | 0.0025
MODERATE | 2 | 2.5% | 0.0500
LOW | 1 | 1% | 0.0100
LOW | 1 | 1% | 0.0100
MODERATE | 2 | 5% | 0.1000
HIGH | 3 | 15% | 0.4500
(rating not shown) | (not shown) | 20% | .295
Total | | 100% | 2.0200

Bank Name FINAL BSA/AML WEIGHTED RISK SCORE: MODERATE

RISK NUMERIC EQUIVALENT
0 to 1.9999 = LOW RISK
2 to 2.9999 = MODERATE RISK
3 + = HIGH RISK

This chart represents a sample of a partial list of Business Units and their related products/services within the organization. All BUs
should be included on the chart, along with applicable ratings and the Final Risk Weight of each BU as determined after completing
appropriate analysis. The Final Risk Weighted Score can then be calculated to determine the Bank’s Final BSA/AML Weighted Risk
Score, which will be recorded on Appendix D.
Appendix C
SAMPLE SPREADSHEET
CORPORATION RISK EVALUATION OF COMPANY/PRODUCTS AND SERVICES
Date:

Columns: Business Unit | Inherent Risk | Intl Trans | Geo Risk | Cash Intensive | Monitoring/Mitigating Controls | Residual Risk | Final Risk | Final Risk Numeric Equivalent | Final Risk Weight | Final Risk Weighted Score

Business Units listed:
Subsidiary owned by Bank
*Company owned by subsidiary
*Company owned by subsidiary

Sample values shown: Inherent Risk High | Intl Trans Yes | Geo Risk High | Cash Intensive No | Monitoring/Mitigating Controls Adequate | Residual Risk Moderate | Final Risk MODERATE | Final Risk Numeric Equivalent 2 | Final Risk Weight 100% | Final Risk Weighted Score 2.0000
Overall: MODERATE

NAME OF SUBSIDIARY OWNED BY BANK
BSA/AML RISK ASSESSMENT
Summary of Quantitative Risk by Company
Date:

Company | BSA/AML Rating | Risk Numeric Equivalent | Risk Weight | Risk Weighted Score
Subsidiary owned by Bank | MODERATE | 2.000 | 60% | 1.200
*Company owned by subsidiary | MODERATE | 2.000 | 15% | 0.300
*Company owned by subsidiary | MODERATE | 2.000 | 25% | 0.500
Total | | | 100% | 2.000

BSA/AML FINAL WEIGHTED RISK SCORE of SUBSIDIARY OWNED by BANK: MODERATE

RISK NUMERIC EQUIVALENT
0 to 1.9999 = LOW RISK
2 to 2.9999 = MODERATE RISK
3 + = HIGH RISK
Appendix D
SAMPLE SPREADSHEET
Summary of Corporation’s Enterprise Wide BSA/AML Quantitative Risk

CORPORATION NAME
ENTERPRISE WIDE BSA/AML RISK ASSESSMENT
Sample Summary of Quantitative Risk by Company
Date:

Company | BSA/AML Rating | Risk Numeric Equivalent | Risk Weight | Risk Weighted Score
BANK NAME owned by the Corporation, together with the entities below it | MODERATE | 2.000 | 90% | 1.800
 •Subsidiary owned by the Bank
 •Subsidiary owned by the Bank
 •Subsidiary owned by the Bank
 •Company owned by the Subsidiary
Subsidiary owned by the Corporation | LOW | 1.000 | 2% | 0.020
Subsidiary owned by the Corporation, together with the companies below it | MODERATE | 2.000 | 8% | 0.160
 •Company owned by the subsidiary
 •Company owned by the subsidiary
Total | | | 100% | 1.980
BSA/AML Rating column values as listed on the sample, top to bottom: MODERATE, MODERATE, MODERATE, MODERATE, LOW, LOW, MODERATE, MODERATE

CORPORATION NAME ENTERPRISE WIDE BSA/AML FINAL WEIGHTED RISK SCORE: MODERATE

RISK NUMERIC EQUIVALENT
0 to 1.4999 = LOW RISK
1.5000 to 2.9999 = MODERATE RISK
3 + = HIGH RISK

This chart represents a summary of the Final BSA/AML Weighted Risk Scores of the Bank and all
Subsidiaries and Companies owned by the Corporation. Information recorded on this chart is
transferred from Appendix B & Appendix C. The Risk Weight and Risk Weighted Score of each entity
is calculated to determine the Corporation’s Enterprise Wide BSA/AML Final Weighted Risk Score.
Appendix E
BSA RISK ANALYSIS
CUSTOMERS/ACCOUNTS, PRODUCTS/SERVICES AND GEOGRAPHIES
(4)
This chart primarily represents general federally defined BSA related risk categories which present “heightened risk” from the BSA/AML
perspective. BSA risks applicable to each bank can vary depending on the specific risk characteristics associated within each category of
risk. By identifying bank unique risk characteristics within each category, the bank can reasonably ascertain its overall general risk within
each category in order to develop a risk based and focused BSA/AML program to address and mitigate those risks.
Sources: Federally defined categories of high-risk products found in the SAR Activity Reviews, the FFIEC BSA/AML Examination Manual,
and the Treasury Department’s National Money Laundering Strategy documents, etc.
Categories:
RISK:
Customers/Accounts
Products/Services
Geographies
Whether individuals and business
customers create AML risk based on
financial situation, occupation, reasons for
accounts, currency activity in accounts,
etc.
Whether products and services are the type
most likely used by money launderers to
hide and disguise illegitimate monies.
Whether branch, service locations,
means of service delivery and
demographics create AML risk due to
higher criminal money laundering
activity in the area.
Characteristics
LOW













314a “hits” – no positive hits
Exempt customers – none to less
than 5
Existing, stable, known, long time
customers with little change
Family/living trust deposit accounts
High risk customers/businesses –
none to few
Non-governmental organizations and
foreign charities - none to few
OFAC “hits” – no positive hits
Personal investment companies
(PICS) accounts in Charleston, SC (or
other designated cities/states) –
none to few
Professional Service Providers –
intermediaries between its client and
the bank – lawyers, accountants,
investment brokers and other such
third parties – none to few
Retail banking customers (checking
and savings accounts) – mostly
SARs filed on customers
Subpoenas or summonses – few
received from law enforcement, IRS,
etc.
US Resident Customers/Accounts
only (no international)




















MEDIUM











314a “hits” – history of a few
positives
Commercial customers with minimal
cash activity or foreign wires or
customers
Customer base increasing due to
branching
Domestic LLC’s, LLP’s
Domestic none profit accounts
Exempt customers – moderate
number
Growing customer base due to
expanding business
High risk customers/business –
(check cashers, conv. stores, non-res.
aliens, foreign customer) moderate
number
International accounts – few
accounts or such accounts with
unexplained cash activity
Mail drop address on account
Medicare supplies sales due to













Account opening – in-person only
ACH services – none offered or offered
domestic only
Brokered deposit accounts – not
offered
Commercial loans – domestic only
Consumer loans – domestic only
Electronic banking (online account
opening, internal banking transactions
and telephone banking) – not offered
Foreign correspondent accounts –
none/not offered
International accounts – not offered
Internet banking – not offered
Large currency transactions – few to
limited activity
Monetary Instruments - - travelers
checks, official bank checks and
money orders – sold to existing
customers only
Mortgage loans
Night deposit
Private banking services offered (high
net worth individuals) – not offered
Safe deposit boxes
Savings and CD’s
Telephone transfer availability
Trust services – none/not offered
Website informational, not
transactional
Wire transfers – limited and domestic
only
ACH services – high domestic activity
and some international
Brokered deposit accounts – few
domestic only
Checking and NOW accounts –
domestic
Commercial loans – international
Consumer loans – international
Credit cards/cash advances
Drafting of funds from other banks
Electronic Banking – Bank does or is
beginning to offer e-banking services
Electronic payment services offered
Foreign correspondent – few
accounts, but no payable thru
accounts
Home equity loans
Internet banking (transactional)
offered to domestic and existing
customers only
Large currency transactions –
moderate to large volume or















Acquisitions, branching or
mergers – none recently
Branches – few in number – 1 or
less
Deposits taking only facilities none
Domestic operations only (no
foreign)
HIDTAs or HIFCA’s or other high
risk geographies – no offices
(none identified in SC)
Market Area – narrow and
defined – mostly small towns and
rural
No formal communications from
OFAC indicating compliance
problems
Personnel – Low turnover of key
or frontline
Acquisitions, branching or
mergers – Some recent local and
domestic activity
Branches – moderate number
Communications from OFAC
include warning letters only, no
OFAC violations noted
Domestic operations only with
some in high risk geographies (no
foreign)
Market Area – broader (multiple
counties, within the same state –
all cities, suburbs)
Personnel – Lower turnover of key
but frontline staff in branches
may have changed
The bank is located in or
conducting major business
transactions in either an HIDTA or
HIFCA area
Page 29 of 35








Medicare fraud
Mostly US Resident
Customers/Accounts and a few
international
Movie Theaters
New customers – moderate number
Non resident aliens – none to few
OFAC “hits” – few positive hits
Personal investment companies
(PICS) accounts – moderate number
SAR’s – moderate number filed
US resident customers assigning POA









HIGH












































314a “hits” – history of a large
number of positive
Accountants/Tax Preparers
Adult book stores/massage parlors
Antique dealers
Art dealers – high end
Attorneys
Auctioneers
Auto dealers – new and used
Auto salvage or collision repair shops
Auto wash
Bail bond companies
Bank insiders
Barbers, hair dressers & nail salons
Bartenders and dancers
Boat captains
Bowling alleys/leagues
Brothel houses
Cash intensive businesses
(convenience, liquor stores,
restaurants, truck stops)
Casinos
Cattle buyers
Charitable and non-governmental
organizations
Cigarette outlets
Cleaning services
Commercial customers with high
cash activity
Commercial customers with
international business including
foreign wires
Coin or gold bullion dealers
Construction companies/contractors
Convenience stores
Customers sending or receiving funds
from any NCCT nation
Customers with foreign business
Customers with privately owned
ATM’s
Day care centers
Drug stores
Embassy and Foreign Consulates
Ethnic groceries
Exempt customers – high number
Flea markets
Foreign corporation accounts with
transactions
Foreign LLC’s, LLP’s
Fruit stands - generic and ethnic
Furniture rental stores
Gas stations
Gun dealers
High risk customers – (check cashers,
conv. stores, non-res. aliens, foreign


























structured transactions
Loans secured by savings/CD’s
Loans to closely held corporations
MMDA’s offered
Monetary Instruments - - travelers
checks, official bank checks and
money orders – sold to non customers
but limited activity
Non deposit investment products
(such as insurance)
Private banking services offered –
moderate number mostly domestic
and few/no foreign customers
Telephone delivery system for new
accounts
Trust services – moderate number
offered
Wire transfers – moderate number w/
few international
Accounts opened through the
internet, mail, wire or by phone (non
branch; non face to face)
ACH services – high domestic and/or
international activity
Brokerage Department/Operations
Brokered deposit accounts – large
number Domestic and/or international
Business cash management accounts
Customer directed (non discretionary)
accounts such as custodial, investment
advisory and revocable trusts
Electronic banking products and
services – wide array offered including
account transfers, e-bill payment or
accounts opened via internet
Electronic cash
Embassy Banking
Foreign branches
Foreign Correspondent bank
relationships
International Transportation of
Currency and Monetary Instruments
Internet banking (transactional)
offered to and accessible by new and
international customers
Investment Advisory/Management
Large Currency transactions – high
volume; may include some structured
transactions
Lending activities (CD or stock
secured, etc.)
Loan guarantee schemes
Monetary Instruments Sales –
travelers checks, official bank checks
and money orders – especially large
numbers or amounts or consecutively
numbered or sold to non customers
New products and services (assess risk
early to build in controls to mitigate
risks)
Offshore activity
Parallel Banking – domestic and
foreign bank controlled by one
person/entity
Payable thru accounts – Large number
of foreign correspondent accounts
including payable thru
Payroll cards offered
Pouch services w/ foreign banks,
persons or businesses
Private Banking activities (domestic
and foreign) – significant activity
PUPID – pay upon proper ID wire
transfers









Acquisitions, branching or
mergers recent local/domestic
and international activity
Branches – high number
Deposit taking facilities
HIDTA’s – Bank has branches
located in a High Intensity Drug
Trafficking Areas
HIFCA’s – Bank has branches
located in High Risk Financial
Crime Areas
Highly diverse metro areas or
universities located nearby
Large and growing deposit base in
a wide and diverse geographic
area
OFAC has sent bank reprimand or
penalty notification letter
Personnel – High amount of
turnover especially in key
personnel positions
BANK OPERATING OR CUSTOMERS
DOING BUSINESS IN:












Bank secrecy havens
Countries identified in FINCEN
advisories
Countries in which production or
transportation of illegal drugs may
be occurring
Emerging countries that may be
seeking hard currency
investments
FATF – Countries identified as non
cooperative
High risk locations for sending and
receiving wires
INSCR – designated money
laundering countries and
jurisdictions
Market Area – interstate, large
diverse metro areas and/or
international
NCCTS – Non cooperative
countries territories (Myanmar
and Nigeria)
OFAC sanctioned countries,
including state sponsors of
terrorism
OFCs Offshore Financial Centers
Other countries identified by the
bank or FINCEN as high risk
because of prior experiences,
transaction history or other
factors
Page 30 of 35






















































customer) significant number
Home health services
Import/export companies
Internal accounts with unexplained cash activity – high number
International customers/accounts/activity – substantial
Internet companies
Jewelry, gem and precious metal dealers (retail and wholesale)
Laundromats/dry cleaners
Lawn mowing/landscaping
Large customer base over a diverse geographic area
Leather goods stores
Liquor stores
Money service businesses
Motels, especially no-name
New customers – large number
Newsstands
Night clubs
Non-resident alien assigning POA
Non-bank financial institution (MSB) relationships, including domestic and foreign currency exchanges, money transmitters, check cashing, smart cards and e-cash
Non-resident aliens
OFAC “hits” – large number of positive hits
Out-of-market customers – significant numbers
Painters
Payday lenders
Phone card sales/companies
Plumbers
Physicians
Pawnbrokers, loan or finance companies
Personal investment company (PIC) accounts
Pizza parlors
Politically exposed persons (PEPs)
Preachers
Real estate agents – cash sales of real estate
Restaurants – ethnic
Retail stores
SARs filed – large number filed
Seafood distributors/shrimp boats
Securities brokers
Self-storage facilities
Senior foreign political figures
Stock brokerage (broker-dealer)
Subpoenas or summonses – high number received from law enforcement, IRS, etc.
Subprime lenders
Tanning booths
Tattoo/body piercing parlors
Taxi cabs/cab companies
Telemarketers
Title companies
Travel agencies
Trucking companies – especially on the US border
Trucks – ice cream/hot dog, etc.
Insurance companies serving the uninsurable
Used car dealers
Vending machine companies
Video gaming/poker businesses
Remote deposit capture
Special-use or concentration accounts (intra-day, suspense, etc.)
Stored value/smart cards offered
Telephone banking with significant international accounts
Third-party payment processors
Trade financing with unusual pricing features
Trust accounts – significant number, including charitable trusts and foundations (domestic and foreign)
Trust accounts with foreign grantors or beneficiaries
US dollar drafts
Wire transfers – frequent wires from personal or business accounts to/from money laundering havens
Wire transfers – high number of non-customer wires
Wire transfers – large number of international wires
Section 311 countries
State Dept. identified countries supporting international terrorism, aka “Patterns of Global Terrorism”
APPENDIX I: RISK ASSESSMENT LINK TO THE BSA/AML COMPLIANCE PROGRAM
Source: FFIEC Bank Secrecy Act/Anti-Money Laundering Examination Manual
APPENDIX J: QUANTITY OF RISK MATRIX
Banks and examiners may use the following matrix to formulate summary conclusions. Prior to using this matrix, they should complete the identification and quantification steps detailed in the BSA/AML Risk Assessment Overview section at pages 22 to 30 of the FFIEC Bank Secrecy Act/Anti-Money Laundering Examination Manual.
Each row below gives the Low, Moderate and High rating for one risk factor.

Customer base
Low: Stable, known customer base.
Moderate: Customer base increasing due to branching, merger, or acquisition.
High: A large and growing customer base in a wide and diverse geographic area.

Electronic banking
Low: No electronic banking (e-banking) or the Web site is informational or nontransactional.
Moderate: The bank is beginning e-banking and offers limited products and services.
High: The bank offers a wide array of e-banking products and services (i.e., account transfers, e-bill payment, or accounts opened via the Internet).

Large currency or structured transactions
Low: On the basis of information received from the BSA-reporting database, there are few or no large currency or structured transactions.
Moderate: On the basis of information received from the BSA-reporting database, there is a moderate volume of large currency or structured transactions.
High: On the basis of information received from the BSA-reporting database, there is a significant volume of large currency or structured transactions.

Higher-risk customers and businesses
Low: Identified a few higher-risk customers and businesses.
Moderate: Identified a moderate number of higher-risk customers and businesses.
High: Identified a large number of higher-risk customers and businesses.

Foreign correspondent accounts and related services
Low: No foreign correspondent financial institution accounts. The bank does not engage in pouch activities, offer special-use accounts, or offer payable through accounts (PTA), or provide U.S. dollar draft services.
Moderate: The bank has a few foreign correspondent financial institution accounts, but typically with financial institutions with adequate AML policies and procedures from lower-risk countries, and minimal pouch activities, special-use accounts, PTAs, or U.S. dollar draft services.
High: The bank maintains a large number of foreign correspondent financial institution accounts with financial institutions with inadequate AML policies and procedures, particularly those located in higher-risk jurisdictions, or offers substantial pouch activities, special-use accounts, PTAs, or U.S. dollar draft services.

Private banking and trust and asset management
Low: The bank offers limited or no private banking services or trust and asset management products or services.
Moderate: The bank offers limited domestic private banking services or trust and asset management products or services over which the bank has investment discretion. Strategic plan may be to increase trust business.
High: The bank offers significant domestic and international private banking or trust and asset management products or services. Private banking or trust and asset management services are growing. Products offered include investment management services, and trust accounts are predominantly nondiscretionary versus where the bank has full investment discretion.

International accounts
Low: Few international accounts or very low volume of currency activity in the accounts.
Moderate: Moderate level of international accounts with unexplained currency activity.
High: Large number of international accounts with unexplained currency activity.

Funds transfers
Low: A limited number of funds transfers for customers, noncustomers, limited third-party transactions, and no foreign funds transfers.
Moderate: A moderate number of funds transfers. A few international funds transfers from personal or business accounts with typically lower-risk countries.
High: A large number of noncustomer funds transfer transactions and payable upon proper identification (PUPID) transactions. Frequent funds from personal or business accounts to or from higher-risk jurisdictions, and financial secrecy havens or jurisdictions.

HIDTA/HIFCA exposure
Low: The bank is not located in a High Intensity Drug Trafficking Area (HIDTA) or High Intensity Financial Crime Area (HIFCA). No fund transfers or account relationships involve HIDTAs or HIFCAs.
Moderate: The bank is located in an HIDTA or an HIFCA. Bank has some fund transfers or account relationships that involve HIDTAs or HIFCAs.
High: Bank is located in an HIDTA and an HIFCA. A large number of fund transfers or account relationships involve HIDTAs or HIFCAs.

Higher-risk geographic locations
Low: No transactions with higher-risk geographic locations.
Moderate: Minimal transactions with higher-risk geographic locations.
High: Significant volume of transactions with higher-risk geographic locations.

Personnel turnover
Low: Low turnover of key personnel or frontline personnel (e.g., customer service representatives, tellers, or other branch personnel).
Moderate: Low turnover of key personnel, but frontline personnel in branches may have changed.
High: High turnover, especially in key personnel positions.
Research/References/Sources
1. http://www.businessdictionary.com
2. FFIEC Bank Secrecy Act/Anti-Money Laundering Examination Manual. http://www.ffiec.gov/bsa_aml_infobase/pages_manual/manual_online.htm
3. BSA/AML/OFAC Risk Assessment, by System Administrator, Community Bank, October 2008. http://www.encierrosolutions.com/bsaaml/bsa%20aml%20ofac%20sample%20report.pdf
4. BSA Risk Analysis Chart, by Gail Askins Cole, Compliance & Risk Management Consulting, LLC (modified chart). bankcrmconsulting.com/forms/BSA_Risk_Analysis_Chart.pdf
5. Crowe Horwath LLP, Public Accounting & Consulting Firm. Scope of Bank Secrecy Act Review of IBERIABANK, June 2013.
6. An Examiner’s Perspective on Understanding & Implementing BSA/AML Recommendations, by Ivy Washington.
7. Is Your Institution’s BSA/AML Risk Assessment Adequate?, by Adina Himes. http://www.phil.frb.org/bank-resources/publications/src-insights/2007/thirdquarter/q3si1_07.cfm
8. Risky Business: Products, Persons & Places, by Phillips Gay, Profit Protection, LLC.
9. IBERIABANK BSA/AML Risk Assessment, by Donna Davidek, April 2013.