This post is part of our occasional series on AML program fundamentals, which focuses on refreshing foundational knowledge for experienced members of the AML community and providing an introduction to key topics for those new to the subject. An Enterprise Wide Risk Assessment (“EWRA”) enables Financial Institutions (“FIs”) to assess their BSA/AML risk profile, incorporate appropriate risk management processes, and maintain adequate controls to mitigate risk. Moreover, the Federal Financial Institutions Examination Council (“FFIEC”) requires all FIs to maintain an EWRA. Management is responsible for communicating the EWRA to the Board of Directors. The Board, in turn, is required to ensure that the FI has adequate resources, both human and technological, to address the identified risk areas.
Even mature BSA/AML programs struggle to maintain a proper EWRA. Here are four common challenges FIs face in updating their AML/BSA Risk Assessments:
The starting point for a strong EWRA is a robust methodology that sets out a procedural framework on how an EWRA will be completed. The methodology offers guidance such as the data that will be accessed, the risk tiers for inherent and residual risk, and the effectiveness scale for controls. The methodology should also address EWRA cadence, roles/responsibilities, record retention, and approvals.
Strong methodologies provide guidance to the FI that should be followed when expected or unexpected events impact the EWRA. For example, trigger events such as a merger or acquisition may require off-cycle updates to the EWRA. Likewise, new business initiatives such as the addition of or changes to product or service offerings or conducting business within new geographies could similarly prompt EWRA updates.
Changes in regulations and laws may also prompt EWRA updates. The methodology should provide guidance reflecting regulatory developments, industry standards, and best practices.
An EWRA is administered by risk or compliance professionals in a second line of defense governance capacity. These individuals often have a basic or foundational understanding of the various business and operational areas across the enterprise. It is, therefore, paramount to engage individuals with a greater depth of knowledge within these areas to best understand the associated risks.
Also, it is critical to engage the business units because, as the first line of defense, these areas have ownership of the risks. For example, if the FI maintains a customer type identified as high risk in the FI’s AML policy, the budget of the line of business that owns those customers would absorb any losses from doing business with them, as well as any regulatory fines or penalties levied against the FI for malfeasance.
A self-assessment questionnaire can assist by gathering the information needed along with the business unit responses. These questionnaires should start with foundational questions about the business area to confirm the EWRA team’s understanding of the business activities. Then, the questionnaire should elicit responses about changes in the business that may have an impact on the risk profile such as changes in customer base, product offerings, geographic market, leadership structure, etc.
The questionnaire should have the business representative confirm the value and volume of transactional activity and the statistics of high-risk customers, products and services, and geographic markets. The self-assessment questionnaire should have the business or operational area confirm the various metrics that the EWRA team will use to complete risk trending analysis.
An effective EWRA is dependent upon the quality of data used to analyze customer and transaction information. Common data issues include miscoded data fields, missing information, data duplication and incorrect mapping from the core system to the AML processing system.
Incorrect or duplicative industry or occupation codes can distort the volume of a customer type. For example, experience has shown cases where an FI identified populations of foreign banks and Money Service Businesses (“MSBs”) that did not actually exist; they were the result of data entry errors in the customer type field. Likewise, system duplication errors at the transaction credit and posting points can artificially inflate the number of transactions of a given type.
A defined method of assessing data integrity enables an FI to ensure that data quality is preserved: for example, statistically sampling customers, accounts, and transactions for accuracy, resolving the data anomalies found, and comparing the results against historical data.
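The three data-integrity steps just described (sampling for accuracy, resolving anomalies, comparing against historical data) can be scripted against the customer and transaction extracts that feed the EWRA. The following is an added example, not code from the original post or from AML RightSource; every record, field name, valid-code list and threshold in it is constructed for illustration. It flags customer-type codes that are blank or not in the permitted set (the miscoding problem above), detects transactions posted twice, draws a reproducible sample for manual verification against source documents, and compares current customer-type populations against a prior-period baseline so that a population that appears from nothing, such as the phantom foreign banks and MSBs in the anecdote, is surfaced for review.

```python
"""Data-integrity checks for an EWRA data pull.

Added example, not part of the original post. All records, the list of
valid customer-type codes, and the change threshold are constructed
assumptions; substitute the institution's own extracts and code tables.
"""
from collections import Counter
import random

# Constructed: the customer-type codes the core system is permitted to carry.
VALID_CUSTOMER_TYPES = {"RETAIL", "CORPORATE", "MSB", "FOREIGN_BANK"}

# Constructed customer extract. "MSB " (trailing space) and "FBANK" are
# miscodings of the kind the post describes; C006 has no code at all.
CUSTOMERS = [
    {"customer_id": "C001", "customer_type": "RETAIL"},
    {"customer_id": "C002", "customer_type": "CORPORATE"},
    {"customer_id": "C003", "customer_type": "MSB "},
    {"customer_id": "C004", "customer_type": "FBANK"},
    {"customer_id": "C005", "customer_type": "RETAIL"},
    {"customer_id": "C006", "customer_type": ""},
]

# Constructed transaction extract; T003 was posted twice (system duplication).
TRANSACTIONS = [
    {"txn_ref": "T001", "account": "A1", "amount": 1500.00, "posted": "2024-03-01"},
    {"txn_ref": "T002", "account": "A2", "amount": 9800.00, "posted": "2024-03-01"},
    {"txn_ref": "T003", "account": "A1", "amount": 250.00, "posted": "2024-03-02"},
    {"txn_ref": "T003", "account": "A1", "amount": 250.00, "posted": "2024-03-02"},
    {"txn_ref": "T004", "account": "A3", "amount": 12000.00, "posted": "2024-03-03"},
]

# Constructed prior-period population by customer type (the historical baseline).
PRIOR_PERIOD_COUNTS = {"RETAIL": 2, "CORPORATE": 1, "MSB": 0, "FOREIGN_BANK": 0}


def find_miscoded_customers(customers, valid_types=VALID_CUSTOMER_TYPES):
    """Return customer IDs whose type code is blank or not in the valid set."""
    return [c["customer_id"] for c in customers
            if c.get("customer_type", "") not in valid_types]


def find_duplicate_transactions(transactions):
    """Return txn_refs that occur more than once with identical key fields."""
    def key(t):
        return (t["txn_ref"], t["account"], t["amount"], t["posted"])
    counts = Counter(key(t) for t in transactions)
    return sorted(k[0] for k, n in counts.items() if n > 1)


def sample_for_verification(records, size, seed=2024):
    """Draw a reproducible random sample for manual checking against source
    documents. A fixed seed lets the reviewer re-draw the same sample later."""
    rng = random.Random(seed)
    return rng.sample(records, min(size, len(records)))


def compare_to_prior_period(customers, prior_counts, threshold=0.5):
    """Flag customer types whose population moved by more than `threshold`
    (as a fraction of the prior count) or that appeared from zero.
    Returns {customer_type: (prior_count, current_count)}."""
    current = Counter(c["customer_type"] for c in customers)
    flagged = {}
    for ctype in set(prior_counts) | set(current):
        before, now = prior_counts.get(ctype, 0), current.get(ctype, 0)
        if before == 0:
            if now > 0:  # a population that did not exist last period
                flagged[ctype] = (before, now)
        elif abs(now - before) / before > threshold:
            flagged[ctype] = (before, now)
    return flagged


def run_integrity_checks(customers=CUSTOMERS, transactions=TRANSACTIONS,
                         prior_counts=PRIOR_PERIOD_COUNTS):
    """Run all checks and return their findings in one dictionary."""
    return {
        "miscoded_customers": find_miscoded_customers(customers),
        "duplicate_transactions": find_duplicate_transactions(transactions),
        "population_shifts": compare_to_prior_period(customers, prior_counts),
        "verification_sample": [c["customer_id"]
                                for c in sample_for_verification(customers, 3)],
    }


if __name__ == "__main__":
    for name, result in run_integrity_checks().items():
        print(f"{name}: {result}")
```

On the constructed data the checks report C003, C004 and C006 as miscoded, T003 as a duplicate posting, and three "new" populations ("MSB ", "FBANK" and the blank code) in the period-over-period comparison, which is exactly how a phantom customer type shows up before anyone has looked at the underlying records. The threshold of 50% is an assumption; an institution would set it from its own history and document it in the EWRA methodology.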
A proper method of data collection enables management to develop both Key Risk Indicator (“KRI”) and Key Performance Indicator (“KPI”) metrics, as well as to complete a trend analysis of risk variants. KRIs are metrics that FIs develop to project future risks, evaluated against the institution’s ability to handle those risks. KRIs are necessary to enhance risk monitoring efforts and to identify ways to mitigate the risk. An example of a KRI would be a new initiative, that is, a development in the institution’s business practice that leads to potential new inherent risks. Examples of new initiatives are mergers and acquisitions, new geographic locations, or the offering of different or new products and services.
KPIs are measurable data points that indicate the effectiveness of an organization’s critical functions. KPIs measure an FI’s opportunity for improvement in BSA/AML controls through a quantitative analysis used to document trends. Examples of KPIs include Suspicious Activity Reports (“SARs”) filed, Currency Transaction Reports (“CTRs”) filed, subpoenas received, OFAC action items, and internal referrals by employees to identify and report unusual activity. Over time, an analysis of risk trends will help an FI identify potential flaws in its AML/BSA/OFAC Program.
At AML RightSource, our Financial Crimes Advisory practice has assisted numerous institutions in building comprehensive EWRAs and is well-versed in industry best practices. In addition to other services such as AML strategy, testing, and policy and procedure development, our team of experts is ready to assist your institution with proper EWRA development and implementation.
Ready to learn how to improve your EWRA control effectiveness and protect your organization from financial risk? Download the whitepaper below.