How effective is your financial institution (“FI”) at assessing the overall inherent risk within your organization? Where is the highest amount of risk concentrated within the enterprise? How is risk even assessed? The responses to these questions all converge to one locale—the foundation for maintaining and safeguarding the integrity of your FI begins and ends with your AML and OFAC Enterprise-Wide Risk Assessment (“ERA”). In this post, we examine the mechanism behind developing a resilient ERA and how FIs can effectively sustain a low-risk enterprise utilizing a methodical framework. Although you may think your institution maintains a strong ERA, this post may prompt you to reexamine your ERA.
The AML and OFAC Enterprise-Wide Risk Assessment Methodology
Though many FIs possess an AML/OFAC ERA, the actual methodology for how to appropriately conduct an ERA is oftentimes absent. In fact, many FIs do not implement this critical first step with an appropriately documented ERA methodology. The ERA should not be confused with the ERA methodology. The ERA methodology is basically akin to a user-friendly handbook that enables a FI to delineate in detail its approach to the who, what, when, where, why, and how elements involved in assessing risk, such as which databases and platforms the FI will be exploiting to obtain the information necessary to conduct the ERA, or the strategic framework for how risk will be assigned.
Has your FI taken the time and effort to develop a comprehensive ERA methodology? The ERA methodology is an invaluable precursor to ensuring that your ERA is comprehensive and is methodically and precisely crafted. The ERA methodology also establishes standards for execution of qualitative and quantitative analysis in the ERA. Additionally, the methodology describes the process of conducting an ERA so that FIs can follow established guidelines and replicate or modify the ERA on a periodic basis to accurately reflect the institution’s risk. The value derived from investing the time to develop an ERA methodology is prodigious.
In addition to the existing AML Officer, who is customarily tasked with developing the ERA, it is essential for FIs to establish a line of succession with qualified individuals who possess a thorough understanding of the ERA and ERA methodology. This line of succession ensures continuity of AML and OFAC operations in the event the AML Officer is displaced. A preexisting ERA methodology provides the framework for conducting the ERA, which makes it easier to build a new ERA, if necessary, based on meticulous standards that have already been instituted in the methodology, as opposed to starting anew or lacking an understanding of how the prior ERA was conducted. Do you have a plan in place for how a new AML officer would go about recreating an ERA?
The ERA methodology should systematically detail four (4) primary areas that will formulate the basis for the ERA: 1) how and where inherent risk will be assessed; 2) how and where change risk will be assessed; 3) how and which controls will be evaluated; and 4) how the resulting residual risk for the enterprise will be ascertained. This fourth area, residual risk, will ultimately determine the risk direction in which the FI is headed. Formulation of a risk scoring system within the ERA methodology, with precisely defined levels of risk, sets the framework for analyzing risk and controls in the ERA.
Assessment of Inherent Risk
In its assessment of inherent AML risk at the enterprise level, an FI should evaluate AML and OFAC risk inherent in its customers, geographies, products, services, channels, and transactions. Particular customer types, geographic locations, products, services, channels, and transactions generally pose a higher risk of money laundering and terrorism financing due to their vulnerability. Within each of these risk categories, risk should be assessed across multiple factors, such as risk assignation based on the length of the customers’ relationship with the FI, as one factor to be evaluated within the customers risk category. After ascertaining the inherent risk present within each of the aforementioned risk categories, the overall inherent risk for the enterprise can be ascertained.
FIs can either assess inherent OFAC risk within each of the risk categories, can assess inherent OFAC risk independently, or conduct a hybrid OFAC analysis. Many FIs choose to conduct a separate enterprise-wide OFAC risk assessment. Is your institution taking OFAC risk factors into account in its ERA and methodology?
Assessment of Change Risk
Change risk can be defined as the change in inherent risk resulting from a comparative analysis of past and present metrics. FIs should continually assess change risk to gauge how the overall enterprise risk has shifted and which metrics are responsible for effectuating the shift. For example, substantial growth in your FI’s enterprise portfolio from the prior year may lead to an increase in your FI’s current inherent risk.
FIs should also anticipate future change risk based on projected metrics for the following year. The anticipated introduction of new products and services in the following year has the potential of increasing your institution’s enterprise-wide inherent risk. If your FI can predict with relative certainty where inherent risk will increase, you can begin to institute appropriate safeguards early on or at the very least, begin formulating a plan of action as to how to account for the anticipated increase in risk.
Are you identifying the potential impact of change risk within your ERA?
Assessment of Controls
In its assessment of existing AML controls at the enterprise level, an FI’s task is to evaluate the effectiveness of the enterprise’s controls at mitigating the inherent risk posed by the enterprise. At a minimum, the results of the institution’s most recent regulatory examination, audit/independent testing results, and compliance testing results should be assessed. Since each of these sources have already derived AML and/or OFAC inherent risk from their own independent examinations, most of the time each component addressed will be associated with a unique risk score based on established guidelines set forth by the examining agency.
A critical component of the ERA within the AML controls sphere involves an assessment of adherence to the five (5) required pillars of an institution’s AML program—1) AML policies, procedures, and controls; 2) AML training; 3) designated AML officer; 4) independent testing of the AML program; and 5) AML customer due diligence (including beneficial ownership identification). How often are you gauging compliance to these pillars when examining your controls? These five pillars formulate the foundation from which examining agencies develop their criteria for compliance. Insufficient compliance with these pillars may result in a violation from regulatory agencies and subject your FI to penalties. FIs should always strive to remain cognizant of what potential deficiencies or inadequacies can be identified by independent examinations, so they can avoid regulatory penalties.
Residual Risk Determination
What is residual risk, and how is it calculated? Residual risk can be defined as the risk that remains after controls are applied against the inherent risk. The level of inherent enterprise risk and the effectiveness of the controls the FI has implemented to mitigate that risk will determine the residual risk and the ultimate risk direction in which the FI is headed. FIs oftentimes derive enterprise risk solely from categorical inherent risk determined by evaluating the aforementioned components of inherent risk (customers, geographies, products, services, channels, transactions) without taking controls into account to accurately yield residual risk. Failure to consider AML and OFAC controls results in an incorrect characterization of an institution’s enterprise-wide risk. In fact, actual enterprise-wide risk may differ substantially once the residual risk is calculated. Take a look at your FI’s ERA—how have you determined your FI’s residual risk?
Time and effort spent in developing a systematic ERA methodology that guides the development of an intelligently crafted ERA will be worth the investment for your institution. When risk is appropriately identified, it can be promptly mitigated, and you can salvage your FI from being exploited by criminal endeavors. As a reputable FI, it is essential that you know your institution better than anyone else, and a well-developed ERA can empower you with the tools to sustain the integrity of your institution.
Is your financial institution evaluating its risk effectively? At AML RightSource, our Financial Crimes Advisory practice has helped multiple financial institutions build a robust and comprehensive framework for identification and evaluation of enterprise risk, in addition to developing long-term risk mitigation strategies.