The Bank Secrecy Act (BSA) requires that every Money Services Business (MSB) implement a BSA/anti-money laundering (AML) compliance program. Risk assessments provide a clear view of the organization’s policies and procedures. Failure to implement a comprehensive BSA/AML compliance program may result in significant fines and/or penalties imposed by state and federal regulators. So what does this have to do with risk management? Having a risk assessment allows the company to establish a comprehensive AML compliance program.
Regulations state that a company’s BSA/AML compliance program must be commensurate with the risks posed. This means that a comprehensive risk assessment must effectively evaluate the adequacy of policies, procedures and internal controls that have been developed to mitigate the company’s risk.
What should be included in the risk assessment?
While there is no “one-size-fits-all” approach when creating a risk assessment, it should encompass all key areas of the company. There are many formats and templates that can be used in creating a risk assessment. The method used should be based upon the company’s risk profile and should be easy to understand. It is recommended that the risk assessment contain the following four risk categories:
Are you properly managing your risk?
The first step in knowing if you are properly managing your risk is to review the risk assessment on a regular basis to determine whether the company’s risks are still adequately assessed.
So how do you manage your risk? The key is to understand the company’s risk exposure and develop the necessary policies, procedures and internal controls to mitigate the risk. Regulators expect MSBs to conduct an in-depth review of all areas of the organization as part of their risk management. To understand your risk and know if you are properly managing it, you should be able to answer the following questions:
- Does your risk assessment encompass all areas of the company?
- When creating the risk assessment, were all products and services offered by the company properly evaluated and assigned a risk rating?
- Did you review a list of all geographic locations where products and services are being offered? Are any of these locations in a high-risk area?
- Have you incorporated any material changes into your risk assessment, such as new products/services or expansion into new geographic areas?
- Was supporting data used to substantiate the risk assessed?
- Has the risk assessment along with the compliance program been presented to and approved by the Board of Directors?
- Does the compliance program address customer due diligence and enhanced due diligence?
- Are FinCEN license registration(s) properly filed and renewed?
- Does the company have policies and procedures in place for transaction monitoring to identify and report suspicious activity?
- Does the company have policies and procedures in place for transaction monitoring for currency transaction reporting?
- Does the company have adequate policies and procedures to mitigate the company’s overall risk?
- Does the AML/compliance program designate a Board-approved AML/BSA compliance officer?
- Does the company identify products and/or services that pose a higher risk of money laundering?
- Does the company have a separate OFAC risk assessment?