FinCEN Has Proposed New AML/CFT Rules; Here Are 2 Areas Where Risk Assessment Can Make a Difference

No matter which way you read FinCEN’s proposed rule to strengthen and modernize anti-money launder/countering terrorism financing (AML/CFT) programs, one takeaway cannot be ignored: Risk assessment is a critical element of an AML/CFT program. Without it, it would be difficult to have an effective, risk-based, reasonably designed program, which is a requirement in the proposed rule. 

The proposed rule also includes a new twist not seen by AML professionals in the past. The proposed rule requires AML professionals to review government-wide AML/CFT priorities and incorporate them, as appropriate, into risk-based programs. The best way to do this is to purposely include the priorities into the risk assessment, even if some don’t pertain to the institution. By doing this, AML professionals can evidence the contemplation of the priority and mark it as “N/A” with an explanation. (Never mark something as “N/A” without an explanation.) Note that although innovation isn’t necessarily a government priority for AML/CFT, institutions that are innovating within the AML/CFT program should document the risks from such activities.

There are many elements of an AML/CFT program where the risk assessment serves as a foundation, including when crafting the frequency, nature and scope of independent testing and when allocating resources — such as staff and technology — in the AML/CFT department. For smaller institutions, the risk assessment might be outsourced, but it has to be managed by the institution.

Independent testing

The AML/CFT risk assessment will help management understand where AML/CFT risk falls in relation to other risks at the institution and will show where risk resides within the program itself. This will help the institution determine the frequency of independent testing. Although most institutions perform the risk assessment every 12 months, that could extend to every 18 months for a simple, low-risk program. On the other hand, high-risk programs could shorten the frequency to six or nine months. 

Testers can also use the AML/CFT risk assessment to craft the nature/scope of the testing to focus more on the highest risk areas. This could involve performing detailed testing in addition to tests of controls. It could involve larger sample sizes based on risk, and it could involve judgmental testing in which samples are chosen from populations posing the highest risk.

Independent testers should take care to map the nature/scope back to the risk assessment. This is a step that examiners require of institutions and banking-as-a-service institutions require of their fintech partners.

Financial Services

It’s Time for the C-Suite to Prioritize AML Compliance

by Bion Behdin

June 18, 2024

As a UK regulator cracks down, why are budgets falling in some organizations?

Read moreDetails

Allocation of resources

Allocating staffing resources based upon the risks identified in the AML/CFT risk assessment goes beyond the number of staff. It also touches on the skillset of the staff. Given the proposed rule’s requirement to consider national priorities, it would be wise to first determine which of the priorities present risk to the institution, and then document how AML/CFT staff have experience managing those priorities. If the institution faces significant fraud risk and staff don’t have a background in fraud investigations or writing fraud suspicious activity reports (SARs), there will be a mismatch. Similarly, if the institution faces enhanced risk from all of the national priorities but can’t address the risks given the size of the staff, then staffing might need to be reassessed.

While the availability of technology systems to manage AML/CFT risks have increased over the past few years, that growth has also brought a blurring in terms of what each system does. Ask any AML/CFT professional about how their recent AML/CFT systems RFP went and you’ll likely hear stories about how a solution was touted as a AML/CFT solution, when all it really addressed was negative news or customer due diligence. The positive side of this is that there is truly an AML/CFT systems solution out there for each type of financial crimes risk. Use the results of the risk assessment to match current systems to risks, and note the gaps — and be sure to document the path forward for solving for those.

The AML/CFT officer needs to be able to show how systems are helping to meet the goal of identifying, investigating and ultimately filing on activity that is suspicious.

The path forward

For institutions that have been conducting an AML/CFT risk assessment and mapping the risks to resources allocated to the program, there is not much new in the proposed rule other than the consideration of national priorities. Many institutions started considering national priorities when they were first issued, so there isn’t an expectation that the proposed rule will be much of a new burden. However, since the above will now be required, AML/CFT officers should expect increased enforcement action on institutions who weren’t being proactive over the past few years. 

Speaking of enforcement …

Although it feels like examiners have always had this option, it appears they will be able to move to a cease-and-desist order when encountering programs with defects that create ineffectiveness. It sounds like a shorter leash in terms of the process of issuing matters requiring attention reports (MRAs) and providing management with an opportunity to perform corrective action, although it seems like that leash was pretty short to begin with. 

Overall, the requirement to perform a risk assessment and map the results to the frequency, nature and scope of independent testing and to the deployment of resources among staff and technology can only be a good thing for institutions. It should enhance the foundation upon which AML/CFT programs are built.