SlideShare a Scribd company logo

Quick Reference Guide to BSA/AML Risk Assessment

M
Mayank Johri

This document provides an overview of conducting an enterprise risk assessment for anti-money laundering (AML) compliance. It discusses key challenges such as sourcing and validating data from different business lines. The document recommends that financial institutions allocate a dedicated analytics team with AML expertise to automate the risk assessment process. Automating data extraction and leveraging statistical analysis can help set risk thresholds, calculate inherent risks and control effectiveness more robustly and efficiently. This allows the AML team to focus on qualitative work rather than manual data tasks. The end goal is to build a repeatable, defensible risk assessment model that identifies the institution's residual money laundering risks.

Data & Analytics
1 of 9
Downloaded 130 times
1
2
3
4
5
6
7
8
9
Quick Reference Guide to BSA/AML Enterprise Risk Assessment By Mayank Johri & Erik De Monte 1 Introduction The AML Risk Assessment is a key pillar in a financial institution’s AML compliance program addressing BSA/AML regulations. The assessment is an essential mechanism to assist management in understanding the institution’s vulnerability to money laundering and terrorist financing including: i. Playing a critical role in the compliance governance structure. ii. Providing transparency of AML risk across businesses, product, and customer. iii. Guiding management to make informed decisions about risk appetite and implementation/prioritization of control efforts, allocation of resources, technology spend, etc. iv. Ensure both internal (i.e. senior management) and external (i.e. regulators) relevant parties are made aware of the key risks, control gaps and remediation efforts. The AML Risk Assessment calculates an aggregate AML risk rating for each line of business (LOB). The aggregate AML risk is a combination of AML risk (inherent risk) and quality of risk management (control effectiveness). The methodology is based on published regulatory guidelines and input from the institution’s AML policy office. In addition to providing insight over the points discussed above, the risk assessment acts as a foundation and an essential driver for all areas within the BSA/AML group for the period following the assessment. The following diagram outlines from a high level the risk assessment approach. Inherent risks are identified and the control environment is analyzed to understand how these risks are being mitigated. What remains is the aggregate, or residual, risk that is to be addressed. Figure 1.1 High Level Approach 2 Challenges Institutions face a myriad of challenges while conducting a risk assessment. Foremost of their challenges being sourcing data from the various LOBs which proves difficult to accomplish in a timely and efficient manner. Management of multiple documents across LOB can be extensive and reliance on LOB resources to perform data validation is time consuming. BSA/AML expertise over data is limited and the process of reviewing, cleaning up and transforming can be an onerous task. Another challenge is setting thresholds and scoring as this process is usually subjective and manual which results in an indefensible methodology to define the institution’s BSA/AML risk. 3 Solution The BSA/AML risk assessment should be considered a collaborative analytics and policy function. Across financial institutions, the acquisition and understanding of the data environment is the area in which the analytics team can act as a bridge for the BSA/AML team. Ideally, management should allocate a dedicated analytics team having BSA/AML risk expertise to take the lead by and collaborate with the policy team. Together, the team can build an automated, robust, and defensible BSA/AML risk assessment.
The investment of time and co-collaboration between Analytics and the policy office to build an automated risk assessment model will alleviate data acquisition pain points and allow the policy office to allocate more time towards their qualitative assessment (as discussed further below). The automation model can be built on a dynamic platform which will be leveraged for all subsequent year assessments. 3.1.1 Automated Data Sourcing and Extraction As discussed above, one of the largest challenges that the BSA/AML group faces is in the first phase of the assessment: data sourcing. The steps below outline the collaborative process that the BSA/AML and dedicated analytics teams can take to move towards a more efficient and technologically supported system: 1) Analytics and BSA/AML gain a collaborative understanding of data required to perform the assessment by building a comprehensive questionnaire. Review prior assessment’s data and understand any challenges that are faced in the procurement process of said data. 2) Analytics and BSA/AML map the questionnaire to data elements in various systems. Consult LOB contacts as needed. 3) Analytics team will utilize knowledge of cross-LOB systems and backend databases to build custom queries and conduct completeness and accuracy test on extracted data. Any data transformation processes which can be automated can be incorporated through data extraction queries as needed. 4) QC and validate queries for across all LOBs. Consult LOB contacts as needed. 5) Engage technical support team and build an ETL structure which allows for targeted and quality data that can be pulled daily, monthly, etc. 6) Build an AML-wide data dictionary. The benefit of building an automated data sourcing process can be seen in the visual below. Time consuming challenges faced due to manual data extraction and validation can be automated by leveraging the Analytics team. The new automated process provides a peace of mind over the data that is sourced and opens up availability for the BSA/AML team to focus on subsequent steps within the risk assessment (i.e. qualitative assessment of inherent risks, control effectiveness, etc.). Figure 3.1.1.1 Data Sourcing Automation
It is important to note the benefit of using this exercise to solidify an AML-wide data dictionary. As the risk assessment not only identifies and drives much of the BSA/AML efforts throughout the year, it also incorporates understanding the customer, product, channels, etc. data which is leveraged by all functions of the BSA/AML department in their various day to day projects. 3.1.2 End to End Automated Solution Included below is the proposed process under the new Analytics driven automation model. The process still follows the structure of a standard risk assessment (Data Sourcing, Inherent Risk, Control Assignment, Threshold and Scoring Analysis, etc.) but now includes automated processes that can be implemented using the co-collaboration of BSA/AML and a dedicated Analytics team. Figure 3.1.2.1 End to End Automated Solution This effort in turn will see the following impact: a) Automate and remove the delegated responsibility of data requests from all LOBs. b) Allow data to be pulled and presented in an already agreed upon and familiar format. c) Eliminate the preliminary data pull and validation process, freeing up more time to allocate to the assessment process. d) Integrate front end forms/repositories (i.e. SharePoint) and automate calculation of scoring based on dynamic and flexible thresholds for flexibility year over year. e) Integrate advanced data visualization tools (i.e. Tableau) for a more dynamic visual UI (i.e. real-time threshold adjustment analysis, etc.).
4 Understanding the Risk Assessment and Additional Automation Opportunities Once data has been acquired, the BSA/AML team works to understand the inherent risks associated with the bank and the effectiveness of the controls in place to calculate what aggregate risk remains. The figure below depicts a high level understanding of the process. Each of these phases is elaborated on in further detail below and includes opportunities in which an analytics team can be leveraged to bring automation to each stage of the process. Figure 4.1 Understanding the Risk Assessment 4.1 Inherent Risk Inherent risk is defined as “the risk absent controls”. This assumes that the quality of the controls in place to mitigate money laundering or sanctions risk never result in an Aggregate Risk that is higher than Inherent Risk. The controls either mitigate or fail to mitigate Inherent Risk. For each line of business the Inherent Risk Rating is comprised of four attributes: Customer Risk, Product and Channel Risk, Geography Risk, and Other Risk. Each will need to be evaluated independently to understand the overall risk that the institution faces. 4.1.1 Customer Risk Customer Risk reviews the overall client landscape of the institution to understand what inherent risk the clients and their distribution poses to the institution. Customer Risk will be determined by reviewing the following attributes: 1. High Risk Customer Type (e.g., PIV’s, PSPs, PICs, cash intensive, etc.) 2. AI Governance 3. AML Subpoena 4. Entity Structure 5. Industry Risk 6. New Customer 7. OFAC 8. Prior SAR 9. Section 312 10. 314a Often times, a pre-existing Customer Risk Rating model can be leveraged, particularly if the model is built to incorporate the aforementioned attributes.
4.1.2 Product and Channel Risk Product and Channel Risk reviews the various products and services offered by the institution and the channels available to the consumer to procure, utilize, and terminate these products. An in depth understanding of financial instruments and the inherent nature of these products is key in assessing the overall risk landscape of the institution given the offered products and channels. Product Risk will be determined by the following attributes: 1. Anonymity in transaction / Difficult to ascertain ultimate beneficiaries 2. Transaction related to the product can result in wire transfers to or from high risk countries 3. Complex product (i.e., involves multiple parties) 4. Involves online account services 5. Unrelated third parties receive disbursements, provide collateral, make payments or receive released collateral 6. Speed of Funds Movement 7. International transactions possible 8. Account floor requirements 9. Transactions in Products can be done with CASH It is important to note here that engagement with the LOB directors or contacts is pinnacle at this step of the assessment, particularly for any new products offered since the last assessment. Assessment of risk should not be based solely on the inherent risk of the financial product/channel alone but also with an understanding of the way in which the client base specific to the institution uses the product/channel. This is where the LOB directors or contacts can be a resource in providing insight on the expected behavior and what risks this poses to the institution as a whole. 4.1.3 Geographic Risk To understand the geographic risk is to understand the geographic impression of the financial institution. Geographic risk will pose a risk if the institution is a regional bank with branches in HIDTA and HIFCA, large institution with operations in high risk countries or an institution with private banking. In addition, geographic risk is particularly important to reassess during each assessment as different geographic areas hold different risk year to year due to changes in economic climates or political shifts (i.e. new regulations). Geographic Risk will be determined by the following attributes: 1. Citizenship 2. NRAs 3. Residence 4. Country of Formation 5. Country of Operations 6. Country of Investment 7. Country of Investors 8. Transactions from/to high/medium/low/domestic destination Additional consideration should be allocated to the anti-bribery and corruption risk assessment which can either be performed as a part of the AML risk assessment or as a supplemental risk assessment, at the discretion of the BSA/AML management. 4.1.4 Other Risks to Consider Additional risks will need to be considered that do not particularly fall into any of the aforementioned risk categories but still contribute to the overall inherent risk that the institution faces. The following are an example of some of additional risks to consider. Relevance will vary based on financial institution. 1. Are there any planned future changes to business units related to staffing in the next year - either business or compliance staff - that could impact the ability to comply with AML and perform AML compliance related tasks? 2. Have there been significant changes in marketplace (geography, customer segments, and competition/expansion), technology (systems), business processes or products within the past year? 3. Are there any dealings with counter parties that may be used to facilitate a transaction or refer a customer? 4. Does the business or technology plans take special consideration to include details surrounding customer, geography, products and system changes?
5. What is the staff turnover for full time personnel? 6. Which channels are used to access the products offered by the business line? 7. Are there plans to grow the business inorganically through Mergers and Acquisitions? 8. Does the business rely on a vendor or a third party to carry out a process or part of a process related to compliance with AML regulations? 4.1.5 Final Calculation of Inherent Risk Once the risks have been fully vetted and quantified (at the discretion of the policy office’s procedures around quantitative assignment), the total of each of the risks are aggregated to numerate the total inherent risk. The policy office will then assess if any weights will need to be applied to any of the risk groups based on the specific financial institution. For example, if there is a considerable number of high risk customers in the population, customer risk will weigh more than other categories. Please note that this inherent risk calculation is performed separately for each LOB. Should the policy office deem it necessary, different weights will be assigned to different LOBs based on those LOB’s specific risk environment. Figure 4.1.5.1 Inherent Risk Calculation 4.2 Control Effectiveness After inherent risk is calculated for each LOB, the assessment continues to understand what controls currently exist to mitigate and address the inherent risks identified. This is performed through interviews with the respective contacts in each of the LOBs. Best practice calls for each LOB to upload all the supporting documentation on controls in a shared repository such as a SharePoint site. As needed, internal audit may be engaged at this step to provide any documentation that they hold in their repositories that would prove relevant to the assessment. The BSA/AML team then reviews the control documentation provided for each inherent risk identified. After understanding the control in place and the impact it has against the inherent risk, the BSA/AML team measures the effectiveness of the controls and each control is given a numerical value. Similar to the calculation for the inherent risk, depending on the prominence and how extensive a control is may require that a weight be applied in the calculation at the discretion of the policy office. 4.2.1 Factors and Determination Below is a table that outlines factors related to the control effectiveness of a financial institution. Included in the table are the various factors that the BSA/AML team will inquire with each LOB about and the expected documentation that would assist in the determination of the control effectiveness.
Factors Proposed Weight Determination Oversight/Culture, AML Corporate Governance/Organization xx% Culture of compliance from management, with clear roles, responsibilities, and reporting lines; number of FTEs or equivalents and skill levels Training & Staffing xx% AML training for all staff, including performance reviews IT Tools & Information Systems/Management Information/Management Reporting Record Keeping and Retention xx% Transaction monitoring systems, data platforms, systems integration Policies & Procedures / Quality Assurance/Independent Testing and Oversight (including recent Internal Audit, most recent Compliance Testing or regulatory examination specific to AML policies, procedures, or programs or Other Material Findings/Other Risk Assessments) Action Plan items noted during annual risk assessment and Action Plan items are tracked xx% AML policies and procedures, including KRIs and updates based on changes in industry practices and regulatory expectations; KYC adherence; independent monitoring (pre- and post-on boarding) and testing Monitoring/Investigations/Detection and CTR/SAR filing xx% Implementation of policies and procedures; record retention, tracking, and documentation of investigations for CTR and SAR filings Exceptions to policy or obtained approval for any exceptions to policy xx% Approval process for exceptions Know Your Customer (“KYC”); Client Due Diligence (“CDD”); Enhanced Due Diligence (“EDD”) xx% Robust KYC and EDD program FIU’s documented procedures for transaction monitoring and reporting Independent assessment for effectiveness annually xx% Third party validation of process and procedures Internal controls over general ledger suspense, sweep or other concentration accounts used to process customer funds xx% Documented controls of general ledger accounts 4.2.2 Setting Thresholds & Scoring Once inherent risk and control effectiveness assessment have been completed, the policy office will now assess: What constitutes a “high” risk? What constitutes a "moderate" risk? What constitutes a "low" risk? Without established thresholds, the policy office cannot effectively answer these questions. And without the answers to those questions, they cannot effectively determine aggregate risk.
This is where an Analytics team can be leveraged to cluster the data for threshold identification. The basic approach to clustering is to partition objects/observations into several similar subsets. By extracting data and using the clustering functions in a statistically dynamic coding language (such as R, python, etc.) these datasets can be broken down into groups of distinct clusters around one common entity within the dataset (which represents the group). As such, a single data point in a cluster happens to have the minimal average dissimilarity to all other data points assigned to the same cluster. This partition more accurately allows the assignment of a boundary (such as a target threshold to distinguish normal from unusual). Subsequently, thresholds can be set by determining the outliers and the percentile population in this outlier cluster. The advantage of using a statistically dynamic coding language is that as long as the data inputs remain consistent through each year, the same code can be run year after year to automate the threshold identification process. This allows BSA/AML to allocate more time for qualitative analysis as well as provides a defensible model backed by quantitative validation for the threshold selection process. Refer to figure5.2.2.1 below for a visual understanding behind the clustering concept in identification of thresholds for a risk attribute. Figure 4.2.2.1 Clustering and Outlier Identification 4.3 Aggregate Risk Once both the inherent risk and the effectiveness of the internal control environment have been considered, the aggregate risk can be determined. Aggregate risk is the risk that remains after controls are applied to the inherent risk. The aggregate risk rating is used to indicate whether the money laundering risks within each of the line of business are being adequately managed. Illustration of a three (3) tier risk calculation is included in the visual below: Inherent Risks Controls Strength Aggregate Risks Low 90-100% Low 80-89% Moderate <80% High Moderate 90-100% Low 80-89% Moderate <80% High High 90-100% Low
80-89% Moderate <80% High 4.3.1 Aggregate Financial Institution Risk Once aggregate risk has been calculated for each line of business, the BSA/AML team is now able to assess the overall risk for the financial institution at an aggregate level. As discussed in section 5.1.5, the inherent risk is calculated for each line of business using the formula below. Inherent RiskLOBn = (Customer RiskLOBn )(Customer Risk Weight LOBn ) + (Geography RiskLOBn )(Geography Risk Weight LOBn ) + (Products and Channels RiskLOBn )(Products and Channels Risk Weight LOBn ) + (Other RiskLOBn )(Other Risk Weight LOBn ) As discussed in the section above, the Aggregate Risk is calculated by subtracting the control effectiveness score from the inherent risk score for each LOB. Aggregate RiskLOBn = (Inherent RiskLOBn ) − (Control EffectivenessLOBn ) Lastly, the total risk for the financial institution is calculated by aggregating each LOB’s aggregate risk where x is equal the total number of LOBs. Per the policy office’s discretion, a weight can be applied for each of the LOBs. Aggregate Financial Institution Risk = ∑(Aggregate RiskLOBn )(WeightLOBn ) x n=1

More Related Content

PPTX
Anti-Money Laundering (AML) Risk Assessment Process
accenture
 
PDF
How to conduct an AML risk assessment
Asia Pacific AML
 
PPTX
Risk management in healthcare
Mujeeb Kandy, MASc, MS, CPHQ, RHIA.
 
PPTX
Introducing KRI model know your customers
Baby Sirota
 
PDF
A compliance officer's guide to third party risk management
SALIH AHMED ISLAM
 
PPTX
Enterprise Risk Management in Healthcare Organisations “Going Beyond Patient ...
Hossam Elamir
 
PDF
Trends in AML Compliance and Technology
SAS Institute India Pvt. Ltd
 
PPT
MIS Presentation
Dhiren Gala
 
Anti-Money Laundering (AML) Risk Assessment Process
accenture
 
How to conduct an AML risk assessment
Asia Pacific AML
 
Risk management in healthcare
Mujeeb Kandy, MASc, MS, CPHQ, RHIA.
 
Introducing KRI model know your customers
Baby Sirota
 
A compliance officer's guide to third party risk management
SALIH AHMED ISLAM
 
Enterprise Risk Management in Healthcare Organisations “Going Beyond Patient ...
Hossam Elamir
 
Trends in AML Compliance and Technology
SAS Institute India Pvt. Ltd
 
MIS Presentation
Dhiren Gala
 

What's hot (20)

PDF
Internal control and Control Self Assessment
Manoj Agarwal
 
PPT
Introduction to Risk Management
FAA Safety Team Central Florida
 
PPTX
Governance risk and compliance
Magdalena Matell
 
PPTX
Third-Party Risk Management: A Case Study in Oversight
NICSA
 
PPTX
Risk based approach
Pierre Simon, CCEP-I
 
PDF
Key Risk Indicators - Concepts and Examples (Deloitte, 2014).pdf
Pars Six Sigma Excellence
 
PPT
Types Of Information System
guestead93f3
 
PPTX
Governance, risk and compliance framework
Ceyeap
 
PDF
ERP Training
Soumya De
 
PPT
Corporate Compliance Management
Pavan Kumar Vijay
 
PPTX
Grc governance, risk management & compliance
HR Globe Consulting
 
PPT
Risk Assessment1.ppt
MdSahedulHoque
 
PDF
Board effectiveness and performance beyond the annual evaluation
Institute of Chartered Secretaries and Administrators
 
PPTX
Introduction to Risk Governance
The Windsdor Consulting Group, Inc.
 
PPTX
Anti Money Laundering Framework
nikatmalik
 
PPT
goAML
jwsong127
 
PPT
Customer Due Diligence: Improving Screening Processes for OFAC Entities and O...
SHAUN HASSETT
 
PPTX
Understanding Its Suspicious Activity Reporting (SAR) Requirement
complianceonline123
 
PPTX
Governance, Risk & Compliance Management Solution
Rishabh Software
 
PDF
Risk assessment principles and guidelines
Haris Tahir
 
Internal control and Control Self Assessment
Manoj Agarwal
 
Introduction to Risk Management
FAA Safety Team Central Florida
 
Governance risk and compliance
Magdalena Matell
 
Third-Party Risk Management: A Case Study in Oversight
NICSA
 
Risk based approach
Pierre Simon, CCEP-I
 
Key Risk Indicators - Concepts and Examples (Deloitte, 2014).pdf
Pars Six Sigma Excellence
 
Types Of Information System
guestead93f3
 
Governance, risk and compliance framework
Ceyeap
 
ERP Training
Soumya De
 
Corporate Compliance Management
Pavan Kumar Vijay
 
Grc governance, risk management & compliance
HR Globe Consulting
 
Risk Assessment1.ppt
MdSahedulHoque
 
Board effectiveness and performance beyond the annual evaluation
Institute of Chartered Secretaries and Administrators
 
Introduction to Risk Governance
The Windsdor Consulting Group, Inc.
 
Anti Money Laundering Framework
nikatmalik
 
goAML
jwsong127
 
Customer Due Diligence: Improving Screening Processes for OFAC Entities and O...
SHAUN HASSETT
 
Understanding Its Suspicious Activity Reporting (SAR) Requirement
complianceonline123
 
Governance, Risk & Compliance Management Solution
Rishabh Software
 
Risk assessment principles and guidelines
Haris Tahir
 
Ad

Similar to Quick Reference Guide to BSA/AML Risk Assessment (20)

PDF
Leveraging Technology and Analytics BSA Risk Assessment
Erik De Monte
 
PDF
CTPAT Foreign Manufacturers MSC 2019.pdf
donquixotedominic
 
PPTX
Operational risk management process by s&p
ABDULMUIZZKHAN4
 
PDF
Sample Risk Assessment Report- QuantumBanking.pdf
SathishKumar960827
 
PPTX
IA PRESENTATION-4.pptx
axmedxasancali1
 
PDF
u10a1-Risk Assessment Report-Beji Jacob
Beji Jacob
 
PPT
Presentation_20110802213554
P Karlin Panggalo.SE.MM.Ak.CA.CFA.CCM
 
PDF
Ffiec cat may_2017
Josef Sulca Cueva
 
PDF
CISA Domain- 1 - InfosecTrain
InfosecTrain
 
PDF
CISA Domain 1 The Process On AUDITING INFORMATION SYSTEMS
ShivamSharma909
 
PDF
CTPAT Highway Carriers MSC March 2020.pdf
AntonioCharnichartMa1
 
PDF
Whitepaper-Minimising Customer Impact on Bank Mergers
Sinjo Alex
 
PDF
STRATEGIC RISK ADVISORY SOLUTIONS_Risk Management_Newsletter
Dion K Hamilton
 
PDF
Download ebooks file Guide to Data Analytics Aicpa all chapters
rhajaesuntha
 
PDF
Auditing Assurance and Risk 3rd Edition Knechel Solutions Manual
wadhahvindhu
 
PDF
How Audit Committees Can Help with Third-Party Risks
MHM (Mayer Hoffman McCann P.C.)
 
PDF
CCAR & DFAST: How to incorporate stress testing into banking operations + str...
Grant Thornton LLP
 
PDF
Download full ebook of Guide to Data Analytics Aicpa instant download pdf
ulvphvd2681
 
DOCX
My slides
veronikako
 
PPTX
Chapter 5 - Risk Management - 2nd Semester - M.Com - Bangalore University
Swaminath Sam
 
Leveraging Technology and Analytics BSA Risk Assessment
Erik De Monte
 
CTPAT Foreign Manufacturers MSC 2019.pdf
donquixotedominic
 
Operational risk management process by s&p
ABDULMUIZZKHAN4
 
Sample Risk Assessment Report- QuantumBanking.pdf
SathishKumar960827
 
IA PRESENTATION-4.pptx
axmedxasancali1
 
u10a1-Risk Assessment Report-Beji Jacob
Beji Jacob
 
Presentation_20110802213554
P Karlin Panggalo.SE.MM.Ak.CA.CFA.CCM
 
Ffiec cat may_2017
Josef Sulca Cueva
 
CISA Domain- 1 - InfosecTrain
InfosecTrain
 
CISA Domain 1 The Process On AUDITING INFORMATION SYSTEMS
ShivamSharma909
 
CTPAT Highway Carriers MSC March 2020.pdf
AntonioCharnichartMa1
 
Whitepaper-Minimising Customer Impact on Bank Mergers
Sinjo Alex
 
STRATEGIC RISK ADVISORY SOLUTIONS_Risk Management_Newsletter
Dion K Hamilton
 
Download ebooks file Guide to Data Analytics Aicpa all chapters
rhajaesuntha
 
Auditing Assurance and Risk 3rd Edition Knechel Solutions Manual
wadhahvindhu
 
How Audit Committees Can Help with Third-Party Risks
MHM (Mayer Hoffman McCann P.C.)
 
CCAR & DFAST: How to incorporate stress testing into banking operations + str...
Grant Thornton LLP
 
Download full ebook of Guide to Data Analytics Aicpa instant download pdf
ulvphvd2681
 
My slides
veronikako
 
Chapter 5 - Risk Management - 2nd Semester - M.Com - Bangalore University
Swaminath Sam
 
Ad

Recently uploaded (20)

PDF
Clinical guidelines as a resource for EBP(1).pdf
MashalKhan626345
 
PPTX
climate analysis of Dhaka ,Banglades.pptx
rrawjatun
 
PPTX
CEE 2 REPORT G7.pptxbdbshjdgsgjgsjfiuhsd
hildogavino28
 
PDF
Recruitment and Placement PPT.pdfbjfibjdfbjfobj
Alka392097
 
PPT
Chapter 2 METAL FORMINGhhhhhhhjjjjmmmmmmmmm
JanakiRaman206018
 
PDF
22.Patil - Early prediction of Alzheimer’s disease using convolutional neural...
ngaviet5
 
PPTX
advance b rammar.pptxfdgdfgdfsgdfgsdgfdfgdfgsdfgdfgdfg
rohullahansari5
 
PPTX
Supervised vs unsupervised machine learning algorithms
agarwal18harsh08
 
PPTX
Data_Analytics_and_PowerBI_Presentation.pptx
ZubyrAhmed
 
PPTX
IBA_Chapter_11_Slides_Final_Accessible.pptx
SrikantKapoor1
 
PDF
TRAFFIC-MANAGEMENT-AND-ACCIDENT-INVESTIGATION-WITH-DRIVING-PDF-FILE.pdf
chouziyu14
 
PPTX
05. PRACTICAL GUIDE TO MICROSOFT EXCEL.pptx
macomputermacomputer
 
PDF
BF and FI - Blockchain, fintech and Financial Innovation Lesson 2.pdf
JamesWilliams752225
 
PDF
Galatica Smart Energy Infrastructure Startup Pitch Deck
Shahzaib Ajmal
 
PDF
Foundation of Data Science unit number two notes
sanguleumeshit
 
PPTX
The THESIS FINAL-DEFENSE-PRESENTATION.pptx
hshakobe3
 
PDF
Introduction to Business Data Analytics.
jamalmumthaj
 
PDF
.pdf is not working space design for the following data for the following dat...
jerinjoy242
 
PPTX
Introduction-to-Cloud-ComputingFinal.pptx
testnet29393883
 
PDF
"Python Programming for Geospatial Data Science." ...
institute of Geoinformatics and Earth Observation at PMAS ARID Agriculture University of Rawalpindi
 
Clinical guidelines as a resource for EBP(1).pdf
MashalKhan626345
 
climate analysis of Dhaka ,Banglades.pptx
rrawjatun
 
CEE 2 REPORT G7.pptxbdbshjdgsgjgsjfiuhsd
hildogavino28
 
Recruitment and Placement PPT.pdfbjfibjdfbjfobj
Alka392097
 
Chapter 2 METAL FORMINGhhhhhhhjjjjmmmmmmmmm
JanakiRaman206018
 
22.Patil - Early prediction of Alzheimer’s disease using convolutional neural...
ngaviet5
 
advance b rammar.pptxfdgdfgdfsgdfgsdgfdfgdfgsdfgdfgdfg
rohullahansari5
 
Supervised vs unsupervised machine learning algorithms
agarwal18harsh08
 
Data_Analytics_and_PowerBI_Presentation.pptx
ZubyrAhmed
 
IBA_Chapter_11_Slides_Final_Accessible.pptx
SrikantKapoor1
 
TRAFFIC-MANAGEMENT-AND-ACCIDENT-INVESTIGATION-WITH-DRIVING-PDF-FILE.pdf
chouziyu14
 
05. PRACTICAL GUIDE TO MICROSOFT EXCEL.pptx
macomputermacomputer
 
BF and FI - Blockchain, fintech and Financial Innovation Lesson 2.pdf
JamesWilliams752225
 
Galatica Smart Energy Infrastructure Startup Pitch Deck
Shahzaib Ajmal
 
Foundation of Data Science unit number two notes
sanguleumeshit
 
The THESIS FINAL-DEFENSE-PRESENTATION.pptx
hshakobe3
 
Introduction to Business Data Analytics.
jamalmumthaj
 
.pdf is not working space design for the following data for the following dat...
jerinjoy242
 
Introduction-to-Cloud-ComputingFinal.pptx
testnet29393883
 
"Python Programming for Geospatial Data Science." ...
institute of Geoinformatics and Earth Observation at PMAS ARID Agriculture University of Rawalpindi
 

Quick Reference Guide to BSA/AML Risk Assessment

  • 1. Quick Reference Guide to BSA/AML Enterprise Risk Assessment By Mayank Johri & Erik De Monte 1 Introduction The AML Risk Assessment is a key pillar in a financial institution’s AML compliance program addressing BSA/AML regulations. The assessment is an essential mechanism to assist management in understanding the institution’s vulnerability to money laundering and terrorist financing including: i. Playing a critical role in the compliance governance structure. ii. Providing transparency of AML risk across businesses, product, and customer. iii. Guiding management to make informed decisions about risk appetite and implementation/prioritization of control efforts, allocation of resources, technology spend, etc. iv. Ensure both internal (i.e. senior management) and external (i.e. regulators) relevant parties are made aware of the key risks, control gaps and remediation efforts. The AML Risk Assessment calculates an aggregate AML risk rating for each line of business (LOB). The aggregate AML risk is a combination of AML risk (inherent risk) and quality of risk management (control effectiveness). The methodology is based on published regulatory guidelines and input from the institution’s AML policy office. In addition to providing insight over the points discussed above, the risk assessment acts as a foundation and an essential driver for all areas within the BSA/AML group for the period following the assessment. The following diagram outlines from a high level the risk assessment approach. Inherent risks are identified and the control environment is analyzed to understand how these risks are being mitigated. What remains is the aggregate, or residual, risk that is to be addressed. Figure 1.1 High Level Approach 2 Challenges Institutions face a myriad of challenges while conducting a risk assessment. Foremost of their challenges being sourcing data from the various LOBs which proves difficult to accomplish in a timely and efficient manner. Management of multiple documents across LOB can be extensive and reliance on LOB resources to perform data validation is time consuming. BSA/AML expertise over data is limited and the process of reviewing, cleaning up and transforming can be an onerous task. Another challenge is setting thresholds and scoring as this process is usually subjective and manual which results in an indefensible methodology to define the institution’s BSA/AML risk. 3 Solution The BSA/AML risk assessment should be considered a collaborative analytics and policy function. Across financial institutions, the acquisition and understanding of the data environment is the area in which the analytics team can act as a bridge for the BSA/AML team. Ideally, management should allocate a dedicated analytics team having BSA/AML risk expertise to take the lead by and collaborate with the policy team. Together, the team can build an automated, robust, and defensible BSA/AML risk assessment.
  • 2. The investment of time and co-collaboration between Analytics and the policy office to build an automated risk assessment model will alleviate data acquisition pain points and allow the policy office to allocate more time towards their qualitative assessment (as discussed further below). The automation model can be built on a dynamic platform which will be leveraged for all subsequent year assessments. 3.1.1 Automated Data Sourcing and Extraction As discussed above, one of the largest challenges that the BSA/AML group faces is in the first phase of the assessment: data sourcing. The steps below outline the collaborative process that the BSA/AML and dedicated analytics teams can take to move towards a more efficient and technologically supported system: 1) Analytics and BSA/AML gain a collaborative understanding of data required to perform the assessment by building a comprehensive questionnaire. Review prior assessment’s data and understand any challenges that are faced in the procurement process of said data. 2) Analytics and BSA/AML map the questionnaire to data elements in various systems. Consult LOB contacts as needed. 3) Analytics team will utilize knowledge of cross-LOB systems and backend databases to build custom queries and conduct completeness and accuracy test on extracted data. Any data transformation processes which can be automated can be incorporated through data extraction queries as needed. 4) QC and validate queries for across all LOBs. Consult LOB contacts as needed. 5) Engage technical support team and build an ETL structure which allows for targeted and quality data that can be pulled daily, monthly, etc. 6) Build an AML-wide data dictionary. The benefit of building an automated data sourcing process can be seen in the visual below. Time consuming challenges faced due to manual data extraction and validation can be automated by leveraging the Analytics team. The new automated process provides a peace of mind over the data that is sourced and opens up availability for the BSA/AML team to focus on subsequent steps within the risk assessment (i.e. qualitative assessment of inherent risks, control effectiveness, etc.). Figure 3.1.1.1 Data Sourcing Automation
  • 3. It is important to note the benefit of using this exercise to solidify an AML-wide data dictionary. As the risk assessment not only identifies and drives much of the BSA/AML efforts throughout the year, it also incorporates understanding the customer, product, channels, etc. data which is leveraged by all functions of the BSA/AML department in their various day to day projects. 3.1.2 End to End Automated Solution Included below is the proposed process under the new Analytics driven automation model. The process still follows the structure of a standard risk assessment (Data Sourcing, Inherent Risk, Control Assignment, Threshold and Scoring Analysis, etc.) but now includes automated processes that can be implemented using the co-collaboration of BSA/AML and a dedicated Analytics team. Figure 3.1.2.1 End to End Automated Solution This effort in turn will see the following impact: a) Automate and remove the delegated responsibility of data requests from all LOBs. b) Allow data to be pulled and presented in an already agreed upon and familiar format. c) Eliminate the preliminary data pull and validation process, freeing up more time to allocate to the assessment process. d) Integrate front end forms/repositories (i.e. SharePoint) and automate calculation of scoring based on dynamic and flexible thresholds for flexibility year over year. e) Integrate advanced data visualization tools (i.e. Tableau) for a more dynamic visual UI (i.e. real-time threshold adjustment analysis, etc.).
  • 4. 4 Understanding the Risk Assessment and Additional Automation Opportunities Once data has been acquired, the BSA/AML team works to understand the inherent risks associated with the bank and the effectiveness of the controls in place to calculate what aggregate risk remains. The figure below depicts a high level understanding of the process. Each of these phases is elaborated on in further detail below and includes opportunities in which an analytics team can be leveraged to bring automation to each stage of the process. Figure 4.1 Understanding the Risk Assessment 4.1 Inherent Risk Inherent risk is defined as “the risk absent controls”. This assumes that the quality of the controls in place to mitigate money laundering or sanctions risk never result in an Aggregate Risk that is higher than Inherent Risk. The controls either mitigate or fail to mitigate Inherent Risk. For each line of business the Inherent Risk Rating is comprised of four attributes: Customer Risk, Product and Channel Risk, Geography Risk, and Other Risk. Each will need to be evaluated independently to understand the overall risk that the institution faces. 4.1.1 Customer Risk Customer Risk reviews the overall client landscape of the institution to understand what inherent risk the clients and their distribution poses to the institution. Customer Risk will be determined by reviewing the following attributes: 1. High Risk Customer Type (e.g., PIV’s, PSPs, PICs, cash intensive, etc.) 2. AI Governance 3. AML Subpoena 4. Entity Structure 5. Industry Risk 6. New Customer 7. OFAC 8. Prior SAR 9. Section 312 10. 314a Often times, a pre-existing Customer Risk Rating model can be leveraged, particularly if the model is built to incorporate the aforementioned attributes.
  • 5. 4.1.2 Product and Channel Risk Product and Channel Risk reviews the various products and services offered by the institution and the channels available to the consumer to procure, utilize, and terminate these products. An in depth understanding of financial instruments and the inherent nature of these products is key in assessing the overall risk landscape of the institution given the offered products and channels. Product Risk will be determined by the following attributes: 1. Anonymity in transaction / Difficult to ascertain ultimate beneficiaries 2. Transaction related to the product can result in wire transfers to or from high risk countries 3. Complex product (i.e., involves multiple parties) 4. Involves online account services 5. Unrelated third parties receive disbursements, provide collateral, make payments or receive released collateral 6. Speed of Funds Movement 7. International transactions possible 8. Account floor requirements 9. Transactions in Products can be done with CASH It is important to note here that engagement with the LOB directors or contacts is pinnacle at this step of the assessment, particularly for any new products offered since the last assessment. Assessment of risk should not be based solely on the inherent risk of the financial product/channel alone but also with an understanding of the way in which the client base specific to the institution uses the product/channel. This is where the LOB directors or contacts can be a resource in providing insight on the expected behavior and what risks this poses to the institution as a whole. 4.1.3 Geographic Risk To understand the geographic risk is to understand the geographic impression of the financial institution. Geographic risk will pose a risk if the institution is a regional bank with branches in HIDTA and HIFCA, large institution with operations in high risk countries or an institution with private banking. In addition, geographic risk is particularly important to reassess during each assessment as different geographic areas hold different risk year to year due to changes in economic climates or political shifts (i.e. new regulations). Geographic Risk will be determined by the following attributes: 1. Citizenship 2. NRAs 3. Residence 4. Country of Formation 5. Country of Operations 6. Country of Investment 7. Country of Investors 8. Transactions from/to high/medium/low/domestic destination Additional consideration should be allocated to the anti-bribery and corruption risk assessment which can either be performed as a part of the AML risk assessment or as a supplemental risk assessment, at the discretion of the BSA/AML management. 4.1.4 Other Risks to Consider Additional risks will need to be considered that do not particularly fall into any of the aforementioned risk categories but still contribute to the overall inherent risk that the institution faces. The following are an example of some of additional risks to consider. Relevance will vary based on financial institution. 1. Are there any planned future changes to business units related to staffing in the next year - either business or compliance staff - that could impact the ability to comply with AML and perform AML compliance related tasks? 2. Have there been significant changes in marketplace (geography, customer segments, and competition/expansion), technology (systems), business processes or products within the past year? 3. Are there any dealings with counter parties that may be used to facilitate a transaction or refer a customer? 4. Does the business or technology plans take special consideration to include details surrounding customer, geography, products and system changes?
  • 6. 5. What is the staff turnover for full time personnel? 6. Which channels are used to access the products offered by the business line? 7. Are there plans to grow the business inorganically through Mergers and Acquisitions? 8. Does the business rely on a vendor or a third party to carry out a process or part of a process related to compliance with AML regulations? 4.1.5 Final Calculation of Inherent Risk Once the risks have been fully vetted and quantified (at the discretion of the policy office’s procedures around quantitative assignment), the total of each of the risks are aggregated to numerate the total inherent risk. The policy office will then assess if any weights will need to be applied to any of the risk groups based on the specific financial institution. For example, if there is a considerable number of high risk customers in the population, customer risk will weigh more than other categories. Please note that this inherent risk calculation is performed separately for each LOB. Should the policy office deem it necessary, different weights will be assigned to different LOBs based on those LOB’s specific risk environment. Figure 4.1.5.1 Inherent Risk Calculation 4.2 Control Effectiveness After inherent risk is calculated for each LOB, the assessment continues to understand what controls currently exist to mitigate and address the inherent risks identified. This is performed through interviews with the respective contacts in each of the LOBs. Best practice calls for each LOB to upload all the supporting documentation on controls in a shared repository such as a SharePoint site. As needed, internal audit may be engaged at this step to provide any documentation that they hold in their repositories that would prove relevant to the assessment. The BSA/AML team then reviews the control documentation provided for each inherent risk identified. After understanding the control in place and the impact it has against the inherent risk, the BSA/AML team measures the effectiveness of the controls and each control is given a numerical value. Similar to the calculation for the inherent risk, depending on the prominence and how extensive a control is may require that a weight be applied in the calculation at the discretion of the policy office. 4.2.1 Factors and Determination Below is a table that outlines factors related to the control effectiveness of a financial institution. Included in the table are the various factors that the BSA/AML team will inquire with each LOB about and the expected documentation that would assist in the determination of the control effectiveness.
  • 7. Factors Proposed Weight Determination Oversight/Culture, AML Corporate Governance/Organization xx% Culture of compliance from management, with clear roles, responsibilities, and reporting lines; number of FTEs or equivalents and skill levels Training & Staffing xx% AML training for all staff, including performance reviews IT Tools & Information Systems/Management Information/Management Reporting Record Keeping and Retention xx% Transaction monitoring systems, data platforms, systems integration Policies & Procedures / Quality Assurance/Independent Testing and Oversight (including recent Internal Audit, most recent Compliance Testing or regulatory examination specific to AML policies, procedures, or programs or Other Material Findings/Other Risk Assessments) Action Plan items noted during annual risk assessment and Action Plan items are tracked xx% AML policies and procedures, including KRIs and updates based on changes in industry practices and regulatory expectations; KYC adherence; independent monitoring (pre- and post-on boarding) and testing Monitoring/Investigations/Detection and CTR/SAR filing xx% Implementation of policies and procedures; record retention, tracking, and documentation of investigations for CTR and SAR filings Exceptions to policy or obtained approval for any exceptions to policy xx% Approval process for exceptions Know Your Customer (“KYC”); Client Due Diligence (“CDD”); Enhanced Due Diligence (“EDD”) xx% Robust KYC and EDD program FIU’s documented procedures for transaction monitoring and reporting Independent assessment for effectiveness annually xx% Third party validation of process and procedures Internal controls over general ledger suspense, sweep or other concentration accounts used to process customer funds xx% Documented controls of general ledger accounts 4.2.2 Setting Thresholds & Scoring Once inherent risk and control effectiveness assessment have been completed, the policy office will now assess: What constitutes a “high” risk? What constitutes a "moderate" risk? What constitutes a "low" risk? Without established thresholds, the policy office cannot effectively answer these questions. And without the answers to those questions, they cannot effectively determine aggregate risk.
  • 8. This is where an Analytics team can be leveraged to cluster the data for threshold identification. The basic approach to clustering is to partition objects/observations into several similar subsets. By extracting data and using the clustering functions in a statistically dynamic coding language (such as R, python, etc.) these datasets can be broken down into groups of distinct clusters around one common entity within the dataset (which represents the group). As such, a single data point in a cluster happens to have the minimal average dissimilarity to all other data points assigned to the same cluster. This partition more accurately allows the assignment of a boundary (such as a target threshold to distinguish normal from unusual). Subsequently, thresholds can be set by determining the outliers and the percentile population in this outlier cluster. The advantage of using a statistically dynamic coding language is that as long as the data inputs remain consistent through each year, the same code can be run year after year to automate the threshold identification process. This allows BSA/AML to allocate more time for qualitative analysis as well as provides a defensible model backed by quantitative validation for the threshold selection process. Refer to figure5.2.2.1 below for a visual understanding behind the clustering concept in identification of thresholds for a risk attribute. Figure 4.2.2.1 Clustering and Outlier Identification 4.3 Aggregate Risk Once both the inherent risk and the effectiveness of the internal control environment have been considered, the aggregate risk can be determined. Aggregate risk is the risk that remains after controls are applied to the inherent risk. The aggregate risk rating is used to indicate whether the money laundering risks within each of the line of business are being adequately managed. Illustration of a three (3) tier risk calculation is included in the visual below: Inherent Risks Controls Strength Aggregate Risks Low 90-100% Low 80-89% Moderate <80% High Moderate 90-100% Low 80-89% Moderate <80% High High 90-100% Low
  • 9. 80-89% Moderate <80% High 4.3.1 Aggregate Financial Institution Risk Once aggregate risk has been calculated for each line of business, the BSA/AML team is now able to assess the overall risk for the financial institution at an aggregate level. As discussed in section 5.1.5, the inherent risk is calculated for each line of business using the formula below. Inherent RiskLOBn = (Customer RiskLOBn )(Customer Risk Weight LOBn ) + (Geography RiskLOBn )(Geography Risk Weight LOBn ) + (Products and Channels RiskLOBn )(Products and Channels Risk Weight LOBn ) + (Other RiskLOBn )(Other Risk Weight LOBn ) As discussed in the section above, the Aggregate Risk is calculated by subtracting the control effectiveness score from the inherent risk score for each LOB. Aggregate RiskLOBn = (Inherent RiskLOBn ) − (Control EffectivenessLOBn ) Lastly, the total risk for the financial institution is calculated by aggregating each LOB’s aggregate risk where x is equal the total number of LOBs. Per the policy office’s discretion, a weight can be applied for each of the LOBs. Aggregate Financial Institution Risk = ∑(Aggregate RiskLOBn )(WeightLOBn ) x n=1