BSA Risk Assessments-What’s the Point, December 28, 2016



For those of you who have experienced a BSA examination or audit, you know one of the first things you are asked for is your BSA/OFAC risk assessment.  It has also likely been your experience to find a risk assessment deemed complete and not in need of some sort of enhancement is something of a “unicorn”.  In most cases, examinations and audits include a comment discussing the need to expand the risk assessment and to include more detail.  The detail required for a complete risk assessment is elusive at best.  Often, the right information for the risk assessment fits the famous Supreme Court definition of pornography- “you know it when you see it”.

The FFIEC BSA manual is not exactly helpful when it comes to developing risk assessments.   The manual directs every financial institution should develop a BSA/AML and an OFAC risk assessment.  Unfortunately, the form the risk assessment should take or the minimum information required are left as open questions for the financial institution.   Thus, many financial institutions end up with a very basic document which has been developed to meet a regulatory requirement, but without much other meaning or use.

As financial institutions continue to change and the number of financial products and type of institutions offering banking services grows, the risk assessment can be something entirely different. Taking the approach that the risk assessment can be used to formulate both the annual budget request and the strategic plan, can change the whole process.

The FFIEC BSA examination manual specifically mentions risk assessments in the following section:

“The same risk management principles that the bank uses in traditional operational areas should be applied to assessing and managing BSA/AML risk. A well-developed risk assessment assists in identifying the bank’s BSA/AML risk profile. Understanding the risk profile enables the bank to apply appropriate risk management processes to the BSA/AML compliance program to mitigate risk. This risk assessment process enables management to better identify and mitigate gaps in the bank’s controls. The risk assessment should provide a comprehensive analysis of the BSA/AML risks in a concise and organized presentation, and should be shared and communicated with all business lines across the bank, board of directors, management, and appropriate staff; as such, it is a sound practice that the risk assessment be reduced to writing” 1


This preamble has several important ideas in it.   The expectation is, management of an institution can identify:

  • Who its customers are:  including the predominant nature of the customer base- are you a consumer institution or a commercial at your core?  Who are the customers you primarily serve?
  • What is going on in your service area?  Is it a high crime area or a high drug trafficking area, both or neither?  The expectation is you will know the types of things, both good and bad going on around you.  For example, if you live in an area where real estate is extremely high cost, there might be several “bad guys” buying property for cash as a means of laundering money.   The point is you need to know what is going on around you
  • Where are the outlier customers?  Do you know which types of customers who require being watched more than others?  There are some customers who, by the nature of what they do, require more observation and analysis than others.  The question is, have you identified these high-risk customers?
  • How well are you set up to monitor the risks at your institution?  Do you have systems in place are up to the task to discover “bad things” going?  Does the software you use really help the monitoring process?   This analysis should consider whether the staff you have   truly understand the business models your customers are using.  For example, if your customer base includes Money Service Businesses, do you have staff in place who know how money services business work and what to look for?  The best software in the world is ineffective if the people reading the output are not familiar with what normal activity at an MSB.
  • Ties to the strategic plan: Does the BSA program have the resources to match changes in products or services planned for the institution? For example, if the institution plans to increase the number of accounts offered to money services business, does the BSA department have an increase in staff included in its budget?


Effective Risk Management 

The information and conclusions developed in the risk assessment should be used for planning the year for the BSA/AML compliance program.  The areas with the greatest areas of risk should also be the same areas with the greatest dedicated resources.   Independent audits and reviews should be directed to areas of greatest risk.  For example, if there are many electronic banking customers at the institutions while almost no MSB’s, then the audit scope should presumably focus on the electronic banking area and give MSB’s a limited review.  In addition, training should focus on the BSA/AML risks associated with electronic banking, etc.

Rethinking the Risk Assessment process 

Continued development of new products and processes in finance and technology (“fintech”) and BSA/AML have opened the possibility of a vast array of potential new products for financial institutions.  Products such as digital wallets and stored value on smartphones have opened new markets for people who have been traditionally unbanked and underbanked. Financial institutions which are forward thinking should consider the possibility some of these new products have the potential to enhance income.

The ability to safely and effectively offer new products depends heavily on the ability of the compliance department to fully handle the regulatory requirements of the products.  When preparing the risk assessment, consider the resources necessary to offer new and (money making products).

There are no absolute prohibitions against banking high risk clients  

Per the FFIEC BSA Examination manual higher risk accounts are defined as:

“Certain products and services offered by banks may pose a higher risk of money laundering or terrorist financing depending on the nature of the specific product or service offered. Such products and services may facilitate a higher degree of anonymity, or involve the handling of high volumes of currency or currency equivalents” 2

The Manual goes on to detail several other factors which should be considered when monitoring high risk accounts.  We note the manual does not conclude high risk accounts should be avoided.

The BSA/AML examination manual (“exam manual”) establishes the standard for providing banking services to clients who may have a high risk of potential money laundering.  Financial institutions are expected to:

  1. Conduct a risk assessment on each of these clients,
  2. Consider the risks presented
  3. Consider the strengthening of internal controls to mitigate risk
  4. Determine whether the account(s) can be properly monitored and administrated;
  5. Determine if the risk presented fits within the risk tolerance established by the Board of Directors.

Once these steps are followed to open the account, for high risk customers, there is also an expectation there will be ongoing monitoring of the account for potential suspicious activity or account abuse.    The exam manual is also clear; once a procedure is in place to determine and properly mitigate and manage risks, there is no prohibition against having high risk customers.  The risk assessment section of the exam manual notes the following:

“The existence of BSA/AML risk within the aggregate risk profile should not be criticized as long as the bank’s BSA/AML compliance program adequately identifies, measures, monitors, and controls this risk as part of a deliberate risk strategy.”3

Once an account has been determined to be high risk, and an efficient monitoring plan has been developed, there can be various levels of what high risk can mean.    When a customer’s activity is consistent with the parameters which have been established and have not varied for some time, then account can technically be high risk but not in practice.   For example, Money Services Businesses are considered “high-risk” because they fit the definition from the FFIEC manual.  However, a financial institution can establish who the customers of the MSB are and what they do.  A baseline for remittance activity, check cashing and deposits and wire activity can be established.   If the MSB’s activity meets the established baseline, the account remains “high risk” only in the technical meaning of the word.   Knowing what the customers’ business line is and understanding what the customer is doing as they continue without much variation reduces the overall risk.

For a more complete discussion of the effective use of the BSA/AML risk assessment, please contact us at

Planning Your Compliance Year- December 13, 2016

As the year comes to close, for most people, it is time to celebrate with family and friends and to look forward to the new year with anticipation.  For risk and compliance officers at financial institutions, the new year comes with a bit of a different perspective.  For many years now, each new year brings a different set of regulations and the challenge of keeping financial institutions in compliance.   This is not necessarily a bad thing.  New challenges can present an opportunity for new and more efficient solutions.   There are some steps that you can take that can truly help you get to the goal of getting on top of compliance.


Step One- Information Gathering

There are several sources for regulatory changes.  It is important to consider the fact that compliance and risk expectations can be changed by more than the implementation of new regulations.   Regulatory agencies respond to world events, the political environment, resources allocations, technology and many other factors.   One valuable source of information that is often overlooked are the annual plans or statements that are issued by the prudential regulations.  All three issue a plan that addresses the areas that they will emphasize in the upcoming year.[1]  For example, the Office of the Comptrollers’ annual report points out that strategic planning will be an emphasis of the examinations teams in 2017.   In addition, there are many organizations and agencies that list the effective dates for regulations.  At VCM, we have a form that lists regulations, effective dates and whether the regulation will apply to your organization. [2] Gathering information on the new regulations and regulatory initiatives is a key first step for planning the compliance year.

Step Two – Setting the Parameters

The next step is to complete a risk assessment.  Often, we see risk assessments that are performed specifically for meeting a regulatory requirement.  In many cases, these assessments are completed and put away until it is time to do an annual update.  We believe that the risk assessment provides an excellent opportunity to set the parameters for your own compliance program.  Your risk assessment should include:

  • The areas where there have been regulatory of? internal audit findings in the past
  • The types of products the Bank offers and the risks associated with those products
  • New products contemplated
  • The management reports currently being generated by software
  • Changes in regulations that might affect the bank
  • Changes in staff that have occurred or are planned.

The risk assessment should be designed to determine the areas where your institution has the greatest risk for violations or findings.  The assessment should be brutally honest and unflinching in its assessment of the compliance needs for your institution.

The most important part of this step is to remember to USE the document that you have prepared!  The risk assessment should be the basic document that helps you make the case to senior management for additional staff and/or resources.   The risk assessment should also be used to help set the scope of the internal audits that are performed.  It is very rare that there will be time to cover every potential issue in a year so the risk assessment should help prioritize resources.    The risk assessment should also be used to set the training calendar.

Step Three- Checking Twice  

In addition to going through the regulations, it is necessary to make sure your policies and procedures match the requirements.  For example, have you developed a solid method for making sure that you comply with the “valuations rules” of regulations B and Z?  Do you know what these are and how they affect you?

It is also a very good idea to sign up for all the “Free stuff” that the regulators publish about compliance.   These can be used as useful supplemental training tools.  There is a great deal of very helpful information made available by the Federal Reserve and the CFPB. [3]

Step Four-Call for Help!

One of the benefits of completing a comprehensive compliance risk assessment is that the results can help you determine the level of support that is needed.   Far too often compliance departments get additional resources only after the staff has been overwhelmed or has experienced a poor result from an audit or examination.  However, as the saying goes, an ounce of prevention is worth a pound of cure.  Identifying the areas that are the highest risk and asking for help in those areas before they become a problem is a best practice that will enhance your compliance program and the quality of your life!

One of the best areas to get support for compliance is through the staff at your bank.   At the end of the day, compliance is a team effort that requires the input of the whole bank to be most effective.  One of the themes that we have noticed over the years is that people tend to buy in more when they understand the how’s and whys of compliance.  While online training classes are clearly efficient and relatively inexpensive, they sometimes can lack the perspective that gives the staff members the reason why the regulation exists.   For example, we have found that taking the time to explain what it is that BSA laws and rules are trying to accomplish to the staff members who are opening accounts has dramatically improved the collection of data for CIP.  The same is true for Regulation B and a host of other areas.  By helping bank staff understand that there really are good reasons why you are so insistent on complete and accurate disclosures, you can greatly reduce the error rate in these disclosures.   The more help from staff that you get, the more efficient you can be.


Step Five- Execute the Plan

Once you have completed the risk assessment, prioritize the risks and asked for help, it is time to execute the plan.   Make sure that the scope of the audits that you are getting will meet your needs and give you information on how things are going.   Regulators have become increasingly critical of audit scopes that are too general or that do not cover specific areas of compliance weakness at the bank.   The internal audit is an important tool that should be used to help find areas that need attention.  It is true that the auditor is your friend.  The results of audits should be taken seriously and positively as this is your opportunity to determine levels of compliance without having regulatory problems.

Like all good coaches, as a compliance officer you know the areas where your team is the weakest.  Make sure that your compliance plan is designed to address these areas from the outset.  If training has been a concern for example, then make sure that you have addressed the root of the problem.

Step Six-Remain Flexible

There is a parable that says that if you want to prove that God has a sense of humor- then try making your own plans.  There is no question that the best-laid plans can sometimes go awry.  Therefore, it is important that you build flexibility into your plan.  For example, even though you may have wanted to do flood insurance testing in the first quarter, you might find that the more urgent area of risk is compliance with HMDA.  Even though flood insurance will always be a “hot button” issue, there are times when the greater area of risk can be somewhere else.  The point is that your plan can hit all the highest areas of risk to ensure that your program is successful.


Planning your compliance year cannot only keep you ahead of trouble; it can help you start making different New Year’s resolutions!


[1] See for example,,


[2] This form can be found on our website at


Assessing Your Compliance Management Program- November 29, 2016

In April of 2016, the FFIEC released proposed new guidelines for rating compliance programs at financial institutions.  These guidelines have since been adopted and will commence in March of 2017. The new compliance guidelines will represent a strong departure from the current system for rating. In addition, these guidelines present a strong opportunity for financial institutions to greatly impact their own compliance destiny.  Although these new guidelines have been released with limited fanfare, the change in approach to supervision of financial institutions has been discussed for some time and is noteworthy.  The upcoming changes to the ratings for compliance programs, will put a premium on the overall effectiveness of your compliance management program.   The stronger the program for compliance, the less likely a single finding will impact the overall rating.

Determining Effectiveness

Although it is easy to assume that “effectiveness” is in the eye of the beholder, there are some metrics that can be used to make this determination.  Some of the factors that the regulators will consider when assessing effectiveness include:

·        Ability to identify compliance risks at the institution – under the new ratings systems the risk assessment your institution prepares will be a critical document. On a regular basis, it is necessary to identify all the risks associated with:

o  The products you offer

o  The customers you serve

o  The It systems you are using

o  The training program you have

o  The strength of the policies and procedures in place

o  Turnover at key positions

o  New and additional products offered

Regulators will expect the risk assessment process is comprehensive and robust and all potential problems are considered and addressed. For each risk mentioned above there should be steps designed to reduce risk to an acceptable level. In this case, the acceptable level should match with the risk appetite of the Board. All financial activity has some level of inherent risk. The risk assessment should detail how your institution has identified the risk and done all that it can to reduce the risk to the level the Board has decided they are willing to take.

·        Appropriate resources to address and mitigate risks – One of the disconnects that often occur between the completion of a risk assessment and the ongoing operation of a financial institution is consideration of the resources that are available. For example, it is one thing to develop comprehensive procedures for testing compliance with flood rules. It is another thing altogether not to have sufficient staff to complete all the steps in the procedures. Moreover, if the staff that are expected to follow the flood procedures are overburdened or under trained, your plans for mitigating risk will be thwarted. The level and quality of resources directed towards compliance will be a key consideration for the overall compliance rating under the new guidelines. Suppose your financial institution had a finding in the flood insurance area after an examination. If the finding was caused by an oversight, that is unlikely to repeat, the impact of the finding will be minimized. On the other hand, if the finding was created because there wasn’t enough time or staff to do a quality check, the issue looms large.

·        Ongoing testing of the internal controls – Much like the old saying “an ounce of prevention is worth a pound of cure” regular testing of compliance controls can greatly enhance the effectiveness of a compliance program. The testing doesn’t have to be extensive, just consistent. Take five of the most recent originated loans and make sure that the disclosures were completed timely and completely. Do the same for deposit accounts that have been recently opened. Complete a mystery shopping event to test employee’s knowledge of products and services.  By using ongoing testing, a compliance team can determine the areas of true weakness and address them.

·        Training of staff– Most financial institutions rely on on-line training to meet the obligations of keeping staff informed about the applicable regulations. On-line training is an extremely useful and cost effective manner to give staff members basic understanding. However, effective compliance programs augment this training with in-person classes that allow staff to ask real world examples. This reinforces the information and allows for a deeper understanding of the requirements of the regulations and how staff is critical for an overall strong program.

Using Findings to your advantage

Maintaining an effective program does not mean that there won’t be ANYfindings. It DOES mean that when errors occur, the compliance team can determine the root cause of the problem and develop a plan to address it.  An effective compliance program will be able to use findings to strengthen the program itself in the long run.

There are Lessons for All Financial Institutions in the Wells Fargo Case- Part Three: A Glaring Need – November 2, 2016

There are lessons for All Financial Institutions in the Wells Fargo Case

Part Three- Turning Our Eyes to a Glaring Need

We have talked about the Wells Fargo case involved violations of Unfair, Deceptive Acts or Practices Act. We noted that this is true because the practices of the bank forced extra accounts and products on customers who simply didn’t want them. In addition to unwanted accounts were significant fees and charges. In some cases, there were as many as 10 unwanted accounts for customers of Wells Fargo.

While this case continues to wind its way through various administrative hearings, news stories and the inevitable civil lawsuits, there is a strong irony in this case that can easily go unnoticed. There can be no doubt that customers of the Wells Fargo were victimized by an abusive campaign. However, while these customers can be considered OVERBANKED there are simultaneously millions of Americans are unbanked and underbanked.

A Forgotten Population

Wells and many other financial institutions continue to pursue practices that forced additional accounts on people who already had a banking relationship. In the meantime, there are millions of potential customers who have no relationship at all as the FDIC showed inn their 2015 study of Unbanked and underbanked populations.

The FDIC has defined Unbanked and underbanked as follows:

“…… many households—referred to in this report as “unbanked”—do not have an account at an insured institution. Additional households have an account, but have also obtained financial services and products from non-bank, alternative financial services (AFS) providers in the prior 12 months. These households are referred to here as “underbanked.”[1]

Per the Corporation for Enterprise Development, there are millions of unbanked and underbanked households across the country. For example, in 2010 the same organization estimated that 20% of the households in New Jersey are underbanked.[2].     The number of unbanked and underbanked people that live within the service areas of financial institutions presents both an opportunity and a level of risk. As the FDIC pointed out in there May 2016 study “Bank Efforts to serve underbanked and unbanked Communities” the whole banking community is better served when the level of trust and participation is increased[3].

Why Unbanked and Underbanked?

The FDIC asks the same sorts of questions every year the answers have been consistent. Here are some of the key observations:

  • The most commonly cited reason was “Do not have enough money to keep in an account.” An estimated 57.4 percent of unbanked households cited this as a reason and 37.8 percent cited it as the main reason.
  • Other commonly cited reasons were “Avoiding a bank gives more privacy,” “Don’t trust banks,” “Bank account fees are too high,” and “Bank account fees are unpredictable.
  • Perceptions of Banks’ Interest The 2015 survey included a new question asked of all households: “How interested are banks in serving households like yours?”
  • The survey results revealed pronounced differences across households.
  • Approximately 16 percent thought that banks were “not at all interested” in serving households like theirs, and the perceptions of the remaining 8 percent were unknown.
  • Unbanked households were substantially less likely than underbanked or fully banked households to perceive that banks were interested in serving households like theirs. More than half (55.8 percent) thought that banks were not at all interested, compared to roughly 17 percent of underbanked households and 12 percent of fully banked households.

While financial institutions are overbanking the customers they have, there are well over 50 million households in America that currently either don’t have a relationship with a bank or a minimal one.

Why serve these communities?

In many cases, misperceptions from the point of view of customers and financial institutions keep them apart. For far too long it has been an axiom that the costs of providing banking services for consumer accounts prevents an acceptable rate of return. However, through the development and use of new technologies, the costs associated with consumer accounts has significantly declined.

Without significant competition for the unbanked and underbanked households, financial needs are met by business that are predatory. The number of financial institutions offering high cost loans has proliferated and the number of unbanked and underbanked families has grown.

Advances in technology had made it possible for financial institutions to offer services to communities throughout the country and the world without needed to expand the branch system. Today’s digital wallet customer is tomorrow’s commercial loan.

Compliance as an Asset

For the financial institution that considers offering new products and services using technology, a new approach to compliance must be pursued.   Currently for most financial institutions, compliance is viewed as a necessary evil expense that is at best, the cost of doing business. However, suppose the role and function of the compliance department changed. When the compliance department becomes fully versed in the requirements for offering Fintech products, the institution can become an active participant in the burgeoning market. By putting resources into your institutions ability to assess and monitor risks, new products, partnerships and growth is possible. Start thinking of compliance as an asset- it can be the gateway to new sources of income

Towards New Markets

The fact is that there are products that are available and cost effective while the market for these products is huge; there simply must be a willing spirit. Rather than committing fraud, consider serving the unbanked and underbanked markets


[1] FDIC survey of unbanked and underbanked households

[2] See anked_Places_in_America.pdfJune 2016

[3]The FDIC recognizes that public confidence in the banking system is strengthened when banks effectively serve the broadest possible set of consumers. Accordingly, the agency is committed to helping increase the participation of unbanked and underbanked consumers in the banking system.

Your Partner in Balancing Compliance