In July 2019, the financial institution regulatory agencies — comprised of the OCC, FRB, FDIC, and NCUA in conjunction with FinCEN — released a joint statement outlining a risk-based approach to Bank Secrecy Act examinations. 

While no new requirements were established as part of the exam process, its release confirms each respective regulatory agency’s commitment to tailor its BSA examination scope to the risk profile of the institution. It’s a common-sense approach to the exam process in that it will allow examiners to allocate more resources to reviewing higher-risk areas and fewer resources to lower-risk areas.  

This is good news for most institutions, but there is one caveat. In order to determine the most appropriate scope for each institution, the examiner will rely on various documents, such as the institution’s risk assessment and prior regulatory and independent examinations. 

To ascertain the risk profile of an institution, the examining agency will review its BSA/AML/OFAC risk assessment. Some cookie cutter risk assessments use vague terminology such as “few,” “moderate” or “normal” to describe the volume of high-risk products, services or geographies. An institution using such a risk assessment may see no change to its examination scope because the subjective terms make it difficult for an examiner to discern the actual level of risk. 

Regardless of the size of the institution, the risk assessment should be comprehensive and include real data as it relates to the geographic presence of the institution’s branches and consumer base, types of products and services offered, and operational data such as volume of currency transaction reports and suspicious activity reports filed, monetary instruments sold for cash, funds transfer activity, and exempt customers. 

The risk assessment should also outline high-risk products, services or consumers the institution does not have, such as marijuana-related businesses, third-party payment processors, money service businesses, ATM owners/operators, video gaming operators, private banking or remote deposit capture, to name a few. 

This approach demonstrates that the institution considered these in the development of its risk assessment and helps to mitigate the risk for the higher-risk products, services or consumer base it does serve. 

For an institution that maintains the aforementioned higher-risk relationships, the risk assessment should clearly define the inherent risk, the controls implemented by the institution to mitigate the risk, and the resulting residual risk. This data not only gives examiners a clear picture of how the institution identifies, measures and controls risk but also allows examiners to allocate proper resources to the examination.  

Having a comprehensive risk assessment in place benefits an institution during the examination process regardless of its risk profile. A lower-risk institution may have a narrower examination scope, while a higher-risk institution may have a more focused examination scope, keying in on areas that are most vulnerable to money laundering, terrorist financing or other illicit financial activity. A sound risk assessment also sends a strong message to the examining agency that the institution has a good understanding of its risk profile.  

A regulatory examination need not induce anxiety, and putting the building blocks in place to allow for proper scoping of the examination can help ensure that it does not. Wipfli has talent and resources available to assist your institution in developing a customized and comprehensive risk assessment.