

BSA/AML Risk Management and Electronic Banking

Jun 19, 2017


Just as certain products and services offered by financial institutions pose a heightened level of risk, how customers interact with those products and services also alters the levels of associated risk, as well as the regulatory expectations for risk mitigation. Financial institutions should consider all indicators of risk when evaluating methods of risk mitigation. In this article, we will focus on electronic banking. E-banking continues to become exponentially more important to the financial industry, both in terms of serving customers and presenting new challenges from a regulatory and risk standpoint. 

The Bank Secrecy Act (BSA) and Anti-Money Laundering (AML) requirements for e-banking are designed to limit and control these risks. Through implementation of proper internal controls, training, and customer due diligence, institutions can effectively manage the associated risks. The development of appropriate policies, procedures, and processes will ensure that the proper level of internal controls is in place to provide the necessary level of risk mitigation and security while still allowing for the smooth delivery of services to the customer.

Electronic Banking

According to the FFIEC BSA/AML Examination Manual, e-banking systems are those that provide electronic delivery of banking products to customers. This delivery method includes online account opening, automated teller machine (ATM) transactions, Internet banking transactions, Remote Deposit Capture (RDC) activity, telephone banking, and mobile apps. In this digital environment, consumers expect to be able to securely initiate payment for their concert tickets or for their mortgage with a few touches on the screen, without face-to-face contact. Likewise, regulators expect financial institutions to sufficiently manage the risk by capturing transactions conducted electronically and monitoring account behavior.

Assessing Risk Factors

Financial institutions should take into account the general risks presented as a whole by e-banking and the risks of each product or service offered. Focusing on these risks will ensure that the internal controls are aligned with the size, risks, and complexity of the services offered and have the capability to flag activity of concern. Reputational risk is also increased when e-banking is involved. Each week seems to bring another story involving hacking and stolen identities. The modern consumer not only expects to have the ability to perform activity with the push of a button, but also expects the provider to have the security in place to safeguard this activity and their personal information.

In general, activity that does not occur in person poses a higher level of money laundering risk and presents new challenges in the monitoring of suspicious activity. E-banking makes it more difficult to verify identity due to the inherent lessening of transparency and the immediacy of the transaction. In addition, e-banking allows for more interactions occurring outside of institutions’ targeted geographic areas. RDC may increase the probability of fraud and the transmission of compromised information as a result of the equipment being located outside of the financial institution. Mobile banking presents many of the same risks found within the traditional banking sector, along with additional security risks surrounding account data, fraudulent deposits or payments, and vendor management. The many forms of electronic funds payment services likewise present risks of account takeovers and laundered funds.

Financial institutions should perform a risk self-assessment annually and as new products are developed and rolled out to ensure the internal controls are in place to manage the risk.

Mitigating Risks

Once financial institutions determine the extent to which they utilize e-banking and the level of risks associated with e-banking, they should develop mitigation methods to monitor those areas. Internal controls must be able to identify operations most vulnerable to money laundering and other criminal activity, as well as provide a program tailored to manage risks. These controls should also ensure the ability to capture e-banking transactions and identify reportable transactions to accurately file all required reports, such as Currency Transaction Reports (CTRs) and Suspicious Activity Reports (SARs). While institutions are not held accountable for their customers’ compliance with BSA/AML regulations, regulators do expect that institutions have internal controls and systems in place to identify suspicious activity and to conduct appropriate due diligence based on risk.

Financial institutions need to institute controls for detecting unusual and suspicious activity within their e-banking systems and ensure that transactions conducted electronically are captured. This begins at account opening. As part of the Customer Identification Program (CIP), policies should make reference to the acceptable methods of verifying identity when an account is not opened in person. As part of the account opening process, obtain expected account activity as necessary so that it can be compared to actual activity and monitored for significant deviations. Likewise, it is important to institute controls on any transactional limitations on e-banking products for activities deemed higher risk as part of the customer due diligence (CDD) procedures. This may include conducting additional due diligence if certain transactions by the customer are noted, an increase in the customer’s activity is observed, or additional high-risk accounts are opened by the customer. As e-banking transactions occur, test the monitoring systems already in place to ensure the information is captured. Where information is not captured, make updates or create new reports.

Where RDC or mobile banking is involved, procedures should be put into place that provide methods to deactivate access to the account in the event of loss or theft of the mobile device. Additional security parameters may include additional methods of verifying access to the account, password protection requirements, and limitations on velocity or allowable payments. In addition, monitoring should be conducted for suspicious activity or trends.
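The two controls described above, comparing actual e-banking activity against the expected activity captured at account opening and enforcing per-payment and velocity limits, can be expressed as a small review routine. The following is an added illustration, not code from the article or from any vendor's monitoring system; the activity profile fields, the 2x deviation ratio, the alert codes, and the sample transactions are all constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime


@dataclass
class ExpectedActivity:
    """Activity profile captured at account opening (constructed fields)."""
    monthly_deposits: float      # expected total deposit volume per month
    monthly_txn_count: int       # expected number of e-banking transactions per month
    max_payment: float           # per-payment limit set for this product
    max_payments_per_day: int    # velocity limit on outgoing payments


@dataclass
class Txn:
    when: datetime
    kind: str        # "deposit" or "payment"
    amount: float
    channel: str     # "rdc", "mobile", or "online"


def review_month(expected, txns, deviation_ratio=2.0):
    """Compare one month of actual activity with the expected profile.
    Returns a list of alert codes for CDD follow-up; empty means no deviation."""
    alerts = []
    deposits = sum(t.amount for t in txns if t.kind == "deposit")
    if deposits > expected.monthly_deposits * deviation_ratio:
        alerts.append("DEPOSIT_VOLUME_DEVIATION")
    if len(txns) > expected.monthly_txn_count * deviation_ratio:
        alerts.append("TXN_COUNT_DEVIATION")
    payments = [t for t in txns if t.kind == "payment"]
    if any(t.amount > expected.max_payment for t in payments):
        alerts.append("PAYMENT_LIMIT_EXCEEDED")
    per_day = Counter(t.when.date() for t in payments)   # velocity check
    if per_day and max(per_day.values()) > expected.max_payments_per_day:
        alerts.append("PAYMENT_VELOCITY_EXCEEDED")
    return alerts


# Constructed sample: a customer who declared modest activity at opening.
EXPECTED = ExpectedActivity(5000, 20, 2500, 3)
SAMPLE = [
    Txn(datetime(2017, 6, 1, 9), "deposit", 4800, "rdc"),
    Txn(datetime(2017, 6, 3, 10), "deposit", 6100, "rdc"),
    Txn(datetime(2017, 6, 5, 8), "payment", 900, "mobile"),
    Txn(datetime(2017, 6, 5, 9), "payment", 950, "mobile"),
    Txn(datetime(2017, 6, 5, 11), "payment", 980, "mobile"),
    Txn(datetime(2017, 6, 5, 14), "payment", 990, "mobile"),
]

if __name__ == "__main__":
    print(review_month(EXPECTED, SAMPLE))
```

The sample deposits exceed twice the declared monthly volume and four mobile payments land on one day against a limit of three, so both deviations surface as alerts while the individual payments, each under the per-payment limit, do not.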

Even though institutions may have all of the proper systems in place, without properly training employees, it may all be for naught. One of the more important internal controls that can be put into place is to train employees to be aware of their responsibilities under the BSA/AML regulations and to be aware of internal guidelines. This includes tailoring the training to ensure it is applicable to each employee and comprehensive enough to ensure compliance.


E-banking presents both challenges and opportunities for growth for financial institutions and is an expectation of many modern consumers. By identifying risks, institutions can develop a system to mitigate fraud and monitor e-banking transactions. The adoption of a comprehensive program will allow financial institutions to grow and offer e-banking services in a way that provides security for consumers and complies with regulations and regulatory expectations.



Nick Bonnema, JD, CRCM