If you’re like me and have been watching any of the postseason baseball games, you are impressed by the talent of the players, especially how quickly they can cover the bases to turn a double play. I also get annoyed with all of the pitching changes. But that got me thinking about the amount of prep work done by each team to identify the best matchups. The managers must decide which risks they are willing to take by replacing one player with another. Those “risk assessments” drive the game plan and, hopefully, continued success. As we near year-end and approach the time of year when many financial institutions are getting ready to update their risk assessments for board approval, I thought it would be good to highlight the “bases” you need to cover in your BSA/AML Risk Assessment.
According to the FFIEC’s BSA/AML Examination Manual (the “Manual”), the first step of the risk assessment process is to identify the specific products, services, consumers, entities, and geographic locations unique to your financial institution.
After a quick scan of the Manual’s risk assessment guidelines, you may decide a few of the areas don’t apply to your institution. Does that mean they shouldn’t be included? Let’s look at some of the key areas you should address.
Identify the size of your institution and consider giving a comparison from three to five years ago for reference. Has your footprint expanded? Have you had an unusual amount of employee turnover? What type of financial institution are you (agricultural, large business, community consumer-focused institution, etc.)?
This section identifies where your institution operates and what geographic areas you serve. It is important not only to keep in mind the communities where you have a physical presence, but also to consider where your consumers reside and/or work. While you may not operate in a foreign country of money laundering concern, many institutions may be in or within commuting distance of areas designated as High Intensity Drug Trafficking Areas or High Intensity Financial Crime Areas. It is good to both note the proximity to one of these designated areas and give a good estimate of how many of your consumers live or work in those areas.
Who Are Your Consumers?
The Manual gives good guidance on consumers and entities that may be inherently higher risk by nature (nonresident aliens, non-bank financial institutions, etc.), and you should ensure all consumer types noted as high risk are addressed in the risk assessment. If you have any consumers who are “outliers” to the norm based on business type, this would be a good place to note them, along with any information regarding why your financial institution feels comfortable doing business with them. It also helps to indicate types of high-risk consumers you do not currently bank (e.g., virtual currency brokers, marijuana growers/distributors, politically exposed persons, third-party payment processors, etc.). Indicating the types of consumers considered by your institution to be a prohibitive risk is helpful in supporting your overall rating. By the way, do you have any Bitcoin ATM operators yet? They are becoming common.
Products and Services
This section is probably the most likely to change in any given year and should be updated accordingly. It is very important that any new products or services are identified and rated in a timely manner. Mobile deposit capture and online banking-initiated wire transfers may be products offered now that you didn’t offer a few years ago. Ensuring that you provide a listing of all products and services offered is essential. Similar to prohibited consumer/entity types, indicate which high-risk products and services you do not offer.
Having all the above information identified and laid out in a nice risk assessment format is great, but how does it translate? As a final step, you should perform a risk analysis for each area. Providing operational data to give context to each risk type is important not only to help you identify your financial institution’s overall rating, but also to help gauge future changes in risk. Quantifying your products, services, and consumer types allows for easy year-over-year analysis. I often see “Wire transfer volume is moderate.” What is moderate? It could be 100 per month for one institution and 15 per month for another institution of a similar size. It is important to provide volumes whenever possible.
Now that you know the key areas, you can reference the Manual to ensure you are covering all the bases. You now have a roadmap to confidently help drive your BSA/AML program into the future. And don’t forget, the risk assessment is just the first step. Once you’ve identified your risk, tailor your BSA program to address each of those risks, which will ensure your BSA game plan is well established and will drive your future success.