Risk is an inherent part of doing business, so credit unions must understand the risks that affect their institution. The risk assessment is the foundation of an effective Bank Secrecy Act/Anti-Money Laundering program. Not only identifying but also thoroughly analyzing risk allows management to adequately mitigate it through internal controls, policies and procedures.
Identifying risk categories and analyzing those categories are two independent steps in ascertaining risk. Using quantifiable data in the form of specific numbers or percentages supports the risk assessment and provides valuable data for further analysis. Comparing data from year to year can highlight areas with considerable risk changes.
Credit unions should consider which tools are available to monitor member activity because technology can significantly impact residual risk.
The Federal Financial Institutions Examination Council (FFIEC) offers an example illustrating the value of the two-step risk assessment process:
Credit Union A and Credit Union B each send 100 international funds transfers per day. Credit Union A has determined that approximately 90% of its fund transfers are recurring, well-documented transactions for long-term members. Credit Union B has determined that approximately 90% of its fund transfers are nonrecurring or for new members. While these percentages appear to be the same, the risks are different.
Similarly, international transactions to countries with a high risk of money laundering and terrorist financing pose a different risk than transactions to less risky regions. Products and services will impact the credit union’s risk profile and can also have varying degrees of risk based on the analysis performed.
An effective risk assessment should include the volumes of all the credit union’s products and services — including but not limited to international transactions such as ACH and funds transfers — that could affect the overall risk profile of the credit union.
Geographic risk does not refer merely to the credit union’s location. It pertains to the location of its members and transactions. Where did the funds originate? What is the destination of the funds? The credit union should know where its members reside and have systems in place to track funds transfers, especially international transactions to countries considered to be primary money laundering concerns.
The credit union should also know about funds transfers that are processed through the institution from or to higher-risk domestic geographies, such as areas designated as High-Intensity Drug Trafficking Areas (HIDTAs) and High-Intensity Financial Crime Areas (HIFCAs).
A robust risk assessment will take into consideration the number of branches and members located in HIDTAs and HIFCAs, as well as non-U.S.-born members from a country that is at high risk of money laundering or terrorist financing.
The number of Currency Transaction Reports and Suspicious Activity Reports can indicate areas with increased risk to the credit union. In addition, the turnover rate of personnel, particularly those in management, can impact risk and should be evaluated. Finally, the risk assessment should consider other nontraditional higher-risk activities such as methods of acquiring new account relationships.
While some types of members are higher risk due to the nature of their business, occupation or volume and types of transactions, it’s important to remember that not all risk is created equal. Higher-risk categories do not necessarily mean the member is high risk. The same is true for low-risk members who use high-risk products and services.
If the use of high-risk products is coupled with transactions involving high-risk geographies, a higher risk rating may be appropriate for an otherwise low-risk member. Credit unions that have a closed field of membership based on a shared commonality may have lower-risk members, whereas those with open membership may have members with a more complex risk profile.
Aside from identifying traditional higher-risk members, such as cash-intensive businesses and nonresident aliens, a credible risk assessment should document volumes of nontraditional higher-risk members, including ATM owners/operators, non-bank financial institutions, and marijuana-related businesses (including hemp and cannabidiol).
Services and electronic channels
Evolving technology makes banking more convenient for members. However, technology provides even more opportunity for savvy fraudsters. The near-instant speed and availability of transfer platforms can make BSA/AML compliance that much more difficult, since electronic banking provides more anonymity than services that are requested in person.
The methods by which an account can be opened and the methods by which products and services can be accessed are important components of assessing risk. Can members only view their activity with an online bank account, or can they initiate transactions? Are transactions limited to just internal transfers, or can the member conduct external transfers? Can the member initiate foreign transactions?
The answers to these questions will factor into the level of risk in this area. The risk assessment should address accounts opened online, business and personal remote deposit capture members, prepaid access such as gift cards and travel cards, P2P transactions and online banking functionality.
The risk assessment should be updated at least annually. However, the introduction of new products or services or major operational changes should be a trigger for making more frequent updates.
When considering new products and services, identify and analyze the risk. Not all risk is created equal, and not all higher-risk customers are necessarily high risk. When offering products and services that use electronic channels, make sure tools are in place to identify suspicious activity.
The use of quantitative data helps support the assessed risk in a particular area. BSA and compliance staff should be involved if there is a change in products or services or how they’re accessed. Comparing data from year to year can assist in determining potentially heightened risks in a certain area.
How Wipfli can help
Wipfli can assist your financial institution in developing a comprehensive risk assessment that addresses the broad range of factors affecting those analyses.