QUESTION
We have two questions involving our anti-money laundering program: (1) When should we conduct a risk assessment? (2) How do we conduct a risk assessment?
ANSWER
Although many people think there is a specific timing requirement for risk assessments, the fact is the Bank Secrecy Act does not explicitly set forth guidelines on when it should be conducted. However, the risk assessment is usually conducted before the initial development of the compliance program. It is updated periodically. [Federal Financial Institutions Examination Council, Bank Secrecy Act/Anti-Money Laundering Examination Manual (“FFIEC Exam Manual”)]
Our clients establish a policy to review the risk assessment either on an annual or a bi-annual basis. The risk assessment should also be updated when new products or services are offered, new offices are opened, or new delivery channels are activated. The risk assessment should be updated when another entity is acquired, a merger occurs or there is any other type of organizational change that may affect risks facing the organization.
It is also the case that many people do not realize that there is no statute or regulation which provides guidance on how a risk assessment for an AML compliance program should be conducted. Federal financial institution examiners receive guidance about risk assessments from the FFIEC Exam Manual. The FFIEC Exam Manual assists regulators in their determination of the overall or composite level of money-laundering, terrorist financing and related risks in an organization. [FFIEC Exam Manual, Appendix]
The risk assessment process or the final report does not have to be complicated and overly time-consuming. Depending on the complexity of the organization, at the most rudimentary level, the process may be as simple as listing the products and services offered, which customers use what products and services, and where and how the products and services are used. That said, an adequate and effective AML compliance program really cannot be developed without an appropriate understanding of an organization’s potential risk for abuse for money laundering, terrorist financing or other criminal activity. Therefore, the risk assessment process provides the organization with a structure for assessing the risks.
We have conducted AML risk assessments for many years. If you would like information about our risk assessment reviews, please contact us HERE.
Jonathan Foxx
Managing Director
Lenders Compliance Group
