Risk Management in US MSB Institutions

Introduction

The US Bank Secrecy Act (“BSA”) requires that every Money Services Businesses (“MSB”) implement a BSA/Anti-Money Laundering (“AML”) Compliance Program.  Risk assessments provide a clear view as to the organization’s policies and procedures. Failure to implement a comprehensive BSA/AML Compliance Program may result in significant fines and/or penalties by state and federal regulators. So, what does this have to do with risk management?  Having a risk assessment allows the company to establish a comprehensive Anti-Money Laundering (AML) Compliance Program.

US Regulations state that a company’s BSA/AML Compliance Program must be commensurate with the risks posed. This means that a comprehensive risk assessment must effectively evaluate the adequacy of policies, procedures, and internal controls that have been developed to mitigate the company’s risk. Brandi Reynolds has contributed to this blog to give us a brief outlook on the guidelines for effective Risk Management.

If you are a Financial Institution in any other jurisdiction different that the United States, and especially if you do business with US Financial Institutions it is very important that you understand the requirements and expectations of US regulators, both state and federal, over US Non-Bank Financial Institutions or MSBs.

Download a PDF

What is a risk assessment as it relates to MSBs?

• It is the process of recognizing the – potential of money laundering and terrorist financing risks,
• The identification and analysis of those risks,
• Conducting an assessment of the risks; and
• Developing strategies and processes to manage and mitigate the identified risks.

What is the purpose of a risk assessment? 

The intent of a risk assessment is to identify and measure risks in relation to the products, services, geographic locations and points of customer interaction that are most susceptible to money laundering and terrorist financing activities and develop:

• Policies
• Procedures
• Systems
• and Internal Controls

The risk assessment also serves to highlight remaining areas of exposure that should be addressed after applying a system of risk-based internal controls.  Training and Audit functions are an important part of risk management.

What should be included in the risk assessment?

While there is no “one size fits all” approach when creating a risk assessment, it should encompass all key areas of the company. There are many formats and templates that can be used in creating a risk assessment.  The method used should be based upon the company’s risk profile and should be easy to understand.  It is recommended that the risk assessment contain the following four risk categories:

These four risk categories can then risk rated.  It is important to consider all areas of the company when creating a risk assessment.  When creating a comprehensive risk assessment, the following should also be considered:

• Identify specific   products, services, customers and entities;
• Evaluate the company’s Know Your Customer (KYC) program, if available;

• Provide an understanding of where offices are located geographically. The company should document any offices or branch locations that are located in High Intensity Drug Trafficking Areas (HIDTA) or High Intensity Financial Crimes Areas (HIFCA) as identified by FinCEN.

Some additional risk factors that should be addressed and documented include:

• Volume of Currency Transaction Reports (CTRs) & Suspicious Activity Reports (SARs)
• Quality of functional & corporate-wide training
• AML Compliance Program
• Board of Directors/senior management oversight
• Breadth/depth of independent audit function
• Core computer system & monitoring system capabilities
• Previous government sanctions
• Acquisitions & new products
• And last but not least, Vendor and Agent Oversight

Of particular concern are risks that are specific to our industry which includes:

• Lack of ongoing customer relationships;
• Requiring minimal or no identification;
• Limited and/or inconsistent records;
• Frequent small currency transactions;
• Varying levels of regulations and oversight;
• Quick product mix change by business or customers; and
• Quick entry and exit of business by smaller players.

Are You Properly Managing Your Risk?

The first step in knowing if you are properly managing your risk is by reviewing the risk assessment on a regular basis to determine if the risks of the company are still adequately assessed.

So, how do you manage your risk?  The key is to understand the company’s risk exposure and develop the necessary policies, procedures, and internal controls to mitigate the risk. Regulators expect MSBs to conduct an in-depth review of all areas of the organization as part of their risk management.  To understand your risk and know if you are properly managing it, you should be able to answer the following questions:

• Does your risk assessment encompass all areas of the company?
• When creating the risk assessment, were all products and services offered by the company properly evaluated and assigned a risk rating?
• Did you review a list of all geographic locations were products and services are being offered? Are any of these locations in a high-risk area?
• Have you incorporated all material changes such as new products/services, expansion into new geographic areas into your risk assessment?
• Was supporting data used to substantiate the risk assessed?
• Has the Risk Assessment along with the Compliance Program been presented to and approved by the Board of Directors?
• Does the Compliance Program address Customer Due Diligence (“CDD”) & Enhanced Due Diligence (“EDD”)?
• Are FinCEN license registration(s) properly filed and renewed?
• Does the company have policies and procedures in place for transaction monitoring to identify and report suspicious activity?
• Does the company have policies and procedures in place for transaction monitoring for CTRs?
• Does the company have adequate policies and procedures to mitigate the company’s overall risk?
• Does the AML/Compliance designate a Board approved AML/BSA Compliance Officer?
• Does the company identify products and/or services that may pose a higher risk of money laundering?
• Does the company have a separate OFAC Risk Assessment?

Summary

The BSA/AML Risk Assessment will allow you to have a better understanding of your overall risks. The risk assessment should be comprehensive and well documented. When complete, an effective risk assessment should enable the MSB to establish policies, procedures, and internal controls to develop the company’s BSA/AML Compliance Program.

Important topics such as this are covered in MTCC, IMTC’s Money Transmitter Compliance Certification Course that has been labeled at the best Compliance Course for the industry. The next MTCC presencial course will take place on Tuesday, November 12th , 2019 at IMTC WORLD 2019 at the Eden Roc Hotel in Miami Beach. You can register for the course online or get a discounted rate for the course and the conference. Besides the plenary topics in the morning there will be excellent Compliance & Regulatory break-outs in both afternoons, Wednesday , November 13th and Thursday November 14th. Join us!

Upcoming MTCC presential Courses will also take place in IMTC LATAM 2020 in Buenos Aires, Argentina on April 22-24, 2020 as well as IMTC EMEA 2020 in London, UK on May 26-28, 2020 and in IMTC ASIA 2020 in Ho Chi Minh City, Vietnam in a date soon to be determined (August-September 2020).

The Online MTCC Course is set to be launched at IMTC WORLD 2019 for everyone in the world to be able to have the opportunity to take it from the confort of their home or office in easy-to-follow 11 Lessons. For a preview of the course you can check it out here at Online Courses.