November/December 2006
Published by BAI

Anti-Money Laundering Changes Raise Risk Assessment Requirements

BY ALAN DEINES

Following this checklist for streamlining procedures, along with added training for frontline staff, can help.

SYNOPSIS: Anti-money laundering legislation places increased compliance burdens on banks. Measures banks can take to alleviate the burden include: implementing risk assessment procedures and policies; establishing metrics that measure high-risk customers and transactions to determine level of risk; developing matrices to match up high-risk transactions with high-risk customers to reveal correlations; establishing procedures and coding conventions for identifying high-risk customers and transactions in databases to facilitate searches, analysis, monitoring and reporting; enhancing internal audit procedures to ensure compliance; and improving training for frontline staff.

Driven by the zero tolerance environment of the Patriot Act of 2001, bank regulators have recently made significant changes to the anti-money laundering provisions of the Bank Secrecy Act (BSA), particularly with respect to risk assessment, policy development and internal and external audit requirements imposed on banks. Regulators expect banks to identify their risk level and develop mitigating policies and procedures whose effectiveness will be judged according to the act’s new examination protocols. Since failure to comply can be very expensive — to the point of driving an institution out of business — risk assessment and mitigation are vital for survival.

While the factors that determine a bank’s risk profile — geography, customer base and types of transactions — are fairly clear-cut in regulators’ documents, the new guidelines are quite broad when it comes to implementation of risk-mitigation protocols. This means that it is up to banks to develop specific processes to minimize and measure risk.

Regulators’ examination procedures, too, have changed. While in the past they were audit-driven and focused on testing transactions, they now scrutinize the actual policies and processes a bank has in place. The handbook “Bank Secrecy Act Anti-Money Laundering Examination Manual,” issued by the Federal Financial Institutions Examination Council in June 2005, is a daunting, 300-page document. Yet, compliance need not be complicated. Streamlined policies and procedures, loophole-free data management and thoroughly trained employees from tellers to executives are the keys to making compliance a routine part of bank operations.

Banks will incur additional costs to extend the scope of their external audit. They will also need to do additional staff training and upgrade their computer systems to monitor transactions. We estimate these costs would constitute roughly 0.05% of an institution’s assets; a $1 billion-asset bank may spend about $500,000.

The following simple checklist will help streamline the process and facilitate compliance.

1. Implement risk assessment procedures and policies.

This requires learning more about customers. All banks obtain certain basic information about their customers when they open an account. But these documents are then filed away rather than used to make a judgment on the level of risk that might be associated with the account. The new regulations demand follow-up.

For example, greater due diligence and, where warranted, more stringent underwriting guidelines are necessary when opening accounts. First, determine whether the new customer fits into any category that is perceived to be high-risk by regulators. Examples include liquor stores, lawyers, accountants, boat and used car dealers and pornographic establishments.

Pony Express Community Bank in St. Joseph, Mo., completely rewrote its BSA program two years ago. The bank now takes some extra steps in opening accounts, such as checking names against an OFAC (Office of Foreign Assets Control) list. “We also scan copies of identification used to open an account into our system, while in the past we checked IDs but did not necessarily keep copies. We retain the documentation for the life of the account and some period beyond,” says Robert Means, the bank’s president.

Verification of identity, including corporate papers for businesses, is no longer enough when accounts are opened. Because customers can lie and documents can be forged, further due diligence is in order. The address must be checked and anything out of the ordinary (such as a business in a residential area or a residence in an industrial area) must be noted. As further verification, the bank can simply call the new customer and thank him for opening the account. If anything raises a red flag, account activities should be monitored. What kinds of deposits are being made? What kinds of checks are being written? Keep an eye out for suspicious activities.

Scrutinize existing accounts, beginning with business accounts. What do bank employees really know about customers? This is the most time-consuming and labor-intensive process in bringing an institution into compliance. However, in most cases it will not be necessary to hire additional staff if the workload is distributed evenly and activities are well planned.

In reviewing existing accounts, refer to the regulators’ list of reportable, high-risk activities (wire transfers, large cash transactions, etc.) and compare them to account transactions. For example, are there too many high-risk transactions for a particular type of account?

2. Establish a set of metrics that measures high-risk customers and transactions to determine the level of risk.

Determine how many high-risk transactions or high-risk customers are “normal” for the bank, given its geographical location and nature of business. Questions that need to be answered at this stage include: How many customers does the bank have that fall into high-risk categories? How many may be considered “normal”?

Also, establish dollar thresholds for transactions. For example, the law requires the filing of a report for any amount over $10,000 for certain kinds of transactions, but the bank may want to establish a lower threshold to minimize risk. Many banks in the Midwest, for instance, begin scrutinizing transactions at $3,000 or $5,000. Track transactions by customer and monitor them over time. How many transactions per month per customer are to be expected? Establish review procedures that kick in when the norm is exceeded.

3. Develop matrices to match high-risk transactions with high-risk customers to reveal correlations.

Which specific high-risk customers are engaging in which high-risk transactions and how often? Noticing suspicious correlations is critical to identifying risk. Further, examine the bank’s entire customer base for anything outside the norm. For example, if a business account is located in a residential area and performing large numbers of high-risk transactions, a review should be generated. Most banks today don’t go beyond a review of customers to a review of transactions. It may be necessary to revise account management procedures or to appoint an individual to take charge of the process.

4. Establish procedures and coding conventions for identifying high-risk customers and transactions in databases to facilitate searches, analysis, monitoring and reporting.

When information is gathered and entered into the computer systems, take the extra step to create a set of unique codes for the types of high-risk customers and transactions listed in the BSA. This will make it easy to sort, search and report by type of business or transaction and thus facilitate monitoring. The key is to be consistent in these conventions and to review the resulting reports in a timely manner rather than file them away. Act on the information, for example, by imposing stricter underwriting guidelines.

Almost all core processors generate transaction reports that may need only slight modifications to accommodate the new requirements. If extra fields are available in the database, it’s as simple as assigning them to a set of new codes. Some banks may need to add additional workstations, software and memory to their processors or program additional fields into the database. Others may need to purchase a program for statistical analysis to create the customer/transaction correlations.

How often reports are run depends on the bank’s geographic location. In a low-risk locale such as Nebraska, once a month may be plenty, while billion-dollar-asset banks in Los Angeles or Miami had better do it every day.

5. Enhance internal audit procedures to ensure compliance.

Making the audit function responsible for examining reports and spotting potential problems creates independence. Also, it ensures staff members are accustomed to dealing with regulatory compliance and scrutinizing the accounts.

However, the buck does not stop with the internal audit department. Procedures must be in place for internal auditors to work with the governing board or its audit committee to present information and recommend steps to mitigate risk. Senior management, on the other hand, needs to ensure that updates it receives from the regulators are passed down to the internal auditors so they can do their job. The procedures for external audits have not changed. However, the emphasis on compliance and risk assessment is new.
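Checklist items 2 through 4 can be sketched in a few lines of Python. This is an added example, not code from the article or from any bank's system: it codes customers and transactions, applies an internal review threshold below the $10,000 reporting level, builds the customer/transaction matrix and flags customers who exceed a monthly norm. The code values, the monthly norm of 2 and the sample records are assumptions constructed for illustration.

```python
from collections import Counter

# Hypothetical coding convention (an assumption, not taken from the BSA).
HIGH_RISK_CUSTOMER_CODES = {"HR-LIQ": "liquor store", "HR-CAR": "used car dealer"}
HIGH_RISK_TXN_CODES = {"WIRE", "CASH"}  # wire transfers, large cash transactions
REPORT_THRESHOLD = 10_000  # report required for amounts over this
REVIEW_THRESHOLD = 3_000   # lower internal threshold chosen by the bank
MONTHLY_NORM = 2           # assumed normal count per customer per month

# Constructed sample data: customer id -> category code.
CUSTOMERS = {"C1": "HR-LIQ", "C2": "HR-CAR", "C3": "STD"}
# Constructed sample data: (customer id, month, transaction code, dollars).
TXNS = [
    ("C1", "2006-11", "CASH", 4_500), ("C1", "2006-11", "CASH", 3_200),
    ("C1", "2006-11", "WIRE", 12_000), ("C1", "2006-11", "CHK", 9_000),
    ("C2", "2006-11", "WIRE", 2_500), ("C2", "2006-11", "CASH", 5_000),
    ("C3", "2006-11", "CASH", 3_000), ("C3", "2006-12", "WIRE", 10_000),
]

def reviewable(txn):
    """High-risk transaction code at or above the internal review threshold."""
    _, _, code, amount = txn
    return code in HIGH_RISK_TXN_CODES and amount >= REVIEW_THRESHOLD

def correlation_matrix(customers, txns):
    """Count reviewable transactions per (customer category, transaction code)."""
    return Counter((customers[t[0]], t[2]) for t in txns if reviewable(t))

def monthly_exceptions(txns, norm=MONTHLY_NORM):
    """(customer, month) pairs whose reviewable count exceeds the norm."""
    counts = Counter((t[0], t[1]) for t in txns if reviewable(t))
    return sorted(key for key, n in counts.items() if n > norm)

def over_report_threshold(txns):
    """High-risk transactions strictly over the reporting threshold."""
    return [t for t in txns if t[2] in HIGH_RISK_TXN_CODES and t[3] > REPORT_THRESHOLD]

def review_queue(customers, txns):
    """Exceptions that belong to customers coded as high-risk."""
    return [(c, m) for c, m in monthly_exceptions(txns)
            if customers[c] in HIGH_RISK_CUSTOMER_CODES]

if __name__ == "__main__":
    for (category, code), n in sorted(correlation_matrix(CUSTOMERS, TXNS).items()):
        print(f"{category:7} {code:5} {n}")
    print("review:", review_queue(CUSTOMERS, TXNS))
```

Because both thresholds and the norm are named constants, an auditor can see exactly which values produced a given report and rerun it after the bank changes them.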

Training for Everyone

When banks’ procedures in gathering the necessary information and monitoring accounts are lax, it is usually because frontline staff members do not grasp the seriousness of the situation. Often, this is because they have not been adequately trained. Again, the solutions are straightforward. Get frontline people together for about a half-hour once a week, preferably in their work area, to raise awareness. Discuss the issues and problems they may be facing with compliance.

Pony Express Bank, for example, created a BSA committee whose members developed sample scenarios for currency transaction reporting and suspicious activity reports. Those scenarios are then used as training tools for the bank’s staff, who complete assignments for one of four basic scenarios each month. Afterward, they meet as a group to discuss any mistakes made and the challenges of completing transaction reports accurately.

The training also includes a sample situation in which participants must decide whether a suspicious activity report would be required. Scenarios are re-used with modifications to names, amounts and other specifics. For additional reinforcement, the bank also uses off-the-shelf training videos.

Frontline staff should be trained only on what they need to know to be on the lookout for suspicious customers and transactions. Don’t expect them to become experts in bank secrecy or money laundering. But do expect them to alert their supervisors to anything out of the ordinary.

For supervisors, provide more intensive training. Familiarize them with the regulations and involve them in the development of policies and procedures so they understand how they fit into the big picture and can properly supervise their teams.

Training for senior management and board members should communicate the serious consequences of failure to comply. This level of leadership does not need to be trained in the highly technical aspects of compliance that primarily affect mid-level management. Create the appropriate level of awareness and expertise up and down the ladder.

Having supervisors and even frontline staff take turns developing and presenting training sessions is a great way to reinforce skills and create deeper understanding. Employees who are actively involved in the training process are likely to improve their own expertise. They are much more likely to recall the material than if it had been spoon-fed to them. For balance and fresh perspective, it’s also a good idea to bring in outsiders periodically who can share experiences and best practices from other financial institutions.

Getting Help

Regulators also provide training and training materials, as well as how-to manuals, audit work papers and other materials that explain what needs to be done and when. Further, upon request, regulatory agencies will send representatives to banks to walk through procedures and policies. It’s an excellent service and free of charge.

Encourage everyone in the bank to visit regulators’ Web sites regularly to keep up to date. Audit staff particularly can benefit from the most up-to-date information and emerging issues found on the Web rather than waiting for the arrival of printed documents.

Mr. Deines is a principal with Woodbine, Kansas-based Stout & Deines, Inc., which provides solutions and training in bank management, management support, director support and IT audit consulting.

Copyright © 2006 by Banking Strategies, published by BAI.
