PRACTICAL SOLUTIONS
Bridging the gap between risk assessment and transaction monitoring
A robust money laundering/terrorist financing (ML/TF) risk assessment
is the cornerstone of a sound compliance program. With more reliance
on automated transaction monitoring systems, it is more important than
ever to ensure that your transaction monitoring program is properly
configured and aligned to the ML/TF risk profile of your institution.
On June 30, 2016, the New York Department of Financial Services
(NYDFS) issued final rule part 504 requiring senior officers or the
board of directors to certify the effectiveness of anti-money
laundering (AML) and Office of Foreign Assets Control (OFAC)
transaction monitoring and filtering programs.[1] The final rule goes
on to state that an institution’s transaction monitoring program
should be reasonably designed based on the risk assessment of the
institution and should appropriately match BSA/AML/OFAC risks to the
institution’s businesses, products, services and
customers/counterparties.
While conducting ML/TF risk assessments is not a new practice, this is
the first time that ML/TF risk assessments are a written requirement
for NYDFS-regulated institutions. This article will provide best
practices for bridging identified ML/TF risks to your transaction
monitoring program.
Identifying ML/TF risks within your institution
The board of directors and management set the risk appetite and
are responsible for creating a culture of compliance to ensure staff
adherence to the financial institution’s compliance program. A
robust risk assessment will help your financial institution to
promptly and accurately identify risks and apply appropriate controls
to mitigate risk or identify unacceptable risks to avoid. A sound
risk assessment will identify potential events that might impact
compliance objectives and should employ a combination of qualitative
and quantitative risk assessment methodologies. The risk
assessment should be utilized for the purpose of driving policy,
procedures, controls and independent testing.
The risk assessment process has four main steps:
1. Identify the ML/TF inherent risks
2. Analyze the mitigating controls
3. Evaluate residual risk
4. Determine the direction of risk
Inherent risk is the risk that is present without regard to mitigating
controls. Per the Federal Financial Institutions Examination Council’s
(FFIEC) BSA/AML Examination Manual,[2] a risk assessment should
include an assessment of the financial institution’s products,
services, customers, entities, transactions and geographic locations. A
sound risk assessment should include gathering relevant customer
and transaction data and interviews of business line leaders. The
composition of a complete customer and transaction database is the
first step in understanding where the ML/TF risks are within your
institution. It is best practice to include at least two years of customer
and transaction data within your database as this helps identify
potential trends utilized for determining the direction of risk.
[1] The final rule applies to banks that are chartered or licensed by New York, as well as nonbanks, such as money services businesses.
[2] FFIEC BSA/AML Examination Manual dated November 17, 2014, page 18.
ACAMS TODAY | SEPTEMBER–NOVEMBER 2017 | ACAMS.ORG | ACAMSTODAY.ORG