As financial institutions face increased scrutiny on assessing Bank Secrecy Act/Anti-Money Laundering (BSA/AML) risk, there is now another tool to help document that risk. The Conference of State Bank Supervisors (CSBS), along with state financial regulators, recently announced the release of the BSA/AML Self-Assessment Tool, which is aimed at assisting institutions to better identify and communicate BSA/AML risk.
The BSA-AML Assessment Tool is not a requirement. Rather, the CSBS emphasizes that the voluntary tool should be used in conjunction with the Federal Financial Institutions Examination Council (FFIEC) BSA/AML Examination Manual and corresponding laws and regulations. "The BSA/AML Self-Assessment Tool helps financial institutions have a more consistent framework for assessing and communicating their BSA/AML risk-management program," said CSBS President and CEO Jon W. Ryan. "By providing this tool we hope in some ways to simplify and improve BSA/AML compliance."
The Self-Assessment Tool is a spreadsheet in Microsoft Excel format, which has pre-populated categories that mirror those used in the FFIEC BSA-AML Examination Manual. First, the Tool identifies risk in three categories: (1) Products & Categories; (2) Customers & Entities; and (3) Geographic Locations. After risk criteria are identified for each category, a risk level, ranging from low, moderate, to high, is assessed for each criteria. Once inherent risks are calculated, the Tool allows users to provide an assessment of risk mitigation controls for each risk level (weak, satisfactory or strong) followed by a residual risk rating for each bank.
The CSBS highlights that the main goal of the Self-Assessment Tool is to help communicate the results of the risk assessment process and promote transparency. By pairing down the assessment to one document, all identified risks can be shared between compliance staff, management and the board of directors. The Tool is also fully customizable and can be tailored to add risk definitions or adjust assigned values to afford higher weight to various risks. However, the Tool does not provide guidance on how to differentiate between risk levels and provides no guidance as to the expected risk controls for each category. Without such guidance, the risk ratings produced by the Tool remain extremely reliant upon the specific products, services, customers and geographic locations for each bank being assessed.
The release of the Self-Assessment Tool comes on the heels of a recent advisory issued by the Financial Crimes Enforcement Network requiring banks to file Suspicious Activity Reports (SAR) regarding cybersecurity or data breach events concerning efforts to acquire funds illegally or through unauthorized transactions. This includes malware intrusions or denial of service attacks that prevent financial institutions from stopping an unauthorized money transfer. As money-laundering schemes evolve and technology changes at a rapid pace, an emphasis will be placed on developing more sophisticated and transparent BSA/AML compliance programs. The BSA/AML Self-Assessment Tool can provide a good framework for banks to enhance their existing risk-assessment processes and improve programs for the future.