One positive of the Bank Secrecy Act is that your credit union is allowed, and actually expected, to have a BSA program that is commensurate with your own institution's size, complexity, and nature. You would not want to be held to the same regulatory expectations as large national banks that serve international clients, especially when you might be a smaller credit union in a rural area. But how do you know what the BSA risk is at your credit union? You need to look at several factors and weigh them against member service, strategic goals, and general risk to your institution. That is where your credit union's risk assessment comes in!
We do a form of risk assessment each day to decide what path to take or how to proceed with a decision. I know in Montana we would never plan a road trip in the middle of winter without considering the forecast, type of vehicle, road conditions, light for the given time of day, and more. The same is true for your BSA assessment -- what are your credit union's risks and where and how can they be mitigated through more complex policies and procedures or the use of technology?
Who completes the assessment?
The assessment is often initially put together by management, but your board of directors should also be part of the process since they make decisions about some of the factors that impact the risk levels. In larger credit unions, each department might be responsible for helping update the institution's assessment on a regular schedule. Normally, a risk assessment should be reviewed and updated at least every 12-18 months. It is recommended that your credit union review the risk assessment whenever changes to the categories make it necessary and not wait 12-18 months to address those impacts.
Will examiners focus on the risk assessment?
Regulatory agencies made a strong statement about the importance of the risk assessment in early 2020 when they announced updates to the FFIEC BSA/AML manual used by examiners. It was noted that the "updates provide instructions to examiners for risk-focusing BSA/AML examinations." The Risk Assessment section clearly states that "understanding its risk profile enables the bank [credit union] to better apply appropriate risk management processes to the BSA compliance program" and also "enables the bank [credit union] to better identify and mitigate any gaps in controls."
How do we enhance our risk assessment?
Some credit unions are starting to incorporate data to support the statements they make within their assessment. That might include internally available data on the number of personal vs. business accounts, demographics of account holders, the percentage of members accessing online services, or accounts that have had fraud uncovered. If you want to include demographic or geographic statistics for your area, they are readily available from the U.S. Census or state economic sites (e.g., https://ceic.mt.gov) to provide a more thorough picture of your area of service. This can be especially important if you are growing or expanding into new service areas.
Your credit union's risk assessment is as unique as the credit union itself. No two will look alike or evolve in the same manner. While the FFIEC does provide Appendix J: Quantity of Risk Matrix as a tool, you should not consider it a fill-in-the-blank template as you develop or update your credit union's risk assessment.