Email #3

THE RISK ASSESSMENT

One positive of the Bank Secrecy Act is that your credit union is allowed, and actually expected, to have a BSA program that is commensurate with your own institution's size, complexity, and nature. You would not want to be held to the same regulatory expectations as large national banks that serve international clients, especially when you might be a smaller credit union in a rural area. But how do you know what the BSA risk is at your credit union? You need to look at several factors and weigh them against member service, strategic goals, and general risk to your institution. That is where your credit union's risk assessment comes in!


We do a form of risk assessment each day to decide what path to take or how to proceed with a decision. I know in Montana we would never plan a road trip in the middle of winter without considering the forecast, type of vehicle, road conditions, light for the given time of day, and more. The same is true for your BSA assessment -- what are your credit union's risks and where and how can they be mitigated through more complex policies and procedures or the use of technology?


Who completes the assessment?

The assessment is often initially put together by management, but your board of directors should also be part of the process since they make decisions about some of the factors that impact the risk levels. In larger credit unions, each department might be responsible for helping update the institution's assessment on a regular schedule. Normally, a risk assessment should be reviewed and updated at least every 12-18 months. It is recommended that your credit union review the risk assessment whenever changes to the categories make it necessary and not wait 12-18 months to address those impacts.


Will examiners focus on the risk assessment?

Regulatory agencies made a strong statement about the importance of the risk assessment in early 2020 when they announced updates to the FFIEC BSA/AML manual used by examiners. It was noted that the "updates provide instructions to examiners for risk-focusing BSA/AML examinations." The Risk Assessment section clearly states that "understanding its risk profile enables the bank [credit union] to better apply appropriate risk management processes to the BSA compliance program" and also "enables the bank [credit union] to better identify and mitigate any gaps in controls."


How do we enhance our risk assessment?

Some credit unions are starting to incorporate data to support the statements they make within their assessment. That might include internally available data on the number of personal vs. business accounts, demographics of account holders, the percentage of members accessing online services, or accounts that have had fraud uncovered. If you want to include demographic or geographic statistics for your area, they are readily available from the U.S. Census or state economic sites (e.g., https://ceic.mt.gov) to provide a more thorough picture of your area of service. This can be especially important if you are growing or expanding into new service areas.


Your credit union's risk assessment is as unique as the credit union itself. No two will look alike or evolve in the same manner. While the FFIEC does provide Appendix J: Quantity of Risk Matrix as a tool, you should not consider it a fill-in-the-blank template as you develop or update your credit union's risk assessment.

RISK AREAS OF FOCUS

Geographic Location


When assessing geographic location, your credit union should consider specifically whether it has branches or a field of membership that includes a High Intensity Financial Crimes Area (HIFCA) or a High Intensity Drug Trafficking Area (HIDTA). When your field of membership includes, or is near, a county with one of these designations, your risk is considered higher for money laundering activity.


There is currently not a designated HIFCA in Montana, but the state does have six counties deemed to be HIDTAs: Cascade, Flathead, Gallatin, Lewis & Clark, Missoula, and Yellowstone. In addition, reservation areas are commonly mentioned as areas of drug trafficking, as are areas along the interstate corridors. These should be considered and noted when setting the risk level for your geographic locations. Be sure to include those within your field of membership, as well as those bordering it.

Products/Services



Certain products and services pose a higher risk of money laundering or terrorist financing because they may allow a higher degree of anonymity or involve handling higher volumes of currency. Changing the way members access their accounts and services (such as during COVID lobby closures) also impacts your risk level. Below are some examples:


Electronic funds services (wire transfers, third-party payment processors, payment apps, and ACH transactions)

Online banking (especially online account opening)

Lending activities (online loan applications and loans financed through third parties, such as car dealers)

Serving a money service business (MSB) that cashes checks or sends funds

Accepting deposits from a cannabis-related business

Field of Membership

The risk assessment should clearly reflect a credit union's field of membership (FOM). Consider whether your FOM is a single employer, includes business accounts, encompasses multiple counties and urban areas, or is within a growing community where many members and potential members are no longer well known to your staff.
 
When a credit union expands to new counties or moves from a SEG-based to a community-based membership, it is an appropriate time to review the inherent risk of that change and adjust the credit union's policies and procedures to reflect it.

Looking at census data and other economic or demographic statistics of an area (such as those used to determine whether to expand service there or add branches or ATMs) can be helpful to include in your risk assessment and provide a more useful summary of the potential BSA risks in an area of service.

Comparing Risk Assessments

In January 2021, Jim Vilker of CU*Answers provided a webinar on Risk Assessments to the Compliance Officer Community. To show the value of data-backed assessments, he offered the following excellent example of how two assessments -- a simplistic risk assessment (#1 below) and one that includes more demographic data to back up the risk category conclusion (#2 below) -- analyze the membership category. It's clear that the second is more meaningful.

Risk Assessment #1

Success CU membership consists of people who live and reside in Sunny and Lakeside counties. The majority have natural person membership accounts. There was little to no activity in the last year indicating they are using the credit union for money laundering or illegal activity. Therefore, our BSA risk is considered low.

Risk Assessment #2

Success CU membership consists of 7,321 households with 9,435 membership accounts. 38% reside in Sunny County, 55% reside in Lakeside County, 4% reside in nearby counties, while the remaining 4% are outside of the state.

According to federal statistics, 44% of residents work in the blue-collar sector, 30% in health care, 20% agriculture, and the remaining 6% in other types of businesses.

The membership accounts consist of 64% natural person members, 10% small business, 6% trust accounts, 4% organizational, 2% representative payee, 10% minor, 1% custodial, and the remaining 3% consist of professional service providers and POA.

In the past year, the credit union has identified 6 accounts used for potential money laundering and is monitoring 12 others for anomalous activity. Listed below are the identified potential threats associated with the Bank Secrecy Act for each membership account type...

Risk Assessment Tool


The CSBS (Conference of State Bank Supervisors) provides a BSA/AML Self-Assessment Tool. It is intended to help a financial institution more effectively assess and internally manage its BSA/AML risks and can be adapted to your credit union's circumstances and risk profile. The tool is intended to lead to more informed conversations with board and staff, and its use is optional.

Example of Failure


In March 2022, USAA was assessed a $140 million civil money penalty for willful violations of the BSA and its implementing regulations. According to the FinCEN release, one of the primary issues was that USAA had greatly expanded their membership eligibility, but had not adjusted their BSA program to reflect the additional risk they had taken on.

Next Topic

BSA PROGRAM COMPONENTS

Access the 2023 BSA email series archive on our Compliance Training Tools page after each email sends. You'll also find other BSA and compliance training webinars and materials.

Donya Parrish, VP Risk Management | donya@mcun.coop | 406-459-3497