Business Unit Risk Assessment to Support AML Compliance
Many financial institutions are facing tremendous regulatory challenges due to lack of a comprehensive AML risk assessment program. Alacer's Business Unit Risk Assessment program can help identify levels of vulnerability to money laundering and risks of terrorist financing.
Today, many financial institutions are facing tremendous regulatory challenges due to lack of a comprehensive Anti-Money Laundering (AML) risk assessment process. As a key component of an effective AML Compliance Program, regulatory guidance recommends that financial institutions develop and implement a comprehensive AML risk assessment process that includes products and services, customers, geographies and business units. The purpose of the AML risk assessment is to identify the products and services, business units, customers and geographies that pose heightened risk for money laundering or terrorist financing.
A Business Unit Risk Assessment (BURA) forms a key component of an AML Risk Assessment. A BURA is an attempt to identify each business unit’s level of vulnerability to money laundering and terrorist financing risks. This involves an evaluation of, among other factors, products and services, customer base of each business unit and the risks and controls at the business unit level. In order to identify and understand an institution’s overall AML risk exposure, a Business Unit Risk Assessment (Assessment) must be established and conducted. The primary purpose of the Assessment is to measure the inherent AML risk within each business unit, by providing a mechanism for identifying each business unit’s respective AML risks and assessing the mitigating controls used to manage these risks.
The results of a BURA should be used to identify gaps in an organization’s AML Compliance program and to establish priorities. Additionally, the BURA results allow senior management and the board of directors to make informed decisions about money laundering and terrorist financing risks and to oversee how these risks are being managed.
A financial institution had its AML Compliance program criticized by internal auditors and regulators for lack of a robust and comprehensive risk assessment process. While the institution developed, adopted, and implemented a risk assessment methodology, the risk assessment rationale and methodology did not take into consideration all of the five (5) business unit risk assessments and how these risk assessments impacted the overall AML Compliance program. Audit fatigue, lack of resources, data integrity, and technology issues within the AML Compliance department led to process breakdown. Based on the issues noted, Alacer created a task plan that included:
- creating a Business Unit Risk Assessment Questionnaire
- appointing a central point of contact to lead facilitated sessions with business units
- engaging subject matter expertise and assistance
- identifying areas and departments to determine the population of business units that are required to complete the Questionnaire
- training business units and compliance personnel
- completing Questionnaire with business units, assigning risk ratings and finalizing assessment documentation with compliance.
Alacer Group professionals with deep expertise in AML Compliance, Risk Management and Technology had previously worked within the institution. Based on our experience and institutional knowledge, we knew this process could work for the institution.
The Assessment process includes:
- developing and maintaining a consistent, structured and integrated methodology for identifying, monitoring, managing and reporting AML risk;
- reviewing background materials (e.g., Audit Reports, Regulatory Examination Reports, Benchmarks or other Matrices, MIS) related to each business unit prior to leading the facilitated sessions associated with the Assessment in order to better understand the products and/or services and processes utilized by each business unit;
- serving as a facilitator for each business unit by providing guidance in completing the Assessment module;
- conducting a quality review of each business unit’s Assessment results prior to submission to the business unit’s head for approval;
- conducting comparative analysis of the current year’s AML risk assessment results versus the prior year’s results and documenting any significant changes; and
- tracking the status of each business unit’s Action Plan(s) and requesting status updates to assess whether the deadline for completion is met or any issues that might impact the deliverable are escalated to the head of the business unit.
Alacer Consultants worked with bank management to greatly enhance the business unit risk assessments process, and the overall AML risk assessment process in order to meet regulatory expectation. In addition to identifying where money laundering and terrorist financing risks are the greatest, the results of the BURA process was used to identify gaps in the organization’s AML Compliance Program. The BURA process dictates documentation and verification requirements for new and existing customers, support and validate the customer risk assessment process, determine the nature and frequency of transaction monitoring, influence the nature, scope and frequency of AML audits and assist in establishing other AML Compliance program priorities such as policies and procedures, training, staffing, compliance monitoring and testing.
A best practice approach in conducting BURA is to engage the business owners – the people who has the best knowledge and understanding of the business in identifying the inherent risks in the products and services, any money laundering & terrorist financing risks posed by the customers they serve and current money laundering/terrorist financing controls and any noted gaps in the AML Compliance program. Compliance plays a critical role in the process by reviewing and approving business owner-assigned ratings. Additionally, Compliance should implement, oversee, coordinate and maintain an effective AML Compliance program for the institution. More specifically, Compliance should support the business units in establishing and implementing procedures for compliance with applicable AML laws and regulations as well as meeting regulatory expectations.
In addition to Compliance, Internal Audit plays a pivotal role in the process. Internal Audit assesses the activities and processes conducted within each business unit to determine if they are consistent with the organization’s documented policies and procedures. More specifically, with respect to the Assessment, the primary responsibility of Internal Audit is to evaluate the Assessment process and methodology as part of its risk-based independent testing and as deemed necessary, conduct testing activities.