
Increasing Focus on Risk Management at Major Financial Institutions in the US

In this article, we’re focusing on what’s happening in the United States, particularly on various regulators’ increasing emphasis on risk management capabilities at major financial institutions.

According to an unofficial source close to the Office of the Comptroller of the Currency, an internal report leaked to Bloomberg alleges that 11 of the 22 large banks it supervises have “insufficient” or “weak” operational risk controls. If this is true, it means that at least half of the largest banks in the US need to improve their risk management practices.

FinCEN’s Notice of Proposed Rulemaking (NPRM) and ML/TF Risk Assessments

The Financial Crimes Enforcement Network (FinCEN) has issued a notice of proposed rulemaking (NPRM) with a significant focus on money laundering and terrorist financing (ML/TF) risk assessments. This will impact a wide range of regulated businesses, including financial institutions, casinos, depository institutions, insurance companies, money services businesses (MSBs), mortgage brokers, securities and futures dealers, and precious metals / jewellery businesses.

The full NPRM can be found here, and a shorter fact sheet is available here.

Below is a summary of the key points related to the risk assessment process:

Risk Assessment Process

FinCEN is proposing a risk assessment process requirement that would facilitate a financial institution’s understanding of its specific illicit finance activity risks and enable more dynamic identification, prioritization, and management of those ML/TF risks.

Key Takeaways

Here are the key takeaways from the notice of proposed rulemaking impacting ML/TF risk assessments:

  1. A risk assessment process must consider FinCEN's AML/CFT Priorities, among other items, to account for emerging and evolving ML/TF risks informing the AML/CFT program.
  2. To have an effective, risk-based, and reasonably designed AML/CFT program, regulated businesses need to establish a risk assessment process as the basis of the AML/CFT program.
  3. While many FIs identify, evaluate, and document their ML/TF risks through a risk assessment process that may be conducted periodically as a point-in-time exercise, FinCEN intends for FIs to utilize a dynamic and recurrent risk assessment process not only to assess and understand an FI's ML/TF risks, but also to reasonably manage and mitigate those risks.
  4. An FI's risk assessment process must identify, evaluate, and document its ML/TF risks, including consideration of: (1) the AML/CFT Priorities issued by FinCEN, as appropriate; (2) the ML/TF risks of the FI based on its business activities, including products, services, distribution channels, customers, intermediaries and geographic locations; and (3) reports filed by the financial institution pursuant to 31 CFR chapter X.
  5. FIs will have to review and update their risk assessment on a periodic basis, including, at a minimum, and particularly when there are material changes to the business's ML/TF risks.
  6. The risk assessment process must serve as the basis of a risk-based AML/CFT program. Regulated businesses must develop either policies, procedures, and internal controls, or independent testing “commensurate with the identified risks”.
  7. Regulated businesses must understand the risks they face to effectively mitigate those risks and achieve compliance with the BSA or foreign AML/CFT laws.
  8. An ML/TF risk assessment process becomes an explicitly stated regulatory requirement for businesses when developing their AML/CFT programs.
  9. An FI's risk assessment process can provide valuable insight into how limited compliance resources and attention can be effectively and efficiently deployed to address identified risks, and to comply with BSA/AML requirements.
  10. Regardless of the approach, the information obtained through the risk assessment process should be sufficient to enable the business to establish, implement, and maintain an effective, risk-based, and reasonably designed AML/CFT program.

Regardless of the approach, the information obtained through the risk assessment process should be sufficient to enable businesses to establish, implement, and maintain an effective, risk-based, and reasonably designed AML/CFT program.
