Quick Reference Guide to BSA/AML Enterprise Risk Assessment
By Mayank Johri & Erik De Monte
1 Introduction
The AML Risk Assessment is a key pillar in a financial institution’s AML compliance program addressing BSA/AML
regulations. The assessment is an essential mechanism to assist management in understanding the institution’s
vulnerability to money laundering and terrorist financing including:
i. Playing a critical role in the compliance governance structure.
ii. Providing transparency of AML risk across businesses, product, and customer.
iii. Guiding management to make informed decisions about risk appetite and implementation/prioritization
of control efforts, allocation of resources, technology spend, etc.
iv. Ensuring that the relevant internal (i.e. senior management) and external (i.e. regulators) parties are made
aware of the key risks, control gaps and remediation efforts.
The AML Risk Assessment calculates an aggregate AML risk rating for each line of business (LOB). The aggregate AML
risk is a combination of AML risk (inherent risk) and quality of risk management (control effectiveness). The
methodology is based on published regulatory guidelines and input from the institution’s AML policy office. In addition
to providing insight over the points discussed above, the risk assessment acts as a foundation and an essential driver for
all areas within the BSA/AML group for the period following the assessment.
The following diagram outlines the risk assessment approach at a high level. Inherent risks are identified and the
control environment is analyzed to understand how those risks are being mitigated. What remains is the aggregate, or
residual, risk that must be addressed.
Figure 1.1 High Level Approach
2 Challenges
Institutions face a myriad of challenges while conducting a risk assessment. The foremost of these is sourcing data
from the various LOBs, which is difficult to accomplish in a timely and efficient manner. Managing multiple documents
across LOBs can be extensive, and relying on LOB resources to perform data validation is time consuming. BSA/AML
expertise in handling data is limited, and reviewing, cleaning up and transforming the data can be an onerous task.
Another challenge is setting thresholds and scoring, as this process is usually subjective and manual, which results in an
indefensible methodology for defining the institution’s BSA/AML risk.
3 Solution
The BSA/AML risk assessment should be considered a collaborative analytics and policy function. Across financial
institutions, the acquisition and understanding of the data environment is the area in which the analytics team can act as
a bridge for the BSA/AML team. Ideally, management should allocate a dedicated analytics team with BSA/AML risk
expertise to take the lead and collaborate with the policy team. Together, the team can build an automated, robust,
and defensible BSA/AML risk assessment.
The investment of time and collaboration between Analytics and the policy office to build an automated risk
assessment model will alleviate data acquisition pain points and allow the policy office to allocate more time towards
its qualitative assessment (discussed further below). The automation model can be built on a dynamic platform
that will be leveraged for all subsequent annual assessments.
3.1.1 Automated Data Sourcing and Extraction
As discussed above, one of the largest challenges that the BSA/AML group faces is in the first phase of the assessment:
data sourcing. The steps below outline the collaborative process that the BSA/AML and dedicated analytics teams can
take to move towards a more efficient and technologically supported system:
1) Analytics and BSA/AML gain a collaborative understanding of data required to perform the assessment by
building a comprehensive questionnaire. Review prior assessment’s data and understand any challenges that are
faced in the procurement process of said data.
2) Analytics and BSA/AML map the questionnaire to data elements in various systems. Consult LOB contacts as
needed.
3) The Analytics team utilizes its knowledge of cross-LOB systems and backend databases to build custom queries and
conducts completeness and accuracy tests on the extracted data. Any data transformation steps that can be
automated are incorporated into the extraction queries as needed.
4) QC and validate the queries across all LOBs. Consult LOB contacts as needed.
5) Engage technical support team and build an ETL structure which allows for targeted and quality data that can
be pulled daily, monthly, etc.
6) Build an AML-wide data dictionary.
The benefit of building an automated data sourcing process can be seen in the visual below. The time consuming
challenges of manual data extraction and validation can be automated by leveraging the Analytics team. The new
automated process provides peace of mind about the data that is sourced and frees the BSA/AML team to focus on the
subsequent steps within the risk assessment (i.e. qualitative assessment of inherent risks, control effectiveness, etc.).
Figure 3.1.1.1 Data Sourcing Automation
It is important to note the benefit of using this exercise to solidify an AML-wide data dictionary. The risk assessment
not only identifies and drives much of the BSA/AML effort throughout the year; it also builds an understanding of the
customer, product, channel and other data that every function of the BSA/AML department relies on in its day to day
projects.
3.1.2 End to End Automated Solution
Included below is the proposed process under the new Analytics driven automation model. The process still follows the
structure of a standard risk assessment (Data Sourcing, Inherent Risk, Control Assignment, Threshold and Scoring
Analysis, etc.) but now includes automated processes that can be implemented using the co-collaboration of BSA/AML
and a dedicated Analytics team.
Figure 3.1.2.1 End to End Automated Solution
This effort in turn will see the following impact:
a) Automate and remove the delegated responsibility of data requests from all LOBs.
b) Allow data to be pulled and presented in an already agreed upon and familiar format.
c) Eliminate the preliminary data pull and validation process, freeing up more time to allocate to the assessment
process.
d) Integrate front end forms/repositories (e.g. SharePoint) and automate the calculation of scoring based on dynamic
thresholds that can be adjusted year over year.
e) Integrate advanced data visualization tools (e.g. Tableau) for a more dynamic visual UI (e.g. real-time threshold
adjustment analysis).
4 Understanding the Risk Assessment and Additional Automation Opportunities
Once data has been acquired, the BSA/AML team works to understand the inherent risks associated with the bank and
the effectiveness of the controls in place to calculate what aggregate risk remains. The figure below depicts a high level
understanding of the process. Each of these phases is elaborated on in further detail below and includes opportunities in
which an analytics team can be leveraged to bring automation to each stage of the process.
Figure 4.1 Understanding the Risk Assessment
4.1 Inherent Risk
Inherent risk is defined as “the risk absent controls”. This assumes that the controls in place to mitigate money
laundering or sanctions risk never result in an Aggregate Risk that is higher than the Inherent Risk: the controls either
mitigate or fail to mitigate Inherent Risk.
For each line of business, the Inherent Risk Rating comprises four attributes: Customer Risk, Product and Channel
Risk, Geography Risk, and Other Risk. Each must be evaluated independently to understand the overall risk that
the institution faces.
4.1.1 Customer Risk
Customer Risk reviews the overall client landscape of the institution to understand what inherent risk the clients and
their distribution pose to the institution. Customer Risk is determined by reviewing the following attributes:
1. High Risk Customer Type (e.g., PIV’s, PSPs, PICs, cash intensive, etc.)
2. AI Governance
3. AML Subpoena
4. Entity Structure
5. Industry Risk
6. New Customer
7. OFAC
8. Prior SAR
9. Section 312
10. 314a
Oftentimes a pre-existing Customer Risk Rating model can be leveraged, particularly if the model is built to incorporate
the aforementioned attributes.
4.1.2 Product and Channel Risk
Product and Channel Risk reviews the various products and services offered by the institution and the channels available
to the consumer to procure, utilize, and terminate these products. An in-depth understanding of financial instruments
and the inherent nature of these products is key to assessing the overall risk landscape of the institution given the offered
products and channels. Product Risk is determined by the following attributes:
1. Anonymity in transaction / Difficult to ascertain ultimate beneficiaries
2. Transaction related to the product can result in wire transfers to or from high risk countries
3. Complex product (i.e., involves multiple parties)
4. Involves online account services
5. Unrelated third parties receive disbursements, provide collateral, make payments or receive released collateral
6. Speed of Funds Movement
7. International transactions possible
8. Account floor requirements
9. Transactions in Products can be done with CASH
It is important to note that engagement with the LOB directors or contacts is pivotal at this step of the
assessment, particularly for any new products offered since the last assessment. The assessment of risk should not be
based solely on the inherent risk of the financial product/channel, but also on an understanding of the way in which the
institution’s own client base uses the product/channel. This is where the LOB directors or contacts can be a
resource in providing insight on the expected behavior and what risks it poses to the institution as a whole.
4.1.3 Geographic Risk
To understand geographic risk is to understand the geographic footprint of the financial institution. Geographic
risk is elevated if the institution is a regional bank with branches in HIDTA or HIFCA areas, a large institution with
operations in high risk countries, or an institution with private banking. In addition, geographic risk is particularly
important to reassess during each assessment, as different geographic areas carry different risk from year to year due to
changes in economic climates or political shifts (e.g. new regulations). Geographic Risk is determined by the following
attributes:
1. Citizenship
2. NRAs
3. Residence
4. Country of Formation
5. Country of Operations
6. Country of Investment
7. Country of Investors
8. Transactions from/to high/medium/low/domestic destination
Additional consideration should be allocated to the anti-bribery and corruption risk assessment which can either be
performed as a part of the AML risk assessment or as a supplemental risk assessment, at the discretion of the
BSA/AML management.
4.1.4 Other Risks to Consider
Additional risks need to be considered that do not fall neatly into any of the aforementioned risk categories but
still contribute to the overall inherent risk that the institution faces. The following are examples of additional
risks to consider; their relevance will vary by financial institution.
1. Are there any planned future changes to business units related to staffing in the next year - either business or
compliance staff - that could impact the ability to comply with AML and perform AML compliance related
tasks?
2. Have there been significant changes in the marketplace (geography, customer segments, and
competition/expansion), technology (systems), business processes or products within the past year?
3. Are there any dealings with counterparties that may be used to facilitate a transaction or refer a customer?
4. Do the business or technology plans take special consideration to include details surrounding customer,
geography, product and system changes?
5. What is the staff turnover for full time personnel?
6. Which channels are used to access the products offered by the business line?
7. Are there plans to grow the business inorganically through Mergers and Acquisitions?
8. Does the business rely on a vendor or a third party to carry out a process or part of a process related to
compliance with AML regulations?
4.1.5 Final Calculation of Inherent Risk
Once the risks have been fully vetted and quantified (at the discretion of the policy office’s procedures around
quantitative assignment), the individual risk scores are aggregated to compute the total inherent risk. The policy
office then assesses whether weights need to be applied to any of the risk groups based on the specific financial
institution. For example, if there is a considerable number of high risk customers in the population, customer risk will
weigh more than the other categories.
Please note that this inherent risk calculation is performed separately for each LOB. Should the policy office deem it
necessary, different weights are assigned to different LOBs based on each LOB’s specific risk environment.
Figure 4.1.5.1 Inherent Risk Calculation
4.2 Control Effectiveness
After inherent risk is calculated for each LOB, the assessment continues to understand what controls currently exist to
mitigate and address the inherent risks identified. This is performed through interviews with the respective contacts in
each of the LOBs. Best practice calls for each LOB to upload all the supporting documentation on controls in a shared
repository such as a SharePoint site. As needed, internal audit may be engaged at this step to provide any documentation
that they hold in their repositories that would prove relevant to the assessment.
The BSA/AML team then reviews the control documentation provided for each inherent risk identified. After
understanding the control in place and the impact it has against the inherent risk, the BSA/AML team measures the
effectiveness of the controls and gives each control a numerical value. Similar to the calculation for the inherent risk,
depending on how prominent and extensive a control is, a weight may need to be applied in the calculation at
the discretion of the policy office.
4.2.1 Factors and Determination
The table below outlines factors related to the control effectiveness of a financial institution: the factors that the
BSA/AML team will ask each LOB about, and the documentation expected to support the determination of control
effectiveness.
Factors | Proposed Weight | Determination
Oversight/Culture, AML Corporate Governance/Organization | xx% | Culture of compliance from management, with clear roles, responsibilities, and reporting lines; number of FTEs or equivalents and skill levels
Training & Staffing | xx% | AML training for all staff, including performance reviews
IT Tools & Information Systems / Management Information / Management Reporting, Record Keeping and Retention | xx% | Transaction monitoring systems, data platforms, systems integration
Policies & Procedures / Quality Assurance / Independent Testing and Oversight (including recent Internal Audit, most recent Compliance Testing or regulatory examination specific to AML policies, procedures, or programs, or Other Material Findings / Other Risk Assessments); Action Plan items noted during the annual risk assessment, and Action Plan items are tracked | xx% | AML policies and procedures, including KRIs and updates based on changes in industry practices and regulatory expectations; KYC adherence; independent monitoring (pre- and post-onboarding) and testing
Monitoring/Investigations/Detection and CTR/SAR filing | xx% | Implementation of policies and procedures; record retention, tracking, and documentation of investigations for CTR and SAR filings
Exceptions to policy or obtained approval for any exceptions to policy | xx% | Approval process for exceptions
Know Your Customer (“KYC”); Client Due Diligence (“CDD”); Enhanced Due Diligence (“EDD”) | xx% | Robust KYC and EDD program
FIU’s documented procedures for transaction monitoring and reporting; independent assessment for effectiveness annually | xx% | Third party validation of process and procedures
Internal controls over general ledger suspense, sweep or other concentration accounts used to process customer funds | xx% | Documented controls of general ledger accounts
4.2.2 Setting Thresholds & Scoring
Once the inherent risk and control effectiveness assessments have been completed, the policy office must then answer:
What constitutes a “high” risk? What constitutes a "moderate" risk? What constitutes a "low" risk? Without established
thresholds, the policy office cannot effectively answer these questions, and without the answers to those questions it
cannot effectively determine aggregate risk.
This is where an Analytics team can be leveraged to cluster the data for threshold identification. The basic
approach to clustering is to partition objects/observations into several similar subsets. By extracting the data and using the
clustering functions of a statistical programming language (such as R or Python), these datasets can be broken
down into distinct clusters, each formed around one representative data point that stands for the group. That
representative point is the member with the minimal average dissimilarity to all other data points assigned to
the same cluster. This partition allows a boundary to be assigned more accurately (such as a target threshold to
distinguish normal from unusual). Subsequently, thresholds can be set by identifying the outlier cluster and the percentile
of the population that falls in it.
The advantage of using a statistical programming language is that, as long as the data inputs remain
consistent from year to year, the same code can be run each year to automate the threshold identification process.
This allows BSA/AML to allocate more time to qualitative analysis and provides a defensible model backed by
quantitative validation for the threshold selection process. Refer to Figure 4.2.2.1 below for a visual understanding of
the clustering concept in the identification of thresholds for a risk attribute.
Figure 4.2.2.1 Clustering and Outlier Identification
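The clustering approach described above, as an added example that is not from the original paper: a small pure-Python one-dimensional k-medoids routine (the medoid is the data point with minimal average dissimilarity to the rest of its cluster, as in the paragraph above) that finds the outlier cluster for a single risk attribute and sets the threshold at its lower edge. The cash-deposit ratios are constructed, and the choice of k=3 is an assumption.

```python
from statistics import mean

# Constructed sample: monthly cash-deposit ratio (cash / total deposits) for
# 24 hypothetical accounts in one LOB; this is the risk attribute thresholded.
SAMPLE_RATIOS = [
    0.02, 0.03, 0.04, 0.05, 0.05, 0.06, 0.07, 0.08,
    0.21, 0.23, 0.25, 0.26, 0.27, 0.29, 0.30, 0.31,
    0.74, 0.78, 0.81, 0.85, 0.88, 0.92, 0.95, 0.99,
]

def assign(values, medoids):
    """Partition values: each one joins the cluster of its nearest medoid."""
    clusters = [[] for _ in medoids]
    for v in values:
        nearest = min(range(len(medoids)), key=lambda i: abs(v - medoids[i]))
        clusters[nearest].append(v)
    return clusters

def medoid(cluster):
    """The member with the minimal average dissimilarity to the others."""
    return min(cluster, key=lambda c: mean(abs(c - o) for o in cluster))

def k_medoids(values, k, max_iter=100):
    """PAM-style 1-D k-medoids with deterministic quantile initialisation."""
    ordered = sorted(values)
    medoids = [ordered[(2 * i + 1) * len(ordered) // (2 * k)] for i in range(k)]
    for _ in range(max_iter):
        clusters = assign(values, medoids)
        updated = sorted(medoid(c) for c in clusters if c)
        if updated == medoids:  # medoids stable: converged
            break
        medoids = updated
    return medoids, assign(values, medoids)

def threshold_from_clusters(values, k=3):
    """Return (threshold, flagged_share): the lower edge of the cluster with
    the highest medoid, and the fraction of the population at or above it."""
    medoids, clusters = k_medoids(values, k)
    outliers = clusters[medoids.index(max(medoids))]
    return min(outliers), len(outliers) / len(values)
```

Running `threshold_from_clusters(SAMPLE_RATIOS)` on the constructed data yields a threshold of 0.74 that flags one third of the accounts; rerunning the same code on next year's extract, with the same input columns, reproduces the threshold selection without manual judgement.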
4.3 Aggregate Risk
Once both the inherent risk and the effectiveness of the internal control environment have been considered, the
aggregate risk can be determined. Aggregate risk is the risk that remains after controls are applied to the inherent risk.
The aggregate risk rating is used to indicate whether the money laundering risks within each line of business are
being adequately managed. The table below illustrates a three-tier risk calculation:
Inherent Risk | Control Strength | Aggregate Risk
Low | 90-100% | Low
Low | 80-89% | Moderate
Low | <80% | High
Moderate | 90-100% | Low
Moderate | 80-89% | Moderate
Moderate | <80% | High
High | 90-100% | Low
High | 80-89% | Moderate
High | <80% | High
4.3.1 Aggregate Financial Institution Risk
Once aggregate risk has been calculated for each line of business, the BSA/AML team is now able to assess the overall
risk for the financial institution at an aggregate level.
As discussed in section 4.1.5, the inherent risk is calculated for each line of business using the formula below.
$$
\begin{aligned}
\text{Inherent Risk}_{LOB_n} ={} & (\text{Customer Risk}_{LOB_n})(\text{Customer Risk Weight}_{LOB_n}) \\
& + (\text{Geography Risk}_{LOB_n})(\text{Geography Risk Weight}_{LOB_n}) \\
& + (\text{Products and Channels Risk}_{LOB_n})(\text{Products and Channels Risk Weight}_{LOB_n}) \\
& + (\text{Other Risk}_{LOB_n})(\text{Other Risk Weight}_{LOB_n})
\end{aligned}
$$
As discussed in the section above, the Aggregate Risk is calculated by subtracting the control effectiveness score from
the inherent risk score for each LOB.
$$
\text{Aggregate Risk}_{LOB_n} = (\text{Inherent Risk}_{LOB_n}) - (\text{Control Effectiveness}_{LOB_n})
$$
Lastly, the total risk for the financial institution is calculated by aggregating each LOB’s aggregate risk, where x is
the total number of LOBs. At the policy office’s discretion, a weight can be applied to each LOB.
$$
\text{Aggregate Financial Institution Risk} = \sum_{n=1}^{x} (\text{Aggregate Risk}_{LOB_n})(\text{Weight}_{LOB_n})
$$
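The three formulas above and the three-tier table, carried through in code as an added example (not from the original paper). The LOB names, attribute scores, weights, control effectiveness scores and control strength percentages are constructed; the 0-10 scoring scale and the cut-offs for the inherent risk bands are assumptions, since the paper leaves those to the policy office.

```python
ATTRIBUTES = ("customer", "geography", "products_channels", "other")

def inherent_band(score):
    """Assumed cut-offs on a 0-10 inherent score (a policy-office choice)."""
    if score >= 7.0:
        return "High"
    return "Moderate" if score >= 4.0 else "Low"

def control_tier(strength_pct):
    """Control strength tiers exactly as in the three-tier table."""
    if strength_pct >= 90:
        return "90-100%"
    return "80-89%" if strength_pct >= 80 else "<80%"

# Aggregate band for every (inherent band, control tier) pair in the table.
AGGREGATE_TABLE = {
    (ib, tier): band
    for ib in ("Low", "Moderate", "High")
    for tier, band in (("90-100%", "Low"), ("80-89%", "Moderate"), ("<80%", "High"))
}

def inherent_risk(scores, weights):
    """Inherent Risk_LOBn = sum of (attribute risk)(attribute weight)."""
    if abs(sum(weights[a] for a in ATTRIBUTES) - 1.0) > 1e-9:
        raise ValueError("attribute weights must sum to 1")
    return sum(scores[a] * weights[a] for a in ATTRIBUTES)

def aggregate_risk(inherent, control_effectiveness):
    """Aggregate Risk_LOBn = Inherent Risk_LOBn - Control Effectiveness_LOBn."""
    return inherent - control_effectiveness

def lob_assessment(lob):
    """Numeric inherent and aggregate scores plus the three-tier band."""
    inh = inherent_risk(lob["scores"], lob["weights"])
    tier = control_tier(lob["control_strength_pct"])
    return {
        "inherent": inh,
        "aggregate": aggregate_risk(inh, lob["control_effectiveness"]),
        "band": AGGREGATE_TABLE[(inherent_band(inh), tier)],
    }

def institution_risk(lobs):
    """Aggregate FI Risk = sum over n=1..x of (Aggregate Risk_LOBn)(Weight_LOBn)."""
    details = {name: lob_assessment(lob) for name, lob in lobs.items()}
    total = sum(details[n]["aggregate"] * lobs[n]["lob_weight"] for n in lobs)
    return total, details

# Constructed sample input for two hypothetical LOBs (0-10 scores).
SAMPLE_LOBS = {
    "Retail": {
        "scores": {"customer": 8.0, "geography": 5.0, "products_channels": 6.0, "other": 3.0},
        "weights": {"customer": 0.4, "geography": 0.2, "products_channels": 0.3, "other": 0.1},
        "control_effectiveness": 4.5, "control_strength_pct": 85, "lob_weight": 0.6,
    },
    "Private Banking": {
        "scores": {"customer": 9.0, "geography": 9.0, "products_channels": 7.0, "other": 4.0},
        "weights": {"customer": 0.3, "geography": 0.4, "products_channels": 0.2, "other": 0.1},
        "control_effectiveness": 6.0, "control_strength_pct": 92, "lob_weight": 0.4,
    },
}
```

Calling `institution_risk(SAMPLE_LOBS)` returns the weighted institution total together with each LOB's inherent score, aggregate score and band, so the policy office can see both the numeric result and the tier it lands in.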