The 2010 edition of the Federal Financial Institutions Examination Council's (FFIEC's) Bank Secrecy Act/Anti-Money Laundering (BSA/AML) Examination Manual is notable for its significant expansion of the BSA/AML risk assessment section within its Core Examination Overview—a crucial step in promoting the framework which serves as the foundation of an effective BSA/AML compliance program. The fact that the FFIEC placed such emphasis on this section and positioned it near the beginning of the manual in the 2010 revision is no accident. The role and value of the BSA/AML risk assessment cannot be understated in terms of its direct impact on the BSA/AML compliance program and compliance risk management, particularly regarding the efficacy of transaction monitoring, suspicious activity reporting and resource allocation within the financial institutions' overarching compliance infrastructure. Whether an institution employs manual or automated transaction monitoring, case investigations systems and controls, the BSA/AML risk assessment and, more specifically, the underlying customer risk assessment is the keystone supporting all efforts to identify, measure, monitor, and report money laundering and terrorist financing activities. The formality of the BSA/AML risk assessment will typically increase in direct proportion to the scale and complexity of an organization's operations. Whether a small community bank or large multinational financial institution with a dedicated Financial Intelligence Unit (FIU), the risk assessment is vital to execution of AML initiatives.

Coincidentally—or not—the same statements can be said for financial institutions' BSA/AML risk assessment's influence on the ability of the law enforcement community to effectively detect, investigate, and prosecute criminal and terrorist financing activity, as well as allocate resources particularly in the review and analysis of Currency Transaction Reports (CTRs) and Suspicious Activity Reports (SARs). Therefore, it stands to reason that the BSA/AML risk assessment represents both an inherent de facto aggregate cost factor and cost value to both financial institutions and law enforcement in terms of real dollars. To better understand this hypothesis, we will explore this matter further.

BSA/AML examination guidance defines the risk assessment endeavor as a two-step process. Step one: identify the specific products, services, customers, entities, and geographic locations unique to the bank. Step-two: in a more detailed analysis of the data obtained in step one, evaluate data pertaining to the bank's activities in relation to the customer identification program (CIP) and customer due diligence (CDD) information, noting that within any type of product or category of customer there will be accountholders that pose varying levels of risk.¹ CIP, CDD and Enhanced Due Diligence (EDD) initiatives—components of "Know(ing) Your Customer" (KYC)—are the essential tools required to complete the step-two process. For the purpose of this review, we will focus on step-two of the process.

Financial Institution Risk Ranking, EDD, and Resource Efficiencies

From a financial institution step-one perspective, a well-developed, documented risk-based BSA/AML risk assessment will assist in identifying the institution's BSA/AML risk profile and will serve as the foundation of a risk-based compliance program in support of the "four pillars" of effective BSA/AML compliance programs, which are: appointment of a BSA/AML officer; establishment of internal controls; independent testing; and training. From a step-two perspective, however, a well-developed BSA/AML risk assessment—particularly the "customer" risk assessment component—guides the institution in identifying and vetting customers who pose the greatest risk for suspicious activities subject to more frequent and enhanced monitoring. The risk assessment weighs heavily on the CIP through the establishment of an accurate customer risk profile during the information gathering stage during account opening and CDD efforts. Effective CDD policies, procedures, and processes are considered the cornerstone of a strong BSA/AML program.² It is at this point that an institution must assign the customer's BSA/AML risk ranking. The ranking may take the form of assignment of a numeric value or "rag" score (red, amber, and green) to classify escalation categories for EDD in manual operational environments or assignment of a numeric value or score as part of a customer's information file (CIF) in automated operational environments. Whether under manual or automated conditions, higher risk customers require enhanced due diligence to establish effective controls and processes to mitigate BSA/AML risk. Left unchecked, ineffective or inaccurate customer risk rankings have a direct and sustained impact on EDD/KYC and transaction monitoring efforts throughout the life of the customer relationship and can have the unintended consequence of delaying or, more disturbingly, thwarting the ability to detect potential unusual or suspicious activity due to ineffective EDD/KYC.

Once this population of customers has been identified, isolated and escalated to a higher tier of monitoring, the question arises as to whether human and technology resources have been sufficiently allocated to ensure that the institution can execute its BSA/AML compliance strategy to meet critical performance goals and regulatory obligations. It is here that an ineffective customer risk assessment can be revealed to have a direct correlation to resource allocation, efficiency and effectiveness, regardless of operating environment (manual vs. automated). The risk assessment/customer risk assessment affects four key cost components for financial institutions:

1. The ability to identify and measure suspicious activity, thus their ability to root out hazardous accounts and relationships;
2. The direct cost of human resources dedicated to EDD/KYC and transaction monitoring initiatives and sufficiency thereof;
3. Direct cost-benefit impact of information technology solutions systems relative to accuracy of parameter presets and tuning/retuning efforts, accuracy in identifying suspicious activity and patterns as well as vendor expense management; and,
4. The ability to effectively target new products and services suitable to customers to match their profile or needs.

In practical terms, the aforementioned costs equate to real-dollar losses through: opening unwanted high-risk accounts and relationships; ultimate failure to identify suspicious activity, resulting in potential regulatory actions including fines and restrictions; lost business opportunities; staffing shortages that weaken BSA/AML program effectiveness; overstaffing that creates bloated costs and/or misallocation of valuable resources that could have been dedicated to program or system enhancements or upgrades; and, high-risk customers that just "slip through the cracks." In the end, hazards facing financial institutions with weak risk assessments include, but are not limited to compliance, legal, reputational and operational risks.

FI vs. Law Enforcement: Contrasts and Parallels

Whereas financial institutions have a distinct pool of individual customers and the capacity to risk rank them based on existing relationships and CIFs, which equate to hardened data points, law enforcement must rely upon and gather information from a large and varied pool of resources in order to build and prosecute cases. Authorities are dependent upon the quality of information from both internal and external sources and face inherent information gaps because they may only know that some number of criminal organizations, money launderers, or possible terrorist financing entities reside within a fixed jurisdiction—but little else. Most discoveries occur through other investigations into the precursor crime. Thus the information that authorities receive from financial institutions in an effort to prosecute offenders within the criminal justice system must be clear and effective. For law enforcement, many cases begin with a small piece of information about the illicit financial network that must be prosecuted. Within the financial services community, however, customers generally have to produce a considerable amount of information before they are allowed to use products and services, and throughout the customer relationship institutions have the opportunity to analyze all of the customer's activity.

Therefore, it stands to reason that the end result of an ineffective BSA/AML risk assessment foundation and associated CIP, CDD, EDD/KYC on the financial institution side of the AML equation ultimately impacts the law enforcement side of the equation through partial, incomplete, or missing information within CTRs and SARs. Failure to identify a customer as high-risk through the CIP, CDD and EDD can result in the loss of early leads in criminal investigations. Failure to flag a customer as high-risk for suspicious activity and maintain strong EDD/KYC efforts through account and transaction monitoring can mean the loss of information critical to building or strengthening ongoing criminal cases. Inaccurate, incomplete, or unfiled CTRs and SARs can result in incorrect leads, unintentional facilitation of criminal or terrorist financing activities and loss of criminal prosecution opportunities.

From the law enforcement perspective, case management scenarios mirror the challenges facing financial institutions during the step-two risk assessment process with respect to EDD/KYC initiatives, but through the context of extended time parameters and expanded numbers of information pools. Consider that the financial institution's risk assessment/customer risk assessment impacts four key cost components for law enforcement initiatives:

1. The ability to identify and measure criminal activity, thus their ability to root out the most nefarious criminal and terrorist financing accounts, organizations and relationships;
2. The direct cost of human resources dedicated to monitoring and investigation initiatives relative to staffing levels and dedicated man hours;
3. The direct cost-benefit impact of information technology solutions systems relative to improving the accuracy of identifying the most suspicious activity and patterns; and,
4. Law enforcement's ability to build and explore joint regional, domestic, and multi-national task force opportunities, specifically concerning the "highest-risk" criminal, money laundering and terrorist financing organizations. Law enforcement agencies may spend approximately the same time on relatively small cases as on larger cases, therefore resource allocation is critical to overall prosecution success.

For law enforcement, the aforementioned costs can equate to real-dollar losses through: opening and pursuing lower-risk cases and investigations, resulting in waste of valuable investigative resources and opportunities; failure to identify criminal trends, resulting in potential increase of these trends and future losses for institutions; lost prosecutorial opportunities and misallocated justice system resources; staffing and/or resource cutbacks that weaken investigative impact and effectiveness; overstaffing that creates bloated costs and/or misallocation of valuable resource funds that could have been dedicated to program or system enhancements or upgrades; high-risk criminals and terrorists that just "slip through the cracks."

The compliance related risks involving ineffective BSA/AML risk assessments presented by financial institutions thus pose considerable operational risk to the law enforcement community. As with banks, authorities also have limited resources and must try to utilize their assets to gain the most impact and benefit. Risk management and risk assessment processes are undeniably proven risk mitigation methodologies for both financial institutions and law enforcement, but U.S. law enforcement has struggled with implementing this approach as there has been little-to-no pressure to adopt them. Part of the problem may be that the methodology is not considered an option—or it has not been presented as one.

Law enforcement relies upon access to individuals that financial institutions have reported through CTRs and SARs. It is law enforcement's job to analyze this information, and that is where risk assessments and subject prioritization could revolutionize how money launderers are identified and prosecuted in the U.S. and beyond. Most authorities rely upon SARs because financial institutions have already identified the subject of the SAR as suspicious and requiring further investigation. This method does not take into account any of the information that law enforcement has access to or suspicious individuals and entities that infiltrate multiple institutions. There are volumes of intelligence within BSA data available to almost every law enforcement department in the U.S.; however, only analyzing SARs singles out two types of criminals—and not all subjects of SARs are criminals. One type of criminal reported in SARs, and the most common, is the criminal that is not educated enough to avoid detection and controls; the other type are ones that are simply too big to hide beneath their activity. Educated money launderers that have learned to quietly integrate their funds back into society may never show up in a SAR, but are much more likely to be identified in CTRs.

Summary

Both financial institutions and law enforcement must contend with structuring and organizing a vast pool of information through the effective allocation of human and information technology resources. When law enforcement is able to combine the existing data that they have amassed with the data produced by the financial community, there is proven capability to produce world-class proactive intelligence and generate significant inroads into the criminal, money laundering and terrorist financing communities. By doing so, the U.S. Treasury, FinCEN and other global regulatory bodies are in turn able to be more informed of ongoing patterns and trends and able to issue further guidance to the financial community to prevent and deter the misuse of both U.S. and global financial networks. 

Brian Arrington, MBA, CAMS, communications director of the ACAMS Chicago Chapter, examiner with the Federal Reserve Bank of Chicago, Chicago, IL, USA, brian.arrington@chi.frb.org

Clayton Byford, CAMS, counter threat finance analyst, Chicago HIDTA/HIFCA, Chicago, IL, USA, cbyford@chicago-hidta.org

1. The FFIEC's 2010 BSA/AML Examination Manual, BSA/AML Risk Assessment — Overview, pages 22-30.
2. The FFIEC's 2010 BSA/AML Examination Manual, Customer Due Diligence – Overview, page 63.