Applying the Risk-Based Approach During a Pandemic―Lessons Learned


At the onset of the COVID-19 pandemic, the U.S. government passed the Coronavirus Aid, Relief, and Economic Security Act (CARES Act). The CARES Act was the government’s response to the rise in unemployment and a stagnant economy following a nationwide quarantine. From direct deposits to individual households to the Paycheck Protection Program (PPP) for small businesses, the government designed these programs to help citizens and small businesses preserve employment. In creating these programs, the government also cultivated new outlets of opportunity for criminals to take advantage of “free money” during a time of unparalleled vulnerability. In part, this has been due to antiquated technology and regulations that were not set up for a fully digitalized and remote workforce. Thus, regulators were motivated to issue numerous updates and adjustments to regulatory expectations, focusing on the myriad new risks caused by these unprecedented times.

A Risk-Based Approach

As early as April, the Federal Financial Institutions Examination Council (FFIEC) released an update on the Bank Secrecy Act/Anti-Money Laundering (BSA/AML) examination manual. The update did not include new requirements, but rather suggested an “increased emphasis on a tailored risk-based approach to examination.”1 The manual includes a new section under “Risk-Focused BSA/AML supervision”2 that is not mandated for all financial institutions (FIs) to implement. However, this section was added for banks to create a sensible risk profile that aligns the nature of the business with the company it operates. Since most FIs had to implement a work-from-home environment, which poses more risk to institutions, the manual also suggested a risk-based assessment to help institutions implement anti-money laundering (AML) procedures that are tailored to the banks’ needs and to identify appropriate controls for the institution.3 Similarly, the Office of Foreign Assets Control (OFAC) provided the following update to its sanctions guidance:

“OFAC understands that the COVID-19 pandemic can cause technical and resource challenges for organizations. As OFAC has articulated in both its Economic Sanctions Enforcement Guidelines (31 C.F.R. part 501 Appendix A) and its Framework for Compliance Commitments, the agency supports a risk-based approach to sanctions compliance. Accordingly, if a business facing technical and resource challenges caused by the COVID-19 pandemic chooses, as part of its risk-based approach to sanctions compliance, to account for such challenges by temporarily reallocating sanctions compliance resources consistent with that approach, OFAC will evaluate this as a factor in determining the appropriate administrative response to an apparent violation that occurs during this period.”4

The FFIEC and OFAC were among many regulators that made adjustments. Others included the following:

  • Small Business Administration
    • The Interim Final Rule outlines the AML compliance requirements for participants in the PPP.
  • Financial Crimes Enforcement Network (FinCEN)
    • On April 3, 2020, FinCEN issued guidance for FIs to comply with BSA/AML obligations during COVID-19.
  • Office of the Comptroller of the Currency (OCC)
    • On April 7, 2020, the OCC issued Bulletin 2020-34, which underscored FinCEN’s guidance on AML compliance during the pandemic.5
  • Federal Reserve Board
    • The Fed Board issued ongoing guidance on loans, mortgages and other financial services and entities affected by the pandemic.
  • Financial Industry Regulatory Authority (FINRA)
    • On March 24, 2020, FINRA published frequently asked questions detailing specific circumstances for temporary regulatory relief during the pandemic.
  • New York State’s Department of Financial Services (DFS)
    • On March 12, 2020, the DFS issued a temporary relief order for regulated entities/persons during the pandemic.

A risk-based approach to compliance has many benefits, including assessing current risks to create controls. Adequate controls help mitigate money laundering, audit problems and possible sanctions violations. Risk assessments can prevent future violations, as opposed to reacting to them, giving the institution the opportunity to work proactively. A successful risk assessment aims to understand the following:

  1. The risk posed to the bank, clients, third parties and procurement
  2. The risk from products and services
  3. The risk based on geographic locations of operations and third parties6

Heat maps can be used to test the risk using the data attributes listed above. Risk-based testing should be performed once a year. Depending on risk level, some banks may require additional testing throughout the year. The risk assessment analysis should be used to understand where the company’s weaknesses are, what areas need improvements, and what areas are at risk of sanctions or other potential regulations. The results can also be used to implement or strengthen controls in place.

Ultimately, all agencies are concerned that the fundamental changes to the operations of corporations subject to their purview create risk factors that the institutions may be unaware of, or are simply not equipped to handle if they yield a greater volume of activity to review. Therefore, encouraging FIs and corporate compliance programs to focus on managing their risk will hopefully offset the anticipated gaps and deviations in meeting regulatory requirements.

The National Defense Authorization Act (NDAA) and Future Regulation

In 2021, robust regulations are expected to be implemented with the NDAA 2021 and the inclusion of key tenets from the Corporate Transparency Act, among numerous other Bank Secrecy Act updates.7 The inclusion of BSA/AML updates in the NDAA will transform the veiled secrecy around company registration in the U.S. and provide whistleblower protection for AML, among many other benefits that will support compliance officers or FI members who face challenges in the aftermath of the pandemic and onward. In addition to risk-based assessments, the following are key concentrations that FIs and businesses should prioritize to mitigate new and future risks:

  • Investment in artificial intelligence (AI) and technology: Creating AI models that can automatically increase or decrease thresholds based on learned data points within institutional operation could minimize, if not fully eliminate, false positives in transaction monitoring efforts. In addition, smarter AI could assist in reducing identity theft for U.S. government agencies and FIs. For example, expanded AI-based checks that replace or enhance knowledge-based audit authentication could highlight how criminal fraud groups are obtaining access to funds provided by the government.8
  • Investment in KYC programs: Alongside the implementation of AI, KYC programs need to keep up with modern criminals. Robust programs should include technology or systems that can easily change rules to ensure the rules align with modern crimes. Choosing to implement a KYC program with a risk-based approach will also minimize the amount of manual work or remediation needed, as the institution will already understand the risks and will work with the appropriate controls.
  • Understand criminals: Understanding criminal trends through the pandemic has been an eye-opener for most institutions. FIs need to keep up with trends to ensure systems and rules are amended to prevent criminal activity from entering the institution. Understanding the data flowing through their systems can help determine the actions that need to be taken within those systems.


The knowledge acquired from the COVID-19 pandemic has helped close the knowledge gap between cybercriminals, money launderers and FIs. Unfortunately, the hard lessons learned come from the loss of millions of dollars. Congress and the Senate are drafting a proposal for a second stimulus relief that will test all the knowledge gained about what to do and what not to do in compliance.

Mariah Rodriguez, director, Alvarez & Marsal, LLC, Miami, FL, USA

  1. “FFIEC Updates Its Bank Secrecy Act/Anti-Money Laundering Examination Manual,” Greenberg Traurig, April 22, 2020.
  2. Ibid.
  3. Ibid.
  4. “The Office of Foreign Assets Control (OFAC) Encourages Persons to Communicate OFAC Compliance Concerns Related to the Coronavirus Disease 2019 (COVID-19),” U.S. Department of the Treasury, April 20, 2020.
  5. “Bank Secrecy Act/Anti-Money Laundering: OCC Supports FinCEN’s Regulatory Relief and Risk-Based Approach for Financial Institution Compliance in Response to COVID-19,” Office of the Comptroller of the Currency, April 7, 2020.
  6. Mario Mancuso and Abigail Cotterill, “What OFAC Means by a Risk-Based Approach to Compliance,” Kirkland & Ellis, May 26, 2020.
  7. “National Defense Authorization Act for Fiscal Year 2021.”
  8. “The pandemic has changed how criminals hide their cash—and AI tools are trying to sniff it out,” MIT Technology Review.
