ACAMS Today had the opportunity to participate in a roundtable about the ACAMS Risk Assessment Tool. The roundtable discussion was moderated by John Byrne, CAMS, ACAMS executive vice president. The participants were three members of the ACAMS Risk Assessment Task Force: Vasilios Chrisos, CAMS; Anna Rentschler, CAMS; and Jeanne Thurman, CAMS.
Vasilios Chrisos oversees the management of Macquarie’s AML and sanctions programs in North and South America. He is responsible for conducting risk assessments, developing AML policies and procedures, ensuring employees receive periodic AML training, acting as an adviser to stakeholders regarding AML/CTF and sanctions matters, managing investigations — as appropriate, ensuring Suspicious Activity Reports are prepared and filed timely, performing compliance testing, participating in the new business/product approval process, and chairing various AML Working Groups across the region.
Prior to joining Macquarie, Chrisos helped lead Ernst & Young’s AML advisory practice by managing projects/initiatives at large, complex institutions. He assisted and advised financial services institutions in developing comprehensive AML risk assessment frameworks, identifying inherent money laundering vulnerabilities, establishing customer risk-ranking protocols, designing AML compliance programs, implementing policies, procedures and controls, creating AML governance structures, establishing Enhanced Due Diligence (EDD) protocols, and developing transaction monitoring capabilities.
Chrisos has worked with financial institutions that were either undergoing or facing regulatory enforcement actions and advised them on the construction of action plans and communication strategies with regulators, including regular updates on the progress of remediation efforts. In addition to his role on the ACAMS global advisory board, Chrisos co-chairs the New York Chapter and is involved with several ACAMS task forces.
Anna McDonald Rentschler is vice president and BSA officer for Central Bancompany, Jefferson City, Missouri, a $10 billion holding company in Missouri and Oklahoma with branches in Kansas and Illinois, with which she has been affiliated for 30 years. The Financial Investigations Unit encompasses the BSA/AML and Regulation E dispute divisions, consolidating these functions enterprise-wide for 13 affiliate banks.
Jeanne H. Thurman is the global financial crimes compliance executive for the Enterprise Control Functions and Global Technology and Operations for Bank of America, one of the largest financial institutions in the world. In this role, Thurman consults with the businesses on financial crime risk issues, and oversees the Global AML Policy and Program implementation and AML Risk Assessment execution for her areas of responsibility.
Thurman joined Bank of America in 1987, starting her career in Internal Audit. She then spent several years managing domestic and international payments operations. For the last 16 years she has worked within Global Compliance managing key AML and Economic Sanctions functions.
John Byrne: A good way to get the conversation going is to talk in general about the risk assessment environment based on formal regulatory and enforcement actions. If we could start with your perspective and your personal experience on what are the important aspects of risk assessment (RA) from a regulator’s point of view?
Jeanne Thurman: It’s evolving for them as it is evolving for the institutions. For the last number of years, the regulators have come in and looked at our assessments, and the bar continues to climb on what is expected; trying to get to that point where “you nailed it” is remarkably difficult because the bar keeps moving, and that’s because of changing expectations.
With all of the enforcement actions, and all of the different things regulators are looking at, they are still trying to figure out what they expect from the RA. It would be helpful for regulators to be more prescriptive — so they tell us what they expect and then we have solid guidelines, but the guidance is limited.
JB: Anna, Jeanne deals with the regulators on a more frequent basis, sometimes even daily, but you deal with them differently, usually only when there is an exam or a formal interaction. From your experience, what is it that the regulators want?
Anna Rentschler: Well, one of the things the regulators agreed to is our process for RA. We have 13 affiliate banks for which we perform the RA. Initially we did it individually, but now the regulators have agreed that we can look at it from a big umbrella approach at the holding company level using a risk-based approach. Risk-based is truly something for which we need to tell our own story. Extensive documentation is required, and there are numerous graphs that are created when conducting presentations. I hate to call them pretty pictures, but that is what they are; a picture tells a thousand words. It also depends on whether you have examiners that have known you and have come in year after year, so they are not as concerned except on maybe the newer aspects of your risks for products and services. If you have regulators that are from outside the area that have never walked into one of our banks before, or when you have the joint agency review (the Fed, the OCC and the FDIC), it is really important that our RA tells the story and the why. They don’t have to know us; they can simply read the document and tell what our residual risk is after we have done all the mitigating steps.
JB: Anna, when you do the joint exams, are the regulators all on the same page?
AR: Yes and no, how is that for an answer? Each regulator has their own preferences for how they want the information presented to them. We have one agency that asked for the summarization in an Excel format and a Word document three to four pages in length that summarized all the risks. In our report each product and service has its own page and an owner of that product or service, and we do send it to the various departments on an annual basis to discuss it. The purpose of the discussion is to see if there are any changes, any new risks and any report changes that might be mitigating. We go through the entire process every year. It takes a good two and a half to three months to get the whole thing completed.
JB: Vasilios, your bank is international and I know that your portfolio is North America but is there a difference in RA oversight with regulators outside the U.S. versus regulators for North America?
Vasilios Chrisos: In my experience the expectations of regulators outside the U.S. are not as high as what I have found with U.S. regulators. The U.S. regulators want to see more detail and more supporting documentation. It does seem that banking regulators, and this is especially true here in the U.S., have gone to the next stage in the RA life cycle. What was being done and documented several years ago when the guidance first came out is not good enough anymore. As stated earlier, the regulators keep pushing the bar in terms of supporting documentation — more reports, statistics and metrics to support the results of the assessment. I haven’t seen that rigor with RAs outside the U.S.
In terms of my experience in dealing with the regulators in North America, I would echo the consistency issue: some regulators are okay with a top-down approach, some bottom-up, meaning they want to see the risks identified and assessed at the individual business unit or desk level all the way up to the legal entity and holding company. I have also seen that the expectations have evolved over time; more and more they want to see the AML or compliance officer engage the business or front office directly and not go through an intermediary (such as a business alliance compliance officer or somebody in a legal or in another risk management function). I just went through an exam this year where the examiner wanted to see more thrown into the RA process. He felt that when I am conducting my business unit RAs, this would be a good time for me to review my customer risk rating methodology and other things. He almost used the RA exercise as a trigger to revisit other components of my program. I am not necessarily sure if I agree with that because you have to split your work over the course of a year. Needless to say, in any exam that I have had to deal with, the RA is by far the focal point in the exam.
JB: Vasilios, how long is your process?
VC: Our process is strictly the business unit or business line RA. It is a several month process, and one of the challenges we have, and I know we are not alone in this, is the number of entities that need to be assessed. We have 30 or so assessment units; that number could be made up of business units or stand-alone legal entities. In total we are conducting over 60 RAs (separate assessments for BSA/AML and OFAC/Sanctions). It is unreasonable to expect that it can be done in an abbreviated time period, especially if we have to engage the front office or business partners directly. It’s hard to do this in a few weeks; this will take a few months.
JB: Vasilios, your career background also includes securities, is there a big difference in assessing risk in the securities space?
VC: There is a bit of a difference. The actual risk in money being laundered may not be as high, but when you start talking about the risk of insider trading, market manipulation or market abuse, there is more of a discussion. Those are the obvious areas that hold greater likelihood of securities-related fraud occurring, so that is factored into the assessment process.
JB: Why don’t we talk through specifically how your RA process works.
JT: We are constantly conducting RAs, so it’s not an event during the year, it is continuous. That doesn’t mean that everything is being assessed concurrently, but throughout the year different assessments are taking place by our compliance managers. We create an enterprise-wide risk profile, where we have a roll up of all of the lines of businesses and business units, but throughout the year we are conducting various RAs. For example, things like a line of business, a new product that is going through the pipeline, or it might be related to a region or a country because of a particular requirement within a country. So we perform those assessments all year long and again at one point during the year we will generate an overall risk profile which rolls in all the RAs conducted. As to when we might choose to conduct a follow up assessment, it depends on the level of risk and the controlled environment that was identified in the previous assessment.
JB: It makes sense to me that a bank as large as yours, Jeanne, would have to be constantly assessing new products and new delivery mechanisms. Does your policy indicate that or do you just have a number of people doing a general list of assessment policies, or does it specifically say that it is dynamic and that it depends on the events and the issues as they arrive?
JT: The policy directs that we will conduct an annual RA and that, as significant changes occur, we will re-evaluate in the areas where they have occurred. This gives us the flexibility to schedule based on events, for instance if we want to evaluate based on a particular regulatory action. Because we are not technology intensive, we are not boxed into a requirement of conducting set assessments, but at a minimum we will deliver the annual risk profile.
JB: Anna is your process and policy similar in that you do it on a regular basis but as things occur you make adjustments?
AR: Yes, we do it annually as of year-end. Of course, we have the joy of having some national banks do the MLR as of September 30th of every year, so we do definitely send it in, we put it in the drawer and then we wait until the end of the year. If we are adding a new product or service, we will do a RA or get one of those done beforehand, and we will add that to our RA profile. It’s not dynamic in that fashion, but if we have new products or services then we will make changes to that, but it is done every year.
VC: We also do it annually, not as dynamic as Jeanne described, but we try to time it and do the assessment on a fiscal year. Our fiscal year ends in March, so in January we start having discussions around budgets. We try to do our assessments before that discussion takes place, so that based on the results of the assessments we can pinpoint areas we want to spend more time on, or where we want an increase in oversight. A member of my team is part of the new business/new product committee, so we stay abreast of changes in business strategy, or production of new products. We will go back and revisit the RA every year or conduct new assessments if we are taking on a new business. We visit our database of assessable units and give it a sanity check by going out to different people within Compliance, Risk or Legal just to double check and confirm the in-scope population. We also revisit our quantity of risk matrices at the onset just to see if they need any tweaking or regulatory guidance. Then, it is just a matter of scheduling the interviews and conference calls with our key business executives, completing a risk assessment template for each unit, and consolidating results into heat maps or dashboards. We also prepare a final report for the region and specific memos for different entities and present these to the respective boards sometime during the year.
It really isn’t any different across the board for our international business. To be honest with you, we follow the guidance that has been laid out in the FFIEC manual and we follow the processes that institutions deploy in the U.S. Again, what I found is that here in the U.S. we are further along in the lifecycle and have a more mature process, so my colleagues across other regions have adopted much of the methodology that we’ve created here in the U.S. Thus, for the most part, the methodology that we have globally is based on the approach we’ve taken in the U.S.
JB: Do you engage in any information sharing on RA with your peers, outside of conferences? Have there been any opportunities for you to specifically share on RA or does that come up in the normal course of information sharing?
VC: There were a few forums that were organized by consulting firms several years ago, when the RA guidance was first introduced as part of the FFIEC manual. As far as I know, there haven’t been too many organized forums around this topic in the last few years. I know here in New York, we try to get together with other financial institutions (on an informal basis) and “open the kimono.” We share practices, methodology, approaches. We also talk about how to integrate securities fraud or bribery and corruption into our respective AML RAs, so that we don’t have to conduct multiple assessments, or hit the business units multiple times during the year. So, to answer your question, there is some information sharing, but there is a need for an institution or a group like ACAMS to pull something together for the industry on a more formal basis because the RA practices are changing and evolving. When you factor in all these things, it’s probably good to kick-start the dialogue again.
JB: The ACAMS RA project will eventually lead to user forums and user groups, the ability to share information under one umbrella. Jeanne or Anna, do you currently have that opportunity?
JT: We don’t have RA forums where we participate. What we see is when the risk comes up there are sessions scheduled and some of that conversation is the real risk versus the perceived risk. Sometimes there is a perception that there is a risk and we will talk about it. This is also what the regulators are focusing on at that time, it may not have historically been a particular focus to the regulator and then all of a sudden we get asked about it. Have we conducted a RA on a particular product or in a particular space? We then try to share that information with others about the questions we are receiving, especially if we were surprised by it.
JB: Anna, I imagine your experience is a bit different running the RA for a holding company. Do you have the opportunity to share with other similarly situated institutions or do you share at the national conferences?
AR: Generally it is at the national conferences. We don’t have a real way to discuss certain things in our local environment; however, we do have 13 different banks that we can compare our RA to so that does help us compare apples-to-apples at our holding companies. We listen to what the examiners’ hot topics are, what is the “soup du jour” and anything that they specifically want us to review.
JB: As we get closer to finishing the ACAMS RA tool, do you see acceptance from within the AML community? Where do you see the RA tool fitting in within institutions?
JT: Everyone in the industry and the regulators are trying to figure out what they want from a RA perspective. ACAMS is taking this collective knowledge and putting it together in a tool that is going to be shared with the industry and the regulators. This tool will also add value to the ACAMS membership. Through informed discussions provided by the RA tool, we will reap the benefits of what other institutions are hearing and the questions they are receiving from regulators. Some of the questions we receive are about different methodologies, and being able to tell the story that supports the methodology that you have in place is important.
AR: The way I see the RA working for ACAMS is that everyone understands it is a core system, not the “be all, end all” if you fill it out. The ACAMS RA tool will provide a core system with core formulas, but the financial institution will have the responsibility of deciding why this fits or why this doesn’t fit. The documentation would trigger it all. An added benefit would be to have a discussion forum, some type of Q&A on common issues, or updates on certain kinds of risk inherent in certain types of products. Participants of the RA tool will need to understand that one size does not fit all — certainly not one type of regulator.
JB: The additional value of the RA tool is not simply the scoring mechanism, but options for institutions to add their particular issues to their product, whatever that may be. An easy way to explain this is that all of you have referenced to some degree the FFIEC manual; certainly, if adjustments are made to that manual, they would be included in changes to the RA tool. Our view is not that this is something you would use one time, but that it is going to be a dynamic RA tool and continue to give you information in real time with flexibility. There will never be a view that one tool fits all institutions. What other benefits do you see the RA tool providing?
VC: Another benefit for those using the tool would be efficiency. We would not have to spend the time to incorporate new FATF typology reports, for example, around specific products. We know that ACAMS is going to do it. We also will know that they are going to have new products and services risk rated, not just rated based on guidance, but on consensus from the user groups. There is efficiency there in that we can refocus our efforts: not on keeping the inputs into the risk assessment up to date, because ACAMS will be doing that, and instead we can re-deploy those resources elsewhere, such as into the actual execution of the assessment.
JT: The other thing I wanted to say, from a timing perspective, is that we have already heard that there are going to be changes to the FFIEC manual in 2013, and we know every time that happens it takes quite a bit of analysis on everybody’s part to say what we need to do to re-direct based on changes in the manual. So there is an opportunity to include an interpretation of the 2013 changes as this is being finalized and developed.
JB: Any last comments?
VC: I want to re-emphasize the importance of the RA in the overall build out of the AML compliance program. Sometimes I hear people speak of RAs as just a “check the box” exercise. That shouldn’t be the case. AML professionals should use the results of their risk assessments to drive how they’re going to manage the rest of their respective programs. It doesn’t have to be complicated. It could be as simple as looking at the heat map and seeing where you have reds and yellows. What are you going to do in those areas? Does this mean more training, more monitoring or more oversight? Does this mean implementing new procedures? Regulators don’t just want to see completed questionnaires and templates, they also want to see ample supporting documentation. Finally, in my opinion the point of the RA is to identify gaps or unmitigated risks so that you can, in turn, focus your attention and/or direct your resources to these areas.
AR: The other important piece is to make sure the board of directors is aware of the RA and that the RA matches the board’s appetite for risk — after all the liability does fall squarely on their shoulders. The summary of each of the pieces, the customer risk assessment, the geography, the CIP, OFAC, everything needs to go to the board of directors, so they are aware of the RA and where you reside in that whole RA effort.
JT: I would go back to Vasilios’ comment on the purpose of the RA, because I think that is something we lose sight of: the purpose of the RA is to manage our businesses and target action and resources. We need to target the right resources against mitigating risks.