US government agencies, including FinCEN, issued combined guidance on the 22nd of July 2019 on how they supervise and examine the compliance of financial institutions (FIs) with anti-money laundering (AML) regulations, including the US Bank Secrecy Act (BSA). Whilst this is US-centric guidance, it is pertinent for FIs outside of the US to consider when contemplating the effectiveness of a financial crime governance framework and associated controls.
The guidance focuses heavily on the need for a “risk-focused” approach to be instilled across all elements of an effective AML framework. Having a clear understanding of the FI's risks is critical for the development of an effective risk assessment and sound risk management controls – this approach will also enable regulators to supervise the FI in an effective and subjective manner, noting that different FIs have different risk profiles.
In the guidance, FIs are encouraged to manage risk associated with customers by implementing controls which can be effectively monitored and contain the risk of a specific relationship, rather than refusing to provide services to high-risk customers. This approach will enable firms to meet their legal and regulatory objectives, as well as effectively managing the customer relationship. The guidance notes that federal agencies will be able to evaluate the adequacy of a specific firm’s compliance programme relative to the risk of its business if this approach is maintained.
A transparent risk-focused approach and profile will allow regulators to scope and plan an initial review of an FI's AML compliance programme more effectively, resulting in a greater understanding of the adequacy of the firm’s compliance programme. This will result in a less intrusive and more targeted review of the FI's AML controls, which will be welcomed by the firm.
A targeted review of an AML programme should allow the examiner to allocate more resources to higher-risk areas and fewer resources to lower-risk areas. A risk-focused review of the FI's AML programme should be considered in line with the unique risk profile of the firm. This will allow the extent of the review to be assessed in line with the quality of the risk management processes used to identify, measure, monitor, and control risks. This in turn will allow an accurate assessment of the potential for the firm to be used for money laundering, terrorist financing and other illicit activity.
The guidance provides a list of common practices that the agencies will undertake in assessing an FI's risk profile. These should be considered by all FIs so they can anticipate and effectively plan for a regulatory review; these include:
leveraging available information, including the FI’s AML risk assessment, independent testing or audits, analyses and conclusions from previous examinations, and other information available through the off-site monitoring process or a request letter to the bank.
contacting the FI between examinations or prior to finalising the scope of an examination.
considering the FI’s ability to identify, measure, monitor and control risks.
In order to design and embed a compliant and effective AML programme which will be aligned to the recent US government guidance, FIs should:
Design and regularly review their risk appetite and risk profile;
Design subjective controls which can meet specific, and not generic, customer-specific risk;
Carry out regular independent testing of the AML programme and controls;
Regularly train personnel on the specific risk, profile and controls of the firm.
The full joint statement can be viewed here: https://bit.ly/32MxiYZ