On September 22, 2022, the ACAMS New York Chapter hosted in-person event that was sponsored by Deloitte titled AML Risk Assessment – Impact of AML Act of 2020 and AML/CFT Priorities. The event included the following individuals (from left to right pictured below): Max Bitenskiy (Executive Director, US Head of Risk Assessment, Financial Crime Prevention, UBS);
Jack Sonnenschein as moderator (Founder and Principal, Compliance Navigation LLC);
The discussion began with background information on the AML Act of 2020 (AML Act) and how the legislation impacts the need to conduct risk assessments. From the AML Act and proposed rulemakings, we can infer that risk assessments (which are currently not a regulatory requirement) will become an AML program requirement. Additionally, as a result of the AML Act and FinCEN’s publication of AML/CFT national priorities, financial institutions are beginning to further incorporate the priorities into their risk assessment processes.
It’s important for financial institution employees to note that not all of the AML/CFT priorities may be applicable to their firm’s risk profile. The applicability of the priority should be assessed first. Second, the financial institution should determine whether there is another risk assessment that is already conducted (e.g., a fraud or cyber risk assessment) that overlaps with the priority threats and can be leveraged. Many financial institutions have begun to consolidate risk assessments across financial crime areas, which inherently provides more coverage of the national priorities (although this trend began prior to the publication of the priorities last Summer).
Other approaches to addressing the nation priorities within risk assessments include the incorporation of qualitative questions within existing risk assessments to more specifically address the priorities. Other financial institutions are creating standalone threat assessments (more similar to a horizonal risk assessment) to address more targeting threats within the national priority category (e.g., healthcare fraud). Such threat assessments often leverage a very specific process and methodology and often aren’t performed by the Risk Assessment team.
The panel also spoke about the trend towards implementing more dynamic risk assessments, which means conducting risk assessments more often than during an annual refresh cycle. In order to move in this direction, firms need to assess their resource and technology capabilities – in particular, the ability to automate components of the work must be assessed.
Moving away from a “check the box” culture should be the main goal for the future of AML risk assessments. Coverage assessments are a natural next step to incorporate the risk assessment results into the overall AML program.
“The best defense is a good offense.” Organizations should be more proactive and find their unique way to be prepared for the anticipated AML risk assessment changes in response to FinCEN AML/CFT priorities.
Many organizations have started performing targeted threat assessments focused on a specific priority (e.g., healthcare fraud, proliferation financing, drug trafficking) which helped identify organizations’ exposure to risks associated with FinCEN priorities resulting in more useful information being reported to law enforcement.