On October 22, 2020, the ACAMS New York Chapter hosted a webinar titled Maximizing the Use of Financial Crime Risk Assessments: Best practices for financial institutions to exploit the full benefit from their annual assessment of risk. The panel was moderated by Jack Sonnenschein (Founder and Principal, Compliance Navigation LLC) and included TJ Haynes-Morgan (Chief Audit Executive, Raymond James Financial), Megan Nelson (Senior Vice President, Financial Crimes Governance, Truist Bank), and Miriam Ratkovicova (Managing Director, AML, Sanctions and Financial Crime, Deloitte).
The discussion opened with a reminder that, while risk assessments are widely considered a best practice, current BSA regulations do not explicitly require them (although that may change in the future). The prominence of risk assessments is nonetheless trending upward, as evidenced by OFAC's inclusion of the risk assessment as one of the five essential components articulated in its Framework for OFAC Compliance Commitments.
The panel presented several risk assessment case studies, each of which produced surprises for both the business and compliance stakeholders. In general, the pleasant surprises come from internally initiated risk assessments completed in partnership with the business. For example, a business may learn that it is operating within or under its risk appetite, giving it more flexibility in certain markets. Conversely, a business may learn that its riskiest customers or products do not generate the profits or returns needed to justify staying in that sector.
Several best practices for conducting productive risk assessments were highlighted, including the suggestion that data quality be treated as a core component of the inherent risk rating, and that regulatory risks (e.g., Consent Orders) also feed into the inherent risk rating. Financial institutions were also advised to replace lengthy report text with digestible visuals and simpler-to-read reports that stakeholders can act on more easily.
There was extensive discussion of how risk assessments should encourage coordination and integration across the three lines of defense. For example, financial institutions should strive for a unified view of inherent risks that can be articulated consistently by all three lines. The outputs of each line of defense should also be used by the others, resulting in an interconnected partnership across the lines. This cross-coordination is an important, softer component of the value a risk assessment delivers. As a best practice, the second and third lines of defense (testing and audit, respectively) should concentrate on the highest-risk areas as they plan for the upcoming year.
Key takeaways from the discussion include:
The recently published Advance Notice of Proposed Rulemaking (ANPRM) from FinCEN proposes to make risk assessments a regulatory requirement.
Financial institutions should look beyond the numeric output of risk assessments to identify trends and areas of emerging risk.
Risk assessment results should be easily digestible and presentable for stakeholders.