The Bank Secrecy Act (BSA) does not explicitly state that money services businesses (MSBs) must conduct an anti-money laundering (AML) risk assessment. However, it does say that an MSB "shall develop, implement, and maintain an effective AML program" and that the program "shall be commensurate with the risks posed by the location and size of, and the nature and volume of the financial services provided" (31 CFR § 1022.210). By that logic, how can an MSB build a program that is commensurate with its risks if it has not evaluated its risks by conducting a risk assessment? How else can an MSB assess its money laundering and terrorist financing risks? Thus, while not a requirement, an AML risk assessment (AML RA) is necessary for an MSB to ensure its AML program is effectively identifying and mitigating its risks.
With that being said, the AML RA has become an expectation of regulators and an industry standard, even if not a regulatory requirement. However, it is not enough to conduct an AML RA once or to consider it as a stand-alone document. It should be utilized to inform the rest of your AML program and tied to the MSB's AML policy. When an MSB's risk changes, not only should the risk assessment be updated but also the MSB's AML policy to ensure processes and controls to mitigate the risks identified are implemented. As stated previously, the risk assessment process should not be viewed as a one-time thing. An AML RA should be updated at least annually or whenever there are significant changes to the MSB's operation. The AML RA is an ever-evolving, living document, that should accurately reflect and consider the MSB's operation to take into account changes that occur as the operation evolves.
And what better time to update your AML RA than at the beginning of the year. That is the best time to assess your AML program, review the previous year's operation, and take into account future plans for expansion or changes. While updating the risk assessment annually is an industry best practice, always remember that updates should be made whenever significant changes to an MSB's operation occur that would alter a company's risks. Whenever the MSB is updating its AML RA, it should consider asking some of the following questions:
- Customers
- Has the target customer changed over time?
- Did the MSB's main customer base change within the past year?
- Did the MSB identify changes in customer activity patterns?
- Does the MSB plan to expand its services to business customers?
- Geography
- Does the MSB only offer its services domestically?
- Does the MSB plan to expand its geographic footprint internationally?
- Does the MSB have plans to offer its services in high-risk jurisdictions?
- Products/Services
- Did the MSB add products/services to its portfolio?
- Did the MSB change any of the products/services it offers?
- Does the MSB plan to add or remove products/services in the future?
- People/Processes/Technology
- Did the MSB make changes to the systems that it uses to collect and store customer data?
- Did the MSB change or update its transaction monitoring or sanctions screening systems?
- Were changes made to key personnel such as Board members, senior management, the AML Officer, or other compliance or operational staff?
- Did the MSB implement new or updated processes for compliance?
The MSB should identify the answers to these questions and others, as this list is not all-inclusive, and update its AML RA accordingly. The MSB should also have a methodology documented to support its scoring model so that the AML RA does not appear subjective. The MSB should also focus on using both quantitative and qualitative data, as it should have a nice balance of both to provide real insights into the MSB's risks.
While we are on the subject, now is the perfect time to also ensure that your AML Risk assessment addresses the eight National Priorities (Priorities) issued pursuant to the AML Act of 2020 (AMLA) on June 30, 2021. At that time, FinCEN issued its first-ever government-wide priorities for anti-money laundering and countering the financing of terrorism (AML/CFT) in accordance with § 6101(b)(2)(c) of the AMLA. These Priorities are as follows: corruption; cybercrime; terrorist financing; fraud; transnational criminal organizations; drug trafficking organizations; human trafficking and human smuggling; and proliferation financing.
While not technically a requirement until FinCEN issues regulations to specify how MSBs should incorporate these priorities into their risk-based AML programs, as a best practice, MSBs should incorporate these Priorities now, if they haven't already done so. These Priorities are not unfamiliar to MSBs. Long before FinCEN identified these as Priorities, this type of activity has been prevalently seen in the MSB industry. Thus, MSBs should not wait for FinCEN to issue regulations to address these Priorities as this industry is at the forefront of detecting, investigating, and reporting this type of activity in its day to day AML compliance operation. To properly address the risks associated with these Priorities, MSBs should review each one to identify which ones are relevant to the MSB's operation and incorporate them accordingly into their AML RA. Once these regulations are issued in connection with the Priorities established by FinCEN, MSBs will be required to evaluate and integrate these Priorities based on their own operation and AML program. In the meantime, MSBs should be proactive and review their current risk assessment program's processes, controls, and governance to prepare for the forthcoming requirements.
Lastly, at a recent conference, a representative of FinCEN indicated that it would soon, as in some time in 2024, issue guidance making AML risk assessments a statutory requirement for all financial institutions going forward. It was also commented that FinCEN would issue standard guidelines on how to create an AML risk assessment.
Thus, now is the time to get ahead and update your risk assessments to include the National Priorities identified in the AMLA and to make any updates necessary to properly address the changes to your operation and accompanying AML risks. The beginning of the year is always the perfect time to reflect on the previous year and look toward the future. While there is yet no standard way or official guidelines on how to create an AML RA, Ankura has experienced consultants who can assist you with conducting, creating, updating, and implementing an effective and reasonably designed AML RA that is tailored to your company's operation and that will satisfy industry best practices and future regulatory requirements.
To stay up to date on the latest in financial regulatory compliance, financial crime prevention, and risk management, sign up for our newsletter: The Compass
Sources
https://www.ecfr.gov/current/title-31/subtitle-B/chapter-X/part-1022/subpart-B/section-1022.210
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.