How to Manage BSA/AML Risks
Two recent trends are converging to increase banks’ risk management obligations. One is heightened scrutiny by banking regulators of their Bank Secrecy Act and Anti-Money Laundering (BSA/AML) compliance efforts. The other is customers’ increasing demand for electronic banking (e-banking) services, which can increase a bank’s BSA/AML risks.
Taking a Risk-Based Approach
To help combat money laundering and terrorist financing, banks are called upon to develop and implement comprehensive BSA/AML programs to ensure they know their customers, monitor transactions, identify suspicious activity and share information with the government and other financial institutions. (See “Elements of a BSA/AML program.”)
Federal regulators emphasize a risk-based approach to BSA/AML compliance. In other words, a bank is expected to conduct a thorough risk assessment and develop policies, procedures and processes that are adequate in light of its size, location, customer base, products and services.
Assessing the Impact of e-banking
E-banking — including online account opening, ATM transactions, Internet banking transactions, remote deposit capture (RDC), telephone banking and mobile banking apps — can increase a bank’s BSA/AML risks. The lack of face-to-face contact in e-banking transactions introduces a heightened level of risk to institutions by making them vulnerable to unauthorized users accessing customer accounts. As your bank introduces new e-banking products and services, it’s imperative to evaluate their impact on your BSA/AML program.
For example, according to the Federal Financial Institutions Examination Council (FFIEC) BSA/AML Examination Manual, online account opening without face-to-face contact may heighten your risk because:
- Verifying the customer’s identity is more difficult,
- The customer may be outside the bank’s targeted geographic area,
- The customer may perceive these transactions as less transparent,
- Transactions are instantaneous, and
- A front company or unknown third party may use the account.
To mitigate these risks, banks should ensure that their BSA/AML monitoring, identification and reporting systems are properly equipped to flag unusual and suspicious activities conducted electronically. Useful tools include ATM activity reports, funds-transfer reports, new-account-activity reports and change-of-Internet-address reports. Reports that identify related or linked accounts are particularly effective in an e-banking context. These reports reveal accounts with common addresses, phone numbers, email addresses and taxpayer identification numbers. Additional risk-mitigating controls may include imposing limits on:
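One way to build the linked-accounts report described above, as an added example that is not from the original article or any vendor's monitoring product: it normalizes addresses, phone numbers, e-mail addresses and TINs, then clusters accounts that share any of them, directly or transitively, over constructed sample records with an assumed field layout.

```python
# Added example: a minimal "linked accounts" report (constructed data, assumed schema).
import re
from collections import defaultdict

ACCOUNTS = [  # constructed sample records, not real customers
    {"id": "A1", "address": "12 Main St, Springfield", "phone": "(555) 010-0001",
     "email": "alice@example.com", "tin": "000-11-1111"},
    {"id": "A2", "address": "12 MAIN ST, SPRINGFIELD", "phone": "555-010-0002",
     "email": "bob@example.com", "tin": "000-22-2222"},
    {"id": "A3", "address": "9 Elm Rd, Shelbyville", "phone": "555.010.0001",
     "email": "carol@example.com", "tin": "000-33-3333"},
    {"id": "A4", "address": "77 Oak Ave, Capital City", "phone": "555-010-0004",
     "email": "CAROL@EXAMPLE.COM", "tin": "000-44-4444"},
    {"id": "A5", "address": "1 Lone Ln, Ogdenville", "phone": "555-010-0005",
     "email": "dave@example.com", "tin": "000-55-5555"},
]

def normalize(field, value):
    """Canonicalise an identifier so formatting differences still match."""
    if field in ("phone", "tin"):
        return re.sub(r"\D", "", value or "")            # digits only
    return re.sub(r"\s+", " ", (value or "").strip().lower())

def linked_account_groups(accounts):
    """Cluster accounts joined, directly or transitively, by a shared identifier."""
    parent = {a["id"]: a["id"] for a in accounts}       # union-find forest
    def find(x):
        while parent[x] != x:
            x = parent[x]
        return x
    owners = defaultdict(list)                          # (field, value) -> ids
    for acct in accounts:
        for field in ("address", "phone", "email", "tin"):
            key = normalize(field, acct.get(field))
            if key:
                owners[(field, key)].append(acct["id"])
    for ids in owners.values():
        for other in ids[1:]:
            parent[find(other)] = find(ids[0])          # union
    groups = defaultdict(set)
    for acct_id in parent:
        groups[find(acct_id)].add(acct_id)
    report = []                                         # only groups of 2+
    for members in groups.values():
        if len(members) > 1:
            shared = sorted(f"{f}={v}" for (f, v), ids in owners.items()
                            if len(ids) > 1 and set(ids) <= members)
            report.append({"accounts": sorted(members), "shared": shared})
    return sorted(report, key=lambda r: r["accounts"])
```

Here A1 and A2 share an address, A3 shares A1's phone number and A4 shares A3's e-mail address, so all four land in one group for review while the unlinked A5 is not reported.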
- The types and sizes of transactions that can be conducted through e-banking platforms,
- The volume and frequency of online-initiated transactions (if allowed), and
- Online accounts, to ensure they’re offered only to established customers.
The FFIEC emphasizes that, when determining the level of monitoring required for an account, one factor to consider is how the account was opened. Banks need to develop effective and reliable methods for authenticating a customer’s identity when he or she opens an account online (such as “out of wallet” questions that only that person can answer).
Mitigating RDC Risks
While RDC provides obvious benefits to customers, it also exposes banks to money laundering, fraud and information security risks. For example, fraudulent, sequentially numbered or physically altered checks may be harder to detect when they’re submitted via RDC. Plus, it’s difficult for banks to control or locate RDC equipment, particularly when foreign correspondents and foreign money service businesses increasingly rely on RDC.
The FFIEC warns that inadequate controls can result in altered deposit data, duplicate deposits and other problems. Also, customers or service providers typically retain original checks or other deposit items, which may create recordkeeping, data safety and integrity issues.
Potential risk mitigation steps include:
- Performing a comprehensive RDC risk assessment before implementation,
- Conducting appropriate customer due diligence and enhanced due diligence,
- Establishing risk-based parameters for RDC customer suitability, such as lists of acceptable industries and standardized underwriting criteria,
- Comparing an RDC customer’s expected account activity to actual activity,
- Establishing RDC transaction limits, and
- Ensuring that RDC customers receive adequate training.
Contracts should clearly set out the relative roles, responsibilities and liabilities of the bank and its customers with respect to RDC transactions, including procedures for handling and disposing of original documents.
The more your bank relies on e-banking products and services, the greater its risks. To avoid compliance issues, be vigilant in monitoring your bank’s risk profile and beefing up your BSA/AML program as those risks increase.
Sidebar: Elements of a BSA/AML Program
A bank’s BSA/AML program must include, among other things:
- An adequate system of internal controls,
- Appointment of a BSA compliance officer at the management level,
- Ongoing employee training,
- Independent compliance testing,
- A written, risk-based customer identification program (CIP),
- A system for maintaining records of customer information and methods used to verify customer identities,
- Procedures for comparing the customer database and certain transactions against lists of known or suspected terrorists or terrorist organizations maintained by the Office of Foreign Assets Control (OFAC),
- Procedures for filing currency transaction reports (CTRs) for cash transactions that exceed $10,000, as well as for related transactions that exceed $10,000 in the aggregate and transactions that have been structured to avoid reporting, and
- A system for monitoring transactions for suspicious activity and filing suspicious activity reports (SARs) when appropriate.
A comprehensive program can go a long way toward mitigating electronic banking risks.