ACAMS Today Magazine (September-November 2017) Vol. 16 No. 4 | Page 35

PRACTICAL SOLUTIONS
[Figure: Inherent Risk → Effect of Mitigating Controls → Residual Risk]
The interview process is essential to obtaining a tailored and effective risk assessment and provides a qualitative assessment to set beside the customer and transaction data. Interviews can surface ML/TF risks that were not previously identified and help open a line of communication between each business line and the compliance department. In addition, the interview process can help promote a culture of compliance by breaking down the silos of a traditional financial institution, encouraging information sharing and looking at ML/TF risk across the institution as a whole.
For each ML/TF risk identified during the risk assessment, cross-reference the institution's policies and procedures to confirm that there are policy statements and controls in place to mitigate that risk. This cross-reference is how a financial institution determines whether there is a gap in its policies and procedures, or in the ongoing monitoring of the particular ML/TF risk.
How to establish a risk assessment methodology for assessing ML / TF risk
[Callout: Program enhancements | Process improvements | Risk reduction opportunities]
One of the biggest shortcomings of ML/TF risk assessments is the lack of a well-defined risk assessment methodology. The risk assessment process should follow a well-defined methodology that is fully described in the risk assessment report and its supporting documents. The methodology should provide: 1) a measurement of inherent risk that accounts for the principles of impact and likelihood; 2) an assessment of the effectiveness of the mitigating controls; 3) an evaluation of the residual risk that remains after the mitigating controls are taken into account; 4) a determination of the direction of risk (increasing, stable or decreasing) for each identified risk; and 5) a process for deriving the overall inherent and residual risk ratings of the institution.
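The following is an added example, not code from the article or from ACAMS, showing how the five methodology components above and the policy cross-reference check described earlier can be made concrete in a small risk register. Every scale, formula and band in it is an assumption for illustration: likelihood and impact are rated 1 to 5, inherent risk is their product, a control effectiveness between 0 and 1 scales inherent risk down to residual risk, rating bands are fixed cut-offs on that 1 to 25 scale, direction is derived by comparing against the prior assessment's residual score, and the institution-level rating is driven by the highest-scoring risk. The register entries are constructed sample data, not figures from any institution.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed rating bands over the 1..25 scale (illustrative, not from the article).
BANDS: List[Tuple[float, str]] = [(6, "Low"), (12, "Moderate"), (18, "High"), (25, "Critical")]
# Assumed tolerance: a residual-score change within this amount is reported as "Stable".
DIRECTION_TOLERANCE = 0.5


@dataclass
class RiskItem:
    name: str
    likelihood: int                         # 1 (rare) .. 5 (almost certain)
    impact: int                             # 1 (negligible) .. 5 (severe)
    control_effectiveness: float            # 0.0 (no mitigation) .. 1.0 (fully mitigated)
    prior_residual: Optional[float] = None  # residual score from the previous assessment, if any
    policy_refs: Tuple[str, ...] = ()       # policy/procedure sections that address this risk


def inherent_score(item: RiskItem) -> int:
    """Component 1: inherent risk = likelihood x impact (assumed formula)."""
    if not (1 <= item.likelihood <= 5 and 1 <= item.impact <= 5):
        raise ValueError(f"{item.name}: likelihood and impact must be within 1..5")
    return item.likelihood * item.impact


def residual_score(item: RiskItem) -> float:
    """Components 2 and 3: residual = inherent x (1 - control effectiveness) (assumed formula)."""
    if not 0.0 <= item.control_effectiveness <= 1.0:
        raise ValueError(f"{item.name}: control effectiveness must be within 0.0..1.0")
    return round(inherent_score(item) * (1.0 - item.control_effectiveness), 2)


def rating(score: float) -> str:
    """Map a score onto the assumed rating bands."""
    for upper, label in BANDS:
        if score <= upper:
            return label
    raise ValueError(f"score {score} exceeds the {BANDS[-1][0]}-point scale")


def direction(item: RiskItem) -> str:
    """Component 4: direction of risk relative to the prior assessment."""
    if item.prior_residual is None:
        return "Not previously assessed"
    delta = residual_score(item) - item.prior_residual
    if abs(delta) <= DIRECTION_TOLERANCE:
        return "Stable"
    return "Increasing" if delta > 0 else "Decreasing"


def policy_gaps(register: List[RiskItem]) -> List[str]:
    """Risks with no cross-referenced policy statement: candidate policy/monitoring gaps."""
    return [item.name for item in register if not item.policy_refs]


def overall_rating(register: List[RiskItem]) -> Dict[str, str]:
    """Component 5: institution-level ratings, conservatively driven by the highest-scoring risk."""
    if not register:
        raise ValueError("register is empty")
    return {
        "inherent": rating(max(inherent_score(i) for i in register)),
        "residual": rating(max(residual_score(i) for i in register)),
    }


def assess(register: List[RiskItem]) -> List[Dict[str, object]]:
    """One row per risk, in the order the register lists them."""
    return [
        {
            "risk": i.name,
            "inherent": inherent_score(i),
            "inherent_rating": rating(inherent_score(i)),
            "residual": residual_score(i),
            "residual_rating": rating(residual_score(i)),
            "direction": direction(i),
            "policy_refs": i.policy_refs,
        }
        for i in register
    ]


# Constructed sample register (illustrative values only).
REGISTER: List[RiskItem] = [
    RiskItem("International wire transfers", 4, 5, 0.6, prior_residual=8.5,
             policy_refs=("AML Policy 4.2", "Wire Procedures 7.1")),
    RiskItem("Cash-intensive business customers", 3, 4, 0.5,
             policy_refs=("AML Policy 5.1",)),
    RiskItem("Cyber-enabled fraud", 3, 5, 0.2, prior_residual=9.0),  # no policy reference yet
]

if __name__ == "__main__":
    for row in assess(REGISTER):
        print(f"{row['risk']:<36} inherent={row['inherent']:>2} ({row['inherent_rating']:<8}) "
              f"residual={row['residual']:>5} ({row['residual_rating']:<8}) {row['direction']}")
    print("Policy gaps:", policy_gaps(REGISTER))
    print("Overall:", overall_rating(REGISTER))
```

Because the register is plain data, the same functions can be rerun for an event-driven reassessment (a merger, a new product) by adding or re-scoring entries and carrying the previous residual scores forward into `prior_residual`, which is what makes the direction-of-risk component meaningful rather than a one-off snapshot.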
In addition, the risk assessment should incorporate new and emerging risks within the industry, such as FinCEN advisory FIN-2016-A005 on cyber-events and cyber-enabled crime, and should document how cyber risk affects the financial institution's ML/TF risk profile. It is important to remember that the risk assessment should be tailored to each institution and allow for the application of specialized knowledge and professional judgment by the compliance officer. That professional judgment allows the assessment to reflect the institution's actual risk profile, drawing on detailed knowledge held by the compliance officer and/or other stakeholders.
While risk assessments are typically conducted on an annual basis, it is often forgotten that they should also be updated when a "major event" occurs. A major event is generally interpreted as: 1) a merger or acquisition; 2) rapid growth in a new market area; 3) the introduction of a new product or service; or 4) a significant change in the regulatory environment that affects the financial institution. It is recommended that each financial institution define in its own policy what necessitates an event-driven risk assessment. Furthermore, it is
