Creating Reliable Risk Assessments: How to Measure BSA Risk

Part 3 of 4

Bank Secrecy Act, Anti-Money Laundering, and Office of Foreign Assets Control (BSA/AML/OFAC) requirements are critically important to any financial institution. The FFIEC recommends that financial institutions conduct a BSA/AML risk assessment every 12 to 18 months, or when new products or services are introduced, existing products and services change, or higher-risk customers open or close an account.[1] The steps are the same as with every other kind of risk:

  1. Identify BSA/AML/OFAC risks with relevant risk controls.
  2. Assign impact and probability to each BSA/AML/OFAC risk to understand each risk’s potential effect on the organization.
  3. Assign and prioritize controls for each BSA/AML/OFAC risk to manage risk mitigation.
  4. Define residual risk for BSA/AML/OFAC, for a deeper dive into the total risk and a more consistent risk assessment.

When assessing BSA/AML/OFAC, identify potential risk categories by looking at the institution’s products, services, customers, transactions, and geographic locations as well as the regulations that must be followed. There’s no shortage of areas to assess, including funds transfers, foreign correspondent accounts, and Know Your Customer.

But how exactly do you properly assess a risk? Let’s do just that with one BSA risk: the risk of failing to file suspicious activity reports (SARs).

Inherent vs. Residual Risk

Inherent risk scores represent the level of risk an institution would face if there weren’t controls to mitigate it. For example, think of the risk of a cyberattack if the institution didn’t have any defenses in place.

For residual risk, one would need to think of controls in place to mitigate the inherent risks. Residual risk is the risk that remains after controls are taken into account. In the case of a cyber breach, it’s the risk that remains after considering deterrence measures.

To assess inherent risk, determine how big an impact an event would have and how likely the event is to occur.

Inherent risk = Impact of an event * Probability

To calculate residual risk, consider the inherent risk as well as the effectiveness of the controls. That includes how large an impact a control has in mitigating a problem as well as how effective it is in practice.

Residual risk = Inherent risk * Control effectiveness

Control effectiveness = Control impact * % ineffective


Making the Assessment

Different institutions use different scales when making these measurements. In conducting this exercise, we’ll use a 5-point scale with these terms to measure risk and potential impact:

  • Catastrophic
  • Significant
  • Moderate
  • Minor
  • Insignificant

Control effectiveness will be measured on a three-point scale for impact:

  • Very important
  • Important
  • Not important

Probability and effectiveness will be measured on a five-point scale:

  • Certain
  • Likely
  • Possible
  • Unlikely
  • Remote

With these in mind, let’s begin to assess risk.

Risk: Failing to file timely SARs.

Event Impact: Catastrophic. Failing to file suspicious activity reports and other BSA violations are a common source of enforcement actions. Falling short can have tremendous regulatory repercussions.

Probability: Possible. Just because you tell staff to do something, that doesn’t mean they’ll do it. Without a structure in place to ensure that reports are filed in a timely fashion, it’s entirely possible something will fall through the cracks.

Inherent risk: Catastrophic. While the probability is only moderate, the potential consequences are so dire that the risk remains very high.

Fortunately, there are a variety of controls that can reduce the risk of a financial institution failing to properly file SARs:

  • Policies and procedures
  • Training
  • Regular audits

Let’s look at policies and procedures.

Control: Policies and procedures

Impact: Important. Well-drafted policies and procedures spell out the specific steps that should be taken and assign roles and responsibilities. They provide an important roadmap to ensure that every report is properly filed.

Effectiveness: Moderate. There is always a chance that someone doesn’t follow the policies and procedures. Assessments have shown occasional lapses.

Residual risk: Minor. This strong control will go a long way towards reducing risk.

Conduct this assessment for each of the controls. Then assess the total value of the controls to determine how high or low the residual risk is. Remember, not every control is equal. Give greater weight to those with a high impact and less to those with a low impact.

Be sure to be candid when assessing controls. If the assessment reveals that a control isn’t particularly effective, it might not be a problem if other strong controls are in place. It could be an opportunity to strengthen a weak control or to decide that it’s not worth the resources.
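As an added worked example (not a tool from the article or its author), here is the scoring model above in Python, applied to the SAR-filing risk and the three controls listed. Every numeric weight and label threshold is an assumption chosen to illustrate the mechanics, so its labels need not match the judgement calls in the text.

```python
from dataclasses import dataclass

# Assumed numeric mappings for the article's label scales (the text gives labels only).
IMPACT = {"Insignificant": 1, "Minor": 2, "Moderate": 3, "Significant": 4, "Catastrophic": 5}
PROBABILITY = {"Remote": 1, "Unlikely": 2, "Possible": 3, "Likely": 4, "Certain": 5}
CONTROL_WEIGHT = {"Not important": 0.25, "Important": 0.5, "Very important": 0.75}  # share of risk addressed
CONTROL_RELIABILITY = {"Remote": 0.1, "Unlikely": 0.3, "Possible": 0.5, "Likely": 0.7, "Certain": 0.9}
# Thresholds (assumed) for turning a 1..25 score back into the five-point label.
LABELS = [(15, "Catastrophic"), (10, "Significant"), (6, "Moderate"), (3, "Minor"), (0, "Insignificant")]


@dataclass
class Control:
    name: str
    importance: str   # three-point control impact scale
    reliability: str  # five-point effectiveness scale

    def retained_fraction(self) -> float:
        # Control effectiveness = control impact * share of the time it works;
        # whatever is not removed is the risk the control leaves behind.
        return 1.0 - CONTROL_WEIGHT[self.importance] * CONTROL_RELIABILITY[self.reliability]


def inherent_score(impact: str, probability: str) -> int:
    """Inherent risk = impact * probability, on a 1..25 numeric scale."""
    return IMPACT[impact] * PROBABILITY[probability]


def residual_score(inherent: float, controls: list) -> float:
    """Residual risk = inherent risk * what the controls leave behind.
    Controls combine multiplicatively (assumed), so a high-impact, reliable
    control removes more of the remaining risk than a weak one does."""
    retained = 1.0
    for c in controls:
        retained *= c.retained_fraction()
    return inherent * retained


def label(score: float) -> str:
    """Map a numeric score back onto the article's five-point scale."""
    return next(name for floor, name in LABELS if score >= floor)


def weak_controls(controls: list, min_reduction: float = 0.2) -> list:
    """Controls removing less than min_reduction of the risk: the candidates
    to strengthen or to drop that a candid assessment surfaces."""
    return [c.name for c in controls if 1.0 - c.retained_fraction() < min_reduction]


# Constructed inputs: the SAR-filing risk and the three controls the article lists.
SAR_CONTROLS = [Control("Policies and procedures", "Important", "Possible"),
                Control("Training", "Important", "Likely"),
                Control("Regular audits", "Very important", "Likely")]
```

With these assumptions, `inherent_score("Catastrophic", "Possible")` gives 15 (Catastrophic), policies and procedures alone bring it to 11.25 (Significant), and all three controls together bring it to about 3.47 (Minor).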

Comparing CIP Controls

Consider collecting data for the Customer Identification Program (CIP) provisions of the USA PATRIOT Act. The PATRIOT Act requires that an institution collect five key pieces of customer information before opening an account. A review of enforcement actions related to anti-money laundering violations indicates there is a significant inherent risk in failing to fulfill this requirement.

This risk can be reduced with several controls. They include:

  • Automated software that prevents an account opening from moving forward without the information.
  • A checklist for employees.
  • Quality control by double checking a sample of new accounts.

On the surface, these all seem like great controls, but assessments over time can demonstrate the strengths and weaknesses of each control.

For example, the automated software ensures that information is entered 100 percent of the time. No fields are left blank. However, it can’t guarantee that the correct information is entered. The checklist has potential for human error, and an assessment may demonstrate that employees often skip this step. Finally, an assessment of quality control procedures may show that it’s extremely effective in ensuring the proper information is entered, but it’s only used on a sample of new accounts because it’s too time consuming to do for each new account.

The fact that the institution is inconsistent on the checklist, a relatively unimportant control, probably won’t have a huge impact on the institution’s overall residual risk. It might even decide to discontinue the control due to its ineffectiveness. It all comes down to risk tolerance and effectiveness. If, after assessing its controls, it decides the residual risk is too high, it can introduce new controls or dedicate more resources to existing ones.

To learn more about risk assessments, including how to ensure they are reliable, timely and consistent, check out our whitepaper on creating reliable risk assessments.

[1] Federal Financial Institutions Examination Council Bank Secrecy Act/Anti-Money Laundering InfoBase. BSA/AML Risk Assessment - Overview. https://www.ffiec.gov/bsa_aml_infobase/pages_manual/olm_005.htm Accessed 11/16/2017.