
Moving Toward Collaborative AML Risk Assessments

By Jeff Lavine
JPL Advisory LLC
In July 2024, the US Department of the Treasury's Financial Crimes Enforcement Network (FinCEN) proposed a new rule that includes requiring financial institutions to conduct periodic risk assessments as part of their Anti-Money Laundering (AML) and Countering the Financing of Terrorism (CFT) programs. While this proposed rule reinforces a risk-based approach and adds specificity to AML risk assessment requirements, I still find it lacking.
The proposed approach does not fundamentally alter the vague guidance previously offered by US regulators in the FFIEC BSA/AML Manual. Other global guidance is equally thin: the FCA Handbook at FCG 2.2.4 is sparser still, and the HKMA Guideline, Chapter 2, is only slightly less so.
This vagueness doesn’t help. My industry experience suggests that risk assessments fall short of their promise. All too often, rather than exploring and finding new risks to mitigate, risk assessments are a check-the-box exercise that justifies the status quo.
I believe the need for a new approach is now higher than ever. Global financial crime rates are rising. Risk assessment failures were also the primary factor contributing to the AML program failures and financial crimes conducted through TD Bank USA, leading to a $3 billion fine. FinCEN noted that the bank's methodology for assessing risk was inadequate, lacking depth and specificity, which prevented accurate assessment of BSA/AML risks.
In this blog post, I explore ways enhanced regulatory specificity for bank risk assessments can contribute to lower national AML/CFT risk through greater public-private risk sharing. While the examples focus on US regulatory guidance, these principles are universally applicable.
Why So Vague?
Today, AML risk assessments are shaped by broad regulatory guidance, as found in the US’s FFIEC BSA/AML Manual. While this guidance outlines critical factors—such as products, services, customers, and geographic locations—that banks should consider, it leaves much of the methodology and specifics up to individual institutions. This has led to significant variance between bank risk assessment methodologies, limiting the benefit of sharing and off-site supervision.
The traditional argument favoring rule generality is that firms must highly customize risk assessments to fit the unique products, customers, and geographies they serve. This argument presumes that firms are unique.
But are they unique? Overall, banks are not all that different. They offer similar products and serve similar customer segments through the same delivery channels. Notably, the rising similarity among banks is a systemic safety and soundness concern to supervisors like the New York Fed.
In light of this, it’s hard to believe that regulators could not find a standard methodology that could work for most, allowing for modifications. Such a baseline would be valuable to supervisory agencies, enabling increased offsite supervision. It would also provide valuable benchmarking for banks willing to share anonymized results.
No one argues that banks should be free to design their regulatory financial reporting. Each quarter, each bank files a Report of Condition and Income (Call Report), despite differences in product mix, etc. Call Reports are the foundation of regulatory off-site supervision. AML risk assessments could work like Call Reports, enabling risk monitoring between examination cycles. Like Call Reports, AML risk assessments could be scaled to allow less detailed reporting for smaller banks, reducing their regulatory burden.
Further, as noted above, risk assessment failures are cited as the primary factor contributing to the AML program failures at TD Bank USA and the subsequent $3 billion fine. FinCEN stated (p. 49) that the “methodology to assess risk across its entire AML program, via its annual assessments, was inadequate and overlooked key risk and control factors that materially impacted the Bank’s risk profile analyses. The assessments lacked depth and specificity, which prevented AML management from accurately assessing the BSA/AML risks associated with TD Bank.” [emphasis added].
So why not issue guidance directing the kind of depth and specificity you are after?
Further support for the achievability and benefits of a standardized risk assessment is found in the World Bank Group (WBG), which provides a standardized approach to FATF National Risk Assessments (NRAs). Their approach works and is employed by 100 countries. WBG’s NRA standard offers a valuable baseline for analyzing country-level risks and the implementation and effectiveness of measures to combat money laundering and terrorist and proliferation financing. Such reports inform how financial institutions and regulatory agencies allocate resources to address national risks.
Building a Better Current State
Perhaps the current US proposed rule to enhance risk assessment and the risk assessment failures noted in the TD Order can serve as a call to action.
The proposed rule is moving in the right direction; it establishes one-way public-private sharing through the FinCEN Priorities and gets prescriptive on business activities and SAR analysis. More is necessary. Specifically, it requires that the risk assessment process serve "as the basis for the state member bank's AML/CFT program, including implementing… internal policies, procedures, and controls commensurate with those risks…". It also requires risk assessments to include:
1. The [FinCEN’s published] AML/CFT Priorities…;
2. The ML/TF risks of the financial institution, based on its business activities, including products, services, distribution channels, customers, intermediaries, and geographic locations; and,
3. [Suspicious Activity Reports] filed by [the] financial institution”.
At a minimum, the rule should aim to make risk assessments more comparable and sharable by standardizing the relationship of the risk assessment process to internal controls. It’s time to require risk assessments to use the longstanding inherent risk, mitigating controls, and net residual risk approach. US regulators and other supervisors require this level of risk assessment specificity elsewhere. For example, this is consistent with the approach used by the US Federal Reserve to assess consumer compliance risk, even for smaller Community Banks, and the FATF guidance on Risk-Based Supervision, cited in the FinCEN rule.
An enhanced rule should include requiring the following standard elements:
Identifying the level of AML/CFT inherent risks associated with business activities, as defined by FATF;
Requiring FinCEN to present the Priorities as inherent risk statements to be mitigated, rather than in narrative form, to limit ambiguity;
Assessing, through self-assessment and third-party review, the adequacy of the specific mitigating internal policies, procedures, and training that address those inherent risks, including but not limited to customer due diligence, screening, and the specific suspicious activity monitoring models or scenarios; and,
Scoring residual risk, as defined by FATF, associated with material business activities based on the level of inherent risk and the adequacy of mitigating controls.
In addition, the regulation, regulators, or industry working groups should produce an implementation framework.
This framework should include defining the following:
Specific methodologies for detailing, describing, and assessing inherent risk;
Methods to trace inherent risks to their risk-mitigating preventative or detective controls;
Standards for identifying and evaluating the effectiveness of these mitigating controls, including but not limited to model validation and data quality and completeness assurance processes;
Documentation standards to ensure that evaluations are thorough and transparent; and,
Clear guidance on action plans to reduce risks and address control weaknesses.
Standardized Analysis Beats Gut Feeling
Without a clear framework and standard, boards, supervisors, and compliance professionals risk overreliance on intuition. We need more than a gut feeling to secure our financial system. Experts note that intuition is the least reliable when our experiences are limited. Most board members are not banking professionals (less than 16% are, according to one Harvard Business School study), and many heads of bank financial crime programs have spent most of their careers at one or two firms.
Standardized AML risk assessments will provide data to check or improve intuitive risk judgments. The above framework could establish comparability between institutions, minimizing overreliance on intuition.
By establishing these parameters, regulators can help banks identify vulnerabilities more effectively and allocate resources where they are most needed. More concrete, standardized guidelines would generate sharable data that would lead to:
Better Compliance: Clear guidelines would help to ensure that AML compliance controls are sufficiently tailored to risk profiles and that risk mitigation is less reactive.
Improved Supervision: Regulators would benefit from standardized assessments that allow for more effective offsite supervision. This would enable examiners to spot AML risk outliers among the portfolio of institutions they examine, which could ultimately reduce enforcement activity.
Efficiencies: A persistent industry complaint is that the current legal and supervisory paradigm misdirects resources to lower-risk activities. An industry-standard risk assessment would provide the data for realignment, ensuring that high-risk areas receive focus and lower-risk segments avoid unnecessary scrutiny.
Lower Systemic Risk: Data freely shared among industry participants could highlight situations where participants individually or serially underestimated inherent risks for particular products or services.
Conclusion
As financial crimes become more complex and pervasive, regulators should take decisive action to enhance AML compliance frameworks within banks. By providing more precise definitions and requirements for AML risk assessments and encouraging industry-wide and public-private risk sharing—particularly regarding identified inherent risks—regulators can empower financial institutions to build sound compliance programs that better combat money laundering and terrorist financing.
This collaborative approach will strengthen individual banks and contribute significantly to the stability and security of the global financial system.