By: Pat Voss, Assistant Vice President – Member Outreach
Federal and State regulatory examination of credit unions compliance with the Bank Secrecy Act (BSA) has grown significantly over the years and continues to be at the top of examiner priorities when visiting credit unions. One of the more common BSA regulatory exam findings is a lack of a defined BSA risk assessment and risk mitigation process and procedures.
It doesn’t matter whether you are considered a large or small asset sized credit union or whether your business structure is considered simple or complex. It also does not matter whether you are federally insured or privately insured, you must comply with the requirements of the Bank Secrecy Act (BSA).
While considering a Bank Secrecy Act compliance program, credit unions must first and foremost use a risk-based approach to developing a sound compliance program. The BSA/AML Risk Assessment – Overview chapter in the 2014 revised FFIEC Bank Secrecy/Anti-Money Laundering Examination Manual (Click here) on page 18 clearly states that your risk assessment should involve two (2) primary steps:
- The identification of specific risk categories (your risk profile) through a review of your credit unions products, services, members, entities, transactions and geographic locations in which you operate, and
- You must complete a detailed analysis of the data identified in the risk profile which is used to develop processes/procedures (risk mitigation) to manage identified risks.
The FFIEC Bank Secrecy Act/ Anti-Money Laundering Examination Manual further states there are many effective methods and formats used in completing a BSA/AML Risk Assessment and that credit union management should decide the appropriate method and format. An example of the risk assessment flow is located in Appendix I (page(s) I-1 of the manual and a sample risk assessment is located in Appendix J (page(s) J-1 and J-2).
There is no one-size fits all when it comes to an enterprise wide risk assessment. Also there is also no strict format required of the assessment.
Please don’t hesitate to email us at [email protected] or contact your Regional Director if you have questions regarding this blog post.