
A BSA/AML
RISK ASSESSMENT
Page 1 of 35
TABLE OF CONTENTS                                                       PAGE

Auditing & Updating a $13 Billion Organization's BSA/AML Risk Assessment ..... 4
Auditing the Existing BSA/AML Risk Assessment ..... 5
Core Components of a Comprehensive BSA/AML Risk Assessment ..... 7
1. BSA/AML Risk Assessment Overview ..... 7
   1.1 Introduction ..... 7
   1.2 Steps in the Risk Assessment Process ..... 8
   1.3 Detailed Bank Information ..... 8
   1.4 Customers and Entities ..... 9
   1.5 Money Service Businesses (MSBs) ..... 10
2. BSA/AML Compliance Program Overview ..... 11
   2.1 Introduction ..... 11
   2.2 Internal Controls ..... 11
   2.3 Independent Testing ..... 12
   2.4 BSA/AML Officer ..... 12
   2.5 BSA/AML Training ..... 13
3. BSA/AML Operations Overview ..... 13
   3.1 BSA/AML Policy ..... 13
   3.2 BSA/AML Department ..... 13
   3.3 Customer Identification Program (CIP) ..... 14
4. Currency Transaction Reports (CTRs) and Monetary Instrument Logs (MILs) ..... 14
5. Anti-Money Laundering Software Risk Assessment ..... 15
6. High Risk Determination and Tracking ..... 16
7. Regulation GG ..... 17
8. Enterprise Wide BSA/AML Exam & Audit Reports ..... 17
9. Business Units (BUs) ..... 17
   9.1 Products and Services (Appendix A) ..... 18
10. Identifying and Evaluating BSA/AML Risk ..... 19
   10.1 Introduction ..... 19
   10.2 HIDTA and HIFCA Locations ..... 19
   10.3 Risk Identification and Evaluation Ratings ..... 20
11. Corporation's Risk Identification and Evaluation of Business Units/Products and Services (Appendix B) ..... 21
12. Summary of Corporation's Enterprise Wide BSA/AML Quantitative Risk (Appendix D) ..... 21
13. Mergers and Acquisitions ..... 22
14. New Product Committee ..... 22
15. Projected BSA/AML Risks ..... 23
CONCLUSION: Think Enterprise Wide ..... 24

SAMPLE SPREADSHEETS:
Appendix A - Business Units BSA/AML Risk Identification and Evaluation of Products and Services, Inherent Risks, Mitigating Controls and Residual Risks ..... 25
Appendix B - Risk Evaluation of Business Units/Products and Services ..... 26
Appendix C - Corporation Risk Evaluation of Company/Products and Services ..... 27
Appendix D - Summary of Corporation's Enterprise Wide BSA/AML Quantitative Risk ..... 28
Appendix E - BSA Risk Analysis Chart, Customers/Accounts, Products/Services and Geographies ..... 29

FFIEC Bank Secrecy Act/Anti-Money Laundering Examination Manual Appendixes
Appendix I: Risk Assessment Link to the BSA/AML Compliance Program ..... 32
Appendix J: Quantity of Risk Matrix ..... 33

Research/References/Sources ..... 35

AUDITING & UPDATING A $13 BILLION ORGANIZATION'S BSA/AML RISK ASSESSMENT
By Donna Davidek, CAMS
December 30, 2013

The Business Dictionary (1) defines Risk Assessment as "The identification, evaluation, and estimation of the levels of risks involved in a situation, their comparison against benchmarks or standards and their determination of an acceptable level of risk." The risk assessment process is not new to the Banking industry. Risk assessments have been conducted in many areas within banking organizations for years, so it seemed appropriate when the BSA area came into regulatory focus. Since at least 2005, every depository financial institution has been required to perform and document a written BSA/AML Risk Assessment. The purpose of a comprehensive risk assessment is to assess the enterprise wide BSA/AML risk profile of the organization, including the Bank and all subsidiaries. By determining the enterprise wide BSA/AML risk profile, the organization can evaluate the adequacy of existing processes and, where required, modify and update the risk management processes in an effort to more effectively identify and mitigate risk. A risk assessment can serve as a valuable tool for any Banking institution that wants to manage its BSA/AML risk effectively. The key is to understand the Bank's risk exposure and develop the necessary policies, procedures, systems, and controls to mitigate the risk. The emphasis by regulators for financial institutions to conduct detailed risk assessments has increased substantially over the years. Today, there is an expectation by regulators for BSA/AML Risk Assessments to provide a more granular and in-depth review of all areas of the organization. There is no single recommended methodology, format or method required when completing a risk assessment. As long as the risk assessment can be understood by the appropriate parties who will read it, the format should be acceptable to federal regulators.

The information contained in this whitepaper does not address OFAC risk, as the organization represented conducted and documented a stand-alone OFAC Risk Assessment. It is acceptable for the OFAC Risk Assessment to be incorporated into the organization's overall BSA/AML Risk Assessment; however, it is best practice for a large bank to create a stand-alone OFAC Risk Assessment. A process similar to the one outlined in this paper was also conducted when auditing and updating the OFAC Risk Assessment.

AUDITING THE EXISTING BSA/AML RISK ASSESSMENT

When faced with the task of auditing an institution's existing BSA/AML Risk Assessment, to determine if it is adequate for the present state of the organization, the initial question is "Where Do I Begin?"

There are many reasons why a risk assessment should or must be updated. In order to determine whether the existing risk assessment needs to be updated or whether it must be rewritten in its entirety, the auditor must thoroughly review the existing risk assessment to determine if it appropriately represents the organization's current risk profile and also conforms to regulatory standards. The reviewer must determine if the necessary control points, as represented in the list below, are included within the risk assessment:

1. The risk assessment should properly reflect the current BSA/AML risk profile across the entire organization.
2. The risk assessment should clearly identify all areas within the organization and specifically identify those Business Units (BUs) within the organization with direct BSA/AML responsibilities. The risk assessment should also clearly identify each BSA/AML responsibility specific to each Business Unit.
3. The risk assessment should include a detailed, in-depth evaluation of the inherent risk of every existing, new, or significantly expanded or modified customer, geography, product, service and system used or offered by each BU within the organization with direct BSA/AML responsibilities; an evaluation of the effectiveness of systems and internal controls utilized by each BU; and the determination of the resulting residual risk of each product, service and system used or offered through each BU.
4. Any major events or changes that have taken place within the organization should be reflected in the risk assessment, e.g., mergers, acquisitions, expansions, changes in the organization's footprint/expansion into new markets, new or changed products or services, prior inefficiencies identified that have not been corrected, new core data processing or anti-money laundering systems, or the Bank having crossed the $10 billion mark and now by definition being considered a large Bank.
5. The findings provided in the risk assessment should be supported by appropriate qualitative and quantitative data.
6. The institution should maintain an effective process for periodically reviewing and updating the institution's risk assessment, ensuring that all changes to BUs with any BSA/AML responsibilities are represented appropriately.
7. The risk assessment should be shared and communicated with all BUs across the organization, including management and appropriate staff.
8. The results of the organization's risk assessment should be reported to the appropriate supervisory committee and/or to the Board of Directors.
9. At a minimum, the organization's BSA/AML Risk Assessment should have been updated within the past twelve to eighteen months; however, the current standard practice for most organizations is to update the risk assessment every twelve months. Prior to changing products or services or engaging in new customers or geographies, a risk assessment update would also be warranted. Regulatory changes may also warrant a risk assessment update.

After reviewing the existing risk assessment, it was determined to be inadequate. The existing risk assessment lacked major areas of detail necessary to appropriately determine the organization's risk profile. The original risk assessment was created in a format following the principles represented in the FFIEC's BSA Examination Manual Appendix J: Quantity of Risk Matrix and Appendix I: Risk Assessment Link to the BSA/AML Compliance Program. Smaller community Banks often use these matrices to formulate summary conclusions; however, they are not particularly useful when developing a risk assessment for a large institution. Appendix J may be utilized for a baseline approach, but a large Bank's products, services, customer base, geographies and systems are often too complex for a simple matrix.

The existing risk assessment consisted of a series of spreadsheets, one for each BU with BSA/AML
responsibilities, including an overall summary. It was difficult to read and lacked a clear, descriptive
narrative. Products, services and systems were not fully detailed. The risk assessment contained an
insufficient listing of applicable red flags, inherent risks were not fully identified and risk rated,
mitigating controls listed were not clearly defined and had minimal explanation and residual risk was not
fully explained and/or risk rated. To summarize, the BSA/AML Risk Assessment conclusions were not
adequately documented; therefore, they could not be supported. Risk assessments cannot lack
supporting documentation, but should contain appropriate facts, justification and documentation in
order to reach correct overall conclusions defining the risks within an organization. Comprehensive
supporting documentation should provide an auditor or regulator with the rationale that was utilized to reach
overall conclusions in the risk assessment. In order to properly conclude there is a sufficient BSA/AML
program in place, the risks at the institution must be appropriately identified.

EXISTING BSA RISK ASSESSMENT

After completing the audit process, a decision had to be made to either update the existing risk assessment or rewrite it in its entirety. The Bank had transitioned to what was now defined as a large Bank and, as a result, the existing risk assessment no longer adequately represented the BSA/AML risk profile of the organization. In order to be commensurate with the size and complexity of the organization, the decision was made to rewrite the risk assessment in its entirety.

Core Components of a Comprehensive BSA/AML Risk Assessment


Best Practice for a $13 Billion Institution
After determining the existing risk assessment was outdated and did not adequately represent the
current BSA/AML risk profile of the organization, a more detailed and granular risk assessment had to be
developed. The objective is not solely to complete a risk assessment, as the risk assessment is not the
end game but merely a tool. The risk assessment only focuses attention on inherent and residual risk.
The greater objective is to create a meaningful risk assessment as a key tool to identify, prioritize and
ultimately manage risk. There are numerous elements to consider when creating a risk assessment. The
list below was drafted based on a great deal of research, information obtained through attending
various ACAMS conferences and webinars and Appendix J and Appendix I from the FFIEC BSA
Examination Manual. The information gathered was utilized as a guide to determine what
information should be included in the new risk assessment.

1. BSA/AML Risk Assessment Overview


1.1 Introduction (3)
In an effort to define the purpose of the risk assessment, statements such as the following can be
included:
1. The Bank has established a goal of maintaining a Bank Secrecy Act (BSA) and Anti-Money Laundering (AML) compliance program with strong risk monitoring procedures in place.
2. To achieve this goal, the Bank continuously monitors the various risks that could directly impact the quality of the Bank's program.
3. Based on the information contained in the risk assessment, the Bank has identified its BSA/AML risk profile to be High/Inadequate, Moderate/Adequate or Low/Strong, whichever risk rating is applicable.
4. Identifying the Bank's risk profile has assisted the Bank with delegating its resources and reasonably managing the Bank's overall BSA/AML Program.
5. The BSA/AML Risk Assessment provides a comprehensive analysis of the highest risks facing the organization and will be shared with Senior Management, the Board of Directors or whoever is applicable.

The risk assessment should also indicate what it is not designed to accomplish. The risk assessment process
should function as a guide in the development of applicable risk-based policies, procedures, systems and controls
and is not designed to be utilized as a means of denying account relationships to specific entities or eliminating
higher risk products or services.

1.2 Steps in the Risk Assessment Process (2)


[Sidebar: Steps in the Risk Assessment Process: 1. Identification of Specific Risk Categories; 2. Perform Detailed Analysis of the Gathered Data; 3. Evaluation of the BSA/AML Program]

1. Identification of Specific Risk Categories
According to the FFIEC BSA/AML Examination Manual, the first step of the risk assessment process is to identify specific products, services, customers, entities and geographic locations.
2. Detailed Analysis
The second step of the risk assessment process entails a more detailed analysis of the data obtained during the identification stage in order to more accurately assess BSA/AML risk. This step involves evaluating data pertaining to the Bank's activities (e.g., number of domestic and international funds transfers, private banking customers, geographic locations of the Bank's business area and customer transactions) in relation to Customer Identification Program (CIP) and customer due diligence (CDD) information. This detailed analysis is ultimately important because within any type of product or category of customer there will be accountholders that pose varying levels of risk.
3. Evaluation of the BSA/AML Program
In this step, it is acknowledged that the Bank has structured its BSA/AML Program to adequately address the concerns identified in the risk assessment, and that, as a result of the findings, appropriate policies and procedures were developed to monitor and control the various risks.

1.3 Detailed Bank Information


A detailed description of the information that is specific and unique to the Bank should be included.
1. The current asset size of the Bank
2. The Bank's footprint:
   a. States where branch offices are located
   b. Markets within each state, including number of branch offices within each market
   c. Identify when and where any new branch offices were opened
   d. Define primary market areas by percentages of the entire Bank
   e. Identify location of corporate headquarters
   f. List number of ATMs located throughout the Bank's footprint by state
   g. Indicate number of full-time associates employed by the organization and the percentage turnover rate of associates, including key personnel
   h. Summarize the Bank's domestic and foreign operations, including an explanation of the Bank's policy on opening foreign business accounts

1.4 Customers and Entities


The risk assessment should clearly define the entire client base, with particular concern for the identification of client/entity types conventionally associated with heightened risk of exposure for money laundering and terrorist financing. The preferred method of presenting the information gathered is to create reports or spreadsheets that identify the information below by branch office, totaled by market and totaled by state, as well as the number of accounts and dollar amounts as a percentage by branch office, market and state. This process best defines the geographic regions of the client base by their share of the entire Bank.
1. Deposit Accounts: number of accounts and total dollar amount, including percentages by market and percentages by state
   a. Personal
   b. Non-personal
   c. Time deposits
2. Loan Accounts: number of accounts and total dollar amount, including percentages by market and percentages by state
   a. Personal
   b. Non-personal
   c. Loans secured by cash, marketable securities or cash value life insurance
3. Foreign Businesses
   a. Number of relationships
   b. Number of accounts
   c. Country of origin
   d. Occupation/Nature of business
   e. Type of account and dollar amount
4. Private Banking
   a. Definition of private banking that is exclusive to the Bank, including no international private banking clients
   b. List of products and/or loans that are exclusive to private banking clients
   c. Identify deposit accounts and loan accounts, including number of accounts and dollar amount by market and state
5. Clients/Entities: number of accounts and dollar amounts of:
   a. Entities as defined by NAICS codes
   b. Non-resident aliens
   c. Resident aliens
   d. Sole proprietors
   e. Cash intensive businesses
   f. Politically Exposed Persons (PEPs)

1.5 Money Service Businesses (MSBs)


The risk assessment should clearly state the Bank's position on opening accounts for clients determined to be MSBs. If the Bank has identified MSBs as part of its client base, a risk assessment should be performed on these entities. The MSB risk assessment should pertain to:
1. Currency dealers or exchangers
2. Check cashers
3. Issuers of traveler's checks, money orders or stored value cards
4. Sellers or redeemers of traveler's checks, money orders or stored value cards
5. Money transmitters
Other factors to consider when completing the MSB risk assessment are the following:
1. Inherent risk factors of MSBs
2. Considerations for risk rating of MSB clients
3. Lower risk indicators
4. Higher risk indicators
5. Mitigating controls
6. Client base
   a. Identify number of high risk clients
   b. Type of business the MSB engages in; e.g., convenience store, grocery store, gas station, check cashing, etc.
   c. Total dollar amount of MSB activity:
      - Credits and debits
      - Cash in and cash out
      - Incoming wires and outgoing wires
      - Total number of transactions
      - Identify top 10 MSB clients by dollar amount
      - Identify top 10 MSB clients by cash: cash in, cash out and total cash
   d. Define demographics of all MSB clients:
      - Risk category of each MSB
      - City and state where business is conducted
      - Located in a High Intensity Financial Crimes Area (HIFCA) or High Intensity Drug Trafficking Area (HIDTA), yes or no
7. Residual risk and overall risk rating of MSBs
8. Mitigating controls for MSB clients
   a. Customer Due Diligence (CDD) & Enhanced Due Diligence (EDD)
   b. FinCEN license registration
   c. Transaction monitoring
   d. Risk rating of each MSB client

2. BSA/AML Compliance Program Overview
2.1 Introduction (2)
According to the FFIEC BSA/AML Examination Manual, the Bank's BSA/AML compliance program
must provide for the following:
1. A system of internal controls
2. Independent testing of BSA/AML compliance
3. Designating an individual or individuals responsible for managing BSA compliance
4. Training for appropriate personnel

It is best practice to acknowledge that the Bank has a written BSA/AML compliance policy that meets
FFIEC requirements and has been approved by the appropriate board or committee of the Bank.

[Sidebar: Internal Controls are the Bank's Policies, Procedures and Processes designed to limit and control risks and to achieve compliance with the BSA.]

2.2 Internal Controls (2)
The Bank's Board of Directors is ultimately responsible for ensuring the Bank maintains an effective BSA/AML program. As a result, management is required to develop policies and procedures designed to limit and reasonably control BSA/AML risks identified in the risk assessment. The Bank's internal controls must consist of:
1. Conducting an annual BSA/AML Risk Assessment to identify those areas posing the highest risk for money laundering, terrorist financing and/or illegal activities.
2. Appointing a BSA Officer to be responsible for the BSA Policy and Procedures and oversight of the day-to-day compliance.
3. Designation of a centralized department responsible for managing the daily responsibility of BSA/AML compliance.
4. Policies and procedures to ensure compliance with all regulatory record keeping and reporting requirements.
5. Risk-based monitoring system to identify and report appropriate transactions, including SARs and CTRs.
6. Meetings/Reports with appropriate boards or committees to discuss the following:
a. Key Risk Indicators (KRIs)
b. High risk processes
c. Compliance initiatives
d. Program deficiencies, including Quality Control/Quality Assurance results
e. Suspicious Activity Reports (SARs) filed
f. Currency Transaction Reports (CTRs) filed
g. Accounts closed due to suspicious activity
h. Customer Identification Program (CIP) violations
i. High Risk Accounts
j. Completed and outstanding Training
k. Source of alerts reported and investigations completed

2.3 Independent Testing


This section is intended to provide all information related to independent testing of the BSA/AML
Compliance Program.
Information should include:
1. Defining responsibility for managing the independent audit process
2. Who independently conducts the audit
3. Frequency of audit conducted
4. Goal of the audit
5. Scope of the audit
6. Follow up meeting on findings during the audit
7. Defining responsibility for writing responses to findings
8. Requirement for prompt management follow up on resolving deficiencies cited in findings

2.4 BSA/AML Officer


The qualified, designated BSA/AML Compliance Officer should be named as appointed on the applicable date by the Board of Directors. A brief description of the BSA Officer's responsibility should also be included, in addition to an overview of the BSA associates who assist with the responsibility of day-to-day administration of the BSA functions. It should also be noted that the Board of Directors is responsible for ensuring the BSA Officer has sufficient authority and resources to administer an effective BSA/AML Compliance Program based on the Bank's risk profile. (3)

2.5 BSA/AML Training
Training for appropriate personnel is a requirement of a BSA program. Information regarding the Bank's training program and results should be thoroughly detailed in the risk assessment.
Information to include:
1. How the training is conducted, e.g., computer-based, in person, etc.
2. How often training must be completed
3. Method of assigning and tracking the training courses, as well as training for new hires
4. Types of training, e.g., job specific, Business Unit BSA/AML programs, new hires, etc.
5. In the current calendar year, number of associates who completed their assigned BSA/AML training, including percentage of completion by associates
6. Timing of training completed by newly hired associates, e.g., new associates must complete their BSA/AML training within the first 60 days of employment
7. Include an outline of all training topics and testing materials included in the annual BSA/AML training, including the responsibility for selecting and organizing the BSA training program
8. Annual training for BSA Officer and ongoing training for BSA associates
9. Annual Board of Directors training

Training is one of the four pillars of a BSA Compliance Program as identified in the FFIEC BSA Exam Manual. The importance of assigning, completing and tracking training for all appropriate personnel cannot be overlooked.

3. BSA/AML Operations Overview


3.1 BSA/AML Policy
An overview of the contents of the written BSA/AML Policy should reflect the purpose and goal of
the policy and how the organization complies with the overall requirements of BSA regulations and
the USA Patriot Act. Approval by the Board of Directors and the date approved should also be
included.

3.2 BSA/AML Department


This section should reflect that the Bank has established a centralized BSA Department responsible for overseeing and implementing the Bank's BSA/AML Program and monitoring, investigating and reporting suspicious activity. Indicate that management has ensured adequate staff is allocated to complete all steps necessary to appropriately identify and report criminal activity. Best practice is to list the physical location of the BSA Department, number of associates assigned to BSA, combined total number of years of BSA experience of the department as well as combined number of years of overall banking experience of the BSA associates. If any of the BSA associates have achieved any certifications or advanced certifications, such as ACAMS or ACAMS Audit, include that information in this section.

3.3 Customer Identification Program (CIP)


All Banks must have a CIP. The CIP is intended to enable the Bank to form a reasonable belief that it knows the true identity of each customer. The risk assessment should contain an overview of the Bank's CIP to include:
1. Customer information required to open an account
2. Summary of risk-based procedures for verifying the identity of the customer
   a. Verification through documentary methods
   b. Verification through nondocumentary methods
   c. Additional verification for certain customers, e.g., when the Bank cannot verify the customer's true identity using documentary or nondocumentary methods
3. Procedures for circumstances when the Bank cannot verify the customer's identity
4. Recordkeeping and retention requirements
5. Adequate customer notice, when and how notice is provided to customer
6. When reliance on another financial institution for CIP is acceptable

4. Currency Transaction Reports (CTRs) and Monetary Instrument Logs (MILs)


Information about the Bank's daily work process relative to CTRs and MILs should be included in the risk assessment. The daily work process would include:
1. System used to process CTRs
2. Reports utilized to identify all reportable CTRs and verify cash in and cash out totals are correct
3. How cash is aggregated by tax identification number
4. How CTRs are created and verified
5. E-filing and acknowledging the file
6. Number of CTRs filed
7. Number of exempt clients, Phase I and Phase II, and define exemption process
8. Process of verification of monetary instrument logs

5. Anti-Money Laundering Software Risk Assessment


Effective AML software provides a comprehensive enterprise-wide BSA compliance solution. By storing
and evaluating data for both clients and accounts, AML software enables the BSA Department to reduce
compliance risk, consistently apply BSA policies and procedures, accurately assess client risk, enforce a
structured BSA review workflow to monitor transactions, facilitate management and Board oversight,
and implement Customer Due Diligence and Enhanced Due Diligence programs. AML software also
gives users the tools to create and manage cases for those clients and accounts requiring more thorough
oversight and documentation. AML software can also provide the BSA Department a portal for creating and filing
Suspicious Activity Reports (SARs) for cases in which such action must be taken.

The BSA Department is charged with the responsibility for the Bank's compliance with the BSA, including detection of money laundering, terrorist financing and/or other criminal activity. The Bank should perform a risk assessment on the AML software used by the Bank. The risk assessment should be documented and included in the overall BSA/AML risk assessment. Information should include the following keys to implementing the AML software and understanding and validating its functionality:
1. Basic concepts of the AML software
2. How the software is configured
3. Define the case management system
4. Identification or alert of unusual activity
5. Management of alerts
6. Investigative guidelines for working cases
7. Suspicious Activity Reports (SARs)
   a. Decision making
   b. Completion
   c. Filing
8. Customer Due Diligence (CDD) and Enhanced Due Diligence (EDD) processes
9. Questions asked of client during the account opening process, including scoring of the responses by client
10. Use of software to identify high risk clients
   a. Potential high risk clients
   b. Risk rating of clients
11. Software change control procedures
12. How data is imported from the core processing system to the AML software
13. Independent validation of the software: testing integrity and accuracy of the AML system, including audit results
14. Understand what the system does not do
   a. Identify gaps
   b. Results of a gap analysis performed on AML software
15. Utilization summary for the specific date range of the risk assessment
   a. Number of investigations as a result of the AML software
   b. Number of cases resulting from investigations
   c. Number of SARs filed
16. Risk of failure of the AML software, hardware or data.

[Sidebar: An alternative definition for the acronym SAR is SOMETHING AIN'T RIGHT!!]

6. High Risk Determination and Tracking


The BSA Department is responsible for developing and maintaining a list of clients identified by the Bank
as potentially posing a High Risk of terrorist financing or financial crimes, including money laundering.
The list of High Risk clients may evolve from many different sources, such as their type of business,
account activity, geographic location, etc. This section should define the various ways BSA Department
personnel are alerted of potential suspicious clients/activity:
1. AML software
a. Risk runs
b. Peer analysis worklists
c. Customer Due Diligence (CDD) questions
d. Account Due Diligence (ADD) questions
2. Notification from associates outside of the BSA Department (internal notification)
3. Law enforcement requests, e.g., subpoenas, national security letters, etc.
4. Cash shipment reports
5. Daily CTR processing and exemption reviews
6. 314(a) matches
7. Incoming and outgoing 314(b) requests
8. SARs filed

Define the process used to determine and track High Risk Clients:
1. Review is conducted and, based on investigation, client is determined to be high risk
2. Annual risk rating of entire database
3. Customer Due Diligence (CDD) review consisting of responses to questions asked of client during the account opening process
4. Expanded due diligence for high risk clients
5. Identifying and tracking new potentially high risk clients

What defines High Risk Entities and Activities? Although attempts to launder money through a legitimate financial institution can emanate from many different sources, certain kinds of businesses, transactions or geographic locations may lend themselves more readily than others to potential criminal activity. All high risk client relationships should clearly be identified by number of accounts and type of business. The BSA Risk Analysis Chart, Appendix E, may be a useful tool when performing BSA risk analysis in an effort to identify higher risk clients.

7. Regulation GG
[Sidebar: Regulation GG: Unlawful Internet Gambling Enforcement Act of 2006]
The risk assessment should state the Bank's position to not maintain accounts with any business involved in internet gambling. The process and method utilized by the Bank to evaluate the likelihood that a potential client is engaged in an internet gambling business should be defined and included in the risk assessment.

8. Enterprise Wide BSA/AML Exam & Audit Reports

The information in this section should consist of the results of all exams and audits, both internal and
independent, and the results of any BSA/AML findings. The information can be placed in spreadsheet
format and should include:
1. Business Unit and/or Subsidiary
2. Date of last audit or exam
3. BSA/AML Findings (yes or no)
4. Audit schedule, e.g., 12-18 months, 19-24 months, 24-26 months, etc.
5. Detailed description of each finding
6. Management response to each finding

The results of the BSA Department exams and audits should also be included in this section.

9. Business Units (BUs)

There are numerous Business Units (BUs) within a banking organization. All associates within all BUs are
responsible for BSA/AML compliance, but not all BUs have job specific BSA/AML responsibilities. The
BUs within the organization with specific BSA/AML responsibilities should be identified in the risk
assessment.

9.1 Products and Services (Appendix A)

[Figure 2: PRODUCTS & SERVICES diagram listing Remote Capture, Trust & Asset Mgmt., Deposit, ACH,
Lending Activities, Funds Transfers, Electronic Banking, Private Banking, Mobile Banking, Payroll Cards
and Credit Cards]

Certain products/services pose a higher risk of money laundering or terrorist financing depending on
specifics as offered by the Bank. Such products may facilitate a high degree of anonymity, or involve the
handling of high volumes of currency or funds transfers, or practices with limited paper trails, making it
difficult to follow the money. There may be products with high volumes of transactions that make it
challenging to identify the legitimate transactions. Some of these products and services are listed below,
but the list is not all inclusive:

1. Electronic funds payment services: electronic cash (e.g., prepaid and payroll cards),
funds transfers (domestic and international), third-party payment processors, automated
clearing house (ACH) transactions and automated teller machines (ATMs)
2. Electronic banking
3. Private banking (domestic and international)
4. Trust and asset management services
5. Monetary instruments
6. Lending activities, particularly loans secured by cash collateral and marketable securities
7. Nondeposit account services (e.g., nondeposit investment products and services)
8. Foreign correspondent accounts
9. Trade finance
10. Services provided to third party payment processors or senders
11. Foreign exchange
12. Special use or concentration accounts

The expanded sections of the FFIEC BSA/AML Examination Manual provide guidance and discussion on
specific products and services detailed above.

The risk assessment should identify all products and services within the organization and indicate the BU
specifically responsible for each product/service. The risk assessment must take into consideration all of
the organization's BUs and operating subsidiaries and how the risk of one BU is interrelated to another
BU. Think enterprise wide when performing the risk assessment related to BUs and their respective
products, services, systems and controls:

1. Identify each BU and define all of its functions in detail
2. Identify and list each product and service offered through the BU
a. Identify and list inherent risks associated with each product/service
b. Include a risk rating for the inherent risks identified for each product/service, e.g.,
high, moderate or low
c. Identify and list the controls in place to mitigate each risk identified, including all
systems utilized by the BU
d. Include a risk rating of the residual risks identified after mitigating controls were
analyzed, e.g., high, moderate or low
e. Include a chart that summarizes activity for specific products/services, e.g., funds
transfers. Information should include number of wires, dollar amount of wires, and
monthly totals of each category, including overall percentages of domestic and
foreign, personal and non-personal.

This process can be achieved through a series of spreadsheets that represent each BU in its entirety. By
gathering information relative to each BU and maintaining all documentation to support the reported
data, the auditor can be confident that sufficient data has been gathered and analyzed to support the
findings and resulting risk ratings. See Appendix A. The BU risk information will be summarized and
recorded on a Risk Evaluation of Business Units/Products and Services spreadsheet. See Appendix B.

10. Identifying and Evaluating BSA/AML Risk

10.1 Introduction
The Bank should focus on developing a BSA/AML Risk Assessment by identifying risk categories unique
to the Bank and analyzing the data identified to better assess the Bank's risk within these categories.
The detailed analysis identifies the products, services, customers, entities and geographies that pose
risk to the Bank.

Joint participation with various departments and BUs across the Bank, management and appropriate
staff should be considered to achieve the best results. Through the risk assessment process, the Bank
will lay a foundation for the efficient allocation of the organization's time and resources. By allocating
its resources to the areas of highest risk, the Bank can effectively manage and reduce its BSA/AML risk.

10.2 High Intensity Drug Trafficking Areas (HIDTA) and High Intensity Financial Crimes
Areas (HIFCA) Locations
The total number of the Bank's branch office locations should be included, indicating the number of
locations in HIDTAs and HIFCAs. At the time of this writing, there are 28 HIDTAs, which include
approximately 16 percent of all counties in the United States and 60 percent of the U.S. population.
HIDTA-designated counties are located in 46 states, as well as in Puerto Rico, the U.S. Virgin Islands, and
the District of Columbia. At the time of this writing, there are 7 states in the U.S. with areas of
jurisdiction by counties that are considered HIFCAs. They are California, Arizona, counties bordering and
adjacent to those bordering the U.S. and Mexico boundary in Texas, Illinois (Chicago), New York, New
Jersey, and South Florida. All areas of Puerto Rico and all areas of the U.S. Virgin Islands are also
considered HIFCAs. The Bank's branch locations should be identified by name, address, city, state, zip
code, county, HIDTA (yes or no) and HIFCA (yes or no). This information can be placed on a spreadsheet
and included in the risk assessment.

HIDTA information can be obtained at:
http://www.whitehouse.gov/ondcp/high-intensity-drug-trafficking-areas-program.
HIFCA information can be obtained at:
http://www.fincen.gov/law_enforcement/hifca/index.html#map_hifca.

Each of these various levels of risk for each of the items listed below should include a brief description
as defined by the Bank. The definitions of the risk listed below will be utilized when analyzing all
information gathered to determine the Bank's Final BSA/AML Risk Score:
1. Inherent Risk: define what determines a rating of High, Moderate or Low
2. International transactions: Yes or No
3. Geographic Risk: define what determines a rating of High, Moderate or Low
4. Cash Intensive: Yes or No
5. Monitoring/Mitigating Controls: define what determines controls considered to be Strong,
Adequate or Weak
6. Residual Risk: define what determines a rating of High, Moderate or Low

11. Corporation's Risk Identification & Evaluation of Business Units/Products
and Services (Appendix B)
In an effort to determine the Bank's Final BSA/AML Weighted Risk Score, information determined from
the risk identification and evaluation must be analyzed. In the first step above, the inherent risk,
mitigating controls and resulting residual risk of each product/service were determined and documented
on the Business Units BSA/AML Risk Identification and Evaluation of Products and Services (Appendix A).
The second step is to create a spreadsheet to record the various risk levels determined in the risk
evaluation conducted as outlined in Appendix A. In this step, additional information will be analyzed to
determine the Bank's final BSA/AML scoring. The additional information includes International
Transactions, Geographic Risk, Cash Intensive, the Business Unit Risk Rating, the Risk Weight of each BU
and the Final Risk Weighted Score of the entire Bank. See Appendix B.

Appendix A: Represents the risk identification and evaluation of each BU within the Bank.
Appendix B: Represents the Bank and all of its BUs.
Appendix C: The same process represented in Appendix A and Appendix B should be repeated for
each subsidiary of the Bank and each subsidiary of the organization, as represented by Appendix C.

An additional column can be added to spreadsheets containing identified risks to indicate whether the residual
risk trend is increasing, decreasing or stable. The risk trend can be measured as one of:

1. Increasing
2. Decreasing
3. Stable

12. Summary of Corporation's Enterprise Wide BSA/AML Quantitative Risk (Appendix D)

The final stage in determining the Corporation's Enterprise Wide BSA/AML Risk Score is to create a final
spreadsheet containing a summary of the quantitative risk results by company. Each company within
the corporation should be listed, along with each BSA/AML rating that has been determined after
performing a detailed analysis of the data gathered during the identification stage. The analysis process
gives management a better understanding of the Bank's risk profile in order to develop the appropriate
policies, procedures and processes to mitigate the overall BSA/AML risk.

In this step, the Risk Weight of each division of the corporation must be determined. In the sample
spreadsheet represented by Appendix D, the Bank and Subsidiaries owned by the Bank represent 90% of
the Risk Weight of the corporation. A Subsidiary owned by the Corporation represents 2% of the Risk
Weight, and an additional Subsidiary along with Companies owned by the Subsidiary represent 8% of the
Risk Weight of the organization. The information on Appendix D represents the final process in
summarizing the Corporation's Enterprise Wide BSA/AML Quantitative Risk as determined by the risk
assessment process.
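The roll-up described in sections 10.3, 11 and 12 and laid out on the sample spreadsheets (Appendices B, C and D) is a short calculation: each row's rating is converted to its numeric equivalent, multiplied by its Risk Weight, the products are summed, and the sum is banded back into LOW, MODERATE or HIGH. The Python below is an added worked example; it is not part of this document or of any bank's spreadsheet. The numeric equivalents, weights and score bands are the sample values from Appendices B, C and D, the entity names are the page's own placeholders, and the Entity class, function names, the rounding to four decimals and the "weights must total 100%" check are assumptions made here.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Numeric equivalents of the three ratings, as used on the sample spreadsheets.
NUMERIC_EQUIVALENT = {"LOW": 1.0, "MODERATE": 2.0, "HIGH": 3.0}

# Score bands as (LOW ceiling, MODERATE ceiling). The sample Appendices B and C
# put the LOW ceiling at 1.9999, the enterprise-wide Appendix D at 1.4999. Both
# are page values; the bank has to choose one per level and document the choice.
BU_BANDS: Tuple[float, float] = (2.0, 3.0)
ENTERPRISE_BANDS: Tuple[float, float] = (1.5, 3.0)


def score_to_rating(score: float, bands: Tuple[float, float] = BU_BANDS) -> str:
    """Map a weighted score onto LOW / MODERATE / HIGH using the given bands.

    Scores are rounded to the four decimals the spreadsheets display, so that
    1.99995 and 2.0000 land in the same band (an assumption made here).
    """
    score = round(score, 4)
    low_ceiling, moderate_ceiling = bands
    if score < low_ceiling:
        return "LOW"
    if score < moderate_ceiling:
        return "MODERATE"
    return "HIGH"


@dataclass
class Entity:
    """One spreadsheet row: a BU, subsidiary, company or the corporation (hypothetical class).

    Leaf rows carry the rating assigned by analysis (Appendix A/B); parent rows
    derive theirs from the weighted scores of their children.
    """
    name: str
    weight: float                          # Risk Weight within the parent, as a fraction
    rating: Optional[str] = None           # analysis rating, leaf rows only
    children: List["Entity"] = field(default_factory=list)
    bands: Tuple[float, float] = BU_BANDS  # bands used to rate this row's own score


def weights_total(entity: Entity) -> float:
    """Sum of the children's Risk Weights; a completed spreadsheet totals 100%."""
    return sum(child.weight for child in entity.children)


def weighted_score(entity: Entity) -> float:
    """Final Risk Weighted Score = sum over children of numeric equivalent x Risk Weight."""
    total = weights_total(entity)
    if abs(total - 1.0) > 1e-9:
        # A missing or mis-keyed row silently deflates the score, so refuse to compute.
        raise ValueError(f"{entity.name}: risk weights total {total:.2%}, expected 100%")
    return sum(NUMERIC_EQUIVALENT[rating_of(child)] * child.weight for child in entity.children)


def rating_of(entity: Entity) -> str:
    """Parent rows are rated from their own score; leaf rows from the analyst's rating."""
    if entity.children:
        return score_to_rating(weighted_score(entity), entity.bands)
    if entity.rating not in NUMERIC_EQUIVALENT:
        raise ValueError(f"{entity.name}: rating must be LOW, MODERATE or HIGH")
    return entity.rating


def appendix_d_sample() -> Entity:
    """Constructed from the sample Appendix D: Bank 90%, one subsidiary 2%, one 8%."""
    return Entity("Corporation Name", 1.0, bands=ENTERPRISE_BANDS, children=[
        Entity("Bank Name owned by the Corporation", 0.90, rating="MODERATE"),
        Entity("Subsidiary owned by the Corporation", 0.02, rating="LOW"),
        Entity("Subsidiary owned by the Corporation", 0.08, rating="MODERATE"),
    ])


def appendix_c_summary_sample() -> Entity:
    """Constructed from the sample Appendix C summary: 60% / 15% / 25%, all MODERATE."""
    return Entity("Subsidiary owned by Bank", 1.0, children=[
        Entity("Subsidiary owned by Bank", 0.60, rating="MODERATE"),
        Entity("Company owned by subsidiary", 0.15, rating="MODERATE"),
        Entity("Company owned by subsidiary", 0.25, rating="MODERATE"),
    ])


def appendix_b_listed_rows() -> Entity:
    """Constructed from the BU rows spelled out on the sample Appendix B. They total 80%;
    the page's placeholder row ("List each BU & related product/service") carries the
    other 20%, so as keyed here the spreadsheet is incomplete and scoring must refuse."""
    rows = [("Retail Banking", "MODERATE", 0.50), ("Deposit Services", "MODERATE", 0.05),
            ("Facility Services", "LOW", 0.0025), ("Human Resources", "LOW", 0.0025),
            ("Mortgage Company", "MODERATE", 0.025), ("Loan Operations", "LOW", 0.01),
            ("Loan Review", "LOW", 0.01), ("Security Department", "MODERATE", 0.05),
            ("Treasury Management", "HIGH", 0.15)]
    return Entity("Bank Name", 1.0, children=[Entity(n, w, rating=r) for n, r, w in rows])


if __name__ == "__main__":
    corp = appendix_d_sample()
    score = weighted_score(corp)
    print(f"Enterprise score {score:.4f} -> {rating_of(corp)} (Appendix D bands)")
    print(f"Same score under Appendix B bands -> {score_to_rating(score, BU_BANDS)}")
    try:
        weighted_score(appendix_b_listed_rows())
    except ValueError as err:
        print("Rejected:", err)
```

Two points the calculation makes visible. First, the Appendix D sample scores 1.98, which is MODERATE under Appendix D's bands (LOW ends at 1.4999) but would be LOW under the bands printed on Appendices B and C (LOW ends at 1.9999); whichever banding the bank adopts should be stated once in the risk assessment and applied consistently at each level. Second, because every row contributes numeric equivalent times weight, a row left off the sheet lowers the total without any other sign of error, which is why the example refuses to score a spreadsheet whose weights do not total 100%.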

13. Mergers and Acquisitions
If the organization has participated in recent mergers or acquisitions, the enterprise wide risk
assessment should be updated to include a due diligence review of the newly acquired entity. This
section should indicate any findings that may impact implementation, integration, financial
considerations, and non-financial risk that could potentially impact the organization. Information
gathered related to client base, products and services offered, international entities/transactions, high
risk clients/entities identified, SARs and CTRs filed, information on the existing BSA Compliance
Program, etc. should also be included in the risk assessment. Based on the information gathered and
analyzed, the due diligence team should determine the initial overall BSA/AML risk of the newly
acquired entity. Anticipated integration timelines should also be recorded. As soon as possible, the risk
assessment should be updated to include all information relative to the newly acquired entity.

14. New Product Committee

In addition to the Bank having a comprehensive risk management program designed to identify,
measure, monitor and control risks related to existing products and services, the Bank should also have
clearly defined objectives, expectations and risk limitations for all new products and services. To review,
understand and approve projected risks of new products and services, the Bank's New Product
Committee process should be defined in this section. The enterprise wide risk assessment should define
the purpose of the committee and the process by which the committee will review and approve all new
or significantly expanded or modified products and services.

Not all organizations utilize a New Product Committee to review and approve new or significantly
expanded or modified products and services. If the organization does not utilize a New Product
Committee, indicate here the process the organization utilizes to identify, measure, monitor and control
risks related to new or significantly expanded or modified existing products and services.


15. Projected BSA/AML Risks
This section would include any projected strategic and regulatory BSA/AML risks identified that may
have an impact on the corporation, such as:
1. Products and services currently under consideration by the New Product Committee
2. Future mergers or acquisitions
3. Upcoming changes in regulations, e.g., FinCEN's Advanced Notice of Proposed Rule Making on
Beneficial Owners
The risk assessment should include any projected BSA/AML risks and management's plan on how to
mitigate the risks identified.

CONCLUSION: THINK ENTERPRISE WIDE
Auditing to determine the adequacy of a BSA/AML risk assessment requires significant time and
commitment. The larger and more complex the organization, the more detailed both the audit and risk
assessment process will be. Don't forget to "Think Enterprise Wide." When auditing the risk
assessment, the risks of each Business Unit are a major consideration. How the risks are interrelated
among BUs across the entire enterprise must be considered and subjected to detailed analysis. The risk
assessment process should be comprehensive, transparent and well documented. When the risk
assessment process is completed effectively, the end result will be the reliable conclusions necessary to
establish the appropriate policies, procedures, processes and systems required to develop the organization's
Enterprise Wide BSA/AML Compliance Program, which is ultimately designed to measure and minimize
risks associated with BSA/AML laws and regulations.


Appendix A
SAMPLE SPREADSHEET
Business Units BSA/AML Risk Identification and Evaluation
Of Products and Services, Inherent Risks, Mitigating Controls and Residual Risks

Business Unit Name

Column 1 - Products/Services
* List each product/service offered through BU
* List applicable BU responsibilities & duties specific to each, including how they comply with duties
such as the examples listed below:
  Number of Associates/Training
  Suspicious Activity Monitoring
  Client Services Offered
  314a Requirements
  CTR Requirements
  MIL Requirements
  Funds Transfer Requirements
  Internal Risk Assessment
  CIP Requirements

Column 2 - Inherent Risks
* List inherent risk of each product/service.
* List red flags identified.
* Indicate inherent risk rating of each product/service/red flag identified.

Column 3 - Inherent Risk Rating
* High, Moderate or Low

Column 4 - Mitigation/Controls
* List each mitigating control for each product or red flag identified for each product/service.
* List systems used for mitigation/controls.
* Indicate residual risk rating of each product/service/red flag identified.

Column 5 - Residual Risk Rating
* High, Moderate or Low risk rating after analysis of mitigating controls

Include a chart to summarize all products and services listed, to include number of clients, number of
transactions, dollar amounts, and all information that applies to each specific BU. The goal of each
spreadsheet is to define each BU, the products/services it offers, the BSA/AML responsibilities specific
to each BU and how each BU complies with its BSA/AML responsibilities, including monitoring for
suspicious activity. Each BU spreadsheet should also list every product or service offered by the BU,
including any associated red flags; identify the inherent risks associated with each risk identified, the
associated mitigating controls and the resulting residual risk. The BU, products/services and
applicable risk ratings are recorded on Appendix B.

Appendix B
SAMPLE SPREADSHEET
RISK EVALUATION OF BUSINESS UNITS/PRODUCTS AND SERVICES
Date:
BANK NAME

| BUSINESS UNIT | Inherent Risk | Intl Trans | Geo Risk | Cash Intensive | Monitoring/Mitigating Controls | Residual Risk | Business Unit Risk Rating | Final Risk Numeric Equivalent | Final Risk Weight | Final Risk Weighted Score |
|---|---|---|---|---|---|---|---|---|---|---|
| Retail Banking | High | Yes | Moderate | Yes | Adequate | High | MODERATE | 2 | 50% | 1.0000 |
| Personal Checking | High | Yes | Moderate | Yes | Adequate | High | | | | |
| Non-Personal Checking | High | Yes | Moderate | Yes | Adequate | High | | | | |
| Alternative Delivery Services | Moderate | | | | | | | | | |
| Personal Online Banking | High | No | Moderate | No | Adequate | Moderate | | | | |
| Personal Bill Pay | High | No | Moderate | No | Adequate | Moderate | | | | |
| Mobile Banking | High | No | Moderate | No | Adequate | Moderate | | | | |
| Deposit Services | High | N/A | N/A | N/A | Strong | Moderate | MODERATE | 2 | 5% | 0.1000 |
| Facility Services | Low | N/A | N/A | N/A | Adequate | Low | LOW | 1 | 0.25% | 0.0025 |
| Human Resources | Low | N/A | N/A | N/A | Strong | Low | LOW | 1 | 0.25% | 0.0025 |
| Mortgage Company | | | | | | | MODERATE | 2 | 2.5% | 0.0500 |
| ABC Mortgages | Moderate | No | Low | No | Adequate | Moderate | | | | |
| Loan Operations | Low | N/A | N/A | N/A | Strong | Low | LOW | 1 | 1% | 0.0100 |
| Loan Review | Low | N/A | N/A | N/A | Strong | Low | LOW | 1 | 1% | 0.0100 |
| Security Department | High | N/A | N/A | N/A | Strong | Moderate | MODERATE | 2 | 5% | 0.1000 |
| Treasury Management | | | | | | | HIGH | 3 | 15% | 0.4500 |
| ACH/IAT Services | High | Yes | Moderate | No | Adequate | Moderate | | | | |
| Remote Deposit Capture (RDC) | High | No | Moderate | No | Adequate | Moderate | | | | |
| Wire Transfers | High | Yes | High | No | Adequate | High | | | | |
| List each BU & related product/service | Determine applicable ratings & Final Risk Weight | | | | | | | | 20% | .295 |
| FINAL BSA/AML WEIGHTED RISK SCORES | HIGH | YES | MODERATE | YES | ADEQUATE | MODERATE | | | 100% | 2.0200 |

Bank Name FINAL BSA/AML WEIGHTED RISK SCORE: MODERATE

RISK NUMERIC EQUIVALENT
0 to 1.9999 = LOW RISK
2 to 2.9999 = MODERATE RISK
3 + = HIGH RISK

This chart represents a sample of a partial list of Business Units and their related products/services within the organization. All BUs
should be included on the chart, along with applicable ratings and the Final Risk Weight of each BU as determined after completing
appropriate analysis. The Final Risk Weighted Score can then be calculated to determine the Bank's Final BSA/AML Weighted Risk
Score, which will be recorded on Appendix D.
Appendix C
SAMPLE SPREADSHEET
CORPORATION RISK EVALUATION OF COMPANY/PRODUCTS AND SERVICES
Date:

| Business Unit | Inherent Risk | Intl Trans | Geo Risk | Cash Intensive | Monitoring/Mitigating Controls | Residual Risk | Final Risk | Final Risk Numeric Equivalent | Final Risk Weight | Final Risk Weighted Score |
|---|---|---|---|---|---|---|---|---|---|---|
| Subsidiary owned by Bank | High | Yes | High | No | Adequate | Moderate | MODERATE | 2 | 100% | 2.0000 |
| *Company owned by subsidiary | | | | | | | | | | |
| *Company owned by subsidiary | | | | | | | MODERATE | | | |

NAME OF SUBSIDIARY OWNED BY BANK
BSA/AML RISK ASSESSMENT
Summary of Quantitative Risk by Company
Date:

| Company | BSA/AML Risk Rating | Risk Numeric Equivalent | Risk Weight | Risk Weighted Score |
|---|---|---|---|---|
| Subsidiary owned by Bank | MODERATE | 2.000 | 60% | 1.200 |
| *Company owned by subsidiary | MODERATE | 2.000 | 15% | 0.300 |
| *Company owned by subsidiary | MODERATE | 2.000 | 25% | 0.500 |
| BSA/AML FINAL WEIGHTED RISK SCORE of SUBSIDIARY OWNED by BANK | MODERATE | | 100% | 2.000 |

RISK NUMERIC EQUIVALENT
0 to 1.9999 = LOW RISK
2 to 2.9999 = MODERATE RISK
3 + = HIGH RISK

Appendix D
SAMPLE SPREADSHEET
Summary of Corporation's Enterprise Wide BSA/AML Quantitative Risk

CORPORATION NAME
ENTERPRISE WIDE BSA/AML RISK ASSESSMENT
Sample Summary of Quantitative Risk by Company
Date:

| Company | BSA/AML Risk Rating | Risk Numeric Equivalent | Risk Weight | Risk Weighted Score |
|---|---|---|---|---|
| BANK NAME owned by the Corporation | MODERATE | 2.000 | 90% | 1.800 |
| Subsidiary owned by the Bank | MODERATE | | | |
| Subsidiary owned by the Bank | MODERATE | | | |
| Subsidiary owned by the Bank | MODERATE | | | |
| Company owned by the Subsidiary | LOW | | | |
| Subsidiary owned by the Corporation | LOW | 1.000 | 2% | 0.020 |
| Subsidiary owned by the Corporation | MODERATE | 2.000 | 8% | 0.160 |
| Company owned by the subsidiary | MODERATE | | | |
| Company owned by the subsidiary | MODERATE | | | |
| CORPORATION NAME ENTERPRISE WIDE BSA/AML FINAL WEIGHTED RISK SCORE | MODERATE | | 100% | 1.980 |

RISK NUMERIC EQUIVALENT
0 to 1.4999 = LOW RISK
1.5000 to 2.9999 = MODERATE RISK
3 + = HIGH RISK

This chart represents a summary of the Final BSA/AML Weighted Risk Scores of the Bank and all
Subsidiaries and Companies owned by the Corporation. Information recorded on this chart is
transferred from Appendix B & Appendix C. The Risk Weight and Risk Weighted Score of each entity
is calculated to determine the Corporation's Enterprise Wide BSA/AML Final Weighted Risk Score.

Appendix E: BSA RISK ANALYSIS
CUSTOMERS/ACCOUNTS, PRODUCTS/SERVICES AND GEOGRAPHIES

This chart primarily represents general federally defined BSA related risk categories which present heightened risk from the BSA/AML
perspective. BSA risks applicable to each bank can vary depending on the specific risk characteristics associated with each category of
risk. By identifying bank unique risk characteristics within each category, the bank can reasonably ascertain its overall general risk within
each category in order to develop a risk based and focused BSA/AML program to address and mitigate those risks.
Sources: Federally defined categories of high-risk products found in the SAR Activity Reviews, the FFIEC BSA/AML Examination Manual,
and the Treasury Department's National Money Laundering Strategy documents, etc.

Categories and the risk each category addresses:
* Customers/Accounts: Whether individuals and business customers create AML risk based on financial situation, occupation, reasons
for accounts, currency activity in accounts, etc.
* Products/Services: Whether products and services are the type most likely used by money launderers to hide and disguise
illegitimate monies.
* Geographies: Whether branch, service locations, means of service delivery and demographics create AML risk due to higher criminal
money laundering activity in the area.

Characteristics

LOW RISK

Customers/Accounts:
* 314a hits: no positive hits
* Exempt customers: none to less than 5
* Existing, stable, known, long time customers with little change
* Family/living trust deposit accounts
* High risk customers/businesses: none to few
* Non-governmental organizations and foreign charities: none to few
* OFAC hits: no positive hits
* Personal investment companies (PICS) accounts in Charleston, SC (or other designated cities/states): none to few
* Professional Service Providers (intermediaries between its client and the bank: lawyers, accountants, investment brokers and other
such third parties): none to few
* Retail banking customers (checking and savings accounts): mostly
* SARs filed on customers
* Subpoenas or summonses received from law enforcement, IRS, etc.: few
* US Resident Customers/Accounts only (no international)

Products/Services:
* Account opening: in-person only
* ACH services: none offered, or offered domestic only
* Brokered deposit accounts: not offered
* Commercial loans: domestic only
* Consumer loans: domestic only
* Electronic banking (online account opening, internal banking transactions and telephone banking): not offered
* Foreign correspondent accounts: none/not offered
* International accounts: not offered
* Internet banking: not offered
* Large currency transactions: few to limited activity
* Monetary Instruments (travelers checks, official bank checks and money orders): sold to existing customers only
* Mortgage loans
* Night deposit
* Private banking services (high net worth individuals): not offered
* Safe deposit boxes
* Savings and CDs
* Telephone transfer availability
* Trust services: none/not offered
* Website: informational, not transactional
* Wire transfers: limited and domestic only

Geographies:
* Acquisitions, branching or mergers: none recently
* Branches: few in number (1 or less)
* Deposit taking only facilities: none
* Domestic operations only (no foreign)
* HIDTAs or HIFCAs or other high risk geographies: no offices (none identified in SC)
* Market Area: narrow and defined, mostly small towns and rural
* No formal communications from OFAC indicating compliance problems
* Personnel: low turnover of key or frontline

MEDIUM RISK

Customers/Accounts:
* 314a hits: history of a few positives
* Commercial customers with minimal cash activity or foreign wires or customers
* Customer base increasing due to branching
* Domestic LLCs, LLPs
* Domestic non profit accounts
* Exempt customers: moderate number
* Growing customer base due to expanding business
* High risk customers/business (check cashers, conv. stores, non-res. aliens, foreign customer): moderate number
* International accounts: few accounts, or such accounts with unexplained cash activity
* Mail drop address on account
* Medicare supplies sales, due to Medicare fraud
* Mostly US Resident Customers/Accounts and a few international
* Movie Theaters
* New customers: moderate number
* Non resident aliens: none to few
* OFAC hits: few positive hits
* Personal investment companies (PICS) accounts: moderate number
* SARs: moderate number filed
* US resident customers assigning POA

Products/Services:
* ACH services: high domestic activity and some international
* Brokered deposit accounts: few, domestic only
* Checking and NOW accounts: domestic
* Commercial loans: international
* Consumer loans: international
* Credit cards/cash advances
* Drafting of funds from other banks
* Electronic Banking: Bank does or is beginning to offer e-banking services
* Electronic payment services offered
* Foreign correspondent: few accounts, but no payable thru accounts
* Home equity loans
* Internet banking (transactional): offered to domestic and existing customers only
* Large currency transactions: moderate to large volume or structured transactions
* Loans secured by savings/CDs
* Loans to closely held corporations
* MMDAs offered
* Monetary Instruments (travelers checks, official bank checks and money orders): sold to non customers but limited activity
* Non deposit investment products (such as insurance)
* Private banking services offered: moderate number, mostly domestic and few/no foreign customers
* Telephone delivery system for new accounts
* Trust services: moderate number offered
* Wire transfers: moderate number w/ few international

Geographies:
* Acquisitions, branching or mergers: some recent local and domestic activity
* Branches: moderate number
* Communications from OFAC include warning letters only, no OFAC violations noted
* Domestic operations only, with some in high risk geographies (no foreign)
* Market Area: broader (multiple counties, within the same state, all cities, suburbs)
* Personnel: lower turnover of key, but frontline staff in branches may have changed
* The bank is located in or conducting major business transactions in either an HIDTA or HIFCA area

HIGH RISK

Customers/Accounts:
* 314a hits: history of a large number of positives
* Accountants/Tax Preparers
* Adult book stores/massage parlors
* Antique dealers
* Art dealers: high end
* Attorneys
* Auctioneers
* Auto dealers: new and used
* Auto salvage or collision repair shops
* Auto wash
* Bail bond companies
* Bank insiders
* Barbers, hair dressers & nail salons
* Bartenders and dancers
* Boat captains
* Bowling alleys/leagues
* Brothel houses
* Cash intensive businesses (convenience, liquor stores, restaurants, truck stops)
* Casinos
* Cattle buyers
* Charitable and non-governmental organizations
* Cigarette outlets
* Cleaning services
* Commercial customers with high cash activity
* Commercial customers with international business, including foreign wires
* Coin or gold bullion dealers
* Construction companies/contractors
* Convenience stores
* Customers sending or receiving funds from any NCCT nation
* Customers with foreign business
* Customers with privately owned ATMs
* Day care centers
* Drug stores
* Embassy and Foreign Consulates
* Ethnic groceries
* Exempt customers: high number
* Flea markets
* Foreign corporation accounts with transactions
* Foreign LLCs, LLPs
* Fruit stands - generic and ethnic
* Furniture rental stores
* Gas stations
* Gun dealers
* High risk customers (check cashers, conv. stores, non-res. aliens, foreign customer): significant number
* Home Health services
* Import/export companies
* Internal accounts with unexplained cash activity: high number
* International customers/accounts/activity: substantial
* Internet companies
* Jewelry, Gem and precious metal dealer (retail and wholesale)
* Laundromats/dry cleaners
* Lawn mowing/landscaping
* Large customer base over a diverse geographic area
* Leather goods stores
* Liquor stores
* Money Service Businesses
* Motels, especially no name
* New customers: large number
* Newsstands
* Night clubs
* Non resident alien assigning POA
* Non-bank financial institution (MSBs) relationships, to include domestic and foreign currency exchanges, money transmitters,
check cashing, smart cards and e-cash
* Non-resident aliens
* OFAC hits: large number of positive hits
* Out of market customers: significant numbers
* Painters
* Pay day lenders
* Phone card sales/companies
* Plumbers
* Physicians
* Pawnbrokers, loan or finance companies
* Personal investment companies (PICS) accounts
* Pizza Parlors
* Politically exposed persons (PEPs)
* Preachers
* Real estate agents: cash sales of RE
* Restaurants: ethnic
* Retail stores
* SARs filed: large number filed
* Seafood distributors/shrimp boats
* Securities Brokers
* Self storage facilities
* Senior Foreign Political Figures
* Stock brokerage (broker dealer)
* Subpoenas or summonses: high number received from law enforcement, IRS, etc.
* Subprime lenders
* Tanning booths
* Tattoo/body piercing parlors
* Taxi cabs/cab companies
* Telemarketers
* Title companies
* Travel agencies
* Trucking companies, especially on US border
* Trucks: ice cream/hot dog, etc.
* Insurance companies serving uninsurable
* Used car dealers
* Vending machine companies
* Video gaming/poker businesses

Products/Services:
* Accounts opened through the internet, mail, wire or by phone (non branch; non face to face)
* ACH services: high domestic and/or international activity
* Brokerage Department/Operations
* Brokered deposit accounts: large number, domestic and/or international
* Business cash management accounts
* Customer directed (non discretionary) accounts such as custodial, investment advisory and revocable trusts
* Electronic banking products and services: wide array offered, including account transfers, e-bill payment or accounts opened via
internet
* Electronic cash
* Embassy Banking
* Foreign branches
* Foreign Correspondent bank relationships
* International Transportation of Currency and Monetary Instruments
* Internet banking (transactional): offered to and accessible by new and international customers
* Investment Advisory/Management
* Large Currency transactions: high volume; may include some structured transactions
* Lending activities (CD or stock secured, etc.)
* Loan guarantee schemes
* Monetary Instruments Sales: travelers checks, official bank checks and money orders, especially large numbers or amounts, or
consecutively numbered, or sold to non customers
* New products and services (assess risk early to build in controls to mitigate risks)
* Offshore activity
* Parallel Banking: foreign bank controlled by one person/entity
* Payable thru accounts: large number of foreign correspondent accounts, including payable thru
* Payroll cards offered
* Pouch services w/ foreign banks, persons or businesses
* Private Banking activities (domestic and foreign): significant activity
* PUPID (pay upon proper ID) wire transfers
* Remote deposit capture
* Special use or concentration accounts (intra-day, suspense, etc.)
* Stored value/smart cards offered
* Telephone banking with significant international accounts
* Third party payment processors
* Trade financing with unusual pricing features
* Trust Accounts: significant number, including charitable trusts and foundations (domestic and foreign)
* Trust accounts with foreign grantors or beneficiaries
* US Dollar Drafts
* Wire transfers: frequent wires from personal or business accounts to/from money laundering havens
* Wire transfers: high number of non-customer wires
* Wire Transfers: large number of international wires

Geographies:
* Acquisitions, branching or mergers: recent local/domestic and international activity
* Branches: high number
* Deposit taking facilities
* HIDTAs: Bank has branches located in High Intensity Drug Trafficking Areas
* HIFCAs: Bank has branches located in High Risk Financial Crime Areas
* Highly diverse metro areas or universities located nearby
* Large and growing deposit base in a wide and diverse geographic area
* OFAC has sent bank reprimand or penalty notification letter
* Personnel: high amount of turnover, especially in key personnel positions
* BANK OPERATING OR CUSTOMERS DOING BUSINESS IN:
  * Bank secrecy havens
  * Countries identified in FINCEN advisories
  * Countries in which production or transportation of illegal drugs may be occurring
  * Emerging countries that may be seeking hard currency investments
  * FATF Countries identified as non cooperative
  * High risk locations for sending and receiving wires
  * INSCR designated money laundering countries and jurisdictions
  * Market Area: interstate, large diverse metro areas and/or domestic and international
  * NCCTS: Non cooperative countries territories (Myanmar and Nigeria)
  * OFAC sanctioned countries, including state sponsors of terrorism
  * OFCs: Offshore Financial Centers
  * Other countries identified by the bank or FINCEN as high risk because of prior experiences, transaction history or other factors
  * Section 311 Countries
  * State Dept. identified countries supporting international terrorism, aka Patterns of Global Terrorism

APPENDIX I: RISK ASSESSMENT LINK TO THE BSA/AML COMPLIANCE PROGRAM
FFIEC Bank Secrecy Act/Anti-Money Laundering Examination Manual

APPENDIX J: QUANTITY OF RISK MATRIX
Banks and examiners may use the following matrix to formulate summary conclusions. Prior to
using this matrix, they should complete the identification and quantification steps detailed in the
BSA/AML Risk Assessment Overview section at pages 22 to 30 of the FFIEC Bank Secrecy
Act/Anti-Money Laundering Examination Manual.

Columns: Low / Moderate / High (each group below gives one risk factor at the three levels)

Low: Stable, known customer base.
Moderate: Customer base increasing due to branching, merger, or acquisition.
High: A large and growing customer base in a wide and diverse geographic area.

Low: No electronic banking (e-banking) or the Web site is informational or nontransactional.
Moderate: The bank is beginning e-banking and offers limited products and services.
High: The bank offers a wide array of e-banking products and services (i.e., account transfers, e-bill payment, or accounts opened via the Internet).

Low: On the basis of information received from the BSA-reporting database, there are few or no large currency or structured transactions.
Moderate: On the basis of information received from the BSA-reporting database, there is a moderate volume of large currency or structured transactions.
High: On the basis of information received from the BSA-reporting database, there is a significant volume of large currency or structured transactions.

Low: Identified a few higher-risk customers and businesses.
Moderate: Identified a moderate number of higher-risk customers and businesses.
High: Identified a large number of higher-risk customers and businesses.

Low: No foreign correspondent financial institution accounts. The bank does not engage in pouch activities, offer special-use accounts, or offer payable through accounts (PTA), or provide U.S. dollar draft services.
Moderate: The bank has a few foreign correspondent financial institution accounts, but typically with financial institutions with adequate AML policies and procedures from lower-risk countries, and minimal pouch activities, special-use accounts, PTAs, or U.S. dollar draft services.
High: The bank maintains a large number of foreign correspondent financial institution accounts with financial institutions with inadequate AML policies and procedures, particularly those located in higher-risk jurisdictions, or offers substantial pouch activities, special-use accounts, PTAs, or U.S. dollar draft services.

Low: The bank offers limited or no private banking services or trust and asset management products or services.
Moderate: The bank offers limited domestic private banking services or trust and asset management products or services over which the bank has investment discretion. Strategic plan may be to increase trust business.
High: The bank offers significant domestic and international private banking or trust and asset management products or services. Private banking or trust and asset management services are growing. Products offered include investment management services, and trust accounts are predominantly nondiscretionary versus where the bank has full investment discretion.

Low: Few international accounts or very low volume of currency activity in the accounts.
Moderate: Moderate level of international accounts with unexplained currency activity.
High: Large number of international accounts with unexplained currency activity.

Low: A limited number of funds transfers for customers, noncustomers, limited third-party transactions, and no foreign funds transfers.
Moderate: A moderate number of funds transfers. A few international funds transfers from personal or business accounts with typically lower-risk countries.
High: A large number of noncustomer funds transfer transactions and payable upon proper identification (PUPID) transactions. Frequent funds from personal or business accounts to or from higher-risk jurisdictions, and financial secrecy havens or jurisdictions.

Low: The bank is not located in a High Intensity Drug Trafficking Area (HIDTA) or High Intensity Financial Crime Area (HIFCA). No fund transfers or account relationships involve HIDTAs or HIFCAs.
Moderate: The bank is located in an HIDTA or an HIFCA. Bank has some fund transfers or account relationships that involve HIDTAs or HIFCAs.
High: Bank is located in an HIDTA and an HIFCA. A large number of fund transfers or account relationships involve HIDTAs or HIFCAs.

Low: No transactions with higher-risk geographic locations.
Moderate: Minimal transactions with higher-risk geographic locations.
High: Significant volume of transactions with higher-risk geographic locations.

Low: Low turnover of key personnel or frontline personnel (e.g., customer service representatives, tellers, or other branch personnel).
Moderate: Low turnover of key personnel, but frontline personnel in branches may have changed.
High: High turnover, especially in key personnel positions.

Research/References/Sources
1. http://www.businessdictionary.com
2. FFIEC Bank Secrecy Act/Anti-Money Laundering Examination Manual, http://www.ffiec.gov/bsa_aml_infobase/pages_manual/manual_online.htm
3. BSA/AML/OFAC Risk Assessment, by System Administrator, Community Bank, October 2008, http://www.encierrosolutions.com/bsaaml/bsa%20aml%20ofac%20sample%20report.pdf
4. BSA Risk Analysis Chart, by Gail Askins Cole, Compliance & Risk Management Consulting, LLC (modified chart), bankcrmconsulting.com/forms/BSA_Risk_Analysis_Chart.pdf
5. Crowe Horwath LLP, Public Accounting & Consulting Firm, Scope of BSA Secrecy Act Review of IBERIABANK, June 2013
6. An Examiner's Perspective on Understanding & Implementing BSA/AML Recommendations, by Ivy Washington
7. Is Your Institution's BSA/AML Risk Assessment Adequate?, by Adina Himes, http://www.phil.frb.org/bank-resources/publications/src-insights/2007/third-quarter/q3si1_07.cfm
8. Risky Business: Products, Persons & Places, by Phillips Gay, Profit Protection, LLC
9. IBERIABANK BSA/AML Risk Assessment, by Donna Davidek, April 2013