How To Develop A Baseline Risk Analysis
As was discussed in Part One of this series ("Developing a "risk baseline" through practical analysis"), credit unions should start the development of a baseline risk analysis by considering an institution's size and member base.
Credit unions with larger numbers of members will have more factors to consider when evaluating the potential risks associated with the base. The geographic location of branches, where members live and do business, whether operations occur in High Intensity Drug Trafficking Areas (HIDTA) or High Intensity Financial Crime Areas (HIFCA), income and educational levels, will vary by institution and are all factors that will provide input to your analysis of risk.
The FFIEC Examination Procedures guidance refers examiners to Appendix I "Risk Assessment Link to the BSA/AML Compliance Program" (See Figure 1) to ensure that a financial institution utilizes an effective risk assessment that will become the foundation for establishing internal controls and the resulting overall Risk-Based BSA Compliance Program.
One you've compiled the initial data about your member base, also look at your process for collecting data about members, the sources and reliability of data, including the information provided directly from members, and the completeness of the data. Credit union members often enjoy a more personalized experience with their institution due to a deliberately intended corporate culture policy. Many times this results in reduced information gathering during interactions between a credit union representative and a member, so as not to burden the member with what may seem to be intrusive questions about their financial activities.
While each institution needs to evaluate how it will approach this dilemma, it is often a matter of disclosing the compliance requirements of the institution as well as the effort to improve the security for the members and their finances.
Another Helpful Step
It will also be helpful to geographically orient your member data-develop an understanding of where your members live, work, carry out their financial activity and other geographical areas where they transact business. With this information you'll not only be able to get a more transparent and complete view of member profiles, but also you'll increase the likelihood of compliance with OFAC and other sanctions screening regulatory requirements.
In addition, consider the products and services being offered and the options members have for opening accounts. Since money laundering is the process of getting illicitly gained funds into the formal financial system, criminals often spread their "placement" activities among a number of differing products to avoid detection. Some products are easier to abuse than others, particularly when there are options for opening accounts online or over the phone. The opportunity for face-to-face time with a member will always reduce exposure to risk, but will have to be balanced against the multiple ways doing business offered to members.
Therefore, any additional security measures, such as multiple factor identification, that strengthen your ID Verification and Authentication programs, challenge questions and member due diligence questionnaires will help reduce risks posed by virtual "clicks versus bricks" account opening options provided to members.
Profile Groups: Within Context
A baseline risk analysis can be enhanced by looking at shared traits among credit union members in order to develop profile groups. Many technology solutions base their behavioral monitoring logic on the expected and/or historical behavior of account and/or member activity. However, an analysis of your member base will usually show that members have common traits regarding their business activities, profession, income levels, etc. Also, certain attributes of the member base may represent higher risks than others. For example, members whose business activities are largely cash based, involve international transactions and include their own currency services as Money Services Businesses (MSBs) may represent higher financial crime risk exposure. Recognizing the common aspects of credit union members will assist you in defining profile groups.
Monitoring accounts and account holders within profile groups is a more robust means of mitigating risk and identifying unusual behavior, because it adds another layer when developing the business rules that drive the development of suspicious activity alerts. Behavior is thus evaluated not only against expected and historical member behavior, but also against the expected and historical behavior of the profile group and the thresholds that pertain to the group in question. The result is improved anomaly detection, specifically called for in the new FFIEC Guidance on transaction monitoring.
Thresholds: Correct Callibration
Thresholds are really just pre-determined values (based on risk analysis results) that can be plugged into your business rules defining when to generate an alert or review. Account or account holder activity is monitored for behavior that is outside what is expected for a member or account. Extending this logic to include monitoring of behavior in reference to the member's profile group, adds greater dimension and insight to whether the financial activity is appropriate.
Setting thresholds appropriately is important and will vary based on institution, business activity and member base. Low thresholds may yield too many "hits" and a high number of false positives. Thresholds that are too high can lead to a low number of hits and thus allow potentially problematic activities to go undetected.
Robust Risk Identification
When risk management is viewed across the entire life cycle of a member relationship, it becomes ever more important to improve an institution's ability to accurately estimate the risk associated with members and their financial activities. The greatest opportunity to gather the necessary information about members comes in those infrequent face-to-face encounters, and the most opportune moments are usually at account opening and onboarding.
Effectively evaluating risk though member screening and risk scoring through a process of assessing the baseline risk factors and developing robust profile groups to facilitate opportunities for high-risk monitoring will ensure a more comprehensive Customer Identification Program and Enhanced Due Diligence (EDD) which will go a long way toward mitigating financial crime risk and ensuring smoother regulatory exams.
Joseph Bognanno is a Financial Crimes Strategist with Wolters Kluwer Financial Services, and previously held positions with the Treasury Dept., IMF and other institutions.