On Oct. 18 the OCC published a consent order requiring KeyBank to take various actions to comply with the Bank Secrecy Act.
The order's mandatory provisions make it clear that a risk assessment of the bank's products, services, customers, and geographic locations is essential to ensure compliance.
The agencies have always preached that though they cannot give detailed guidance on an appropriate anti-money-laundering system, such a system should be "risk based." But the new "Bank Secrecy Act Anti-Money Laundering Examination Manual," issued June 30, took that one step further and for the first time directed that "in formulating a risk-based BSA/laundering compliance program, management should identify the significant risks to their bank and develop a risk assessment tailored to their circumstances."
Though the requirement of a "risk assessment" is not found in any law, rule, or regulation, this has not prevented the agencies from mandating one. As this manual and a review of recent agency activities make clear, among the first things examiners will want to evaluate in the examination process will be banks' own risk-assessment process.
The manual makes it clear that the request letter examiners send before undertaking an examination "should be tailored for the specific bank's risk profile," and that examiners' scoping and planning process should be driven by a review of the bank's own process for assessing BSA and laundering risk. Examiners are directed that, for the purpose of an examination, if a bank "has not completed its own risk assessment or the risk assessment is inadequate," they must complete one for it.
In Article II of the KeyBank consent order ("Bank Secrecy Act Internal Controls") the OCC lays out extensive steps the bank must take to satisfy the risk assessments and comply with the examiner guidance.
For the necessary whole-bank risk assessment, banks should use the guidance in the manual and also review the language of the KeyBank order. That order describes what a bank should do to "ascertain the risk level inherent in its customer base" and in its "lines of business and functional areas."
The lack of an adequate assessment could be the basis of an enforcement action or criticism of internal controls; it could compel the examiners to conduct their own assessment for the bank. Banks must therefore take the agency's mandate as seriously as they must take the BSA compliance program and the customer identification program.
Hopefully, examiners will recognize good-faith efforts and give guidance if needed, rather than beat banks over the head for not having adequate "Bank Secrecy Act Internal Controls" as noted in Article II.