Set aside that annual risk assessment as soon as it is complete, or actively consult it throughout the year?
By John Hintze
Risk assessments can swallow up many hours of bank executives’ precious time. But if they result in flashing red lights about unexpected risks, then banks have probably done something wrong throughout the year.
Khouri spoke on a panel that was part of the ABA/ABA Financial Crimes Enforcement Conference. Also on the panel were Carl Francois, BSA and fraud officer at Southern First Bank, a community institution with $4 billion in assets, and Rebecca Schauer Robertson, deputy BSA officer and financial crimes manager at Blue Ridge Bank, with $3.3 billion in assets, who served as moderator.
The bankers discussed risk assessments from several angles, including the extent to which first-line employees at the bank provide input; the role of a bank’s internal audit, upper management and board of directors; and whether various risks are combined into a single assessment. The panel participants agreed that while risk assessments’ rewards may not seem to warrant the load of work they entail, they are nevertheless essential documents.
Khouri’s statement was in response to Schauer Robertson asking how frequently the two banks conduct their risk assessments and whether they actively consult the assessments throughout the year or, practically speaking, set them aside until the next annual review.
Francois noted the plain-vanilla nature of his bank, without exotic financial products or acquisitions, and that Southern First’s annual risk assessment is conducted by a third party. However, he’s the one, given the bank’s relatively small size, who gathers all the necessary information from different parts of the organization.
“I’m involved from start to finish, which helps me identify changes in this year’s responses compared to last year’s and whether there’s anything different,” Francois said. “Even though we outsource it, it still takes up a lot of my time, and it’s an important exercise.”
Ally, instead, completes the exercise fully in-house, producing a main “programmatic” annual assessment that looks at all the different business lines and their inherent risks, the control environment and finally the residual risk. The bank uses a software tool to help gather the information, provide supporting documentation and do the calculations, and it has a team member primarily focused on the task.
Khouri said he monitors the process to ensure he isn’t “spending too much time and resources just to validate the information. But in the end it’s a good exercise.” He added that Ally also performs “mini” risk assessments in the event of significant developments such as an acquisition or regulation impacting a business line.
The risk assessment exercise brings together input from first-line bank employees all the way to internal audit and the board of directors. Khouri said his team works closely with first-line bank employees who provide much of the necessary data about customers and products.
“As we continue to expand, we’ve had our own data team try to pull that information for us, so it’s less of a burden on the front line,” he said. “But much of the time we must work closely with them.”
Francois said he works with IT resources to pull the required data, and given the bank’s straightforward business model and “clean” data, relatively few first-line employees must be contacted.
Asked whether the panel participants receive feedback on their risk assessments from business management teams, Khouri said the assessment first seeks input from the risk committees of the business lines, the first line of defense. Then the results are presented to the corporate AML oversight committee, where they are escalated up the chain. A summary goes to a compliance-risk-management committee, then up to the board once a year.
Francois meets monthly with “operational directors” to discuss any potential risks that may require a mitigation plan and may be incorporated in the annual risk assessment. “It’s good to have the opportunity to present it to them, on the chance anything there needs to be addressed,” he said, adding that the bank’s CEO and president sit in on those meetings.
In terms of his bank’s board, Francois said, members get the full risk-assessment report but they typically scrutinize a heat map summary and ask questions about red issues they may be unfamiliar with.
“It’s a good thing if there’s nothing that scares folks,” he said. “In reality, you want it to be boring.”
Khouri agreed, noting his team’s heat map at the top level of the organization, where each line of business is rated for its inherent risk, control environment and residual risk. In addition, one page is devoted to AML and another to the Office of Foreign Assets Control. Each notes whether there are year-over-year changes to the overall risk score. Then there’s a page for each line of business to explain in more detail any concerns. All the supporting documentation can be accessed through the risk-assessment software tool.
“We don’t believe the final report should be extensive. All these pages are combined in one deck that goes up through the chain of management for review,” Khouri said.
Both bankers said their institutions combine BSA, including AML and OFAC, in one risk assessment rather than separating them.
“In a community bank, I’m the BSA and OFAC officer, and a lot of those data points go together,” Francois said. “It creates efficiencies to just do it all at one time.”
Khouri said Ally’s compliance tool assesses AML separately from OFAC and displays the information in separate dashboards. But they are combined into one risk assessment. Both banks approach fraud separately from their BSA/AML risk assessments.
Francois noted that Southern First Bank’s fraud-related suspicious activity reports exceed those for AML, and that fraud is among the eight national AML/combating-the-financing-of-terrorists (CFT) priorities that the Financial Crimes Enforcement Network first announced in June 2021, indicating that a fraud risk assessment is important.
“It’s something we’re going to do in 2024, but we haven’t decided yet whether to do it in-house or partner with someone to map it out,” Francois said.
Asked whether their institutions have incorporated these priorities into their risk assessments, both bankers said they have considered them but are waiting for guidance before making significant risk-assessment changes.
“I was asked the same question by my FDIC examiner about a month ago, and when I said I’m waiting on more guidance, he responded, ‘That’s fine; I’m not going to put the cart before the horse,’” Francois said.
John Hintze frequently writes for the ABA Banking Journal.