Scrutiny of Bank Secrecy Act compliance at financial institutions everywhere is surging. Fines and enforcement orders are all over the headlines. Regulators, as well as board members, want to know that banks and credit unions have taken a good look at what their exposure is, and have a solid plan in place to address those risks. What are the elements of a solid BSA Risk Assessment?
The task of conducting and documenting a BSA Risk Assessment can seem daunting. Sometimes, financial institutions will try to get by with something general and vague that could apply to almost any financial institution. But what inquiring examiners and board members really want to know is that the financial institution has gone through a thought process that is logical for its own set of products and services, as well as the market where it is located.
We find that the well-executed BSA Risk Assessments seem to go through some form of the following five steps.

Risk Categories

First, they take some time to identify their risk categories. A good framework for this process can be found on the FFIEC’s website. It has a section devoted to the identification of specific risk categories. These include:

  • Products and services, such as the types of electronic funds payment services or foreign correspondent accounts.
  • Customers and entities, such as foreign financial institutions and cash-intensive businesses.
  • Geographic locations, such as doing business in high intensity drug trafficking areas or with customers or members who do business in countries subject to OFAC sanctions.

Second Step

The second step is to delve deeper into the risk categories identified in step one. We find that this second step is the one most often left out, since it requires further analysis.
They say a picture is worth a thousand words. Here’s your opportunity to provide a detailed picture of your risk. For example, don’t just say that the financial institution sends out 100 international funds transfers per day. Dig a little deeper to find out if 90 of those 100 transfers are recurring, well-documented transactions for long-term customers. That’s a much different risk than if 90 of those 100 transfers were non-recurring or for non-customers or non-members.

Risk Rate

The third step is to risk rate each of the areas identified in step one. Not all risks are created equal, so it makes sense to identify those that are higher priority so that they get the resources they need to be adequately mitigated.

Narrative

The fourth step is providing the narrative guidance. The narrative is a key part of the risk assessment. It doesn’t have to be long, but it needs to show that the financial institution understands what the figures from step two mean. The FFIEC BSA/AML Examination Manual states that “[t]he risk assessment should provide a comprehensive analysis of the BSA/AML risks in a concise and organized presentation… as such, it is a sound practice that the risk assessment be reduced to writing.”
The narrative should provide justification behind why that specific risk area was rated as low, moderate or high.

Mitigation Efforts

The fifth and final step is to identify the steps the financial institution is taking to mitigate those risks. Not all risks require mitigation efforts, but most areas will warrant at least some degree of attention, especially those designated moderate or high risk.
While no two BSA risk assessments will be the same, our experience is that those that follow these general steps not only hold up better in an examination, they also help the financial institution make sure it is allocating its resources in a way that makes sense for its own unique set of circumstances.

Ken Agle, President of AdvisX, our sister company, brings more than 25 years of experience covering almost all facets of financial institution risk management operations. He has conducted more than 350 compliance reviews and has assisted more than 200 financial institutions throughout the United States. He has developed and implemented systems and training programs on all phases of banking risk management, including, but not limited to, BSA/AML, fair lending, loan review, HMDA, CRA, operational compliance, TILA, and RESPA. He has written numerous regulatory responses and appeals and has been instrumental in assisting institutions with challenging circumstances while facing regulatory enforcement orders. He has partnered with McGladrey & Pullen, RSMI, Promontory, Sheshunoff and other multi-region firms to provide support services to financial institutions. Mr. Agle specializes in strategic regulatory response and in developing and implementing both proactive and reactive tools and systems to preempt and resolve issues affecting today’s financial institution. For more information on BSA/AML services, contact Ken Agle.