2015 Bank AML Compliance Survey - The Anti

BSA/AML/OFAC Risk Assessments
Presented to: AMLA Florida Chapter
Ivan A. Garces, CPA, CFE, CFF, CAMS
Jason Chorlins, CPA, CFE, CAMS, CITP
BSA/AML/OFAC Risk Assessments
A robust risk assessment will help your bank to promptly and accurately identify risks and apply appropriate controls
to mitigate risk or identify unacceptable risks to avoid.
Risk considerations: Customers; Products & services; Geographic locations

Process (diagram): Identify BSA/AML/OFAC Risks; Analyze BSA/AML/OFAC Risk: determine inherent risk (qualitative & quantitative analysis); Evaluate Residual Risk; Report; Continuous Monitoring; Program Enhancements

- Identify potential events that might impact BSA/AML & OFAC objectives
- Employ a combination of qualitative and quantitative risk assessment methodologies
- Identify and assess mitigating controls
- Assess risk from two perspectives:
  - Likelihood
  - Impact
- Communicate risk assessment results
- Use risk assessment to drive policy, procedures, controls and testing
The Board of Directors and management set the risk appetite and are responsible for creating a culture of
compliance to ensure staff adherence to the bank's BSA/AML/OFAC Program.
Problems/Issues Observed
Problems and issues observed in risk assessments and their methodologies:
- Does not capture risk across all areas of the financial institution
- Data completeness and integrity
- Deficient documentation and/or lack of well-defined methodology
- Evaluation of mitigating controls
- Risk assessment is inconsistent with strategic vision of the financial institution
- Insufficient analysis of BSA/AML/OFAC infrastructure requirements and scalability
Mitigating Controls
- Mitigating: Policies and procedures appear to adequately mitigate identified BSA/AML/OFAC risk and are consistent with statutory and regulatory standards without significant deviations or exceptions.
- Moderately mitigating: Policies and procedures appear to mitigate identified BSA/AML/OFAC risk and are consistent with statutory and regulatory standards but recommendations are suggested to enhance policies, procedures and processes.
- Deficient: Policies and procedures appear to be insufficient to mitigate identified BSA/AML/OFAC risks and are not consistent with statutory and regulatory standards.

Control areas: Governance & Infrastructure; Policies & Procedures; Customer Risk Rating Process; CIP/CDD/EDD; Monitoring & Surveillance; Investigation, Escalation & Reporting; Recordkeeping; Training; Independent Testing

Control Considerations
- Compliance tone
- BSA Compliance Officer’s authority to adequately administer program
- Adequate reporting lines
- Policies are BOD approved
- Expand across the Bank’s business lines
- High risk customers identified
- Customers adequately risk rated
- Level of monitoring & account surveillance
- Leverages CDD/EDD
- Investigations well documented
- SAR/No-SAR decisions well supported
- Staff is qualified, experienced and well trained
- Regular testing is performed
- Management resolves findings timely
Best Practices
- Interview business line leaders & consider enterprise wide BSA/AML/OFAC risks
- Discuss strategic vision and possible new product deployments, customer focus, and geographic footprint
- Evaluate MIS systems that support the BSA/AML/OFAC program
- Review ROEs, audit reports, & regulatory correspondence
- Policies and procedures (GAP Analysis)
- Compile customer & transaction database and identify risk concentrations
- Trending from year to year
Best Practices (continued)
- Reporting statistics: SARs and CTRs
- Evaluate efficacy of flags and alerts
- Consideration of current regulatory actions
- BSA/AML/OFAC risk assessment is aligned with enterprise risk management program
- Stress-testing BSA/AML/OFAC program
- Share risk assessment with business line leaders and with training coordinator
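Stress Testing of BSA/AML/OFAC Resources

2013

| Description | OFAC Alerts | Alerts per AML Unit | Cases per AML Unit | High Risk Reviews | CTRs | KYC Reviews |
|---|---|---|---|---|---|---|
| Actual Numbers | 24,948 | 15,926 | 6,620 | 2,556 | 12,536 | 33,402 |
| Number of BSA/AML Personnel | 2.50 | 13.00 | 13.00 | 6.00 | 1.50 | 9.00 |
| Per BSA/AML Personnel | 9,979.20 | 1,225.08 | 509.23 | 426.00 | 8,357.33 | 3,711.33 |
| Per BSA/AML Personnel/Month | 831.60 | 102.09 | 42.44 | 35.50 | 696.44 | 309.28 |
| Per BSA/AML Personnel/Day | 37.80 | 4.64 | 1.93 | 1.61 | 31.66 | 14.06 |
| Avg Alert/Case per Hour/Person | 4.73 | 0.58 | 0.24 | 0.20 | 3.96 | 1.76 |

2014

| Description | OFAC Alerts | Alerts per AML Unit | Cases per AML Unit | High Risk Reviews | CTRs | KYC Reviews |
|---|---|---|---|---|---|---|
| Actual Numbers | 26,983 | 17,433 | 8,382 | 2,468 | 12,702 | 29,671 |
| Number of BSA/AML Personnel | 2.50 | 18.00 | 18.00 | 6.00 | 1.50 | 9.00 |
| Per BSA/AML Personnel | 10,793.20 | 968.50 | 465.67 | 411.33 | 8,468.00 | 3,296.78 |
| Per BSA/AML Personnel/Month | 899.43 | 80.71 | 38.81 | 34.28 | 705.67 | 274.73 |
| Per BSA/AML Personnel/Day | 40.88 | 3.67 | 1.76 | 1.56 | 32.08 | 12.49 |
| Avg Alert/Case per Hour/Person | 5.11 | 0.46 | 0.22 | 0.19 | 4.01 | 1.56 |

10% Decrease from 2014

| Description | OFAC Alerts | Alerts per AML Unit | Cases per AML Unit | High Risk Reviews | CTRs | KYC Reviews |
|---|---|---|---|---|---|---|
| Estimated Numbers based on an Increase/Decrease | 27,443 | 15,690 | 7,544 | 2,221 | 11,432 | 26,704 |
| Min 2013/2014 per Hour/Person | 4.73 | 0.46 | 0.22 | 0.20 | 3.96 | 1.56 |
| Max 2013/2014 per Hour/Person | 5.11 | 0.58 | 0.24 | 0.19 | 4.01 | 1.76 |
| Avg 2013/2014 per Hour/Person | 4.92 | 0.52 | 0.23 | 0.20 | 3.98 | 1.66 |
| Est. Number of BSA/AML Personnel (@ Min 2013/2014) | 2.75 | 16.20 | 16.20 | 5.21 | 1.37 | 8.10 |
| Est. Number of BSA/AML Personnel (@ Max 2013/2014) | 2.54 | 12.81 | 14.81 | 5.40 | 1.35 | 7.20 |
| Est. Number of BSA/AML Personnel (@ Avg 2013/2014) | 2.64 | 14.31 | 15.48 | 5.31 | 1.36 | 7.62 |

10% Increase from 2014

| Description | OFAC Alerts | Alerts per AML Unit | Cases per AML Unit | High Risk Reviews | CTRs | KYC Reviews |
|---|---|---|---|---|---|---|
| Estimated Numbers based on an Increase/Decrease | 22,453 | 19,176 | 9,220 | 2,715 | 13,972 | 32,638 |
| Min 2013/2014 per Hour/Person | 4.73 | 0.46 | 0.22 | 0.20 | 3.96 | 1.56 |
| Max 2013/2014 per Hour/Person | 5.11 | 0.58 | 0.24 | 0.19 | 4.01 | 1.76 |
| Avg 2013/2014 per Hour/Person | 4.92 | 0.52 | 0.23 | 0.20 | 3.98 | 1.66 |
| Est. Number of BSA/AML Personnel (@ Min 2013/2014) | 2.25 | 19.80 | 19.80 | 6.37 | 1.67 | 9.90 |
| Est. Number of BSA/AML Personnel (@ Max 2013/2014) | 2.08 | 15.65 | 18.11 | 6.60 | 1.65 | 8.79 |
| Est. Number of BSA/AML Personnel (@ Avg 2013/2014) | 2.16 | 17.48 | 18.92 | 6.48 | 1.66 | 9.31 |

Estimated Impact on Head Count: 10% Decrease from 2013

| Estimated Impact on Head Count | OFAC Alerts | AML Unit (Alerts) | AML Unit (Cases) | High Risk Unit | CTRs | KYC Reviews |
|---|---|---|---|---|---|---|
| @ Minimum | 0.25 | (1.80) | (1.80) | (0.79) | (0.13) | (0.90) |
| @ Maximum | 0.04 | (5.19) | (3.19) | (0.60) | (0.15) | (1.80) |
| @ Average | 0.14 | (3.69) | (2.52) | (0.69) | (0.14) | (1.38) |

Estimated Impact on Head Count: 10% Increase from 2013

| Estimated Impact on Head Count | OFAC Alerts | AML Unit (Alerts) | AML Unit (Cases) | High Risk Unit | CTRs | KYC Reviews |
|---|---|---|---|---|---|---|
| @ Minimum | (0.25) | 1.80 | 1.80 | 0.37 | 0.17 | 0.90 |
| @ Maximum | (0.42) | (2.35) | 0.11 | 0.60 | 0.15 | (0.21) |
| @ Average | (0.34) | (0.52) | 0.92 | 0.48 | 0.16 | 0.31 |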
Common threads
- Data and analytical gaps
- Lack of consistent and well defined approach to risk assessment
- Inadequate assessment of mitigating controls
- Controls lag direction of risk
Political Constraints
- BOD, senior management and business line buy-in
- Budgeting and allocation of resources
- BSA/AML/OFAC risks are not compromised by revenue interests
- Breaking down silos
Questions?
01/2014
Ivan Garces joined Kaufman Rossin in 2006 after 10 years with a Big Four Firm. He focuses
his practice on providing investigative and forensic accounting services specializing in
internal corporate investigations, money laundering and regulatory compliance matters.
Ivan has extensive experience in anti-money laundering, USA PATRIOT Act, Bank Secrecy
Act, Office of Foreign Assets Control (OFAC), Foreign Corrupt Practices Act (FCPA) and
internal corporate investigations and compliance matters. He is an adjunct professor for
FIU's Master of Accounting Program where he teaches a graduate level class in forensic
accounting.
Ivan has advised a wide range of financial institutions from small privately owned banks to
large multinational institutions in the United States, Mexico, Central America, South
America and the Caribbean.
Ivan A. Garces, CPA, CFE, CFF, CAMS
Risk Advisory Services, Principal
Banking Practice Leader
Kaufman|Rossin
2699 South Bayshore Drive
Miami, Florida 33133
igarces@kaufmanrossin.com
(305) 646-6054
He is a Certified Public Accountant in Florida, Certified Fraud Examiner and Certified Anti-Money Laundering Specialist. Ivan is the President of the South Florida Chapter of the
Association of Certified Fraud Examiners and member of the American Institute of Certified
Public Accountants, Florida Institute of Certified Public Accountants, Association of Certified
Anti-Money Laundering Specialists and Cuban-American CPA Association.
Ivan earned a Bachelor's degree in Accounting and a Master's degree in Taxation from
Florida International University.
Jason Chorlins joined Kaufman Rossin in 2006 and is a member of our Risk Advisory
Services consulting practice. He participates in forensic and financial service investigative
engagements specializing in money laundering, internal corporate investigations, due
diligence and regulatory compliance matters.
Jason has participated in several anti-money laundering (AML) and Bank Secrecy Act (BSA)
consulting engagements, assisting banks with Know-Your-Customer file remediation, risk
assessments, and transaction analysis look-backs. He has also performed data and model
system validations for account and transaction surveillance systems for several financial
institutions.
Jason Chorlins, CPA, CFE, CAMS, CITP
Risk Advisory Services, Manager
Kaufman|Rossin
2699 South Bayshore Drive
Miami, Florida 33133
jchorlins@kaufmanrossin.com
(305) 857-6744
He is a Certified Public Accountant in Florida and Missouri, Certified Fraud Examiner,
Certified Anti-Money Laundering Specialist and Certified Information Technology
Professional. He is a member of the American Institute of Certified Public Accountants
(AICPA), Florida Institute of Certified Public Accountants (FICPA), Association of Certified
Fraud Examiners (ACFE), Association of Certified Anti-Money Laundering Specialists
(ACAMS) and Institute of Internal Auditors (IIA).
Jason earned a BSBA and Master’s degree in Accounting and a Certificate in Information
Systems from the University of Missouri-Columbia. In addition, he is a professor for the
Accounting Program for the University of Missouri-Columbia and serves as the President-Elect for the Board of Trustees of the FICPA Educational Foundation, a non-profit
organization.