Financial Institutions and Banking

How To Assess and Deal With BSA/AML Risks

Over the past few years, many people have turned to electronic banking (e-banking), whether for individual or business purposes. While e-banking may be convenient, it also may increase the possibility of hidden criminal behavior. In addition, compliance with Bank Secrecy Act/Anti-Money Laundering (BSA/AML) laws and regulations is increasingly scrutinized by banking regulators. This puts banks in the middle of a potentially difficult — even dangerous — situation, unless they develop strategies to both assess and handle any related risks.

Get with the program

To help combat money laundering and terrorist financing, banks must develop and implement comprehensive BSA/AML programs. These programs ensure banks know their customers, monitor transactions, identify suspicious activity, and share information with the government and other financial institutions.

Federal regulators emphasize a risk-based approach to BSA/AML compliance. In other words, a bank is expected to conduct a thorough risk assessment and develop policies, procedures and processes that are adequate for its size, location, customer base, products and services.

Determine the impact

E-banking — including online account opening, ATM transactions, Internet banking transactions, remote deposit capture (RDC), telephone banking and mobile banking apps — can increase a bank’s BSA/AML risks. The lack of face-to-face contact in e-banking transactions introduces a heightened level of risk to institutions by making them vulnerable to unauthorized users accessing customer accounts. As your bank introduces new e-banking products and services, it’s imperative to evaluate their impact on your BSA/AML program.

For example, online account opening without face-to-face contact may heighten your risk because:

  • Verifying the customer’s identity is more difficult,
  • The customer may be outside the bank’s targeted geographic area,
  • The customer may perceive these transactions as less transparent, and
  • A front company or unknown third party may use the account.

To mitigate these risks, banks should ensure that their BSA/AML monitoring, identification and reporting systems are properly equipped to flag unusual and suspicious activities conducted electronically. Useful tools include ATM activity reports, funds-transfer reports, new-account-activity reports and change-of-Internet-address reports. Reports that identify related or linked accounts are particularly effective in an e-banking context. These reports reveal accounts with common addresses, phone numbers, email addresses and taxpayer identification numbers.

Additional risk-mitigating controls may include limiting 1) the types and sizes of transactions that can be conducted through e-banking platforms, 2) the volume and frequency of online-initiated transactions, if allowed, and 3) the availability of online accounts, so that they’re offered only to established customers. Banks also need to develop effective and reliable methods for authenticating customers’ identities when they open accounts online (such as “out of wallet” questions that only that person can answer).

Reduce RDC risks

While RDC provides obvious benefits to customers, it exposes banks to money laundering, fraud and information security risks. For example, fraudulent, sequentially numbered or physically altered checks may be harder to detect when they’re submitted via RDC. Plus, it’s difficult for banks to control or locate RDC equipment, particularly when foreign correspondents and foreign money service businesses increasingly rely on RDC.

Inadequate controls can result in altered deposit data, duplicate deposits and other problems. Also, customers or service providers typically retain original checks or other deposit items, which may create recordkeeping, data safety and integrity issues.

Potential risk mitigation steps include:

  • Performing a comprehensive RDC risk assessment before implementation,
  • Conducting appropriate customer due diligence and enhanced due diligence,
  • Establishing risk-based parameters for RDC customer suitability, such as lists of acceptable industries and standardized underwriting criteria,
  • Comparing an RDC customer’s expected account activity to actual activity,
  • Establishing RDC transaction limits, and
  • Ensuring that RDC customers receive adequate training.

Contracts should clearly set out the relative roles, responsibilities and liabilities of the bank and its customers with respect to RDC transactions. This includes procedures for handling and disposing of original documents.

Being vigilant

Make sure your bank remains watchful for ongoing BSA/AML issues and other potential risks resulting from e-banking. There’s no going back — e-banking is here to stay. The best strategy is to ensure your bank remains fully compliant, with all appropriate processes and procedures in place.

© 2023
