News and Resources

BuckleySandler FinCrimes Webinar: Conducting a Financial Crimes Risk Assessment

  • July 24, 2014
  • 12:00 PM ET

BuckleySandler hosted a webinar, "Conducting a Financial Crimes Risk Assessment", on July 24, 2014, as part of our ongoing FinCrimes Webinar Series. Panelists included Sterling Daines, Managing Director at Goldman Sachs, and Miriam Ratkovicova, Senior Manager at Deloitte Transactions and Business Analytics LLP. The following is a summary of the guided conversation moderated by Jamie Parkinson, partner at BuckleySandler, and key take-aways you can implement in your company.

Best Practice Tips and Take-Aways

  1. The AML Office is the nerve center of the financial institution. Regulators will assume and hold the AML Officer accountable for knowing about financial crimes risks and violations.
  2. When conducting a risk assessment, focus on what you need to learn and what you don’t already know, not just documenting what you do know.
  3. Review regulators’ guidance (e.g., FFIEC BSA/AML Examination Manual and recent enforcement actions) to identify what they expect to see in your risk assessment.
  4. Companies not currently performing a risk assessment across the business should consider doing so. If an enterprise-wide risk assessment already exists, it should be reviewed on a regular basis to identify new risks associated with new products, new policies, new customer base, or changes in the business.

Risk Assessment Requirements

The panelists began the session by reviewing the regulatory requirements and regimes relating to risk assessments, including those of prudential regulators such as the OCC and Federal Reserve, as well as the FFIEC. Panelists observed that examination manuals provide particularly helpful insights for companies seeking to determine what respective regulators are expecting to see in an adequate risk assessment.

While there is no specific regulatory mandate to conduct a risk assessment, both panelists emphasized that it has become a de facto expectation that companies engaged in financial services or at risk of being used for financial crimes will perform a risk assessment of their business—regardless of the regulatory requirements for conducting one.  Companies not currently performing risk assessments should strongly consider doing so in order to adequately address the company’s risk profile.  Additionally, panelists emphasized that even companies with existing risk assessments should continue to review and revise on a regular basis to address changes in business and ever increasing regulatory expectations. 

Risk Assessment Approaches

The panelists noted that there are many effective methods and formats for performing a risk assessment, but typically any approach should include both qualitative and quantitative assessments following certain sequences: 

  • An assessment of the company’s inherent risks;
  • An assessment of the mitigating controls already in place to minimize inherent risks; and
  • An assessment of residual risks that may not be adequately addressed by mitigating controls. 

The panelists suggested that risk assessments be performed following a consistent approach on an enterprise-wide basis. Increasingly, regulators expect that various business lines within a company should be aware of, and involved with, assessing the controls that may impact their own inherent risk, even if those controls are ‘owned’ by another unit or division within the company (e.g., a central alert investigation unit), given that any deficiencies in those controls will impact the residual risk of the given business line.

Later on, the panelists discussed the various pros and cons associated with a combined financial crime risk assessment approach as opposed to implementing a discipline-specific risk assessment – i.e. one focused exclusively on AML risks, or exclusively on sanctions/OFAC risks. This overarching financial crimes approach was noted to be an especially significant emphasis for companies in Europe, where regulators have been focusing on the interconnectivity of company business models more heavily than their American counterparts. However, this all-inclusive approach may be beneficial for any company when conducting a risk assessment because a holistic approach will be more likely to adequately assess interconnected financial crime risk areas.  In this regard, the panelists agreed that the AML Office or program is the nerve center across the financial institution and regulators will look to the AML function for all financial crimes-related data and control, believing that the AML Office should be aware of all possible financial crime risks to which the organization may be exposed.

Successful Risk Assessments

Panelists concluded by suggesting that companies establish realistic and reasonable frameworks for conducting risk assessments. Doing so will help them in creating a risk assessment that can be fully utilized and effective in mitigating risks. Additionally, a reasonable framework allows approaches, assumptions, and considerations involved with each risk assessment to be adequately documented for review by internal audit and regulatory bodies. They cautioned that sometimes the process turns into a “writing exercise” and that instead, to be effective, it should be a “thinking exercise.”  If successful, a risk assessment accomplishes the following:

  1. Did it identify risks or a break-down in controls that you didn’t know about before?
  2. What did we learn that was new?
  3. Do we now know exactly how transactions flow, what products are and how they pose risk, how customers interact with the products, and so forth.


Contact Jamie Parkinson with any further questions.