Risk assessment is the cornerstone of the BSA program development. Since all activities in the lifecycle of the BSA process flow from the risk assessment, it is something that can make all the difference in the success of your BSA program. Clear identification of the inherent risks, mitigating controls and residual risks is the foundation of building a program that will pass regulatory scrutiny.
As a practitioner who has been responsible for risk assessments and also worked through cease and desist orders, I have seen that it is a step that is very different from financial institution to financial institution. Unfortunately, there are no set standards for the industry. Granted, there is no one-size-fits-all approach, but there is an amazing lack of industry standards in the risk assessment process.
Recently, I heard from the regulatory examiners from OCC, FDIC, NYDFS, and Federal Reserve about the most common deficiencies in examinations. All of them cited risk assessments as the top issue in regulatory exams. Inadequate risk assessments were, across the board, the number one deficiency.
A company called RegSmart, www.beregsmart.com, has released a program that standardizes and automates the BSA/OFAC risk assessment process. I really wish I would have had access to such a tool when I was a BSA Officer.
When I was a BSA Officer at a large community bank, I engaged four team members full time to focus on the risk assessment process. This was a continual cycle and it was only part of the equation. We also created multiple board and committee reports that utilized similar data that I had to manage as the BSA Officer. I engaged a person for three days per month to create these reports.
The Initial Questions
All of this made me wonder how much we actually spend on risk assessments. I sent out a survey to BSA Officers to get their perspective on this question. I thought it would be a worthwhile exercise to start to quantify exactly how much we are spending. I asked four simple, yet important questions:
- What is the asset size of the bank?
- How many resources do you use to support the risk assessment process?
- How much time do you spend on the process?
- How much do you spend on outside firms or consultants?
Observations and Answers
The answers that I received were surprising, even though I knew this was a critical and expensive process. I was surprised that, in practice, banks are spending more than I anticipated. The answers, of course, varied based on asset size and institutional complexity. Among the smaller banks, institutions under $1 billion in assets indicated that, on average, four to six FTEs committed anywhere from four to eight weeks to preparing and updating the risk assessment documentation. In speaking with some of these banks, I learned that the majority of that time is spent updating the data and narratives. What was not typically included were the monthly and quarterly board reports and updates that are performed as part of the duties of the BSA personnel. Based on the industry average wage (national) for small financial institutions of $51,206, according to Glassdoor.com and Salary.com, the cost to small financial institutions for internal resources would average $23,632 annually for updating the risk assessment. Smaller (Tier 3) financial institutions were also far less likely to utilize outside consultants for the risk assessment process.
Mid-tier and top tier financial institutions were more likely to use both internal and external resources for their risk assessments. Institutions in the $1-$50 billion asset size tend to spend more on external resources but utilize internal resources as well. Those internal resources typically support the internal process AND the external consultants and audits. The risk assessment process for the mid-tier banks typically encompasses many more lines of business and diverse product sets than Tier 3s. Average timelines for preparation of the annual risk assessment in the mid-tier are six to ten weeks. Those timelines are largely dependent on the complexity of the institution’s risk and portfolio but typically four to six analysts are engaged for that time period. At an average rate of $55,540, the internal resource spend is up to $64,084 annually. Again, this cost assessment is exclusive of board reports and ongoing metrics preparation.
Tier 1 financial institutions obviously have the most complex risk models and exposure, and given their size and complexity, it is no surprise that the number of internal resources and time invested in the risk assessment process is considerably higher. According to the surveys received, banks above $100 billion in assets utilize larger teams of analysts to collect and compile the annual risk assessment. In addition, external resource spending was much higher in Tier 1s.
On average, the larger banks utilized teams of 10-15 resources, but the work was concentrated over a shorter period of time. The risk assessment process seemed to be an ongoing event at many larger financial institutions instead of just an annual event. The average salary is just over $57,000, and the timelines are the shortest at just two to four weeks. These annual sprints are exclusive of the ongoing processes and systems, data warehouse and analytics, and data management that large institutions are likely to have in place. These numbers are focused solely on the BSA analysts that support the risk assessment process. Board reports, BI Analysts or DW Analysts and other support mechanisms are all costs of supporting the process and are not included in these cost numbers. Given the investment of time and resources in BSA, the average spend in the large institutions is estimated at $66,144.
In the grand scheme of things, the costs for the AML staff in risk assessment do not seem egregious. However, since risk assessments seem to be a problem point from the perspective of the regulators, what is the solution to making sure our risk assessments are on point? Are we not spending enough money? Are the processes and data analysis too manual? Is it the data itself? Is there an inconsistency? A lack of clear definition? The realistic answer is that a combination of all these factors is part of the solution.
I would love to explore more of these questions and answers with you as we dive deeper into this area. As always, please contact me with questions, comments, thoughts or any kind of input. Maybe by exploring the problem, we can identify long-term solutions.
Next Installment: External Resource Cost Analysis
About the Author
Debra Geister is Manager and CEO of Section 2 Financial Intelligence Solutions. Section 2 (S2) focuses exclusively on the tracking and documentation of the “hybrid threat.” She and her team are passionate about education and detection of transnational criminal organizations in our financial systems. Previously, she was Managing Director for AML Advisory Services at Matrix International Financial Services. Geister has 15 years of experience in leadership roles in banking compliance. She worked at US Bank as a VP of Risk and Compliance and spent three years at Meta Bank as Senior Vice President, leading the combined Fraud and Bank Secrecy Act (BSA) Unit.
About RegSmart
RegSmart offers the best-in-class automated BSA/AML risk assessment. Supported by subject matter experts, RegSmart collects data with intuitive wizards and stores that data for regulatory compliance and change management. RegSmart delivers complete, plain language reports with actionable intelligence. Please visit us at www.beregsmart.com.