Skip to content
Compliance & Risk

U.S. AML reform efforts should seek ‘flexibility’ in bank risk assessment process, say experts

Brett Wolf  Regulatory Intelligence

Brett Wolf  Regulatory Intelligence

As the U.S. Treasury Department's Financial Crimes Enforcement Network (FinCEN) works to amend Bank Secrecy Act (BSA) regulations, compliance officers at financial institutions hope the bureau and other contributing regulators focus on clarifying risk assessment requirements and maximizing their flexibility, experts said during a recent webinar hosted by anti-money laundering (AML) consulting firm AML RightSource.

As the U.S. Treasury Department’s Financial Crimes Enforcement Network (FinCEN) works to amend Bank Secrecy Act (BSA) regulations, compliance officers at financial institutions hope the bureau and other contributing regulators focus on clarifying risk assessment requirements and maximizing their flexibility, experts said during a recent webinar hosted by anti-money laundering (AML) consulting firm AML RightSource.

Like FinCEN’s USA PATRIOT Act regulations and the more recent customer due diligence rule, the prospect of a detailed risk assessment regulation is “a little daunting to try to figure out,” said Jack Oskvarek, BSA compliance executive with Wintrust Financial. “I think the effort by FinCEN is good, but it raises lot of questions.”

FinCEN in September issued a so-called Advance Notice of Proposed Rule Making that was years in the making, reflected concerns long-expressed by compliance professionals during public events, and provided a written framework for possible reforms to BSA regulations that dictate financial institutions’ AML obligations. Addressing the risk assessment process was one of FinCEN’s priorities.


The complexity of risk assessments varies considerably between community banks, midsize banks, and larger institutions.


The Treasury bureau’s director has publicly stated that the notice was intended as a “conversation starter” aimed at launching a formal dialogue with financial institutions and other stakeholders.

One issue raised was whether to explicitly require financial institutions conduct a risk assessment — something that is now only implicitly mandated as part of a required risk-based approach. The notice also envisions that FinCEN would annually issue a list of AML priorities in collaboration with law enforcement and regulatory partners, providing a tool to help banks hone their risk assessments.

The notice, whose comment period ended in mid-November, was a good opportunity for banks to respond to FinCEN’s proposals and give feedback, Oskvarek explained. “That’s important,” he added. “They did ask a lot of questions and there is always that worry about not going too far. But it’s nice that hopefully [amended requirements] would have added clarity, but with enough flexibility. You don’t want to have this so prescriptive that we are limited in how we can approach and analyze our risk-based approach, because it’s all about risk-based (principles).

“We want the process to be something that complements our program and evaluating our risk profile and control environment, so I think there’s a lot of value to it, but it needs to go through some fine tuning.”

Under a new administration

Once FinCEN has reviewed public comments, the next step in the Treasury bureau’s AML reform push would be to issue a proposed rule, after which institutions would once again have an opportunity to comment prior to the issuance of any amended rules. The process is expected to take years to complete. U.S. President-Elect Joe Biden’s administration, under his choice for Treasury secretary, Janet Yellen, would take over that effort in January.

The complexity of risk assessments varies considerably between community banks, midsize banks, and larger institutions, John Byrne, executive vice president of AML RightSource, said during the webinar.

Byrne added that AML RightSource discussed FinCEN’s notice with some of its client institutions, and they agreed “there needs to be more clarification and less subjectivity on behalf of the examiners, but crafting a regulation does present other challenges. One of the things they said is they don’t want it to become too prescriptive.”

The “most important” finding of AML RightsSource’s dialogue with clients was that banks want to ensure that regulators understand “there is mindful risk-taking by banks,” Byrne noted. “That’s what they do. Banks are in the process of taking risks, so if a risk assessment regulation were to impact that negatively, that sort of goes counter-intuitively to why you’d have a regulation.”

It was the banking industry — not FinCEN — that first called for changes to risk assessment requirements, he added. “This came from the community. People think we need clarity here and this certainly is a way to get there.”


“A little more guidance about what it should look like and what it should be would be helpful, because […] there’s so much gray area anyway.”


Writing a risk-assessment mandate into the regulations “is kind of moot because everybody already does it,” said Chuck Taylor, head of financial crimes advisory with AML RightSource, adding that the question is: “How granular and how prescriptive does it get?”

Quoting a banker with whom he had discussed the issue, Taylor said: “Guardrails are great, but I don’t want absolute prescriptive requirements on what I have to do, I want to have the flexibility to tailor it to my institution” and an overly prescriptive regulation would be “disruptive.”

“A little more guidance about what it should look like and what it should be would be helpful, because in the [BSA compliance] world there’s so much gray area anyway,” he said. “But why fix something that isn’t broken?”

The experts also touted the importance of conducting regular, repeatable processes and assigning numerical values to various contributing risk elements — such as customer type, geography, and services sought — during the assessment.

They also highlighted the importance of not allowing business lines to unduly sway assessments and the importance of proper training for risk assessors and the need for assessments to be tailored to the size of the institution.


regulatory intelligence

More insights