A risk mitigation strategy as it pertains to specific regulatory compliance functions within a financial institution becomes part of the specific risk model. For an ambiguous example, if a financial institution conducts a risk assessment and determines that certain activities over a specific threshold meet a higher classification of risk, then those activities and thresholds become part of the risk mitigation strategy. An internal procedure regarding use of a process, report, or software as part of this risk mitigation strategy becomes a risk control.
Multiple controls become part of a specific risk model, and also become a primary focus of examiners when testing and validating a financial institution’s adherence to regulations. Risk models contain inherent risks specific to the controls in place that are meant to mitigate risk. The development of a BSA/AML risk assessment for any financial institution is a necessary step in the development of a financial institution’s overall risk profile. Regulators and examiners seem to be giving more scrutiny to the development and implementation of BSA/AML and other financial crime risk management strategies, and the focus seems to be narrowing to even the smallest financial institutions. One need only to look at a few of the enforcement actions taken on depository institutions and credit unions by FinCEN to see that the focus on potential criminal activity is shifting from larger institutions to smaller.
As seen with the case of North Dade Community Development Federal Credit Union, lacking an overall understanding if the importance of the Bank Secrecy Act, and its inferred purpose to “Know Your Customer” can be very costly. More imposing is the reputational risk that a financial institution undergoes when publicly criticized for being fined. In this case, the ultimate end of the financial institution was charter revocation, closure and liquidation. It is the opinion of many within these smaller financial institutions that “overwhelming regulatory burdens” are making it harder and harder to serve the communities for which they were established in the first place. Knowing your customers and how they use your financial institution to interface with the overall banking system is no longer assuaged with lip service, but is becoming a big obligation to staying in business.