Introduction to the Podcast
00:00:00
Speaker
This is the Future of Financial Crime, a production of Arctic Intelligence, a podcast that takes a global perspective on financial crime compliance. Obtaining board buy-in and approval for you to have authority over the controls that impact the AML program and think like a criminal. The criminal networks out there have become more and more sophisticated and they are working tirelessly to try to steal money and to launder money from illicit operations.
Meet the Experts: Jay Postma and Lisa Sommerbel
00:00:32
Speaker
Welcome to the Future of Financial Crime. My name is Kwame Slusher and I am your host today. And we have two very special guests from, I guess I can't even say across the pond, across the sea. We have Jay Postma, President of MSP Compliance and Lisa Sommerbel, BSA AML Compliance Specialist. Welcome to the Future of Financial Crime podcast. Thank you. Thank you.
Understanding Risk Assessments
00:00:53
Speaker
So today we're going to have a little bit of a chat, I guess, about risk assessments in general. And I think this is going to be an interesting conversation because, you know, risk assessments might be a perennial issue, but, you know, every jurisdiction, I assume, sort of experiences some problems in a nuanced and interesting way sometimes, depending on jurisdiction-specific types of risks. But before we get into any of that, I'm just going to get you both to just briefly introduce yourselves and talk a bit about your roles that you do now. So I'll start with you, Lisa, because that's where you're situated on my screen and then we'll go across to Jay. Okay, thank you. I am a CPA and a certified fraud examiner, certified financial crime specialist, and a certified anti-money laundering specialist. My background is in, I started my profession
00:01:47
Speaker
in accounting, doing auditing, and focusing on internal control testing. I moved into fraud investigation and disputes shortly before I moved to the UK for 14 years. I worked in the UK with Ernst & Young for about seven of those years and moved back to the US about seven years ago. I joined up with Jay and have been delving into the anti-money laundering world ever since. Never looked back. And yourself, Jay?
00:02:18
Speaker
Yeah, I have a long background in financial services. I started with 10 years at the Federal Reserve Bank of Atlanta. And after that, I was part of starting two different FinTech companies and was also a banker at a community bank that grew through a couple of bank acquisitions and then was acquired, after which I started MSB Compliance. And for the past 17 years, I've been working to continually surround myself with people who were smarter than me in many ways and had additional experiences, who could work alongside me to perform independent reviews of various types of money services businesses, FinTech companies, and payment processors. And we also do a good bit of advisory work with companies.
00:03:16
Speaker
Yeah, sure. That's great. So we're here to talk a bit about risk assessments in that financial crime space. But I thought it'd be useful for any listeners who may not be familiar with, I guess, a little about how things are regulated where you are. And I'm assuming that where you both are is Atlanta, Georgia, if I got that correct, based on your email signature. Yeah, so give me a sense of the US and I guess who are the regulators and sort of enforcement players in that financial crime compliance space.
Complexity of US Financial Regulation
00:03:46
Speaker
Yeah, the United States is a bit different than other parts of the world because we have federal level regulators as well as state regulators. And one of the things that often surprises people outside of the US when companies want to move into the US market is how complex it can be needing to get different types of registrations and licensing in order to participate in the American market.
00:04:14
Speaker
We have FinCEN, the Financial Crimes Enforcement Network, which is our FIU. And then we have the different banking regulators, such as the OCC, the FRB, the NCUA, and the FDIC. But if you're going to be a money services business, then you have to register with FinCEN. And the IRS is your federal functional regulator. And you have regulators in each state in which you conduct business to deal with.
00:04:45
Speaker
And Lisa, I'm going to bring this across to you. So now that Jay's laid out that sort of lay of the land in terms of who the players are, risk
Challenges in Risk Assessments
00:04:54
Speaker
assessments. I guess when I say risk assessments to you, what do you think are some of the biggest challenges for businesses in that space to get right when it comes to risk assessments?
00:05:05
Speaker
Yeah, well, from our experience in working with companies on their risk assessments and also looking at how companies have approached their risk assessment, we see that there is sometimes difficulty in being able to comprehend how a business might be abused by criminal actors, what makes them a potential victim, basically, of being used for the commission of illicit financial activity. And that forms the foundation, the basement.
00:05:43
Speaker
It is the foundation, the basis for identifying where your risks are. And with the risk assessment, of course, that's the whole point of why you're doing a risk assessment: to identify what your risks are and where the chinks in your armor are, and then to implement controls to mitigate those risks appropriately. So I think we're going through a fundamental transformation here with regard to risk assessment. FinCEN and Treasury haven't previously legally required companies to do a risk assessment. That is now enshrined in law in the AML Act 2020, and it's actually going to be implemented at some point hopefully next year. And once it's a legal mandate,
00:06:31
Speaker
then all of the financial institutions will be supervised; you know, their supervisory regulators will be looking at their risk assessments in a lot more detail. And they do expect them, and will require them, to look at the national financial crime priorities of the United States as part of their risk assessment.
00:06:54
Speaker
And Jay, so you talked about that federal level and that sort of state level of regulation. What kind of communication do regulated entities get from the regulators? And does that help them in terms of understanding how best to assess their risks in that space? Right. Regulators are fairly active in providing guidance documents,
00:07:19
Speaker
participating often in various industry association conferences, informal guidance, other directives. So I think in general, they seem to do a pretty good job of communicating expectations. You know, and then of course, there's expectations that can be identified also by looking at regulatory enforcement actions where people did not implement an effective program that was reasonably designed.
00:07:50
Speaker
And so they had problems and the government takes action, you know, legally and through
Continuous vs. Annual Risk Assessments
00:07:56
Speaker
fines. And that's part of where things are changing because in the past, the risk assessment was kind of presumed to be required if you're at a risk level where it's necessary in order to prove that you met that bar of reasonable design. But through the AML Act of 2020, and eventually when FinCEN comes out with their additional guidance, they'll be providing much more prescriptive information on exactly what needs to be in a risk assessment, how it should be performed. And yeah, you know, I'm looking forward to that because in 17 years we've seen
00:08:39
Speaker
that the risk assessment often is something that is kind of like, you know, they used to advertise on TV infomercials this chicken rotisserie thing, and all the people in the audience would yell, set it and forget it. And my God, in a lot of companies, banks and fintechs, that's kind of the way it is. Once a year, everybody huddles around the table and they rethink the risk assessment and they make some tweaks here and there.
00:09:07
Speaker
Then they approve it, and it may result in some improvements to their operations. You know, but by the time it's approved, it's often already out of date. And we're dealing with criminal organizations now that are just so professional in the development of their businesses. These are evil people in the world who, you know, have accountants and lawyers, and they have compromised people at banks and different companies. And they are working night and day to try to figure out which companies didn't recognize where they had gaps so that they can exploit them. And so it's critical that things change to where the risk assessment becomes a much more fluid process that takes place throughout the year, rather than just simply at one discrete moment.
00:10:04
Speaker
Yeah, sure. And I like the idea of enforcement as communication. That's an interesting way of thinking about it, I think. So back to you, Lisa, you talked about this sort of new guidance and new legislation that is coming out, sort of requiring risk assessments. And the reason why I asked that question about communication is one of the perennial challenges I think in Australia is that no one ever quite gets the risk assessment quite right, at least to our financial intelligence unit's satisfaction. So I guess from your perspective, from what you're seeing, do you think that might be a challenge in the US where you're aware, yes, this is going to be a requirement, but people are going to probably struggle to meet the regulatory expectations?
Thinking Like Criminals in AML Compliance
00:10:46
Speaker
Yeah, I definitely think so, because the approach to risk assessments appears, from what we've seen, to be kind of a brain dump of, you know, what are our potential risks and, oh, I've read through, you know, the advisories and the guidance and these are all the risks that we could have, with a limited ability to determine which ones are actually applicable because people don't start with understanding their business model.
00:11:15
Speaker
And so that fundamental understanding of, okay, what is our product? What is our service? And who do we offer it to? Where do we offer it? And what about our product and service makes it attractive to potential criminals? You know, is it the speed of transactions? Is it the minimal KYC requirement? Is it the fact that I can do things and they don't catch it in their transaction monitoring?
00:11:44
Speaker
These are the things that you need to think through from a criminal mind. You have to have kind of criminal-perspective goggles on when you're looking at your business model and products and services to be able to identify which risks are actually inherent to your business so that you can then mitigate the risks. I think that's going to be potentially a mind change that's going to have to happen in order for people to do it effectively.
00:12:14
Speaker
Yeah, people will need to learn how to think differently in order to be more effective. Well, I like the way you're taking this. So in an attempt to think differently, to meet these expectations and to, I guess, do better and appropriate risk assessments,
00:12:32
Speaker
what, I guess, for anyone listening to this podcast, what would that look like? How would you get your team and your business to think differently?
Tools and Updates for Risk Assessments
00:12:42
Speaker
And I guess I'll start with you, Jay, and we can move across to you, Lisa. Well, I think one of the aspects is simply that spreadsheets and Microsoft Word are not sufficient tools in order to do a risk assessment for a financial institution of any size or potentially higher risks. You need a tool that will allow you to be very thoughtful and detailed and pull together information in a way that it can be maintained. And then more importantly, a tool that will allow it to be a process that is integrated into the business so that
00:13:29
Speaker
you know, every month or quarter when you're meeting with the board, you should be able to say, you know, three months ago, our risk was this. And since then, here's what we've learned. And here's some new areas of risk that impact us. Here's some risks that we determined we're not able to address with our current controls. And here's what we need in terms of new controls or new software. You know, it's something that needs to be living and breathing within the compliance department and at the board level on a current basis. Yeah, and it needs to be part of that living document. It needs to link to the remediation
00:14:14
Speaker
of the weaknesses that have been identified via the risk assessment. So you've assessed the risk, you've identified your controls, and you've tested your controls. Where is that all documented? Is it, you know, in various folders on your network drive? Is it in different documents? It needs to all be part of one document, part of one thing. And so you've got your inherent risk, your controls, your control testing, and then your remediation,
00:14:44
Speaker
and then the circle back to the inherent risks. So as part of that living document, it needs to be a circular sort of process that's always happening. And you need an effective tool to be able to do that sort of thing. Yeah, and one thing that we've seen over, you know, the many years of working with all different types of companies, financial institutions,
00:15:09
Speaker
is that, well, the risk assessment doesn't always tie in very clearly to the mitigations. You know, it's one thing to identify your inherent risks, but what are you doing about it? And are you effective in what you've chosen to do? Is it working as intended? It's rare for us to see somebody that has a risk assessment and then also has a controls library that says, here's all the controls we've implemented. And from an internal testing standpoint, here's what we're doing ourselves to test these things on a periodic basis. Or if an independent review comes in or a regulator comes in and does an examination and there's findings or recommendations. It's unfortunately rare for people to
00:16:07
Speaker
take that back to the risk assessment. They may go back to the program, they may go back to the software, but they don't always go back to the risk assessment and reevaluate the risk and then look at the controls to make sure they're appropriate. That's interesting. Either of you, I guess, can sort of follow this up. What do you think accounts for that gap between the risk assessment and mitigation? Is there some common
Controlling Risk Assessment Processes
00:16:35
Speaker
trend? Is it lack of training?
00:16:38
Speaker
I think one of the factors is that a lot of the controls that you can put in place are outside of the control of the compliance officer or the BSA, you know, the AML compliance officer. They sit in finance, they sit in IT, in product design and development, in marketing,
00:16:59
Speaker
in, you know, the anti-fraud team, in customer service. And so with so much outside of the control of the AML officer, it's sometimes difficult, especially in bigger companies, to be able to enforce that people understand their role in applying controls, design them effectively, make sure that they're being applied, test them, and then report back to the AML officer that they're effective or not. So it can become a challenge due to that. I think that may be one of the contributors.
00:17:37
Speaker
Yeah, and a lot of companies have been working on improving their culture of compliance, but risk assessment does not seem to have been a big part of that yet. The realization that risk assessment, and the commitment that the board and the compliance team give to it, and the amount of time and resources brought in from those other areas of the company, as Lisa mentioned,
00:18:04
Speaker
you know, if you're going to have a strong culture of compliance, understanding your risk and getting feedback and buy-in across the different silos within a company is critical. Amazing. Those are really great answers. Well, I think we're going to start to wrap things up a bit, so I'm just going to ask you both a question, I guess, not advice exactly, but for anyone who's listening, who happens to be operating in the financial crime space, wherever they might be in
Key Advice for Effective Risk Assessment
00:18:35
Speaker
the world. You know, I guess, if you could narrow it down to three key points, what bits of advice or key points would you like to leave them with? And I'll start with you, Lisa.
00:18:48
Speaker
So, definitely, number one is understanding your business model and your products and services inside and out. And that means, you know, not only understanding what they are, but also how they're delivered, you know, and how they're designed, and even down to the IT side of things.
00:19:07
Speaker
And as part of that, also interacting with the key control owners in different areas of your business, obtaining board buy-in and approval for you to have authority over the controls that impact the AML program. And third, think like a criminal. You've got to be constantly thinking about how your company can be abused so you can protect it. Yeah, I think those are great, Lisa. And, you know, I think a big part of things is teaching people how to think critically and to be skeptical of things. You know, you can't just assume that everything's going to work out OK and that you understand all the risk. You need to be constantly learning. You know, training is one of the pillars, but it's often not treated like a pillar
00:20:05
Speaker
among companies. And, you know, I think some areas that can be improved is just simply in understanding, you know, risk assessment, the value of it, the importance, how to go about it, how to think differently, how to think like a criminal. You know, again, the criminal networks out there have become more and more sophisticated, and they are working tirelessly to try to steal money and to launder money from illicit operations, and we need to be just as diligent in understanding our risks and looking for those gaps. You know, it's like if my doors and windows are locked, my house is less likely to get robbed than the next one. Well, hopefully everybody in financial services will lock their doors and close their windows when they need to and protect themselves.
00:20:57
Speaker
And I think a lot of training in those areas would be very helpful. The BSA officer or the AML CFT officer oftentimes doesn't have sufficient authority or direct, I guess, evidence of influence within the board of directors. You know, I think it's critical that the BSA officer have influence in the board with everything from risk assessment to transaction monitoring and sanctions filtering,
00:21:28
Speaker
training, you know, making sure that people get effective training for transaction analysis, you know, but a lot of it is understanding the business model. And I think oftentimes the criminals understand the business model better than some of the financial institutions. Well, excellent. Well, thank you so much for that. That was really good. Thank you very much, Jay and Lisa, for coming onto the podcast. Thank you.
00:21:55
Speaker
Thank you. This has been a production of Arctic Intelligence. And the music is a production by Royalty Free Music.