Preventing Money Laundering and Terrorist Financing
staffing resources and the level of training that will be necessary if these policies, procedures, and processes are to be adhered to. Management for those banks that have accepted and assume a higher risk ML/FT profile should provide a more robust program that specifically monitors and controls those higher risks.
A 4.2.3 Bank’s Updating of the Risk Assessment An effective AML/CFT compliance program controls risks associated with the bank’s products, services, customers, and geographic locations. An effective risk assessment, therefore, should be an ongoing process, not a one-time exercise. When new products and services are introduced, existing products and services change, high-risk customers open and close accounts, or the bank expands through mergers and acquisitions, management should update its risk assessment to identify changes in the bank’s risk profile. Even in the absence of such changes, it is a sound practice for banks to reassess their ML/FT risks at least every 12 to 18 months.
A 4.2.4 Examiner Determination of the Bank’s ML/FT Aggregate Risk Profile In some countries, especially in the US, examiners, during finalizing the examination phase of the AML/CFT inspection, should assess whether the controls of the bank’s AML/CFT compliance program are appropriate to manage and mitigate its ML/FT risks, and so determine an aggregate risk profile for the bank. This aggregate risk profile takes into consideration the risk assessment developed by the bank and then factors in the adequacy of the AML/CFT compliance program. Examiners, based on the risk assessment, should determine whether the bank’s AML/CFT compliance program will appropriately mitigate the ML/FT risks. As long as the bank’s AML/CFT compliance program adequately identifies, measures, monitors, and controls this risk as part of a deliberate risk strategy, the existence of ML/FT risk within the aggregate risk profile should not be criticized. On the other hand, when the risks are not appropriately controlled, examiners must communicate the need to mitigate ML/FT risk to the bank’s management and board of directors.
194