CUNA BSA Conference: Looking at compliance as risk-based or rules-based

Mon, Nov 3, 2014

Columbia, Maryland

Anti-money laundering rules under the Bank Secrecy Act (BSA) in the United States have generally used a more rules-based approach than much of the world, according to the World Council of Credit Unions' Michael Edwards, but that may be changing thanks to new international guidance released last week. Edwards, World Council's vice president and chief counsel, spoke Monday at the Credit Union National Association's BSA Conference.

As in other countries, BSA rules in the United States are primarily based on international standards from the Financial Action Task Force (FATF), a Paris-based organization that writes anti-money laundering and countering the financing of terrorism (AML/CFT) standards at the global level. The FATF has recently updated its guidance on the risk-based approach (RBA) to AML/CFT to better address the main weakness of rules-based AML/CFT approaches, namely that bad actors can circumvent rules-based compliance systems more easily than those based on RBA principles.

"An RBA to AML/CFT means that countries, competent authorities, institutions and organizations are expected to identify, assess and understand the money laundering/terrorism financing risks to which they are exposed and take AML/CFT measures to those risks in order to mitigate them effectively," reads the official RBA definition from the task force.

Since 1988, the FATF has issued international AML/CFT guidance, including its "40 Recommendations," which serve as the high-level principles for AML/CFT compliance around the world. The FATF most recently revised the 40 Recommendations in 2012, and on October 24th of this year released updated guidance on the RBA to AML/CFT for banks and credit unions.

"The FATF has reinforced and reinvigorated their RBA concept compared to their earlier guidance because they thought most countries hadn't done it right, and I think that includes the United States. That's because the default compliance approach in the U.S. across all different types of regulation is a heavy rules-based system, rather than a principles-based one," Edwards said.

"The FATF is trying to move countries away from a check-the-box type AML/CFT approach where criminals can learn the rules, and slip between the cracks in those rules, to a more flexible RBA where regulated institutions use judgment to go after the actual money laundering risks present in their lines of business in ways that might not be predictable to bad guys."

An RBA defines money laundering and terrorist financing risk as a function of three factors: threat (the persons or activity that can cause harm), vulnerability (things that may be exploited by the threat) and consequence (the impact of harm that may be caused).

"If you really don't have an effective BSA compliance program you'll probably regret it sooner or later, either through unfavorable examinations or through something really bad happening that negatively affects your institution's reputation and results in the credit union being cut off from corresponding banking services," he said. "That's the biggest risk in my mind. If you get cut out of the payments system because you don't have an effective BSA program, your members aren't going to be able to use your services."

He said a risk matrix is one of the better ways for management to document its analysis of money laundering risks. A risk matrix defines various levels of risk by probability and severity categories. Credit Union of Ohio, of Hilliard, Ohio, with $134 million in assets, has developed a comprehensive risk matrix, available through CUNA's compliance file sharing group, that Edwards cited as a good example for credit unions to follow.

Edwards also reminded those in attendance that there is no such thing as a BSA exemption, saying that no matter how low the risk might seem, there is still due diligence that must be done.

Credit unions, he said, have an advantage due to their field of membership requirement, which requires each new member to be verified to some extent before opening an account or receiving services.

Source: CUNA News Now