Jim Vilker
Jim Vilker of CU Answers talks about why it is essential credit unions have a comprehensive and up-to-date risk assessment in place.

Risk assessments essential to BSA/AML programs

November 17, 2017

The assessment process is the shoulders on which all Bank Secrecy Act/anti-money laundering (BSA/AML) programs sit, Jim Vilker of CU Answers said Wednesday at the CUNA/National Association of State Credit Union Supervisors BSA Conference. During his session, Vilker explained how credit unions should work to ensure their risk assessments are comprehensive and up to date.

“Every credit union is unique to a degree, and this should be reflected in the assessment process,” Vilker said. “A well thought out assessment will both guarantee compliance with regulations and maximize the effectiveness of the program.”

Vilker cautioned against what he called a “race to the next risk assessment template” approach, and instead recommended credit unions retrench on thoughtful and relevant processes that take into account each credit union’s relative inherent risk.

This includes taking into account product, geography and member variables, and considering the likelihood of each variable impacting the BSA/AML program.

“You should be making a new focus on loss mitigation controls that are relative, achievable and documented,” Vilker said.

He also recommended that risk assessments take a more nuanced approach to grading risk levels.

“Low, medium and high doesn’t cut it anymore,” he said. “Credit unions need to expand how they look at risk. Compliance, reputational, transaction, legal and regulatory risk should all be considered.”

Vilker suggested credit unions start considering likelihood when creating a risk assessment, based on controls in place, prior experience, prior audits and documented procedure.

According to Vilker, risk assessments of the future will:

  • Reflect the unique characteristics of the credit union, including member, geography, products and services;
  • Be dynamic and incorporate other business units, such as cybersecurity; and
  • Be based upon a process that allows management to understand residual risk and make the appropriate investment decisions.