Question: How often does a bank have to update its BSA risk assessment? Is it still 12 to 18 months?
Answer: It used to be 12 to 18 months in prior versions of the FFIEC Manual, as reflected here:
“Bank’s Updating of the Risk Assessment
An effective BSA/AML compliance program controls risks associated with the bank’s products, services, customers, entities, and geographic locations; therefore, an effective risk assessment should be an ongoing process, not a one-time exercise. Management should update its risk assessment to identify changes in the bank’s risk profile, as necessary (e.g., when new products and services are introduced, existing products and services change, higher-risk customers open and close accounts, or the bank expands through mergers and acquisitions). Even in the absence of such changes, it is a sound practice for banks to periodically reassess their BSA/AML risks at least every 12 to 18 months.”
However, you can see below that this was revised in the current version to reflect that “there is no requirement to update the BSA/AML risk assessment on a continuous or specified periodic basis”:
“Generally, risk assessments are updated (in whole or in part) to include changes in the bank’s products, services, customers, and geographic locations and to remain an accurate reflection of the bank’s ML/TF and other illicit financial activity risks. For example, the bank may need to update its BSA/AML risk assessment when new products, services, and customer types are introduced, or the bank expands through mergers and acquisitions. However, there is no requirement to update the BSA/AML risk assessment on a continuous or specified periodic basis.”
Compliance Alliance offers a comprehensive suite of compliance management solutions. To learn how to put them to work for your bank, call (888) 353-3933 or email firstname.lastname@example.org and ask for our Membership Team.