Debating whether it’s necessary to do an annual risk assessment on a particular compliance risk category? (Fill in the blank: BSA/AML/OFAC, ACH, fair lending, or any other regulatory topic.)
First, consider whether you’re performing the risk assessment solely because some regulatory body or other entity requires it. If the answer is yes, you might be missing the point. A risk assessment is for management’s use — to review the results and make meaningful and supported decisions.
Assuming, however, that the question is based solely on regulatory requirements, know that very few regulations specifically require a risk assessment, and even fewer require one annually. Most consumer regulatory requirements dictate that management understand and manage the risks. If management has not completed a written risk assessment, an examiner will ask how they understand those risks.
Assessing risks to the security, confidentiality, and integrity of customer information
Title 16 CFR 314.4(b)(1) reads: “The risk assessment shall be written and shall include:
(i) Criteria for the evaluation and categorization of identified security risks or threats you face;
(ii) Criteria for the assessment of the confidentiality, integrity, and availability of your information systems and customer information, including the adequacy of the existing controls in the context of the identified risks or threats you face; and
(iii) Requirements describing how identified risks will be mitigated or accepted based on the risk assessment and how the information security program will address the risks.”
Assessing risk to customers or to the safety and soundness of the financial institution from identity theft
Title 16 CFR 681.1(c) reads: “Each financial institution or creditor must periodically determine whether it offers or maintains covered accounts. As a part of this determination, a financial institution or creditor must conduct a risk assessment to determine whether it offers or maintains covered accounts described in paragraph (b)(3)(ii) of this section, taking into consideration:
(1) The methods it provides to open its accounts;
(2) The methods it provides to access its accounts; and
(3) Its previous experiences with identity theft.”
Note: “Red flag” means a pattern, practice, or specific activity that indicates the possible existence of identity theft.
While not a regulatory requirement, institutions participating in The Clearing House’s ACH network must perform an ACH risk assessment.
There are other areas where the regulatory language falls short of requiring a risk assessment, but agency guidance unambiguously indicates the importance of assessing risk. Some examples include:
Because risk assessments are so important to examiners, and because it’s difficult for management to document their understanding of risks without performing a written assessment, consistent processes based on your institution’s risk profile are key.
Could this necessitate completing risk assessments every year, or even more frequently? Yes. A merger or acquisition could call for a more frequent risk assessment, as could an expansion into a new market or a new way of doing business for the institution.
Learn more about risk assessment best practices or explore how Quantivate Enterprise Risk Management Software can help through flexible process-based or scenario-based models that equip your organization to perform assessments at the risk or category level.