cfotechoutlook

The Quintessential Technology Source for Corporate Financial Professionals

Sign In

Subscribe to our Weekly Newsletter to get latest updates to your inbox
9SEPTEMBER 2025CFO TECH OUTLOOKoften done on a part-time basis by BSA Officers who already have full-time jobs. The end result is a report to the FI's executives letting them know where the risk is, or, more accurately, was last year when the data was pulled. Box checked. For a risk assessment to be truly effective, and allow for a RBA, the assessment should be the beginning of the process, not the end. In performing the assessment, the BSA Officer should be able to identify areas of higher risk, and shift resources to meet that risk, rather than just report on where it is. More likely, however, the end result is a report that will note areas of heightened risk, but no changes to monitoring activity will take place. Future State Risk AssessmentThe first step to a truly effective risk assessment is current data. Risk assessments today are based on data collected over the previous year up to the point the assessment started. By the time a report is issued, the risks assessed are already historical, and any emerging trends have become historical ones. Rather than aggregating data periodically, FIs should build dashboards identifying areas of risk, updating frequently, allowing the assessor to see trends as they emerge and react accordingly. It is hard to overestimate the amount of data that goes into a risk assessment, as the FI is essentially trying to understand all the ways money can enter and leave the institution. Given this, the FI should include automated monitoring, which will trigger alerts should there be changes in customer activity or product usage. Advanced technology can also assist here. AI is very good at finding patterns in large data sets that a human may miss. AI models can be trained to look for emerging anomalies that the straight percentage rules may miss. The problem with seeing small trends in large data sets is that the reviewer may not understand why the issue is suspicious. GenAI could add context to the alert, writing a narrative that helps the reviewer understand the issue. The Way ForwardChanging the process, however, will only go so far. Once identified, a decision needs to be made on mitigating the risk. As noted in the AMLA, FIs should be moving resources to higher risk areas and away from lower risk issues. FIs generally do a good job of allocating resources to higher risk areas, but this is often additive. When a high-risk issue is identified, new resources are requested to help mitigate. In order to be more nimble to meet emerging risks, the FI should look to move resources away from lower risk areas, rather than asking for more resources to fight new ones. This would be done with the understanding that lower risk does not mean "no risk," and by moving resources away from that risk, the FI may be allowing nefarious activity to go on un-reported. The first step to a truly effective risk assessment is current data. AI models can be trained to look for emerging anomalies that the straight percentage rules may miss
< Page 8 | Page 10 >