REGULATORY RISKS (risks related to federal and state requirements)
Each risk factor is rated Low, Moderate or High.

Compliance Program
  Low: Compliance Program is documented, implemented and aligns to the Risk Assessment.
  Moderate: Compliance Program is documented, but does not align to the Risk Assessment.
  High: No documented Compliance Program or implemented Compliance Program.

Designated Compliance Officer
  Low: Compliance Officer is designated and his/her roles and responsibilities are defined.
  Moderate: Compliance Officer is designated without defined roles and responsibilities.
  High: Compliance Officer is not designated and the roles and responsibilities are undefined.

Independent Program Review
  Low: Performed by an independent and competent party at a frequency aligned to the overall risk for the company.
  Moderate: Performed infrequently by the Compliance Officer, or is performed by someone reporting to the Compliance Officer.
  High: Performed by the Compliance Officer or is not performed.

Employee Training
  Low: There are standardized and frequent trainings for all employees, including new hire training prior to the processing of a transaction.
  Moderate: There are some periodic trainings for employees and new hire training.
  High: There is limited to no employee training.

Transaction Monitoring
  Low: Transaction system allows for ongoing automated transaction monitoring alerts for suspicious activity.
  Moderate: There is periodic manual transaction monitoring performed for suspicious activity.
  High: There is no transaction monitoring performed for suspicious activity.

Recordkeeping
  Low: All key records have been identified along with the required maintenance period, and there is monitoring to ensure the recordkeeping occurs appropriately.
  Moderate: Most key records are identified along with the required maintenance periods. There is no monitoring for compliance with the requirements.
  High: There is no designation of key records to maintain or the required maintenance periods.

Your Additional Regulatory Risk Factors
  Low / Moderate / High: (to be completed by the company)
OPERATIONAL RISKS (risks related to inadequate processes, systems or human failures that are not detected)

Employee Turnover
  Low: Low turnover of key or frontline personnel.
  Moderate: Low turnover of key personnel, but frontline personnel may have moderate turnover.
  High: High turnover, especially in key personnel.

System Data Integrity
  Low: Error recognition software is in place to prevent invalid data for customer transactions.
  Moderate: Employees can override error recognition software and still complete the transaction.
  High: There is no error recognition software in place.

Data Security
  Low: Electronic data is secured and there is a Business Continuity Plan in place for backups of key records.
  Moderate: Electronic data is secured, but there is not a strong Business Continuity Plan in place.
  High: Electronic data is not secured and there is no Business Continuity Plan in place.

Your Other Operational Considerations
  Low / Moderate / High: (to be completed by the company)
CUSTOMER RISK (risks related to the types of customers [e.g., consumer/business, occupation, anticipated types of transactions])

Customer Base
  Low: Customers are all well known.
  Moderate: Customers vary and are not all well known.
  High: There is a large and growing customer base with very few known customers.

Customer Identification
  Low: Customer identification is entered into and maintained within a system that can be used for transaction monitoring.
  Moderate: Customer identification is maintained on hard copy paperwork and not in a system.
  High: Customer identification is not consistently obtained and maintained.

Customer Identification Based on Transaction Amount
  Low: Transaction system requires additional customer identification for transactions above a certain amount.
  Moderate: There is manual monitoring in place to ensure additional customer identification is obtained for transactions above a certain amount.
  High: There is no process in place to obtain additional customer identification for transactions above a certain amount.

Politically Exposed Person (PEP)
  Low: No members are known to be a PEP.
  Moderate: Some members are known to be a PEP.
  High: Numerous members are known to be a PEP or are connected to an international political figure.

Your Customer Types
  Low / Moderate / High: (to be completed by the company)
PRODUCT & SERVICES RISK (risks related to the types of products and services offered)
Each risk factor is rated Low, Moderate or High.

Money Transfers
  Low: Limited number of money transfers that are mostly domestic to low-risk jurisdictions.
  Moderate: Moderate number of money transfers, with some international transfers to typically low-risk countries.
  High: Large number of money transfer transactions. Frequent transfers to, or from, high-risk jurisdictions.

Mobile Money Transfer
  Low: Very few, if any, mobile money transfer transactions.
  Moderate: Some mobile money transfer transactions by known customers.
  High: Many mobile money transfer transactions.

Your Product Types
  Low / Moderate / High: (to be completed by the company)
OFAC SANCTIONS COMPLIANCE RISK (risks related to screening transactions and customer lists for the likes of terrorists and drug traffickers)
Each risk factor is rated Low, Moderate or High.

OFAC Sanctions Program
  Low: Company has procedures for screening of customers, employees, board members, vendors, and third parties; adjudicating false-positives; performing batch screenings periodically; and monitoring transactions; and personnel are well trained in OFAC.
  Moderate: Company screens customers and vendors; adjudicates false-positives; performs batch screenings periodically; and personnel are well trained in OFAC.
  High: Company screens international customers.

Customer Base
  Low: Stable, well-known customer base in a localized environment.
  Moderate: Customer base changing due to growth, merger, or acquisition in the domestic market.
  High: A large, fluctuating client base in an international environment.

Products & Services
  Low: Limited number of funds transfers, limited third-party transactions, and no international funds transfers.
  Moderate: A moderate number of funds transfers. Possibly, a few international funds transfers.
  High: A high number of transactions, including international.

Geographic Considerations
  Low: No other types of international transactions, such as cross-border ACH or trade finance.
  Moderate: Limited other types of international transactions.
  High: A high number of other types of international transactions.

Regulatory Risk
  Low: No history of OFAC actions. No evidence of apparent violation or circumstances that might lead to a violation.
  Moderate: A small number of recent actions (e.g., actions within the last five years) by OFAC, including notice letters or civil money penalties, with evidence that the company addressed the issues and is not at risk of similar violations in the future.
  High: Multiple recent actions by OFAC, where issues were not addressed, thus leading to an increased risk of the company undertaking similar violations in the future.

Third Party Screening Tools
  Low: Third party tools are tested periodically to ensure current SDN and Sanctions Lists are in use.
  Moderate: Third party tools are tested periodically to ensure current SDN and Sanctions Lists are in use.
  High: Third party tools are only tested during the independent review to ensure current SDN and Sanctions Lists are in use.

Adjudication of False-Positive Matches
  Low: Company has procedures, and personnel are well trained in adjudicating potential matches and fully document how they clear the match.
  Moderate: Company has procedures, and personnel adjudicate potential matches and document that the match is cleared.
  High: Company personnel document potential matches and clear the transaction without documenting their actions.

Your OFAC Sanctions Risks
  Low / Moderate / High: (to be completed by the company)