Lesson 23 of 25
Risk Assessment, Controls & Reporting (SARs/CTRs)
4 min read · CFCS
Connect enterprise risk assessment to control design and reporting, and nail the exam-favorite SAR-versus-CTR distinction: judgment-based suspicion versus threshold-based cash.
From risk to reporting
- Risk assessment drives the whole program
- Controls mitigate the assessed risks
- Reporting feeds intelligence to authorities
- All three must connect
This lecture closes the loop on the compliance program: risk assessment, control design, and reporting. They form a chain, each link feeding the next. The enterprise risk assessment tells you where your dangers are; controls mitigate those specific dangers; and reporting pushes what you detect out to the authorities, the FIU and law enforcement, who can act on it.
When these three connect, the program is coherent and defensible. When they don't (controls that don't match the assessed risks, monitoring calibrated for last year's business, detection that never turns into a filed report), the program fails its purpose even if every box is technically ticked and every policy beautifully written. The exam tests whether you see them as one connected system rather than three isolated tasks, so trace the chain in every scenario.
The enterprise risk assessment
- Inherent risk: customers, products, geographies, channels
- Assess controls to get residual risk
- Document methodology and conclusions
- Refresh as the business changes
Start with the enterprise risk assessment, mandated in spirit by FATF Recommendation 1. You identify inherent risk, the risk before any controls, across the key dimensions: your customer base, your products and services, your geographies, and your delivery channels. Then you evaluate the strength of your controls to arrive at residual risk, the risk that remains after mitigation.
That residual figure is what should drive resource allocation, monitoring intensity, and board attention. The assessment must be documented (methodology, ratings, assumptions, and conclusions) so an examiner can follow your reasoning, and refreshed whenever the business changes materially: a new product line, entry into a new market, an acquisition, or a new delivery channel like a mobile wallet can all shift the risk picture overnight. A common exam trap is a firm whose risk assessment is years stale while its business has transformed.
Designing and testing controls
- Controls must map to specific risks
- Preventive and detective controls
- Calibrate monitoring thresholds
- Independent testing validates effectiveness
Controls should map directly to the risks you found: every significant risk needs an owner and a control answering it. They come in two flavors. Preventive controls stop bad activity before it happens, like screening a payment against sanctions lists before it sends or blocking onboarding of a prohibited customer. Detective controls catch it after, like transaction monitoring that flags a structuring pattern or an unexpected wire to a high-risk country. Monitoring deserves special care: thresholds set too high miss real activity, and thresholds set too low bury analysts in false positives. It is the same calibration tension you saw in sanctions screening, and tuning must be tested and documented.
And remember the independent-testing pillar: controls aren't assumed to work; they're validated through objective testing and sampling, with gaps tracked to remediation and reported up. A control no one tests is a control no one can trust, and an examiner will say so.
SARs and CTRs
- SAR: report suspicious activity (31 CFR 1020.320)
- CTR: report cash over the threshold (31 CFR 1010.311)
- SAR is judgment-based; CTR is threshold-based
- Confidentiality and no tipping off
Now the reporting itself, and a distinction the exam tests often. A Suspicious Activity Report, under 31 CFR 1020.320, is filed when activity is suspicious. It is judgment-based, with no dollar threshold required, and is generally filed within thirty days of detection; FATF Recommendation 20 calls for these suspicious-transaction reports globally.
A Currency Transaction Report, under 31 CFR 1010.311, is mechanical and threshold-based: cash transactions over ten thousand dollars in a single business day, aggregated across a customer. So SAR equals suspicion, a human judgment; CTR equals cash over a fixed line, no judgment. Structuring to dodge that line is itself a SAR-worthy red flag.
Both are governed by strict confidentiality: a SAR's existence generally cannot be disclosed, and tipping off the subject is prohibited and can be a crime. The exam loves the SAR-versus-CTR contrast, so lock it in, because the distractors deliberately blur the two.
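As an added example, not part of the lesson: the mechanical CTR aggregation beside a simple structuring-alert heuristic, in Python. The transactions, the five-day window, and the 80% near-threshold band are constructed assumptions for illustration; only the ten-thousand-dollar line comes from the lesson, and the structuring flags are analyst alerts for SAR judgment, not automatic filings.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample cash transactions: (customer_id, business_date, amount_usd).
# C1 makes one large deposit; C2 splits deposits across one day (aggregated CTR);
# C3 spreads near-threshold deposits over several days (structuring candidate).
SAMPLE_CASH_TXNS = [
    ("C1", date(2024, 3, 4), 12_500.00),
    ("C2", date(2024, 3, 4), 6_000.00),
    ("C2", date(2024, 3, 4), 4_500.00),
    ("C3", date(2024, 3, 4), 9_800.00),
    ("C3", date(2024, 3, 5), 9_700.00),
    ("C3", date(2024, 3, 6), 9_900.00),
    ("C4", date(2024, 3, 4), 3_000.00),
]

CTR_THRESHOLD = 10_000.00  # the CTR line the lesson cites (31 CFR 1010.311)


def ctr_required(txns):
    """Return {(customer, business_date): total} for every customer-day whose
    aggregated cash exceeds the threshold. Mechanical: no judgment involved."""
    totals = defaultdict(float)
    for cust, day, amt in txns:
        totals[(cust, day)] += amt
    return {k: v for k, v in totals.items() if v > CTR_THRESHOLD}


def structuring_candidates(txns, window_days=5, near_fraction=0.8):
    """Illustrative heuristic (an assumption, not a regulatory rule): flag a
    customer with two or more sub-threshold cash deposits, each at or above
    near_fraction of the threshold, that together exceed the threshold within
    window_days. Output is an alert for analyst review, not a filing."""
    by_cust = defaultdict(list)
    for cust, day, amt in txns:
        if near_fraction * CTR_THRESHOLD <= amt <= CTR_THRESHOLD:
            by_cust[cust].append((day, amt))
    flagged = {}
    for cust, items in by_cust.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            run = [a for d, a in items[i:] if d - start < timedelta(days=window_days)]
            if len(run) >= 2 and sum(run) > CTR_THRESHOLD:
                flagged[cust] = round(sum(run), 2)
                break
    return flagged


if __name__ == "__main__":
    print("CTR required:", ctr_required(SAMPLE_CASH_TXNS))
    print("Structuring review:", structuring_candidates(SAMPLE_CASH_TXNS))
```

Note that C3 never triggers a CTR on any single day, which is exactly why the aggregation over a window is a separate detective control from the daily threshold.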
The SAR narrative, records, and recap
- A clear narrative: who, what, when, where, why suspicious
- Timely filing within required deadlines
- Retain records for the mandated period
- Recap: risk → controls → reporting
A SAR is only as useful as its narrative. A good one tells the FIU plainly who did what, when, where, how much, and why it's suspicious (the five Ws plus the so-what), written in plain chronological language so an outside reader, an analyst or an agent who's never seen the file, needs no further explanation. Vague filings ("suspicious activity noted") waste everyone's time and may draw examiner criticism.
It must be filed within the required deadline, generally thirty days, and the supporting records retained for the mandated period, typically five years under the BSA. So, recap: the enterprise risk assessment defines inherent and residual risk; controls map to those risks, mix preventive and detective, and are independently tested; SARs report suspicion while CTRs report cash over a threshold; and a clear, timely, confidential SAR narrative is how detection becomes usable intelligence. Next, asset recovery and ethics.
Sources
- FinCEN SAR requirements (31 CFR 1020.320) and CTR (31 CFR 1010.311)
- FATF Recommendations 20 (STRs) and 1 (risk assessment)
- BSA recordkeeping (31 CFR Chapter X)
- FFIEC BSA/AML Examination Manual
Test your knowledge
A few CFCS practice questions on this material.
Q1. A payroll manager adds ghost employees to the payroll and directs their wages to accounts she controls. She works alone with no independent verification of the employee master file. Which detective control would most directly surface this scheme?
Q2. An institution's customer suddenly transfers the entire balance of a long-held savings account to a new external account after receiving an unsolicited call from someone claiming to be the bank's IT department. The original customer calls the next day to report unauthorized access. Which fraud type is this?
Q3. A multinational company operates in 40 countries. Its home country has signed the OECD Anti-Bribery Convention, and it has a U.S. subsidiary listed on the NYSE. A bribe is paid in Country X. Which legal frameworks most likely create exposure?
Q4. Under the FCPA, 'anything of value' is interpreted broadly. Which of the following would most likely qualify as a prohibited payment to a foreign official?