casemark/bsa-risk-assessment
skills/legal/bsa-risk-assessment/SKILL.md
Drafts a BSA/AML Risk Assessment for U.S. financial institutions per FinCEN, FFIEC, and OCC standards. Evaluates inherent risks (customer, product, geographic, transaction, third-party), control adequacy, and residual risk. Use when preparing annual BSA compliance assessments, post-acquisition integration reviews, or when business changes trigger reassessment under 31 U.S.C. § 5318(h).
$ install --global
skillsauthnpx skillsauth add casemark/skills bsa-risk-assessmentInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 25, 2026, 3:30 AM27.1s1 file scanned
SKILL.md
- name:
- bsa-risk-assessment
- language:
- en
- description:
- Drafts a BSA/AML Risk Assessment for U.S. financial institutions per FinCEN, FFIEC, and OCC standards. Evaluates inherent risks (customer, product, geographic, transaction, third-party), control adequacy, and residual risk. Use when preparing annual BSA compliance assessments, post-acquisition integration reviews, or when business changes trigger reassessment under 31 U.S.C. § 5318(h).
BSA/AML Risk Assessment
Produces examination-ready BSA Risk Assessments evaluating inherent AML/CFT risks against mitigating controls per FFIEC BSA/AML Examination Manual methodology.
Prerequisites
Gather before drafting:
- Institution profile — entity type, charter/regulator, total assets, branch footprint, international relationships
- Products & services — inventory with volumes for high-risk products (wires, monetary instruments, prepaid, trade finance, crypto on/off ramps)
- Customer data — segments with counts of high-risk categories (cash-intensive businesses, PEPs, NRAs, MSBs, foreign correspondents)
- BSA/AML program docs — policies, CIP/CDD/EDD procedures, monitoring system specs, training records
- Filing history — annual CTR/SAR counts by category
- Independent testing — most recent scope, findings, remediation status
- Regulatory history — outstanding MRAs, MOUs, enforcement actions
Document Sections
1. Executive Summary
Overall risk rating (Low/Moderate/High), key concentrations, control gaps, priority recommendations with owners and target dates.
2. Introduction
- Regulatory basis: 31 U.S.C. § 5318(h); 31 C.F.R. § 1020.210
- Scope: all business lines, products, customers, geographies
- Assessment period and update frequency (typically annual)
- FFIEC risk-based methodology alignment
3. Institution Overview
Table covering: entity type, charter/regulator, total assets, branch count, high-risk products offered, customer segments, annual CTR/SAR filing counts.
4. Inherent Risk Identification
Five risk dimensions, each rated High/Moderate/Low:
- Customer — cash-intensive businesses, MSBs, NBFIs, PEPs, NRAs, nonprofits, foreign correspondents, FATF-listed jurisdiction customers
- Product & Service — flag products enabling anonymity, rapid movement, or cross-border activity (wires, prepaid, private banking, trade finance, digital channels, crypto)
- Geographic — HIDTA/HIFCA areas, FATF grey/black list jurisdictions, FinCEN GTO zones, OFAC sanctioned countries
- Transaction — high-volume cash, structuring patterns, funnel accounts, rapid cycling, shell companies, trade-based ML
- Third-Party — independent agents, outsourced onboarding/processing, fintech partnerships
5. Risk Assessment Matrix
Per risk category:
| Risk | Inherent | Likelihood | Impact | Mitigating Controls | Residual | |---|---|---|---|---|---| | [Category] | H/M/L | H/M/L | H/M/L | [Description] | H/M/L |
Reference FATF typology reports and FinCEN advisories for current typologies (ransomware, elder exploitation, human trafficking, real estate, virtual assets).
6. Controls & Mitigation
Evaluate each BSA program component against its regulatory basis:
| Component | Citation | |---|---| | CIP | 31 C.F.R. § 1020.220 | | CDD / Beneficial Ownership | 31 C.F.R. § 1010.230 | | EDD | FFIEC Manual | | Transaction Monitoring | FFIEC Manual | | OFAC Screening | 31 C.F.R. Part 501 | | CTR Filing | 31 U.S.C. § 5313 | | SAR Filing | 31 U.S.C. § 5318(g) | | BSA Officer / Governance | 31 C.F.R. § 1020.210 | | Training | 31 C.F.R. § 1020.210 | | Independent Testing | 31 C.F.R. § 1020.210 |
For each: document current status and adequacy rating.
7. Conclusions & Recommendations
- Overall risk determination with narrative justification
- Residual risks where controls are insufficient
- Prioritized remediation table (recommendation, priority, owner, target date)
Verification Requirements
These items change over time — confirm before finalizing:
- [ ] FATF grey/black list countries — verify at fatf-gafi.org
- [ ] Active FinCEN GTOs — jurisdiction-specific and time-limited
- [ ] Beneficial ownership threshold (currently 25%) — check for subsequent FinCEN rulemaking
- [ ] FinCEN advisory numbers — verify FIN numbers and dates before citing
Pitfalls
- Quantitative support required — risk ratings must cite transaction volumes, SAR counts, or alert rates; qualitative assertions alone are insufficient
- Board presentation — document must be board-approved or presented to senior management with evidence of review
- Version retention — keep prior assessments; regulators compare year-over-year
- Privilege risk — do not include attorney-client privileged material if document will be produced to examiners
- FFIEC citations — reference specific Examination Manual sections when evaluating control adequacy
Related Skills
casemark/skills/legal/automated-contract-summary
development
VerifiedTrustedCommunity
name: automated-contract-summary language: en description: Generates structured executive summaries of contracts using ML — captures key terms, party obligations, risk allocations, and compliance requirements in a standardized format. Optimized for high-volume review where speed and consistency matter. tags: - summarization - agreement - corporate --- # Automated Contract Summarization Produces standardized executive summaries of contracts using machine learning, capturing essential term
21SKILL.mdUpdated May 26, 2026
casemark/obligation-mapping
tools
VerifiedTrustedCommunity
Extracts regulatory obligations from dense regulations across jurisdictions. Breaks down multi-level regulations into clear article-level obligations, classifies applicability to a business, and prioritizes by risk level. Use when translating regulations into actionable compliance requirements.
21SKILL.mdUpdated May 25, 2026
casemark/horizon-scanning
development
VerifiedTrustedCommunity
Continuously monitors regulatory landscapes for changes relevant to a specific business. Ingests global regulatory updates, filters by relevance, summarizes impact, and produces an actionable change advisory. Use when tracking regulatory developments affecting a particular product or market.
21SKILL.mdUpdated May 25, 2026
casemark/gap-analysis
testing
VerifiedTrustedCommunity
Compares an organization's existing compliance controls, policies, and procedures against extracted regulatory obligations to identify coverage gaps. Produces a remediation plan with prioritized actions. Use when assessing compliance maturity or preparing for regulatory audits.
21SKILL.mdUpdated May 25, 2026