
BSA: Risk-Based Approach To Assessing Customer Relationships And Conducting Customer Due Diligence

WFC 33 Deborah | Risk-Based Approach

Today, we discuss NCUA Letter to Credit Unions #22-CU-08, Risk-Based Approach to Assessing Customer Relationships and Conducting Customer Due Diligence, with returning guest Deborah Arndell, President of ARMOR Advisory Services.

The National Credit Union Administration (NCUA), the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, and the U.S. Department of Treasury's Financial Crimes Enforcement Network have prepared a statement. It clarifies the long-standing position that banks and credit unions must take a risk-based approach to assess individual customer risk. The attached joint statement reinforces the NCUA's position that no single customer type automatically presents a high risk of money laundering, terrorist financing, or another illicit financial activity risk.

The regulations established in the Bank Secrecy Act (BSA) establish a risk-based approach to assessing customer relationships and conducting customer due diligence. The NCUA expects credit unions to assess the risks posed by each customer individually. Further, the NCUA advises against refusing or discontinuing service to an entire class of customers based on perceived risk. Credit unions that comply with BSA and anti-money laundering (AML) requirements and have an effective customer due diligence program are well-positioned to manage customer relationships and risks appropriately, based on each customer relationship.

The Federal Financial Institutions Examination Council's BSA/AML Examination Manual (Manual) identifies specific customer types to guide examiners regarding unique characteristics. The Manual is not intended to suggest that those characteristics represent a higher money laundering, terrorist financing, or illicit finance risk. Ultimately, each credit union decides whether to provide or maintain financial services to any customer.



Risk-Based Approach To Assessing Customer Relationships And Conducting Customer Due Diligence With Deborah Arndell

I’m excited to have a previous guest back in this episode, Deborah Arndell, the President of Armor Advisory Services. Deborah, how are you doing?

I’m doing well, Mark. Thank you.

I’m glad to hear it. We had you one other time, and we talked about many topics on the Bank Secrecy Act. In this episode, we’re going to chat a little bit about NCUA Letter to Credit Unions 22-CU-08. The subject of which is Risk-Based Approach to Assessing Customer Relationships and Conducting Customer Due Diligence. This letter came out earlier in July 2022, and I shot a note to Deborah saying, “Maybe this would be something good to have a follow-up conversation on.” Before we get into that, Deborah, if you could give a little bit more background about your background relative to how you spent some time in the Federal government and now you’re out consulting? Give a little bit of a summary, if you will.

If somebody wants to see my entire background, they can go out to the website and get the full bio. I’ve been in financial services for many years, under half of that within the industry. I was doing the work of BSA officers, compliance officers, and ERM roles. In addition to that, I went into auditing and eventually to the Federal Reserve Bank of New York, overseeing compliance for that agency and conducting exams doing that work.

In late 2016, I left to start my own advisory practice taking all of those years of experience and saying, “What can I do now for institutions to help them not have stress around the examination, to help them be more strategic and innovative and build sustainable, effective programs that give them confidence around regulatory visits?”

I know you’ve worked in some very large banks and credit unions. We’ve had a couple of mutual clients that we’ve worked with. I thought it would be a great opportunity to chat about this letter to credit unions and the associated joint statement. The NCUA letter is short, and the statement is a little bit longer. I’m sure there’s more devil in the details, and you might have some thoughts relative to that.

Essentially NCUA’s letter states that the agencies have prepared a joint statement clarifying their long-standing position that banks and credit unions must take a risk-based approach to assess individual customer member risk. They go on a little bit later to talk about the fact that they should not just carte blanche reject somebody because they are in a particular line of business. I’m paraphrasing there.

Those were two key takeaways from this letter that I thought might be worth expanding on, and you might have more things you’d like to go into. Relative to the NCUA’s letter and the joint statement, Deborah, what do you think this means for financial institutions? How should they, if anything, adjust what they’re doing based on this clarification?

To address the first question, what does this mean to me? To me, this is nothing but a reset back to the original intention of the BSA/AML examination manual produced by the FFIEC, which was meant as an examination tool. Again, if examiners are looking at these things and a bank could take the same manual and look at them the same way, they should come to the same conclusions. It was a great tool for institutions to utilize to figure out, “Where are some areas that we might want to evaluate somebody or something as a higher risk, either a person, product, or service?”


Within that examination manual, the FFIEC has laid out what they consider as higher-risk products and services as well as higher-risk persons and entities. I suspect what’s happened over time, which is pretty common, is that this higher risk factor, whether that’s, again, a product service person or entity, has become high risk overall. These two lines have been skewed between a factor and a component that may be higher risk, and suddenly, that makes the member or their business high risk.

I think some of it’s around terminology. That higher risk and high risk can be confused, particularly over time. As you start to go through exams, you don’t want to have findings. It’s like, “How do we get rid of some of these higher-risk issues?” I like to see the term change to elevated risk or something that’s not quite as easily interchangeable. The second thing that I think is human nature is we immediately make connections between things that may not be connectable.

For example, if you say, “I’m from New York City.” That must mean something very specific to someone who’s not from New York, and then within New York City, depending on which borough you’re from, people are like, “You’re from the Bronx, or you’re from Manhattan,” and that means something to them. What car do you drive, what school did you attend, or what kind of job do you have? People make connections about what that means about you as a person.

That’s exactly, to me, what’s happening here is, “You’re a non-governmental organization or charity. You’re a high risk.” That’s not necessarily true. For example, you could have a local NGO like A Free Bird in New York City that helps children with cancer versus a larger NGO that’s domestic like Feeding America or an international NGO and be like, “It’s international. It must be high risk.” You have Amnesty International and Doctors Without Borders.

You have a lot of NGOs that are international that have been accredited through the United Nations programs and also through US Aids cooperative organizations. Just because something is an NGO doesn’t make it high risk. It only means it’s a higher risk for potential money laundering or terrorist financing, and you have more work to do to figure out if they are, in fact, overall high risk.

That includes a lot of factors. What’s happened is because we’ve skewed these lines, entities and institutions said, we’re not going to open accounts for members that have some of these factors making an assumption that they’re high risk. We don’t want to deal with it. We don’t want to deal with the controls, so we’re going not to open those accounts. That’s a disservice, not only to these potential members but also to the organization and to the financial institution, because they may be losing very good members simply because one aspect of that member may be higher or have elevated risk.

That’s a fantastic explanation. I love the comparison to where you’re from. I get the connection there. The word is higher compared to high risk. From the 10,000-foot level, money service businesses as a category. Would that be one that would fit this conversation? There may be money service businesses that you want to consider high risk and some that make sense. Is that a good analogy or comparison, or is that a bad comparison?

It’s a good one. You have money service businesses. It’s become a dirty word because they are acting as a financial institution that is within a financial institution. If you’re at X bank and you have money service businesses, you have to have better controls in place. That MSB has to have a risk assessment. You have to go, and at least most institutions visit them routinely. That’s a lot of effort. You have to monitor their transactions to make sure they’re not utilizing that business for purposes of terrorist financing or money laundering, and that’s a lot of responsibility.

You have some that are legitimate that are trying to help the unbanked, the people that can’t get a bank account to have to go and cash their check somewhere else. They’re providing a good service, but you always have those people or businesses that take advantage of those opportunities and utilize them for something illicit or nefarious. It’s an MSB. It’s a higher risk. Let’s do some more homework and figure out, “Is this an entity that will be good for us, or is this something else we need to know that does, in fact, make it overall high risk, and in that case, we don’t want?”

Risk-Based Approach: Just because something is an NGO doesn't make it high risk. It just means it's a higher risk for potential money laundering or terrorist financing, and you have more work to determine if they are overall high risk.

I’m on LinkedIn a lot, and I read The Wall Street Journal, American Banker, and the topic of marijuana businesses. I see a lot of that discussed. I can sense that more banks and credit unions are serving this higher-risk group. Any chance that this guidance coming out might be connected to what’s going on in that arena, or is that maybe just a coincidence?

Because it’s caused so much of a reaction from financial institutions if again, this is causing a trigger reminder that there are a lot of entities that you’re not banking, but yet you’re on board with cannabis banking. Why is that versus you do not want to handle these? I don’t know what the trigger was for this. I have been inside a lot of institutions, and I noticed how prevalent some of the conversations are on, “They are a cash-intensive business, so we don’t want that here.”

Maybe some of this is that we are finding that legitimate entities are unbanked. Part of what you want and as a regulator, what I wanted is I wanted to bank as many people as possible because as long as they’re within the financial system where we have regulations, we can identify and monitor activity. However, it’s hard to do that once out on a black market or someplace where we can’t see it.

To the extent we can get them into the monetary system, I think regulators want to see that. It gives us an opportunity to provide those Polaroids around what’s going on at our institution. However, if you don’t have access to those entities and are unbanked, a lot of information goes unseen. We also don’t want people taken advantage of.

It’s critical that you have them in a regulated entity where some of that oversight is taking place. I think there are a lot of reasons this may be going on, but I do know that there’s been a pushback from institutions not to bank a lot of these members because they have one of these factors on cash-intensive businesses are fairly common. Still, a restaurant in Nebraska does not have the same risk that a restaurant in a high drug-trafficking area of Atlanta is going to have.

We need to look at these more holistically, just as we, as human beings, would want somebody to get to know us before they assign some trait or overall evaluation of us. We would want them to get to know us a little bit better and find out what we’re about. We need to do the same thing with these people coming to us trying to get accounts.

Why are you here? What is it about you? Tell me a little bit more about the business and you. A lot of questions go into due diligence, and I think we’ve gotten to a point where we don’t want to do the homework, but we need to do it. Again, we may be missing out on some great members at credit unions or customers at banks because we just made these broad policy decisions that don’t do service to the monetary system as a whole.

That’s another good comparison. The path of least resistance is easier for someone to have to put all the energy in, potentially to take a look at the individual businesses. I could see where someone might be eliminating a whole group, as you’re saying. Only because it’s going to take a substantial effort, and it’s easier to say no to all than go through that effort. As you said, you could be missing out on some really fantastic members and they need services. I love the point of getting them into the system as well.

This was a very big conversation around payday lending that we needed to get these folks into the system because they were being taken advantage of. Usually, laws were being sealed out as far as the percentage of interest rates and the fees that were associated with these so we could get them into the system. The goal is how do we get these parties not performing all these banking services outside of the system.


In addition to that, Mark, I think another part of this is that financial institutions are trying to avoid BSA violations. They think if they limit their risks by excluding some of these entities will somehow increase their chance of having a good exam and not having the reputational and punitive damages that can come from systemic violations, again, missing out on some great possible revenue and relationship-building. You have to figure out how we balance those two things out. I think they’ve been in an imbalance for a little bit longer than they should be, which is why we’re seeing this level-setting. This resetting of, “This is what we meant. Please stop overreacting.” Let’s get back to what we intended. That’s what the statement is about.

This is a little off-topic, the concept of outside the system. When I think of that, something else that’s in the news a lot comes up in my mind, and that’s blockchain and utilizing, not crypto, but the blockchain element of crypto as part of the banking system or part of moving money around. Yet, it’s a little bit less transparent or maybe a lot bit less transparent than being within the system. Jumping ahead 5, 10, or 20 years, whatever you think, how do you see that from where you sit as the expert and the roles you’ve played? What are the public policy challenges that we have to face on that topic?

I think the issue with blockchain and anything related to digital currency is similar to where we’ve been historically with anything that was new. The activity is well beyond or well ahead of the laws coming after. It’s like criminals. They’ve created a new crime before the law can catch up and say, “Here are the penalties and the things we’re looking for.” It’s the same thing here.

You’ve got FinTech. There is a lot of incredible opportunity with FinTech, but you’re going to have challenges with it. I have been following it in the news, and it seemed to be on its upward trajectory and then we have this bottoming out. I don’t know what the future of that looks like, and I won’t even speculate. It’s also a very sensitive topic with a lot of people.

How do you deal with that as something new? How do you regulate that? How do you protect people that are within that process? The problem is if you don’t do something to help regulate it, you have the same situations that you’ve had historically with payday lending again and money service businesses. Until you bring them into the fold, things happen that people lose a lot of money. They lose their livelihoods. They end up losing their lives. The question is ultimately, where is the future of this? What does that look like? I don’t know, but I think we do have to figure out what parts work. Can we bring it into the existing regulation? How do we do that? It’s a huge process to take an activity and then get it into law.

It can take years and sometimes decades. How long have we been talking about changes to the Community Reinvestment Act, which doesn’t apply to credit unions? It takes a long time to get those laws designed and implemented. You design them in Congress, and then the regulatory agencies are responsible for implementing the laws on how they apply to the institution. It’s a long process, and because I think it’s been fluctuating so much, it’s hard to know how we regulate it because it’s been so up and down.

The question has been, is this a product or a service that’s going to take off as a long-term future product? The question is, “Are we talking about something that has viability, or should we be talking a little bit more earnestly about what that looks like and how we integrate that?” There are people on both sides of the fence. I don’t even have an opinion right now of whether it’s going to sustain itself or not, but we are in an age where the next product is here.

I don’t know what the final version is going to look like. It isn’t anything we’ve seen yet, but I think it’s going to start to nuance itself. Once it gets to a place where it’s nuanced, we can start to ask the question, “How do we regulate it?” I don’t know. This one has been a rollercoaster ride reading these articles.

It’s fascinating on every level. As you said, you have to see where it’s going to land. Is it going to survive? How’s it going to be structured? What is it going to be used for? You can start grappling with that 5, 10, and 15-year journey of what lies ahead of you. Again, it’s capitalism too. It’s a new idea, and this country’s founded on new ideas. Some of them peter out, and some of them take off. It’s going to be fun to watch, that’s for sure.

Risk-Based Approach: Financial institutions are trying to avoid BSA violations. They think limiting their risks by excluding some of these entities will increase their chance of having a good exam and not having the reputational and punitive damages that can come from violation.

We’re also very averse to change and risk as far as investing funds that could be gone tomorrow. If we look back historically, we’ve seen the same thing with electronic banking and online banking. I don’t want to get involved in that. That’s scary. Now, it’s part of our daily routine.

Are there any other thoughts relative to the NCUA as it relates to this letter to credit unions and the guidance?

I want to answer your second question. What do we do? What is risk-based, and how do we deal with that with respect to these products, services, persons, and entities? We have to go back to what we do when we have a potential new member come in the door. We know that we’re following through on the requirements of the customer identification program under the USA Patriot Act. If you combine, the equation is CIP, Customer Identification Program, plus Customer Due Diligence, CDD equals Know Your Customers. CIP plus CDD equals KYC.

How do we get to the KYC part? With the CIP, we know that institutions are doing it because they have to. They are verifying identities. As part of that, they are getting some due diligence information. They are getting occupation or employer. They’re asking some of those basic questions. They’re running check systems in some locations. They’re doing their own fact check because they’re required to do that. It’s fine and good, but it’s that due diligence piece. The question is, do you do an account opening, or do you open the account and then move that into the back office, where they then conduct due diligence?

People have a lot of different views on this. My take on it is that the gatekeeping function at account opening is critical because we all know that marriage is easy but divorce is harder. Hiring someone is easy, but firing them is harder. Renting or leasing to a tenant is easy, but evicting them is harder. The more you do upfront, the better off you’re going to be. Not only in bringing in somebody that is likely not to be laundering or financing terrorism, but also in somebody who’s not going to become an administrative nightmare for you. You are constantly filing sources on them, having to investigate and use resources for things you could have avoided.

I think the question is, when do you do it? The timing is critical, but I think it should be done upfront before you establish that relationship, and then the question is, “How do we do it?” One of the things that institutions haven’t done well historically is put in either some risk-scoring model where you say, “Here are all the factors we’re going to consider. Here’s the weight we give each one, and then we’re going to come up with a total score. If you’re above the score, you’re at high risk. It’s either we don’t want you, or we’re going to automatically move you into an annual enhanced due diligence review. Because of what you provide, we want to bring you on as a member, but we know we’re going to have to monitor you.”

Also, you can say, “High risk, we don’t want that person here or that business here, so we’re going to say, ‘No, thanks.’” One of the things I do when I come in is help them put into place this due diligence risk-based scoring process. The other thing that process includes is asking questions about some of these higher risk factors within the examination manual.

Do you have a privately owned ATM? You can ask that question, and some entities do, but what they don’t do is define what that means. Members aren’t going to know. They’re not usually sophisticated enough to know, “I have an ATM on-site, but I don’t empty it. I have a third party that does it, so it’s not privately owned.” In fact, it may still be because they don’t understand what that phrase means, or you may have somebody say, “Yes, I do have one,” when, in fact, they don’t.

They only happen to have Chase’s machine on-site, so they’re like, “I have a privately-owned ATM.” You may lose someone because you’ve not defined it. You may get someone who marks it incorrectly because they don’t know what it means. Part of that is defining these terms for individuals and then also making it clear at the time of account opening that we have a policy here. We have a definitive statement that if you have what we’ve defined as a privately-owned ATM because it’s our policy not to have those accounts, or it is our policy not to have a money service business. It’s our policy not to have somebody that’s doing pouch activity. We are making it clear to you that if we identify that going forward, we will be closing your account.


These are the kinds of things that aren’t being done upfront. What are the things that are a violation of your policy? The question is based on this statement from this joint statement. Should they be? Maybe you should open yourself up a little bit more but if you want to keep them as policy violations, let’s ask the right questions at account opening. Let’s define those terms for people. Let’s figure out who we’re dealing with, give a definitive policy statement, and then use this risk scoring model to figure out whether this person is low, moderate, or high risk overall. If they’re high risk, do we bring them in and do EDD, or do we just say, we’re going to exclude you, but the individual factors themselves are not enough to make somebody high risk?

To me, what’s critical here is making sure that you are clear on who you want and don’t want and giving yourself a little bit more freedom to say, “Privately-owned ATMs aren’t so bad. Let’s bring those into the fold and not make them a policy violation, but let’s add them to our factors and our risk-based approach. Let’s bank them. If everything else about them is fine, let’s bring them in. We’ll have to monitor the cash activity and make sure it’s normal and reasonable for that type of business.”

We’re going to have to do a little bit of work, but it’s worth having them here because not only are they our members, but they’re providing services to our community, and that’s important to us as well. There are a lot of things around this upfront process that I think are not handled well currently. One of the things that have surprised me, particularly with credit unions, is that the NCUA has not historically been a sitting institution for not having due diligence in place. I think this joint statement also lets us know that they are going to start looking at that, that you cannot bring someone in and not perform proper due diligence.

If they’re high risk also, be performing your annual enhanced due diligence, which may require you to do site visits and get financial statements or bank statements. There’s a lot that goes into this. I think the statement is not only to level set but for credit unions that may also be assigned that look, “We have to start making sure this is in place.” I think there may be another level of review coming as well. Hopefully, that’s not too much information. It only gives people enough to know that you got to do this. The question is when do you want to do it, but be prepared that if you’re opening the account to doing it after the fact, you may find that you have somebody that’s a little bit harder to get rid of than they would have been if you’d done all this work upfront.

That’s fantastic advice. I love the gatekeeper comparison. When someone engages with you, you’re walking through this, and they have to make that decision of when to do it. You give those examples of it’s easier to get married and divorced. It’s easier to hire than fire. If this was my responsibility and I was in a credit union, and we’d hired you, you came in and said that, I’d be like, “We don’t even need to talk about it anymore. Let’s do it when they come in the door.” When you have that discussion with clients, is it something that they instantly see the light and they end up going at the front-end or is it 80/20? How does that play out when someone brings you on and you walk them through what their options are here?

It’s interesting because human nature plays a big role in this that we get so used to doing things a certain way that we don’t stop to ask ourselves. If we were building it from scratch now, what would it look like? I think a lot of it is that shock of, “Why didn’t we think about that?” Why didn’t we consider that? We’ve put a lot of reliance on check systems, which don’t tell us anything about someone except for their banking history. That’s even limited.

We’ve relied on that as the primary gatekeeper instead of doing additional work. I talked to people about check systems. It’s a useful tool, but people have figured it out. You’ll have people coming to get a new account before their old one is closed and reported to check systems. You won’t see that closed account yet, but if you had waited two more weeks, it would have shown up.

You also have people that if you have a lot of inquiries on check systems, it might be an indication that someone is going around to a number of institutions that may be looking to commit fraud. The other thing I’ve noticed is a lot of institutions that don’t use check systems. People find out about that, including employees, and that information gets out. I know of a credit union that did not use check systems and found that members were coming in and commenting on that.

“I’m here to open an account because I hear you don’t do check systems.” That, to me, is a red flag. What we’re finding in the same institution is that not only were they not using check systems and people were coming in that couldn’t get accounts elsewhere, but their own members who had been closed previously that they didn’t report, were getting new accounts.

Risk-Based Approach: The hard part is updating information on a routine basis to make sure that the person you brought in has remained in good standing with you and that you are evaluating them based on facts versus previous historical data.

Even though they had taken a loss at the hands of this person, they were opening a new account. They didn’t even check their own records. If people have it in place, check systems become like, “We feel pretty good,” but it’s not enough anymore. I think we have to take those additional steps. People don’t stop to think about that. They’ve also historically put due diligence in the bucket of, “That’s the BSA function, so that’s a back office function. We don’t want branches doing that.”

I say you don’t have to have branches doing that. You can have BSA working with your branches upfront because you guys are a team and putting together a good tool that branches can use at inception to walk through the scoring methodology and make some determinations, but you’re not in that alone. Part of it is that there’s this connection between BSA and CDD. We leave that to them, but this decision is not about BSA and the branches. It is about the institution. You have to act as an institution when you’re doing these things and figure out, “It’s more work upfront.”

It might take us a little bit longer to establish the relationship, but that’s what we want. We want to establish great relationships with people and with businesses. We don’t want to make these quick knee-jerk decisions and either bring in somebody we ultimately are going to end up regretting or not let in somebody we wish we had. I tell institutions when we go through this process. An example I use that’s not directly related to banking is Justice Sandra Day O’Connor. She graduated third in her law school class from Stanford, and William Rehnquist graduated first.

They had dated in law school, but when they both graduated, the best job she could get was as a secretary in a law office because she was female. Imagine how all of these people that rejected her and put her in these inferior roles felt when she was put on the Supreme Court. We make judgment calls for lots of reasons, and we regret those decisions. Imagine being the person who said, “I don’t want Sandra Day O’Connor working in my law firm,” and she becomes a justice.

We do a lot of things that we might regret down the road, but we can prevent some of that if we just have better conversations around what we want to do. When do we want to do it? Who should be doing it? We’re just asking all the demonstrative questions and coming up with better answers versus continuing on this apathetic path we have followed historically until somebody reminds us, “There’s another way to do this.”

That’s what I do. I ask very basic questions and try to bring people back to a solution that may take more time upfront, that short-term sacrifice for long-term gains. I’ve always been about that. It’s going to cost you more upfront. It’s going to take more people and more time, but your long-term benefit is that you have a relationship that you may have to worry about. People can change. That’s the other thing too.

The third part of this is nobody’s static. We’re dynamic. You’ve changed jobs. I’ve changed jobs. We’ve changed geographical locations and the banks and credit unions we do business with. Our income and employment changed. The hard part is updating this information on a routine basis to make sure that that person you brought in has remained in good standing with you and that you are evaluating them based on facts versus previous historical data.

The hardest part is having BSA and retail work together to get updates to this information, but I think that the reaction is more of, “That makes sense. How do we go back to that space? What would that look like for us? What makes the most sense for us because it’s different for every institution?” Again, it’s good to have a dialogue, ask questions, and have people think about why we do what we do.

How many times have you walked someplace and hit a chair that is poorly placed in your living room? It takes you a long time until someone finally says, “Why don’t you just move it?” “Of course, I should just move it, but I haven’t.” We’ll only continue to deal with that human condition of moving towards pleasure and moving away from pain. Until the pain becomes too great, we don’t usually address things. We let them go. That’s what happens with BSA as well. We don’t, until we’re in a position of pain, stop to say, “Is there a better way? Should we think about this differently?” It is good every 3 to 5 years to ask yourself questions around, “Why do we do what we do, and does that still make sense?” Institutions historically don’t go through that process.

It is the human condition to move towards pleasure and away from pain until it becomes too great.

You’re giving our readers a lot to think about all of these things. Deborah, I want to thank you for your time. If someone that’s reading this learns this, somebody probably will, and they go, “I want to get in touch with Deborah and talk to her about how I can make my credit union better on any of these topics.” What’s the best way for them to reach you?

They can certainly go out to my website, which is My contact information is out there. I’m also on LinkedIn, and my phone number is also available at both of those locations. They can reach me on a number of channels, and I’ll be happy to see what I can do for them. As always, Mark, it’s my pleasure to be here. I love to talk about this stuff. Hopefully, there are some good takeaways for people that again can help them continue to make their institutions stronger and better. Also, find themselves having more confidence and less stress around anything related to regulation and certainly risk management.

There are a lot of good takeaways here. I think this is going to be well-received by my audience. Again, Deborah, thank you for your time.

You’re welcome. It’s my pleasure. Thanks, Mark.

I appreciate you tuning into this episode.


About Deborah Arndell


Deborah has been in the banking and financial services industry since 1998. That time includes more than a decade inside the industry itself in a number of roles working for an array of firms of varying asset sizes. She left the industry in 2008 and entered the consulting arena to get a broader perspective of how other firms managed their compliance and operations. In 2010, having been offered an opportunity to merge her industry expertise with her consulting experience, she accepted a role in supervision at the prestigious Federal Reserve Bank of New York (FRBNY). During her six-year tenure at the FRBNY, she held the responsibilities of Senior Examiner, Supervising Examiner and Manager before she was promoted into the elite Officer corps in 2014. In late 2016, she decided to leave the FRBNY to create something tailored specifically to her passions, ARMOR Advisory Services. Her first consulting job from May 2017 to December 2017 resulted in an offer to come on board as the EVP/Chief Risk Officer of the bank to help them ensure they were prepared for an acquisition.

Taking more than 20 years of experience and knowledge and combining them with her leadership abilities, strategic thinking and powerful communication skills, she launched this advisory firm. Her desire is to take the best of what she has learned and allow others to benefit from it; to take the headaches she had while in the industry, add in the do's and do not's she learned while in consulting, sift all of that through the light and dark sides of supervision and deliver a valuable partner back to the industry. Her highest purpose is to be a resource for a very limited clientele in the form of thoughtful and meaningful risk management insight and oversight.

Deborah understands both broad risk management principles and risk-based execution as well as the nuances of day-to-day compliance and operations. As a regulator, she believed in being fair and reasonable and knows how to make Compliance Risk Management Programs (CRMP) and Compliance Management Systems (CMS) operate with the greatest efficiency and effectiveness without tripping over regulatory limitations. She believes that with strong communication and consistent, detailed documentation, nothing is out of reach - anything is attainable.

In her roles, she has been regulated by the FDIC, the OCC, the OTS and FINRA and has had working relationships with the NCUA, FDIC, the OCC, the CFPB, the IRS, FinCEN and various State agencies and law enforcement groups.

She was CAMS certified in 2007 and completed both the ABA Graduate and Undergraduate Compliance Schools in 2007. She received her Juris Doctorate in 2004. While in law school, she was certified in arbitration, mediation and negotiation.

