ANTI-MONEY LAUNDERING PROCESS MATURITY … laundering process maturity report sri lanka banking...

ANTI-MONEY LAUNDERING

PROCESS MATURITY REPORT

SRI LANKA BANKING INDUSTRY

April 2017

AML PROCESS MATURITY REPORT - SRI LANKA BANKING INDUSTRY

April 2017

The importance of ongoing review and assessment of any country's Anti-Money Laundering (AML) and Combatingthe Financing of Terrorism (CFT) regime cannot be understated in today's era of global crime and terrorism. Thepresent AML Process Maturity Report, the third in a series of reports published by Fintelekt for the South Asianregion, seeks to highlight the AML compliance strengths and suggest improvement areas for the Sri Lankan bankingindustry, with an objective to positively contribute to the AML compliance debate in the country.

Insights about AML/CFT Process Maturity in the Sri Lankan banking industry were gathered through detailed face-to-face interactions with compliance officers at 12 banks in December 2016 to assess the regulatory environment andbenchmark AML processes. Although the sample size is limited, we believe that the study results are fairlyrepresentative of a variety of banking organisations within Sri Lanka.

The study covers, in detail, processes related to risk identification and assessment, monitoring and record keeping,technology and systems, resources, training and other parameters. In addition, opinions of compliance officers onissues such as current challenges, organisational priorities, senior managerial involvement, Financial IntelligenceUnit (FIU) and regulatory programmes were also solicited.

We are thankful to all the compliance officers who participated in the study, as well as to the Association ofCompliance Officers of Licensed Banks - Sri Lanka (ACOB) for their significant support to this study. We are alsograteful to the Financial Intelligence Unit of Sri Lanka for their ongoing support to our efforts in spreading theimportance of building a stronger AML regime in the country.

AML PROCESS MATURITY- SRI LANKA BANKING INDUSTRY April 2017

www.fintelekt.com

Shirish PathakManaging Director

[email protected]

Arpita BedekarResearch Director

[email protected]


www.fintelekt.com

1. Executive Summary 4

2. Organisational Concerns and Challenges 7

3. AML Compliance as an Organisational Priority 9

4. Risk Identification, Assessment and Reporting 10

5. Technology 12

6. Resources and Training 14

7. FIU and Regulatory Involvement 15

Table of Contents

EXECUTIVE SUMMARY

Compliance officers across the banking industry stated that the top threats to theirbank are due to issues such as understanding beneficial ownership, understanding thesources of customers' funds and trade-based money laundering (TBML), whichincidentally are universal concerns that compliance officers are grappling with globally.

Note: Figures in brackets represent percentage of respondents highlighting the issue

70% AML compliance officers reported technology inadequacies to be their mainchallenge in day-to-day operations, signaling the need for Sri Lankan banks to enhanceinvestments in systems and solutions to strengthen their compliance capabilities.Inadequately trained staff was also mentioned as a challenge by compliance officers athalf the banks, emphasising the need for greater capacity building within theorganisation.


www.fintelekt.com

4

Not out of line with their current challenges, compliance officers outlined their top threepriority areas for AML compliance related spending for the next one to two years to beKYC reviews, updates and maintenance (73%), procuring/enhancing transactionmonitoring systems (64%), and AML compliance training (55%).

Organisational priority for AML compliance

Overall governance with respect to conductingaudits or internal reporting to variousmanagement teams within the bank seems to beconsistent and regular among study participants.Further, 92% of the compliance officers feel thattheir organisation's policy of internallypublicizing the AML compliance programme isadequate, indicating that due priority is given toAML compliance within the bank.

However, half the compliance officers expressedthe need for greater support and involvementfrom the senior executive management team andthe Board of Directors. This support is importantfor key decisions on technology, systems and processes and to improve the culture ofcompliance within the organisation.

Risk identification, assessment and reporting

There is relatively strong focus placed on risk allocation, updating of high-risk customerprofiles and risk assessments within the banks participating in the study. However,relatively low importance is being given to updating low-risk customer profiles, withmany banks not having updated low risk profiles within the last 3 years. This can posea threat, as banks may not know if some of the low-risk customers have moved to thehigh-risk category.

Another area that merits attention was that 45% of the banks have never undertakenan enterprise-wide risk assessment. Further, those banks that have conducted annualor semi-annual risk assessments, have done so internally and not through an objectivethird party agency.

Technology

The use of automated solutions for record-keeping, transaction monitoring and clientscreening is fairly high, though some banksare still relying on manual processes forrisk identification and transactionmonitoring.

However, these technologies may need to beevaluated for their relevance to the bank'scurrent business needs and regulatorycompliance gaps, and upgraded accordinglyso as to offer more functionality.


www.fintelekt.com

5

6

Resources and training

Banks are fairly regular at training front-line and compliance staff members. However,AML compliance training is not as regular, and in 33% of the banks, it is not providedfor senior and executive management members and in 42% of the banks not provided forthe Board of Directors. This may likely impact the decision-making ability of personnelat these key posts, as they may not be equipped with adequate understanding of trendsand current AML compliance risks.

FIU and regulatory involvement

Compliance officers mentioned the top areas of support required from the FIU andregulatory bodies as more experienced practitioners at FIU training programmes,increased guidance and wider publication of typologies and thematic reviews. Allcompliance officers also felt that more feedback from the FIU on disclosures made by thebank will help in better identification of suspicious transactions in future.

Way forward

Technology and training are areas requiring immediate attention within banks, whichwill help further strengthen the AML compliance environment in the country byequipping the relevant staff with the right tools and knowledge to combat Money-Laundering (ML)/Terrorist Financing (TF) risks.

Further, compliance officers at Sri Lankan banks, in conjunction with the FIU and otherregulatory and overseeing bodies may benefit from collaboration on issues such asupdating and maintaining country-specific watch-lists, knowledge sharing on typologiesand thematic reviews in the greater interests of the compliance function.


www.fintelekt.com

7

ORGANISATIONAL CONCERNS AND CHALLENGES

Organisational risks which pose serious threats to the bank

Compliance officers at 80% of thebanks participating in the studyconsider understanding UltimateBeneficial Ownership (UBO) ofcorporate clients to be the topmostrisk perceived as a threat to thebank, followed by an equal 50% ofbanks selecting understanding thesources of customers' funds andtrade-based money laundering asperceived threats to their bank.

Top AML compliance challenges for banks

Within the bank, top compliance challenges faced by banks are technology inadequaciesor gaps (identified by 70% respondents), enterprise-wide view of all customerrelationships (identified by 60%) and inadequately trained staff (identified by 50% ofrespondents).

Challenges for AML compliance officers

The top challenges identified by AML compliance officers in their day-to-day operationsare keeping abreast of developments in AML compliance and regulatory environmentand balancing business and AML compliance priorities within the organization,identified equally by 64% compliance officers, and transaction monitoring, identified by55% of compliance officers participating in the study.


www.fintelekt.com

8

Top priority areas for AML compliance related spending in thenext one to two years

Corresponding with the top challenges faced by compliance officers, the top threepriority areas for AML compliance related spending identified by the respondents areKnow Your Customer (KYC) reviews, updates and maintenance (73%),procuring/enhancing transaction monitoring systems (64%), and AML compliancetraining (55%) for the bank.


www.fintelekt.com

AML COMPLIANCE AS AN ORGANISATIONAL PRIORITY

Among the banks that participated inthe study, all compliance officersreport to the Board, Audit or Riskcommittees at either a monthly orquarterly frequency. 75% conduct anAML audit at least once a year.

The decision making authority of thecompliance officer is also high, with75% of the compliance officersreporting that they are the soledecision makers for compliancerelated issues in most cases, except incases where decisions are takenjointly with other senior managerialexecutives. Compliance officers at25% banks state that they areadvisors on decisions on compliance related matters.

About 36% of the compliance officers mentioned that they visit bank branches on aregular basis - either monthly or annually, while the remaining compliance officers visitin the event of a concern at the branch, or on a need-basis.

92% of the officers feel that their organisation's policy of internally publicizing the AMLcompliance programme is adequate.

Despite factors pointing to a high priority for AML compliance within Sri Lankan banks,50% of the compliance officers that were part of the study still think that they need moresupport and involvement from the senior executive management and Board of Directors.This is an important finding, pointing to the need for more that can be done within AMLcompliance at Sri Lankan banks.

9


www.fintelekt.com

10

RISK IDENTIFICATION, ASSESSMENT AND REPORTING

Most banks (83%) follow a centralized model for transaction monitoring, alertgeneration, alert handling and reporting of suspicious transactions. The remainingbanks follow a mix of centralized and regional model for compliance activities.

Updating customer profiles by risk category

All banks that participated in the study allocate a risk score to each customer. 92% ofthe banks verify the identity of the customer at the time of on-boarding the customer,while the remaining 8% complete the process within one month of the customer on-boarding.

80% banks update high-risk customer profiles once a year, while 10% update them oncein 2 years. 10% banks stated that they have not updated high-risk profiles within thelast five years.

For medium-risk customer profiles, 50% banks update once in 2 years and 30% once in3 years, while 20% stating that they have not updated the medium-risk profiles withinthe last five years.

There is relatively low focus placed on low-risk customer profiles, although they makeup between 75% and 95% of the proportion of the total accounts within the bank. Only40% of the banks that participated in the study said that they have updated low-riskcustomer profiles within the last three years, while 40% have updated once in the last5 years. 20% have not updated in the last five years. This poses a significant risk tobanks, as they may not know if any customers have moved into the high-risk category.

For high-risk customer segments, the strategy at 83% banks is to conduct EnhancedDue Diligence (EDD), while 58% also undertake greater monitoring or high-riskcustomer accounts to manage the risk. Most banks access or use information availablein public domain for customer risk assessment.


www.fintelekt.com

11

All banks assess ML/TF risks associated with a new product, service or channel beinglaunched by the bank.

Enterprise-wide risk assessment

45% banks have undertakenan enterprise-wide riskassessment within the lastone year, with another 10%having conducted anassessment within the lastsix months. However, 45%of the banks stated thatthey have never undertakenan enterprise-wide riskassessment. Further, thosebanks that have conductedrisk assessments, have doneso internally and notthrough an objective thirdparty agency. This areatherefore needs attentionand appropriate action.

Reporting to the FIU Sri Lanka

Banks filed between 3 and 40 Suspicious Transaction Reports (STRs) with the FIU, withthe average being 19 STRs for the last financial year. When asked if banks areundertaking a periodic review of STRs filed with the FIU Sri Lanka as a potential riskassessment tool, only 40% banks mentioned that they were doing so.


www.fintelekt.com

12

TECHNOLOGY

Record-keeping

70% of Sri Lankan banks use automated systems while the rest are relying on manualsystems for KYC and CDD-related record-keeping.

Identifying suspicious activities

Most banks use a combination of automated systems, reporting by employees and tip-offs from intelligence agencies for identifying suspicious ML/TF activity.

Transaction monitoring

Methods for transaction monitoring consist of automated systems at 67% of the banks,while the remaining 33% use manual or excel based reviews.

At least 40% banks reported that they generate a large number of alerts, often beyondthe capacity of the AML team to address effectively.

Beneficial ownership

For verifying beneficial ownership, banks mainly use the KYC process (92%). Only 33%additionally use information from the Registrar of companies.

Client screening

83% banks have a client screening technology in place. Apart from the UN List andOFAC List which are used by all banks, 71% banks have internal watch lists and 43%also have access to commercially available sanction lists such as Accuity or Worldcheck.

58% banks feel an urgent need for a Sri-Lanka specific sanctions list or watch list forsanctions monitoring. The FIU Sri Lanka should consider updating the available listregularly for the benefit of reporting entities.

Technology gaps

Despite the proportion of banks using automated solutions for compliance relatedfunctions being fairly high, 70% of compliance officers have flagged off technologyinadequacies or gaps to be a challenge for their bank, signaling the need for upgradingtechnology used within the bank to make it more relevant to their current needs.


www.fintelekt.com

13

Important factors while evaluating an AML data provider /vendor for the bank

The overwhelming factor while evaluating an AML data provider or vendor for the bankwas mentioned as price, by 80% of the respondents. Conforming to internationalstandards (70%) and credibility of the vendor (60%) were at second and third placerespectively.


www.fintelekt.com

14

RESOURCES AND TRAINING

Team size

58% of the banks have an AML compliance team size of less than 5 members. 33% bankshave an AML compliance team size of 6 to 10 members. 8% have 11 to 20 members inthe team.

81% compliance officers indicated that the team size has increased over the last threeyears, with the rest of the compliance officers reporting no change in the team size.Further, 67% are planning to increase the team size in the next two years, while theremaining stated they do not plan to increase as they have recently recruited into theteam.

AML compliance training

Training for front-line staff and AML compliance staff is conducted regularly withinbanks, with 17% providing training twice a year and 83% banks providing annualtraining. For senior and executive management and Board of Directors, 67% and 58%banks respectively provide annual or semi-annual training.

AML compliance training is not provided for senior and executive management at 33%of the banks and Board of Directors at 42% of the banks that participated in the study,which may likely impact the decision-making ability of personnel at these key posts, asthey would not be equipped with adequate understanding of trends and current AMLcompliance risks.

Training methods

75% of banks provide role-specific training depending on the profile of the employee. Thepopular training methods are internal classroom based (67% banks), through the use ofwritten material (58% banks) and internal e-learning based training (42% banks).


www.fintelekt.com

15

FIU AND REGULATORY INVOLVEMENT

FIU or regulatory visits

75% banks have been subjected to a visit by the regulator within the last one year. Mostof the visits have been for routine inspections. However, some banks mentioned that thevisits were for specific investigations.

Interaction with the FIU

All compliance officers reported that either they themselves or a member of their teamhave attended FIU training programmes within the last year. Compliance officers alsoreported having used the help desk of the FIU Sri Lanka or interacted with them in thelast year. 92% banks found the response of the FIU satisfying.

All banks felt that more feedback from the FIU on disclosures made by the bank willhelp in better identification of suspicious transactions in future.

Areas of support needed from the FIU

70% compliance officers felt that more experienced practitioners at FIU trainingprogrammes would improve the quality of programmes. Increased guidance and widerpublication of typologies and thematic reviews were stated by 60% compliance officersas important areas of support expected from the FIU Sri Lanka.


www.fintelekt.com

ANTI-MONEY LAUNDERING PROCESS MATURITY … laundering process maturity report sri lanka banking...

Documents

Transcript of ANTI-MONEY LAUNDERING PROCESS MATURITY … laundering process maturity report sri lanka banking...