Fortifying Your AML Audit with International Best...

Asia Full Day SeminarsAsia Pacific Region - 4th Annual Enhanced AML/CTF Tools and Techniques

1

Fortifying Your AML Audit with International Best Practices

Hue Dang, CAMSHead of Asia, ACAMS

1 February 2013

Asia Pacific Region –4th Annual Enhanced AML/CTF Tools and Techniques

AgendaRegulatory Framework: BSA/AML ExamOptimizing your audit practices to meet

stringent regulatory expectations and regional standards Implementing a risk-based approach to AML

auditsLeveraging audit findings to improve AML

department processes Applying the latest techniques to streamline

testing and reporting procedures

2


Regulatory Framework: BSA/AML Key Components

AML Risk AssessmentStep 1: Risk categories: products, services, customers,

entities, transactions, and geographic locations Step 2: detailed analysis of the data identified to

better assess the risk within these categories AML Compliance Program Written policies, procedures, and processes System of internal controls to ensure ongoing

compliance (CIP Program) Independent Testing Designation of Compliance Officer Training

3


Regulatory Framework: BSA/AML Key Components (cont’d)

Suspicious Activity Monitoring & Reporting SystemsReview correspondence with primary regulatorCheck for STR, CTR errors and exemptions

Level and Extent of Automated SystemsVolume of activity commensurate w/ customer

occupation or type of business Number & Volume of high-risk customers Volume of STRs/CTRs in relation to exemption Volume of STRs/CTRs in relation to bank size,

asset or deposit growth, and geographic location4


Implementing a risk-based approach to AML audits

STARTING POINT 1. What are the Key Elements of a Good AML Program?

Statement of Objective AML Organization Structure - Identification of Roles & Responsibilities AML Regulatory Framework Outline of the AML/Compliance/Risk Governance Structure Risk assessment of Clients/Products/Geographies /Transactions On-boarding Procedures - CIP + KYC On-going Monitoring + Periodic Review Escalation - Investigation-Suspicious Activity Reporting Cooperation with Law Enforcement, other financial institutions Sanction Screening MIS Record Retention AML Training Review and Auditing/Testing of the AML Program

5


1. Management Oversight

2. AML Policies/Procedures

3. AML Monitoring

4. SAR/STR Reporting, Sanction Screening

5. Testing

6. Training

2. Derive the Key AML Risks and Controls from an Effective AML Program

6


Testing AML Controls :

Some Common Flaws in AML Risks and Controls Management Oversight Lack of Business Participation/Buy-in (No

‘Culture of Compliance’) Weak AML Governance Structure (i.e. Senior

(AML) Management not aware of AML issues and their resolution)

AML Policies Fragmented procedures/processes Not robust enough – in mitigating certain High Risks Not timely in addressing regulatory changes (Gaps &

Remediation)


AML Monitoring Parameters/Thresholds not optimized: Noise

vs Productive Alerts Inefficient disposition of Alerts: Too many non-

productive Alerts Inexperienced AML Analysts – to detect

unusual activity Insufficient resources Failure to document the rationale for closing

an alert/investigation

Testing AML Controls :Some Common Flaws in AML Risks and Controls

8


SAR/STR Reporting, Sanction Screening Lack of clarity in the Escalation Process Too much time taken to determine possible

suspicious/unusual activity (Delay in reporting) Poor SAR/STR Narratives - Failure to clearly state

why the activity is suspicious (or NOT suspicious) Failure to take (or track) action post-SAR/STR

filing Search request and result reporting are not

streamlined (resulting in untimely responses/incomplete coverage)


9


Testing No Independent; only Self-testing Lack of Transparency in Testing and Results Poorly defined Corrective Action Plans (Root Causes not

identified/addressed) Failure to track Follow-up Actions – Corrective Action

Plans/Remediation Training Failure to identify correct target-audience(s) within the Firm Failure to track and follow-through on non-completion of

mandatory training New Training vs Refresher Training (same modules/contents) Failure to train to regulatory requirement


10


11

CASE STUDY:

Testing KYC/CDD Controls


STARTING POINT: Appreciate the importance of an effective KYC /CDD program

Effective KYC/CDD Program

Identifies the ML/TF risk that the prospect / client may pose

Tailors the Due Diligence required to be performed on the prospect /client

ML/TF risk to the your FI /Bank Managed

Satisfies that the prospect / client does NOT pose a ML/TF risk

12


Key components of an effective KYC/CDD program

OBTAINClient Identity Information & Documentation

VERIFYClient Identity Information & Documentation

Written Customer Identification Program / Procedures

Customer Due Diligence

Name Screening

Sanctions Lists

Do-not-do Business Lists

Due Diligence or Enhanced Due Diligence (EDD)

Object: To enable the bank to form a reasonable belief that it knows the true identity of each customer.

Object: To enable the bank to verify facts about the client, including his reputation.

Object: To ensure that the bank does not establish a relationship with a sanctioned person, or with someone that the bank ought not to do business (e.g. previously rejected, or terminated clients, known criminals), etc.

Record Retention

13


KYC/CDD Controls Testing:What are some of the common flaws /problems with a KYC/EDD program?

KYC Policy / Procedures No written CIP / CDD / Name Search procedures

/ Records Retention procedures. Unclear procedures Fragmented procedures/processes (i.e. not

consolidated or centrally located) Not robust enough – in identifying and/or

mitigating certain High Risks Clients PLEASE REFER TO NEXT SLIDE Not timely in addressing regulatory changes

(Gaps & Remediation)14


KYC/CDD Program Regulatory Expectation - Enhanced Due Diligence for Higher-Risk Customers

The bank should consider obtaining, both at account opening and throughout the relationship, the following information on the customer:

• Purpose of the account. • Source of funds and wealth. • Individuals with ownership or control over the account, such as beneficial owners,

signatories, or guarantors.• Occupation or type of business (of customer or other individuals with ownership or

control over the account). • Financial statements. • Banking references. • Domicile (where the business is organized). • Proximity of the customer’s residence, place of employment, or place of business to the

bank. • Description of the customer’s primary trade area and whether international transactions

are expected to be routine. • Description of the business operations, the anticipated volume of currency and total

sales, and a list of major customers and suppliers. • Explanations for changes in account activity.

Source: FFIEC BSA/Aml Examination Manual http://www.ffiec.gov/bsa_aml_infobase/pages_manual/manual_online.htm

http://www.ffiec.gov/bsa_aml_infobase/pages_manual/manual_online.htm�

http://www.ffiec.gov/bsa_aml_infobase/pages_manual/manual_online.htm�


KYC/CDD Program assessment Common flaws in KYC/CDD Programs – SUMMARY (cont’d)

Training Business does not appreciate the ML/TF risks Bankers do not know how to complete a KYC Profile.

KYC / CDD Client Profiles Insufficient information on client’s Source of Wealth or Source of Funds DD /EDD not performed. Or, results not sufficiently documented for the

DD/EDD that was performed No quality control on what client or banker says about the client (i.e. no

independent corroboration / verification) The information is stale; as the client’s profile has not been periodically

reviewed and updated. Too many exceptions / deferrals on client documentation to be

obtained. These deferrals may not be tracked to ensure the documents are received

16


Leveraging audit findings to improve AML department processes

17

Review the past finding (s) Review the Corrective Action (s) that were

agreed to address the finding.

Ask: Has the Corrective Action addressed the ROOT CAUSE?


Applying the latest techniques to streamline testing and reporting procedures

18

Identify Key AML Risks and their controls Test the Controls – Design and Operating

Effectiveness Don’t just rely on deliverables from the

Auditee. Think how else can we test the Controls – Independent data requests from Technology?


AML Audit Cycle: Summary

19

Adequacy of AML Program

AML Policies, procedures, processes

Compliance with AML

obligations by staff

Data testing including

monitoring programs

Review of training records

Record keeping

Measure against prior assessments.

audits


20

AML Audit Report Flow

• Scope agreed

Phase 1

• Perform Audit

Phase 2• Report to

Board

Phase 3

• Action plans

Phase 4• Validate

Phase 5


21

Some Cases


Hong Kong’s Largest ML Case (24 Jan 2013)

• 22-yr old high school drop-out working as factory delivery man• Chiyu Bank (part of Bank of China (HK)): initial deposit of HK$500

in 2009, within 8 mos, HK$13bil. in transfers by internet (4,800 deposits & 3,500 transfers out)

• VERDICT: 10 ½ yrs imprisonment• KEY QUESTION: What is the consequence to the Bank? 22

HK: Jan to Nov 2012: 136 MLcases prosecuted & 147 people convicted


23

Jurisdiction: Hong Kong Indicators: 600 transactions over 2 years, with HKD1 mil in size Deposited HKD1.1 mil. In Jockey Club account, only HKD2K used for

betting Monthly salary of HKD23K

Case description: Wilson Ho Hung-yiu, 36, attached to the Traffic Accident Investigation Unit of Kowloon West, used three bank accounts and a Jockey Club account to manipulate the money between 2007 and 2009. Defendant claimed transactions were for his business, but Inland Revenue Dept records showed he neither owned a property or ran a business, and had not other sources of income.

Verdict: 3 years imprisonment

Living/Salary Standards Test


• Securities Fraud • Investment Adviser Fraud, • Mail Fraud • Wire Fraud• False Statements • Perjury• False Filings to the SEC • Theft from an employee

benefit plan • AND three counts of

money laundering

Tying it all together: Ponzi Scheme

“ I am not a banker but I know that $100bn going in and out of a bank account is something that should alert you to something,” Madoff told the Financial Times from his North Carolina prison.


2525

Thank you.

Questions?

Fortifying Your AML Audit with International Best...

Documents

Transcript of Fortifying Your AML Audit with International Best...