IIB - INTERNATIONAL BANKING ANTI-MONEY LAUNDERING SEMINAR
Practical Suggestions and Tips for an Effective BSA/AML Compliance Function - Risk Assessment and Transaction Monitoring
May 15, 2012
1 Copyright © 2012 Deloitte Development LLC. All rights reserved.
Disclaimer
This publication contains general information only and Deloitte Financial Advisory Services LLP is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.
Deloitte Financial Advisory Services LLP shall not be responsible for any loss sustained by any person who or entity which relies on this publication.
Challenges - Where is the risk?
Identifying where AML risk originates and how the factors interrelate can be a complicated task.
[Figure: diagram of interrelated AML risk sources - Customers (Trusts, Corps., PEPs, Individuals); Geographies; Transactions (Frequency, Volume, Value); Operations (Customers, Outsourcers, Service Providers, Affiliates); Channels (Internet, Telephone, In person); Products (Credit, Trade Finance, Corresp. Banking, Deposits); Regulation (Head Office, FATF, US)]
An Approach to BSA/AML (OFAC) Risk Assessment
Risk Assessment typically follows a three-step approach:
Step 1: Assessment of Inherent Risk
• Objective is to measure the risk of the entity or business units based on their business activities, irrespective of any controls
– For example, a business unit operating in a higher risk jurisdiction and/or offering higher risk products/services would have a higher inherent risk
Step 2: Assessment of Control Environment
• Objective is to assess the control environment in light of the mitigating controls implemented
– Examples of strong internal controls: clear policies and procedures, strong KYC processes, effective systems, training program and independent audit
Step 3: Determine Residual Risk
• Upon completion of Phases 1 and 2, determine residual risk, e.g., utilizing a Residual Risk Rating Matrix, based on the overall inherent and control assessment ratings.
– For example, a business unit with a higher inherent risk but strong governance, internal controls and/or systems may have a lower overall residual risk than a medium risk business unit with weak controls
Step 1: Assessment of Inherent Risk
• Inherent Risk is typically based on selecting relevant, broad categories of risk:
– Customer Base
– Products and Services
– Transactions
– Delivery Channels
– Geography/Jurisdictions
– Other
• These broad risk categories are then sub-divided into inherent risk factors derived from regulatory guidance and industry leading practices.
• This part of the assessment tends to be more quantitative in nature: greater reliance is placed on quantitative data to reduce subjectivity.
• Each inherent risk factor is assigned a weight based on its importance from an institutional, industry and regulatory perspective.
• The overall inherent risk is then derived from the results of the assessment and the weights assigned to each risk factor.
Step 1: Inherent Risk – Customer Base Risk Factors
As an example, the Customer Base risk category can be sub-divided into the following risk factors:
• Business/Occupation
– Industry type (i.e., the nature of the business conducted by a customer) is typically considered, given that certain industry types inherently present a higher sanctions risk than others
– NAICS code
• Ownership Type
– Individual vs. Business
– Public vs. Private
• Legal Entity Type
– e.g., Corporation, LLP, LLC, Sole Proprietor, Not-for-Profit
• Length of Relationship
– Typically, the longer the relationship the less risky the customer, because you know the customer and their expected business activity better
Step 1: Assessment of Inherent Risk - Illustration
Inherent AML risk is assessed across a defined set of main risk areas. Multiple risk factors are evaluated within each main risk area to determine the overall inherent AML risk for each entity/business assessed.
[Figure: risk model snapshot. Overall Inherent AML Risk is built from 5 main risk areas; examples of risk factors shown for each:
1. Customer Base Inherent Risk: maturity/stability, domicile/residency, PEP status, e-banking, indirect customers; individual/business, industry type, legal entity status, length of relationship
2. Product / Account Type Inherent Risk (portfolio of product offerings): sales finance, mortgages, life insurance, anonymous savings accounts; deposits, correspondent banking, credit
3. Transactional Inherent Risk (portfolio of transaction types): domestic transfers, cash deposits, international checks, international transfers; cash/checks, transfers, international/domestic wires, international/domestic ACH
4. Business Strategy Inherent Risk: M&A activity, business strategy changes, expected growth, product portfolio expansion, staff turnover
5. Geography Inherent Risk (country risk rating model): positive factors (FATF, EU, BIS) and negative factors (OFAC, NCCT, 311, offshore, etc.)
Legend: for each country / risk area / risk factor the inherent AML risk can be rated on a scale (rating scale not recoverable from the figure). A Summary Dashboard provides an overview of the overall risk for each country by the 5 main risk areas.]
Step 2: Mitigating Controls & Residual Risk
• Mitigating Controls are typically assessed across various categories, e.g.:
– Management: Structure, Oversight and Governance
– Policies and Procedures
– Training
– Systems
– Internal Testing, Controls, and Reporting
• Controls are assessed using a series of questions relevant to each category. This assessment tends to be more qualitative.
• Each control category is then assigned a weighting based on the importance that the institution places on the control.
• The overall control rating is then derived from the results of the assessment and the weights assigned to each control.
Step 2: Mitigating Controls - Illustration
Mitigating controls in the form of AML policies, procedures and processes are assessed for each entity/business assessed.
[Figure: control assessment model snapshot.
Assessment of controls - level determined by the max count of "N" answers for each control area:
  STRONG  0
  MEDIUM  2
  WEAK    3+
Sample control areas: P&P, AML Controls, Governance, Training, Risk Assessment, Screening, Auditing / Testing, AML Officer and Function, CIP / KYC / EDD.
Examples of questions (each with structured answers Y / N / N/A plus a comment, recorded separately for Policies & Procedures and for Process):
• Do you perform regular testing of adherence to the AML program, policies and procedures?
• Are all new employees required to attend and pass the initial AML training within the first months after being hired?
• Is the AML officer certified by the local authority or a recognized international organization (e.g., ACAMS)?
• Do you utilize an automated screening filter to match customer names against the watch list names?
• For all individual customers, do you at minimum obtain the name, DOB, residential address and identification number?
Summary Dashboard (provides a summary of the overall assessment of mitigating controls), one rating per category for Process and for Policies & Procedures:
                                        PROCESS   POLICIES & PROCEDURES
  I.    General Policies & Procedures   MEDIUM    STRONG
  II.   Governance                      STRONG    STRONG
  III.  Training                        STRONG    STRONG
  IV.   Risk Assessment                 WEAK      MEDIUM
  V.    Customer Risk Rating            WEAK      WEAK
  VI.   CIP / KYC / EDD                 MEDIUM    MEDIUM
  VII.  PEPs                            MEDIUM    STRONG
  VIII. Screening                       WEAK      WEAK
  IX.   Surveillance                    MEDIUM    MEDIUM
  X.    Reporting                       WEAK      WEAK
  XI.   Recordkeeping                   MEDIUM    STRONG
  XII.  Auditing / Testing              STRONG    MEDIUM
  OVERALL AML CONTROLS                  MEDIUM    STRONG]
Step 2: Residual Risk - Illustration
• Once the overall inherent risk and the control risk ratings are derived, residual risk can be determined. The matrix below is an example of how residual risk can be determined.
• Upon assessing their residual risk, an FI is better able to execute a more effective, risk-based transaction monitoring program, allocate resources to monitoring higher risk customers, identify training priorities, influence hiring practices, identify system development needs, and align due diligence with the level of risk.
Residual Risk Rating Matrix (rows: Final AML Controls Assessment; columns: Final Inherent Risk Assessment):
                       High       Moderate   Low
  Weak controls        High       Moderate   Low
  Moderate controls    High       Moderate   Low
  Strong controls      Moderate   Low        Low
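As an added worked example (not from the deck or from Deloitte), the three steps above as a small scoring routine in Python. The residual risk matrix and the count-of-"N" control thresholds are taken from the slides; the category weights, the 1-3 rating scale, the band cut-offs and the handling of a single "N" answer are constructed assumptions.

```python
from typing import Dict, List

# Residual Risk Rating Matrix copied from the slide:
# rows = Final AML Controls Assessment, columns = Final Inherent Risk Assessment.
RESIDUAL_MATRIX = {
    "Weak":     {"High": "High",     "Moderate": "Moderate", "Low": "Low"},
    "Moderate": {"High": "High",     "Moderate": "Moderate", "Low": "Low"},
    "Strong":   {"High": "Moderate", "Moderate": "Low",      "Low": "Low"},
}
# Constructed weights (assumption): the deck names the categories but gives no numbers.
INHERENT_WEIGHTS = {"customer_base": 0.30, "products_services": 0.25,
                    "transactions": 0.20, "delivery_channels": 0.10, "geography": 0.15}
CONTROL_WEIGHTS = {"governance": 0.25, "policies_procedures": 0.20, "training": 0.15,
                   "systems": 0.20, "testing_reporting": 0.20}

def inherent_risk(ratings: Dict[str, int]) -> str:
    """Step 1: weighted inherent score from per-category ratings 1 (low) .. 3 (high).
    The band cut-offs (<1.67 Low, <2.34 Moderate, else High) are an assumption."""
    score = sum(INHERENT_WEIGHTS[c] * ratings[c] for c in INHERENT_WEIGHTS)
    return "Low" if score < 1.67 else "Moderate" if score < 2.34 else "High"

def control_area_level(answers: List[str]) -> str:
    """Step 2, per control area: slide rule on the max count of "N" answers
    (0 -> Strong, 2 -> Medium, 3+ -> Weak). "N/A" and comments do not count;
    treating a single "N" as Medium is an assumption (the slide does not say)."""
    n_count = sum(1 for a in answers if a.strip().upper() == "N")
    return "Strong" if n_count == 0 else "Weak" if n_count >= 3 else "Moderate"

def overall_controls(area_answers: Dict[str, List[str]]) -> str:
    """Step 2, roll-up: weight the area levels (Strong=0, Moderate=1, Weak=2) into one
    controls band. The numeric scale and cut-offs are an assumption."""
    level_score = {"Strong": 0, "Moderate": 1, "Weak": 2}
    score = sum(CONTROL_WEIGHTS[a] * level_score[control_area_level(ans)]
                for a, ans in area_answers.items())
    return "Strong" if score < 0.5 else "Moderate" if score < 1.5 else "Weak"

def residual_risk(inherent: str, controls: str) -> str:
    """Step 3: look up residual risk in the slide's matrix."""
    return RESIDUAL_MATRIX[controls][inherent]

if __name__ == "__main__":
    # Constructed sample: a unit in higher-risk business lines with strong controls.
    ratings = {"customer_base": 3, "products_services": 3, "transactions": 2,
               "delivery_channels": 2, "geography": 3}
    answers = {"governance": ["Y", "Y", "Y"], "policies_procedures": ["Y", "N/A", "Y"],
               "training": ["Y", "Y"], "systems": ["Y", "Y", "Y"], "testing_reporting": ["Y", "Y"]}
    inh, ctl = inherent_risk(ratings), overall_controls(answers)
    print(inh, ctl, residual_risk(inh, ctl))  # High Strong Moderate
```

The sample shows the slide's own point: a higher inherent risk unit with strong controls lands at Moderate residual risk, while the same unit with two weak control areas would land at High.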
Supervisory Guidance on Model Risk Management
Joint release by the OCC (Bulletin 2011-12) and the Board of Governors of the Federal Reserve (SR Letter 2011-7)
OCC: http://www.occ.gov/news-issuances/bulletins/2011/bulletin-2011-12a.pdf
Fed: http://www.federalreserve.gov/bankinforeg/srletters/sr1107a1.pdf
What is a model?
Examples of Potential AML “Models”
Transaction Monitoring
Enterprise / BU Risk Assessment
Customer Risk Rating Process
Alert / Case Scoring
Typical AML Program
Documentation & Management
Documentation
• If it is not documented, it did not happen and does not exist.
• Documentation should be complete and comprehensive.
• Documentation needs to be updated / re-created as aspects of the model change (e.g., scenario or threshold changes).
• An exam is likely to begin with a documentation request.
Management
• Management oversight
– Meeting minutes where decisions are made
– Decisions incorporated into documentation
• Annual testing / validation
• Appropriate permissions granted to various systems
Contact Information
Peter Fitzgerald, Principal, Deloitte Financial Advisory Services LLP
212-436-5221
About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries.
Copyright © 2011 Deloitte Development LLC. All rights reserved. Member of Deloitte Touche Tohmatsu Limited