Managing Risk Governance and Streamlining Reporting Processes · • Risk Assessment is the...

Managing Risk Governance and Streamlining Reporting ProcessesStreamlining Reporting Processes

Presenters:Nathaniel Cole, CAMS, Chief Executive Officer, Forensics & Compliance Institute

Eric Nii Boi Quartey, MICA, DipFM, ACIB, Head of Compliance & Anti-Money Laundering Reporting Officer, Merchant Bank Ghana Ltd

Exploring new ideas for governing the risk assessment

process, from senior-level oversight to project-level

Managing Risk Governance and Streamlining Reporting Processes

&

Identifying options for tailoring reports to the needs of

the business and senior management

Nathaniel Cole, CAMS, CPA, FCA, CFE, FCA, CFC, Cr.FA, CFF, SIRM

CEO, Forensics & Compliance Institute

Regional Director Nigeria- Professional Risk Managers International Association

(PRMIA)

process, from senior-level oversight to project-level

management

• Determining how to effectively communicate risk


• Determining how to effectively communicate risk

assessment results to your institution’s Board

• Integrating internal audit findings on risk

assessment process

Nathaniel Cole, CAMS, CPA, FCA, CFE, FCA, CFC, Cr.FA, CFF, SIRM

CEO, Forensics & Compliance Institute

Regional Director Nigeria- Professional Risk Managers International Association

(PRMIA)


Risk Assessment

• Risk Assessment is the foundation for all other AML/CFT Compliance

Process.

• The starting point for having a good handle in understanding the AML/CFT

faced by organizations is to have a good and effective risk assessment.

• Risk assessment is not an end by itself neither is it the beginning of an end.

43rd Annual AML & Financial Crime Conference, Africa

• Risk assessment is not an end by itself neither is it the beginning of an end.

• Risk Assessment is very fundamental to understanding the risk that entities

face in terms of risks.

• Risk assessment is an evaluation of the likelihood of an adverse event

occurring and the magnitude of impact should it occur.

• Risk assessment usually tries to answer the following three questions :

• - What can go wrong?

• - How likely is that to happen?

• - What would the consequences be if things went wrong?


THE FOUR AML/CFT RISK PILLARS

• Establishment and Implementation of Internal Controls

• Independent Testing of AML/CFT Program To Verify

Compliance


• Designated Compliance Officer for AML/CFT

• Adequate AML/CFT Training


State of Risk Assessment Process In Africa

• In Africa the state of risk assessment process for financial institutions is in a very poor state and still relatively undeveloped as most organizations do not have a good handle on their risk assessment.

• In 2012 the Deputy Governor, Financial System Stability, Central Bank of Nigeria (CBN), Dr. Chiedu K. Moghalu, spoke on “Risk-Ability: Risk Management Knowledge and Infrastructure for Nigeria’s Financial Services Industry,” at a Chief Risk Officers’ retreat.


• His conclusion in respect of Risk Management in respect of Nigerian Financial Institutions in regard to all risks management functions including AML/CFT Risk Management is that “

“RISK MANAGEMENT STILL AT RUDIMENTARY STAGE IN NIGERIA”

This sums up the state of overall risk management in Africa in general. When this is now taken to AML/CFT Risk Management, we can easily infer that it will be in the same state if not worse as it represents part of the risk universe faced by Financial Institutions in Africa.


How We View Risk Management and AML/CFT Risks

• Risk management is sometimes seen as a purely defensive strategy

• Risk management as a balance between Risk and Rewards

• The third way is the technical way of looking at risks by understanding the difference

between risk and uncertainty which in most cases can be quantified and sometimes

the variability cannot be quantified.

• In respect of AML risks some unfortunately sees them as purely a compliance issue

which to some is just a cost center that creates no value when in fact their


which to some is just a cost center that creates no value when in fact their

organizations strategy should account for all types of risks including AML/CFT Risks

which is now taking a toll on the financial community everywhere including Africa as

regulators are getting very serious in respect of managing and controlling the

AML/CFT Risks they face.


The AML/CFT Risk Assessment Process

• An assessment of the risk associated with the client and his/her potential vulnerability to being used for money laundering purposes.

• An assessment of the risk associated with the type of customer and the nature of their business or source of wealth.


• An assessment of the anticipated volume of activity (i.e. thresholds)

• A review of the relevant KYC information for all customers against PEP / Warning list databases.

• Local assessment criteria to reflect any money laundering risks specific to the operating environment in the country concerned.


Risk Assessment Quantitative Issues

• A well developed AML/CFT and documented risk based AML/CFT risk

assessment will assist Financial Institutions in identifying and measuring

their AML/CFT Risk Profile.

• This serves as the Foundation of the a risk based AML/CFT Compliance

Program that will support the identified Four Pillars.

• A subset of AML\CFT risk Assessment is now the country risk assessment

and quantitative values and the same rating used risk assessment should


and quantitative values and the same rating used risk assessment should

be used for country risk assessment.

• This will allow easy combination or consolidation of the Financial Institutions

combined AML/CFT and Sanctions Risk Rating.

• The methodology used in applying or maintaining an AML/CFT Risk

Assessment should be looked at in the context of building a business plan

for a new business in which several factors must be considered including

benchmarking. The same should be used for risk assessment.


Current Risk based Approach To KYC

• In most jurisdictions in Africa the most prevalent practice is to assign risk categories to clients (for example)

• Level 1 (representing low risk)• Level 2 (representing medium risk)• Level 3 (representing special or high risk


• Level 3 (representing special or high risk customers or accounts)

• The risk will determine the KYC information required and the subsequent intensity of management and monitoring of the account (Enhanced Due Diligence)

• The risk will also determine the account monitoring (risk-based account/transaction monitoring)


Flaws with Current Approach and Addressing the Flaws

• The traditional buckets of low, medium or high risk customer in some

quarters represent or present only a one-dimensional view of risk which is

not satisfactory in properly addressing the risks faced by Financial

Institutions.

• This one dimensional view of risk provides no differentiation in respect of

degrees of risks.


degrees of risks.

• A better approach is exploring other ways of dealing with these risks and to

have a more accurate view of ranking these risks, there should be a

process that will allow the analysis of an individual profile.


Exploring Ways To Address the Flaws in Bucket Risks Approach

• The individual risk profile should be combined or matched with the

individual’s social network. This is who are these individuals linked to and

how they are linked to the customer or client.

• In addition, which negative media are these linked individuals connected

with that is of interest to the Financial Institution.

• This negative media could be a direct or indirect link to the customer or

individuals.


individuals.

• This approach or methodology requires we assign value to measure the

degree of risk and it easier to focus on the highest risk first and down the

line in that order.

• Normally if the current RBA is used it will account for the typical assessment

criteria such as products, geography, historical transaction amounts etc.

and this can lead to erroneous classification or categorization of the

customer as low risk when in fact they should be classified as high risks

when their links and news issues are factored into the risk profile.


Exploring Dynamic Risk Management

• Requires Technical solutions to risk assessment and management

• It usually requires a daily risk surveillance model

• Optimal balance of risk mitigation required

• Alert Management issues would need to be addressed


• Alert Management issues would need to be addressed

• Introduction of classification or prioritization hierarchy into the screening

process or technology.

• Requires ordering alerts by risk and accuracy of the marching effort

• Provides a transparent framework which allows thresholds to be drawn and

provides an objective way to decide what the Financial Institution should

review and in what order based on the institutions requirements or risk

profile or risk appetite.


Way Forward To Dynamic Environment

• Financial Institutions must re-evaluate their AML/CFT programs and

address their weaknesses. This process can be jumpstarted by doing the

following:

- Understand the benefits of shifting from a static to a dynamic risk

management

- Do a cost benefit analysis to assess the viability for your financial institution


- Consider if rules based is best for you or maybe the more dynamic

principles based would be the better option.

- Implement solutions that will provide you with a more interconnected view of

risk with features such as link analysis

- Link monitoring features is also a good one to consider

- News monitoring is also another feature to consider


US Office of the Superintendent of Financial Institutions

(OSFI) Directive To Consider In Exploring New options

• Design EDD to Ensure more focus and attention is paid to higher risk

customers and the attention is also commensurate with the risk level

• Build an Enterprise-Wide Risk Assessment methodology and EDD

approach across all business lines for consistent and appropriate

identification and monitoring of high-risk clients

• Perform enhanced monitoring not just when on boarding but also at

transaction level and project level.


transaction level and project level.

• Make sure that EDD measures apply to all high risk situations and that they

address and mitigate the risk factors identified.

• Update customer information and changes to products etc. in a timely

fashion.

• Implement Effective CAMLO Oversight.


Exploring Ways To Conduct RBA Without The Country Risk

Assessment When Not Currently Available

We have offshore activities going on without the country risk

assessment as required by the Revised FATF RBA. We

therefore need to enhance the processes we use for such

assessment in the absence of the country risk assessment

which most countries are just starting to address.

Some steps to take to address this deficiency in information are:


Some steps to take to address this deficiency in information are:

1. Identify and isolate countries of greatest potential AML/CFT

Risk to the FI.

2. Core elements of an effective country risk assessment must

be reviewed.

3. Four key data sets are required and will be briefly addressed.


General Framework To Conduct Country Due Diligence

1. Countries of known direct business activity or future anticipated and

immediate anticipated business activity.

2. Countries of known association to the Financial Institution especially

through a counterparty, second or third-party relationships.


3. Countries identified as countries of indirect interest to the financial institution

4. Those other countries that may be deemed to have a material indirect

impact on the business conducted by the financial institution.


Next Step In Country Risk Identification-Data Gathering

Gather the data relating to the countries identified as presenting risk to the FI through the use of several public resources which are available to facilitate due diligence required to build and maintain the country risk assessment such as :

1. Keystone resources such as FATF, the EU Sanctions List, the USA PATRIOT ACT Section 311 list.


the USA PATRIOT ACT Section 311 list.

2. Official Government resources such as US Department of State, CIA, Organization for Economic Development and Co-Operative Development (OECD), IMF etc.

3. Third-party vendors and solutions providers such as Lexis-Nexis.

4. Global Media resources such as Wall Street Journal, the Economist, Financial Times etc.


Exploring New Approaches To Employee Risk On Projects

• An important aspect of adopting the Risk Based approach

• Ensure that the correct employee is employed

• Consult any relevant lists of bank employees dismissed that may be maintained

• Risk rate job categories


• Risk rate job categories

• Apply the risk-based approach to employee vetting –higher level of vetting for higher risk job categories

• Risk rating job categories allows the bank to structure the level and depth of AML training to be provided to employees


OTHER AREAS TO EXPLORE FOR RISK ASSESSMENT INNOVATION

• Integrating AML/CFT Risk Assessment into the FIs traditional

risk areas such as operational Risks is an option to be

explored.

• Each FI should move away from the integrated approach to

risk management and explore the Enterprise Risk

Management (ERM) Framework that cuts across all areas of


Management (ERM) Framework that cuts across all areas of

the enterprise risks with a holistic approach.

• If ERM is effectively applied, it will be a holistic approach

that will also cover AML/CFT risk assessments.



Business & Project Risk Assessment Conduct Risk Assessment of the following elements:

• – Bank’s risk appetite;

• – AML/TF Typologies;

• – Customer types;

• – Economic activity;


• – Economic activity;

• – Products and services;

• – Delivery channels;



Relationship Risk Assessment

– Assess overall client relationships (including duration, number of accounts,

products and services and activities).

– Conduct on-going risk assessments based on the aggregated risk of a

customer relationship


Linking Customer Risk with Due Diligence Requirements

Linking Channel Risk with Due Diligence Requirements


IMPLEMENTING A PEP RISK FRAMEWORK

• Using the AML Review Thinking Map, in all cases we need to have considered the following :

– Client Verification and Identification


– Client Verification and Identification

– Client Occupation and Business Activity

– Source of Funds

– Destination of Funds

– Product and Transaction Type (Types of

Funds)


STREAMLINING REPORTING PROCESSES FOR --DISCUSSION

• Identifying options for tailoring reports to the needs of the business and senior management.

• Purpose


• Purpose

• Audience

• Management needs

• Communication & Channels

• Integrating internal audit findings on risk

assessment process

• Independence

• Objectivity


STREAMLINING REPORTING PROCESSES FOR --DISCUSSION


• Objectivity

• Understanding of AML issues

• Internal Audit Review and Independent Testing

QUESTIONS?


Managing Risk Governance and Streamlining Reporting Processes · • Risk Assessment is the...

Documents

Transcript of Managing Risk Governance and Streamlining Reporting Processes · • Risk Assessment is the...