Sanctions Risk Management Symposium


1 Conducting Sound Audits of Sanctions Compliance Programs and Continued Reviews of Workflows and Processes to Identify Problems Before the Examiners Do
Tuesday, September 19, 2017, 1:30-2:30 PM
Michaela Arndt, Head, Sanctions Compliance, Americas and Group Head, US Sanctions, Standard Chartered Bank
Marie McCormack, Deputy Chief Compliance Officer & Associate General Counsel, AIG
Salvatore Scotto, Sanctions Compliance, Bank of China
Saskia Rietbroek, Principal, SanctionsAlert.com (moderator)
September 18-19, 2017, The Princeton Club, New York, NY

2 Sanctions Risk Management Symposium
Michaela Arndt, Head, Sanctions Compliance, Americas and Group Head, US Sanctions, Standard Chartered Bank
Practices for Testing and Validation of Sanctions Risk Appetite

3 Practices for Testing and Validation of Sanctions Risk Appetite
- Ring Fencing of Client Business Activities
- Transaction Monitoring and Investigations
- Periodic and Trigger Based CDD Reviews

4 Sanctions Risk Management Symposium
Marie McCormack, Deputy Chief Compliance Officer & Associate General Counsel, AIG
Compliance Testing Methodology

5 Compliance Testing Methodology - Plan Development
Elements of the plan: Assessment Unit; Key Stakeholders; Reporting; Timing; Output; Risk Assessment; Socialization; Procedures; Review Type; Quality Assurance; Scope; Assurance Functions; Periodic Re-evaluation

6 Compliance Testing Review - Methodology
Phases (legend: CORE / AS REQUIRED): Planning; Fieldwork; Reporting; Remediation

7 Compliance Testing Methodology - Components
Objectives by phase:
- Planning: to understand risks and controls, as well as confirm test procedures
- Fieldwork: to validate, via sampling, the operational effectiveness of controls
- Reporting: to document and confirm issues in a formal report that will be used to communicate results to management
- Remediation: to address issues identified and verify implementation
Components, in order across the four phases:
- Fact Gathering
- Process Walkthrough
- Identify Key Risks and Controls
- Assess Design of Key Controls
- Finalize Test Scope
- Develop Test Steps
- Identify Population and Sample Methodology
- Perform Testing
- Assess Effectiveness of Key Controls
- Identify Issues and Root Causes for Ineffective or Absent Key Controls
- Confirm Factual Accuracy with Process Owner
- Obtain Action Plans, Action Plan Owners, and Target Dates
- Share Issues with Management
- Agree on Action Plans, Action Plan Owners and Target Dates
- Assign Issue and Report Ratings
- Open Issue Follow-Up Periodically Until Closure

8 Salvatore Scotto, Sanctions Compliance, Bank of China
Evaluating the Effectiveness of the Screening Process

9 Systematic Testing Expectations
Transaction Monitoring Program:
- Risk Assessment
- Gap analysis between RA, Program and Products/Services/Customers & Counterparties
- End-to-End Testing of the TM Program
- Review of Policies & Procedures for Alert Handling
- Ongoing Testing & Analysis
Filtering Program:
- Risk Assessment and Program review
- Gap analysis between Filtering Program, Risks, Transactions & Product Profiles
- End-to-End Testing of the Filtering Program
- Review of Filtering Program Documentation
- Ongoing Testing & Analysis
Transaction Monitoring & Filtering Program:
- Identification of all Data Sources
- Data Validation & Mapping
- Review of Governance & Change Management
Remediation Plan

10 Testing Flow
Flow: Customer Identification and On-boarding; Verification against external and internal lists; Transaction Processing
Systems in scope: Client Database; Product (Deposits) Account Database; Product (Credit) Account Database; Product (Trade) Account Database; Transaction Processing Systems; Direct interface to interdiction software; Interdiction Software (OFAC, Internal Lists); Transaction Monitoring; Other Bank Products; List management
Test points:
- Is all data captured and verified?
- Is data manually added in to product account systems?
- Data quality testing
- List management control, process and governance
- Threshold and rules settings
- Scenario utilized testing

11 Sanctions Risk Management Symposium
Questions?
September 18-19, 2017, The Princeton Club, New York, NY

12 Bonus Slides Provided by

13 OFAC Enforcement Actions 2003 - Sept 2017: What Sanctions Program Was Violated?
[Chart; source data: OFAC. Analysis and compilation by SanctionsAlert.com. Programs shown: Cuba, Iran, Sudan, Yugoslavia, Libya, Kingpin/SDNT, Iraq, Burma, WMD, Terrorism]

14 Common Deficiencies in Sanctions Risk Assessment
- Not properly documented
- Did not incorporate all lines of business or entities
- Did not consider all major risk categories
- Policies did not specify frequency of risk assessment updates
- No documented methodology for assigning risk rankings
- Policies, procedures not commensurate with bank/company's risk profile
- Not aligned to policies and procedures

15 Common Deficiencies in Configuration of Sanctions List Screening
- Scanning against inapplicable watch lists offered by vendor
- Scanning against more lists than necessary
- Not scanning against relevant lists
- Inadequate mapping of data fields to watch lists
- Data integrity issues
- Inadequate algorithms/fuzzy logic
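The "scenario utilized testing" of the Testing Flow slide and the last two screening deficiencies above can be exercised with a small scenario test set. The following is an added example and not material from the slides: it runs a naive exact matcher and a normalized fuzzy matcher over a constructed watch list and a constructed set of name variants, and reports which scenarios each matcher gets wrong. The list names, the stop-word list, the 0.85 threshold and the use of difflib as a stand-in for a vendor matching algorithm are all assumptions.

```python
"""Constructed screening scenario test: compares a naive exact matcher with a
normalized fuzzy matcher against name variants a filtering program must catch."""
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed sample watch list entries; not real list data.
WATCH_LIST = [
    {"list": "OFAC_SDN", "name": "Juan Carlos Perez-Gomez"},
    {"list": "OFAC_SDN", "name": "Mohammed Al-Rashid"},
    {"list": "VENDOR_EXTRA", "name": "John Smith"},  # hypothetical vendor list, out of scope
]
APPLICABLE_LISTS = {"OFAC_SDN"}  # configuration: scan only the lists the risk assessment calls for

def normalize(name):
    """Strip accents, punctuation and case, drop honorifics/articles, sort tokens."""
    s = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    s = re.sub(r"[^a-z0-9 ]+", " ", s.lower())
    tokens = [t for t in s.split() if t not in {"mr", "mrs", "dr", "al", "el"}]
    return " ".join(sorted(tokens))

def exact_match(name):
    """Deficient matcher: exact string compare, and scans every list the vendor ships."""
    return [e["name"] for e in WATCH_LIST if e["name"] == name]

def fuzzy_match(name, threshold=0.85):
    """Normalized similarity match restricted to applicable lists; returns (name, score)."""
    q = normalize(name)
    hits = []
    for e in WATCH_LIST:
        if e["list"] not in APPLICABLE_LISTS:
            continue
        score = SequenceMatcher(None, q, normalize(e["name"])).ratio()
        if score >= threshold:
            hits.append((e["name"], round(score, 2)))
    return hits

# Constructed scenarios: (screened name, whether a hit is expected)
SCENARIOS = [
    ("Juan Carlos Perez-Gomez", True),
    ("PEREZ GOMEZ, Juan Carlos", True),   # surname-first, upper case
    ("Juan Carlos Pérez Gómez", True),    # accented characters
    ("Mohamed Al Rashid", True),          # transliteration variant
    ("John Smith", False),                # only on a list that is out of scope
    ("Maria Lopez", False),               # no list entry at all
]

def run_scenarios(matcher):
    """Return the scenario names whose outcome differs from the expectation."""
    return [name for name, expect in SCENARIOS if bool(matcher(name)) != expect]
```

Running `run_scenarios(exact_match)` shows four failures (three missed variants plus a false hit from the out-of-scope list); `run_scenarios(fuzzy_match)` returns an empty list for this set.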