Managing Risk Governance and


1 Managing Risk Governance and Streamlining Reporting Processes
Presenters:
- Nathaniel Cole, CAMS, Chief Executive Officer, Forensics & Compliance Institute
- Eric Nii Boi Quartey, MICA, DipFM, ACIB, Head of Compliance & Anti-Money Laundering Reporting Officer, Merchant Bank Ghana Ltd

2 Agenda
- Exploring new ideas for governing the risk assessment process, from senior-level oversight to project-level management
- Identifying options for tailoring reports to the needs of the business and senior management
Nathaniel Cole, CAMS, CPA, FCA, CFE, FCA, CFC, Cr.FA, CFF, SIRM
CEO, Forensics & Compliance Institute
Regional Director Nigeria, Professional Risk Managers International Association (PRMIA)

3 Agenda (continued)
- Determining how to effectively communicate risk assessment results to your institution's Board
- Integrating internal audit findings on risk assessment process

4 Risk Assessment
Risk assessment is the foundation for all other AML/CFT compliance processes. The starting point for having a good handle on the AML/CFT risks faced by organizations is a good and effective risk assessment. Risk assessment is not an end in itself, nor is it the beginning of an end. It is fundamental to understanding the risks that entities face.
Risk assessment is an evaluation of the likelihood of an adverse event occurring and the magnitude of impact should it occur. Risk assessment usually tries to answer the following three questions:
- What can go wrong?
- How likely is that to happen?
- What would the consequences be if things went wrong?

5 THE FOUR AML/CFT RISK PILLARS
- Establishment and Implementation of Internal Controls
- Independent Testing of AML/CFT Program To Verify Compliance
- Designated Compliance Officer for AML/CFT
- Adequate AML/CFT Training

6 State of Risk Assessment Process In Africa
In Africa the risk assessment process for financial institutions is in a very poor state and still relatively undeveloped, as most organizations do not have a good handle on their risk assessment.
In 2012 the Deputy Governor, Financial System Stability, Central Bank of Nigeria (CBN), Dr. Chiedu K. Moghalu, spoke on "Risk-Ability: Risk Management Knowledge and Infrastructure for Nigeria's Financial Services Industry" at a Chief Risk Officers retreat. His conclusion on risk management in Nigerian Financial Institutions, covering all risk management functions including AML/CFT Risk Management, is that RISK MANAGEMENT STILL AT RUDIMENTARY STAGE IN NIGERIA.
This sums up the state of overall risk management in Africa in general. When this is applied to AML/CFT Risk Management, we can easily infer that it will be in the same state if not worse, as it represents part of the risk universe faced by Financial Institutions in Africa.

7 How We View Risk Management and AML/CFT Risks
- Risk management is sometimes seen as a purely defensive strategy
- Risk management as a balance between Risk and Rewards
- The third way is the technical way of looking at risks: understanding the difference between risk and uncertainty, where the variability can in most cases be quantified but sometimes cannot.
- In respect of AML risks, some unfortunately see them as purely a compliance issue, which to some is just a cost center that creates no value, when in fact their organization's strategy should account for all types of risks, including AML/CFT Risks. These risks are now taking a toll on the financial community everywhere, including Africa, as regulators are getting very serious about managing and controlling the AML/CFT Risks they face.

8 The AML/CFT Risk Assessment Process
- An assessment of the risk associated with the client and his/her potential vulnerability to being used for money laundering purposes.
- An assessment of the risk associated with the type of customer and the nature of their business or source of wealth.
- An assessment of the anticipated volume of activity (i.e. thresholds).
- A review of the relevant KYC information for all customers against PEP / Warning list databases.
- Local assessment criteria to reflect any money laundering risks specific to the operating environment in the country concerned.

9 Risk Assessment Quantitative Issues
- A well-developed and documented risk-based AML/CFT risk assessment will assist Financial Institutions in identifying and measuring their AML/CFT Risk Profile. This serves as the foundation of a risk-based AML/CFT Compliance Program that will support the identified Four Pillars.
- A subset of the AML/CFT risk assessment is now the country risk assessment, and the same quantitative values and rating used for the risk assessment should be used for the country risk assessment. This will allow easy combination or consolidation of the Financial Institution's combined AML/CFT and Sanctions Risk Rating.
- The methodology used in applying or maintaining an AML/CFT Risk Assessment should be looked at in the context of building a business plan for a new business, in which several factors must be considered, including benchmarking. The same should be used for risk assessment.

10 Current Risk-Based Approach To KYC
In most jurisdictions in Africa the most prevalent practice is to assign risk categories to clients, for example:
- Level 1 (representing low risk)
- Level 2 (representing medium risk)
- Level 3 (representing special or high risk customers or accounts)
The risk will determine the KYC information required and the subsequent intensity of management and monitoring of the account (Enhanced Due Diligence).
The risk will also determine the account monitoring (risk-based account/transaction monitoring).

11 Flaws with Current Approach and Addressing the Flaws
- The traditional buckets of low, medium or high risk customer present only a one-dimensional view of risk, which is not satisfactory in properly addressing the risks faced by Financial Institutions.
- This one-dimensional view of risk provides no differentiation in respect of degrees of risk.
- A better approach is to explore other ways of dealing with these risks. To have a more accurate view when ranking these risks, there should be a process that allows the analysis of an individual profile.

12 Exploring Ways To Address the Flaws in Bucket Risks Approach
- The individual risk profile should be combined or matched with the individual's social network, that is, who these individuals are linked to and how they are linked to the customer or client.
- In addition, which negative media are these linked individuals connected with that is of interest to the Financial Institution? This negative media could be a direct or indirect link to the customer or individuals.
- This approach or methodology requires that we assign a value to measure the degree of risk, and it is then easier to focus on the highest risk first and work down the line in that order.
- Normally, if the current RBA is used, it will account for the typical assessment criteria such as products, geography, historical transaction amounts etc. This can lead to erroneous classification or categorization of the customer as low risk when in fact they should be classified as high risk once their links and news issues are factored into the risk profile.

13 Exploring Dynamic Risk Management
- Requires technical solutions to risk assessment and management
- It usually requires a daily risk surveillance model
- Optimal balance of risk mitigation required
- Alert management issues would need to be addressed
- Introduction of a classification or prioritization hierarchy into the screening process or technology
- Requires ordering alerts by risk and accuracy of the matching effort
- Provides a transparent framework which allows thresholds to be drawn and provides an objective way to decide what the Financial Institution should review, and in what order, based on the institution's requirements, risk profile or risk appetite

14 Way Forward To Dynamic Environment
Financial Institutions must re-evaluate their AML/CFT programs and address their weaknesses. This process can be jumpstarted by doing the following:
- Understand the benefits of shifting from a static to a dynamic risk management
- Do a cost-benefit analysis to assess the viability for your financial institution
- Consider whether a rules-based approach is best for you, or whether the more dynamic principles-based approach would be the better option
- Implement solutions that will provide you with a more interconnected view of risk, with features such as link analysis
- Link monitoring features are also good to consider
- News monitoring is another feature to consider

15 US Office of the Superintendent of Financial Institutions (OSFI) Directive To Consider In Exploring New Options
- Design EDD to ensure more focus and attention is paid to higher risk customers and that the attention is commensurate with the risk level.
- Build an Enterprise-Wide Risk Assessment methodology and EDD approach across all business lines for consistent and appropriate identification and monitoring of high-risk clients.
- Perform enhanced monitoring not just when onboarding but also at transaction level and project level.
- Make sure that EDD measures apply to all high risk situations and that they address and mitigate the risk factors identified.
- Update customer information and changes to products etc. in a timely fashion.
- Implement Effective CAMLO Oversight.

16 Exploring Ways To Conduct RBA Without The Country Risk Assessment When Not Currently Available
We have offshore activities going on without the country risk assessment as required by the Revised FATF RBA. We therefore need to enhance the processes we use for such assessment in the absence of the country risk assessment, which most countries are just starting to address. Some steps to take to address this deficiency in information are:
1. Identify and isolate countries of greatest potential AML/CFT Risk to the FI.
2. Core elements of an effective country risk assessment must be reviewed.
3. Four key data sets are required and will be briefly addressed.

17 General Framework To Conduct Country Due Diligence
1. Countries of known direct business activity or future anticipated and immediate anticipated business activity.
2. Countries of known association to the Financial Institution, especially through a counterparty, second or third-party relationships.
3. Countries identified as countries of indirect interest to the financial institution.
4. Those other countries that may be deemed to have a material indirect impact on the business conducted by the financial institution.

18 Next Step In Country Risk Identification: Data Gathering
Gather the data relating to the countries identified as presenting risk to the FI, using the several public resources available to facilitate the due diligence required to build and maintain the country risk assessment, such as:
1. Keystone resources such as FATF, the EU Sanctions List, the USA PATRIOT ACT Section 311 list.
2. Official Government resources such as US Department of State, CIA, Organization for Economic Development and Co-Operative Development (OECD), IMF etc.
3. Third-party vendors and solutions providers such as Lexis-Nexis.
4. Global Media resources such as Wall Street Journal, the Economist, Financial Times etc.

19 Exploring New Approaches To Employee Risk On Projects
- An important aspect of adopting the Risk Based approach
- Ensure that the correct employee is employed
- Consult any relevant lists of bank employees dismissed that may be maintained
- Risk rate job categories
- Apply the risk-based approach to employee vetting: higher level of vetting for higher risk job categories
- Risk rating job categories allows the bank to structure the level and depth of AML training to be provided to employees

20 OTHER AREAS TO EXPLORE FOR RISK ASSESSMENT INNOVATION
- Integrating AML/CFT Risk Assessment into the FI's traditional risk areas, such as operational risks, is an option to be explored.
- Each FI should move away from the integrated approach to risk management and explore the Enterprise Risk Management (ERM) Framework that cuts across all areas of the enterprise risks with a holistic approach.
- If ERM is effectively applied, it will be a holistic approach that will also cover AML/CFT risk assessments.

21 OTHER AREAS TO EXPLORE FOR RISK ASSESSMENT INNOVATION
Business & Project Risk Assessment
Conduct Risk Assessment of the following elements:
- Bank's risk appetite
- AML/TF Typologies
- Customer types
- Economic activity
- Products and services
- Delivery channels

22 OTHER AREAS TO EXPLORE FOR RISK ASSESSMENT INNOVATION
Relationship Risk Assessment
- Assess overall client relationships (including duration, number of accounts, products and services and activities).
- Conduct on-going risk assessments based on the aggregated risk of a customer relationship
- Linking Customer Risk with Due Diligence Requirements
- Linking Channel Risk with Due Diligence Requirements

23 IMPLEMENTING A PEP RISK FRAMEWORK
Using the AML Review Thinking Map, in all cases we need to have considered the following:
- Client Verification and Identification
- Client Occupation and Business Activity
- Source of Funds
- Destination of Funds
- Product and Transaction Type (Types of Funds)

24 STREAMLINING REPORTING PROCESSES: FOR DISCUSSION
Identifying options for tailoring reports to the needs of the business and senior management.
- Purpose
- Audience
- Management needs
- Communication & Channels

25 STREAMLINING REPORTING PROCESSES: FOR DISCUSSION
Integrating internal audit findings on risk assessment process
- Independence
- Objectivity
- Understanding of AML issues
- Internal Audit Review and Independent Testing

26 QUESTIONS?