CBI REPORT ON AML COMPLIANCE IN THE CREDIT UNION SECTOR SAMPLE ACTION PLAN. Governance

Transcription

1 Governance Roles and responsibilities for Board, MLRO, Risk Officer, Compliance Officer, IA, Committees etc. defined and documented AML 1 as standing item on Board agenda Mechanism for escalation of AML issues in place Appropriate records maintained of Board discussions of AML Board proactive in discussing and assessing ML/TF issues and risks Board has an upstream focus on AML legislation MLRO has appropriate level of seniority to influence staff and senior management MLRO has appropriate time to devote to the role and experience and expertise to address issues promptly and appropriately MLRO provides regular training sessions to staff MLRO provides the Board with sufficiently detailed information to make informed and appropriate decisions MLRO produces regular M.I. to the Board regarding AML activities at the Credit Union (including an annual MLRO Report) Risk Based Approach A bespoke ML/TF risk assessment of the Credit Union to include all risk categories has been undertaken and documented (standalone or in AML Policy) Methodology for risk assessment documented 1 AML refers to AML, CFT and FS 1

2 Members classified in accordance with their level of risk Appropriate controls devised to mitigate risks and controls aligned to and embedded in operational procedures Risk assessment identifies gaps with action plan to address such gaps Risk assessment reviewed and approved by the Board annually and used to inform the Credit Union's approach to management of ML/TF risk Policies and procedures "Specific and relevant" AML policies and procedures "developed, implemented and reviewed at least annually" Involvement of key staff in development and ongoing improvement of AML policies and procedures CDD policy and procedures for opening of accounts Procedures for ongoing monitoring, determining the intended nature of the business relationship and identifying and, where necessary, verifying beneficial owner(s) Inactive account procedures CDD to be reviewed and, if necessary, updated when account reactivated Procedures for high risk scenarios e.g. large cash lodgements from businesses PEP and Financial Sanctions procedures STR and transaction monitoring procedures Training procedures Record retention policy and procedures 2

3 Training Relevant and tailored training provided to staff and key personnel involved in management of ML/TF risk Training provided to new hires and at least on an annual basis thereafter for Board members, staff and volunteers Training content reviewed and updated on a regular basis and signed-off by senior management Training includes an assessment/exam, which must be passed in order for training to be completed Enhanced training for senior management and staff in key roles Training records maintained and relevant M.I. circulated to senior management Record Keeping Documented record retention policy and procedures relating to all AML records Policies and procedures adhered to in practice Assurance testing conducted at appropriate intervals to ensure records are retained and/or destroyed in line with policy 3

4 Customer Due Diligence (CDD) Clear and detailed policies and procedures provided to staff setting out acceptable forms of ID&V for all member types Formal and documented process for escalation and approval of exceptions to CDD requirements Testing of CDD processes and files to ensure adherence in practice to all procedures Clubs, Societies and Company Accounts: Take steps to verify name, legal status, place of residence and purpose of club/society; Identify and verify at least two elected officials and/or signatories and/or directors; Identify and verify the beneficial owner(s) or controller(s) of the club, society or company; Conduct checks to ensure a company is a bona fide company registered in the State and obtain copies of constitutional documents. Minor accounts: Obtain verification of child's identity through a passport or birth cert; Where the parent/guardian is not a member of the Credit Union, standard ID&V procedures should be followed; Where the parent/guardian is a member of the Credit Union, opening of a minor account should be treated as a trigger event to review CDD; 4

5 Procedures in place to re-verify account holder when minor reaches adulthood; Appropriate systems and controls to monitor minor accounts Establish nature and intended purpose of business relationship at outset of the relationship don't assume Take measures to establish rationale for changes in behaviour/patterns of use and take appropriate steps "Detailed, documented assessment" determining scenarios where beneficial ownership may be a factor Politically Exposed Persons Systems and processes exist to enable Credit Union to determine if a member is a PEP at account take-on and during course of the business relationship Policies and procedures ensure effective management of PEP relationships including reporting to senior management, senior management sign-off and application of EDD including source of wealth and source of funds Existing Members Review and analysis of pre-1995 member files conducted to determine where CDD deficiencies exist and remediation plans in place to address shortcomings in CDD Trigger events used to prompt a review of existing CDD request for new loan/change of address/account review/account re-activation etc. 5

6 Higher Risk Scenarios Large cash lodgements from local businesses: Risk associated with this practice assessed and appropriate controls in place to mitigate the risk corroborate that business is cash intensive and level of turnover justifies large cash lodgements; Board has awareness and oversight of such practices and has reviewed and signed-off on risk assessment and controls; Procedures in place outlining CDD and ongoing monitoring requirements in respect of such practices Use of Member Accounts for Business Proceeds: Risk associated with this practice assessed and appropriate controls in place to mitigate the risk; Board has awareness and oversight of such practices and has reviewed and signed-off on risk assessment and controls; Procedures in place outlining CDD and ongoing monitoring requirements in respect of such practices 6

7 Ongoing Monitoring Approach to ongoing monitoring is appropriate to the business of the Credit Union and thresholds are set based on assessment of standard account activity and what would be deemed to be outside the norm Methodology for monitoring is documented Information obtained at outset of relationship to assist in determining whether account activity is in line with expectations Records maintained of ongoing monitoring conducted and resulting decisions made Suspicious Transaction Reporting Clear, documented procedures for internal and external reporting (reports should be in writing and acknowledged by MLRO and reports should be made within a reasonable timeframe) Staff and volunteers clear on their obligations to report and penalties for not doing so Relevant training provided to staff and volunteers including guidance as to activities that may be deemed suspicious and what constitutes a suspicion Staff encouraged to question reasons for unusual transactions subject to tipping-off considerations Appropriate records maintained of reports generated and decisions to report/nor report and rationale for such decisions In situations where the predicate offence is identified a separate report (in addition to the STR) is made to An Garda Siochana 7

8 EU Financial Sanctions Documented risk assessment of FS exposure Policies, procedures, systems and controls in place to facilitate adherence to FS obligations screen, escalate, freeze and report Frequency of screening is appropriate and aligned to documented risk assessment of FS exposure Implications of provision of new services considered e.g. international funds transfers CBI Report on AML Compliance in Banking Sector Additional points re risk assessment Policy and procedures to set out circumstances under which new business will not be accepted or existing business will be terminated Three (Four) lines of defence model encouraged: front line, risk, compliance and internal audit When/if outsourcing part of AML/CFT responsibilities there must be a contract or SLA in place 8