IIB - INTERNATIONAL BANKING ANTI-MONEY LAUNDERING SEMINAR

IIB - International Banking Anti-Money Laundering Seminar
Practical Suggestions and Tips for an Effective BSA/AML Compliance Function - Risk Assessment and Transaction Monitoring
May 15, 2012

Disclaimer
This publication contains general information only and Deloitte Financial Advisory Services LLP is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte Financial Advisory Services LLP shall not be responsible for any loss sustained by any person or entity that relies on this publication.
Copyright 2012 Deloitte Development LLC. All rights reserved.

Challenges - Where is the risk?
Identifying where AML risk originates and how the factors interrelate can be a complicated task.
[Diagram: sources of AML risk grouped as Customers (individuals, corporations, trusts, PEPs); Regulation (US, head office, FATF); Transactions (frequency, volume, value); Geographies; Operations; Channels (in person, internet, telephone); Products (credit, deposits, correspondent banking, trade finance); Outsourcers, service providers and affiliates.]

An Approach to BSA/AML (OFAC) Risk Assessment
Risk assessment typically follows a three-step approach:

Step 1: Assessment of Inherent Risk
Objective: measure the risk of the entity or business units based on their business activities, irrespective of any controls. For example, a business unit operating in a higher-risk jurisdiction and/or offering higher-risk products/services would have a higher inherent risk.

Step 2: Assessment of Control Environment
Objective: assess the control environment in light of the mitigating controls implemented. Examples of strong internal controls: clear policies and procedures, strong KYC processes, effective systems, a training program and independent audit.

Step 3: Determine Residual Risk
Upon completion of Steps 1 and 2, determine residual risk, e.g., using a Residual Risk Rating Matrix based on the overall inherent and control assessment ratings. For example, a business unit with a higher inherent risk but strong governance, internal controls and/or systems may have a lower overall residual risk than a medium-risk business unit with weak controls.

Step 1: Assessment of Inherent Risk
Inherent risk is typically based on selecting relevant, broad categories of risk:
- Customer Base
- Products and Services
- Transactions
- Delivery Channels
- Geography/Jurisdictions
- Other
These broad risk categories are then sub-divided into inherent risk factors derived from regulatory guidance and industry leading practices. This part of the assessment tends to be more quantitative in nature, relying on quantitative data to reduce subjectivity. Each inherent risk factor is assigned a weight based on its importance from an institutional, industry and regulatory perspective. The overall inherent risk is then derived from the results of the assessment and the weights assigned to each risk factor.

Step 1: Inherent Risk - Customer Base Risk Factors
As an example, the Customer Base risk category can be sub-divided into the following risk factors:
- Business/Occupation: industry type (i.e., the nature of the business conducted by the customer) is typically considered, given that certain industry types inherently present a higher sanctions risk than others; NAICS code
- Ownership Type: individual vs. business; public vs. private
- Legal Entity Type: e.g., corporation, LLP, LLC, sole proprietor, not-for-profit
- Length of Relationship: typically, the longer the relationship the less risky the customer, because the institution knows the customer and their expected business activity better

Step 1: Assessment of Inherent Risk - Illustration
Inherent AML risk is assessed across a defined set of main risk areas. Multiple risk factors are evaluated within each main risk area to determine the overall inherent AML risk for each entity/business assessed. For each country / risk area / risk factor the inherent AML risk is rated on a 5-point scale.

Sample main risk areas and examples of risk factors (risk model snapshot):
1. Customer Base Inherent Risk: maturity/stability; individual/business; domicile/residency; industry type; PEP status; e-banking; legal entity status; indirect customers; length of relationship
2. Product / Account Type Inherent Risk (portfolio of product offerings): sales finance; deposits; mortgages; correspondent banking; life insurance; credit; anonymous savings accounts
3. Transactional Inherent Risk (portfolio of transaction types): domestic and international transfers; cash/checks; cash deposits; domestic and international wires; domestic ACH
4. Business Strategy Inherent Risk: M&A activity; business strategy changes; expected growth; product portfolio expansion; staff turnover
5. Geography Inherent Risk (country risk rating model): positive factors (FATF, EU, BIS); negative factors (OFAC, NCCT, 311, offshore, etc.)

A Summary Dashboard provides an overview of the overall risk for each country by the 5 main risk areas.

Step 2: Mitigating Controls & Residual Risk
Mitigating controls are typically assessed across various categories, e.g.:
- Management: structure, oversight and governance
- Policies and procedures
- Training
- Systems
- Internal testing, controls and reporting
Controls are assessed using a series of questions relevant to each category. This assessment tends to be more qualitative. Each control category is then assigned a weighting based on the importance that the institution places on the control. The overall control rating is then derived from the results of the assessment and the weights assigned to each control.

Step 2: Mitigating Controls - Illustration
Mitigating controls in the form of AML policies, procedures and processes are assessed for each entity/business assessed. Each question is answered separately for Process and for Policies & Procedures with a structured answer (Y / N / N/A) plus a comment.

Sample control areas and example questions:
- Governance / AML Officer and Function: Is the AML officer certified by the local authority or a recognized international organization (e.g., ACAMS)?
- Training: Are all new employees required to attend and pass the initial AML training within the first months after being hired?
- CIP / KYC / EDD P&P: For all individual customers, do you at minimum obtain the name, DOB, residential address and identification number?
- Screening: Do you utilize an automated screening filter to match customer names against the watch list names?
- Auditing / Testing: Do you perform regular testing of adherence to the AML program, policies and procedures?

Assessment of controls: each control area is rated by the maximum count of N answers: 0 = STRONG; up to 2 = intermediate rating (label not legible in the transcription); 3+ = WEAK.

Summary Dashboard - overall rating of controls (ratings as captured; Process / Policies & Procedures where both survived):
I. General Policies & Procedures: STRONG
II. Governance: STRONG
III. Training: WEAK / WEAK
IV. Risk Assessment: (not captured)
V. Customer Risk Rating: WEAK / WEAK
VI. CIP / KYC / EDD: STRONG
VII. PEPs: (not captured)
VIII. Screening: WEAK / WEAK
IX. Surveillance: WEAK
X. Reporting: STRONG / STRONG
XI. Recordkeeping: STRONG / STRONG
XII. Auditing / Testing: STRONG
Overall AML Controls: STRONG

Step 2: Residual Risk - Illustration
Once the overall inherent risk and the control ratings are derived, residual risk can be determined. The matrix below is an example of how residual risk can be determined. Having assessed its residual risk, an FI is better able to execute a more effective, risk-based transaction monitoring program, allocate resources to monitoring higher-risk customers, identify training priorities, influence hiring practices, identify system development needs, and align due diligence with the level of risk.

Residual risk matrix (rows: Final AML Controls Assessment; columns: Final Inherent Risk Assessment):

                      High        Moderate    Low
Weak controls         High        Moderate    Low
Moderate controls     High        Moderate    Low
Strong controls       Moderate    Low         Low
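The three steps above (weighted inherent risk factors, control areas rated from their count of N answers, and the residual risk matrix) as one worked example. This is code added here, not code from the Deloitte deck. The residual matrix and the 0 / 3+ control thresholds are taken from the page; the factor weights and scores, the questionnaire answers, the numeric cut-offs for the weighted averages, and the MODERATE label for the 1-2 N band are assumptions.

```python
"""Three-step BSA/AML risk assessment: inherent risk -> controls -> residual.

Step 1: weighted inherent risk factors (1-5 scale) -> Low/Moderate/High.
Step 2: each control area rated from its count of "N" answers
        (0 -> Strong and 3+ -> Weak per the page; 1-2 -> Moderate is assumed).
Step 3: residual risk looked up in the page's residual risk matrix.
All weights, scores and answers below are constructed sample data.
"""
from dataclasses import dataclass

# Residual risk matrix from the page: rows = overall controls rating,
# columns = overall inherent risk rating.
RESIDUAL_MATRIX = {
    "Weak":     {"High": "High",     "Moderate": "Moderate", "Low": "Low"},
    "Moderate": {"High": "High",     "Moderate": "Moderate", "Low": "Low"},
    "Strong":   {"High": "Moderate", "Moderate": "Low",      "Low": "Low"},
}


@dataclass(frozen=True)
class RiskFactor:
    name: str
    weight: float  # relative importance of the factor (assumed values)
    score: int     # 1 (low) .. 5 (high), the page's 5-point scale


def inherent_risk(factors):
    """Weighted average of factor scores mapped onto Low/Moderate/High.
    Cut-offs (<2.5 Low, <3.5 Moderate, else High) are assumptions."""
    total_weight = sum(f.weight for f in factors)
    if total_weight <= 0:
        raise ValueError("factor weights must sum to a positive number")
    for f in factors:
        if not 1 <= f.score <= 5:
            raise ValueError(f"{f.name}: score {f.score} outside 1-5")
    weighted = sum(f.weight * f.score for f in factors) / total_weight
    if weighted < 2.5:
        return "Low"
    if weighted < 3.5:
        return "Moderate"
    return "High"


def control_area_rating(answers):
    """Rate one control area from its Y / N / N/A answers.
    N/A answers are not counted as control gaps."""
    n_count = sum(1 for a in answers if a.strip().upper() == "N")
    if n_count == 0:
        return "Strong"          # from the page
    if n_count <= 2:
        return "Moderate"        # assumed label for the 1-2 band
    return "Weak"                # 3+ from the page


def overall_controls(area_ratings, area_weights):
    """Weighted control rating across areas. The page says the institution
    weights each area; the numeric mapping (Weak=1, Moderate=2, Strong=3)
    and the cut-offs are assumptions."""
    value = {"Weak": 1, "Moderate": 2, "Strong": 3}
    total = sum(area_weights[a] for a in area_ratings)
    avg = sum(area_weights[a] * value[r] for a, r in area_ratings.items()) / total
    if avg < 1.67:
        return "Weak"
    if avg < 2.34:
        return "Moderate"
    return "Strong"


def residual_risk(inherent, controls):
    """Step 3: matrix lookup."""
    return RESIDUAL_MATRIX[controls][inherent]


def assess(factors, questionnaire, area_weights):
    """Run Steps 1-3 for one business unit and return all intermediate ratings."""
    inherent = inherent_risk(factors)
    areas = {area: control_area_rating(ans) for area, ans in questionnaire.items()}
    controls = overall_controls(areas, area_weights)
    return {"inherent": inherent, "control_areas": areas,
            "controls": controls, "residual": residual_risk(inherent, controls)}


# Constructed sample: a correspondent-banking unit in a higher-risk
# jurisdiction (high inherent risk) with a strong control environment.
SAMPLE_FACTORS = [
    RiskFactor("Customer base (PEPs, indirect customers)", 0.25, 4),
    RiskFactor("Products (correspondent banking)", 0.25, 5),
    RiskFactor("Transactions (international wires)", 0.20, 4),
    RiskFactor("Delivery channels (in person)", 0.10, 2),
    RiskFactor("Geography", 0.20, 4),
]
SAMPLE_QUESTIONNAIRE = {
    "Governance": ["Y", "Y", "Y"],
    "Training": ["Y", "N", "Y", "N/A"],
    "CIP / KYC / EDD": ["Y", "Y", "Y", "Y"],
    "Screening": ["Y", "Y"],
    "Auditing / Testing": ["Y", "Y", "N/A"],
}
SAMPLE_AREA_WEIGHTS = {"Governance": 2, "Training": 1, "CIP / KYC / EDD": 3,
                       "Screening": 2, "Auditing / Testing": 2}

if __name__ == "__main__":
    print(assess(SAMPLE_FACTORS, SAMPLE_QUESTIONNAIRE, SAMPLE_AREA_WEIGHTS))
```

With the sample data the unit rates High on inherent risk and Strong on controls, so the matrix gives a Moderate residual risk, which is the effect the slide describes: strong controls pull a high-inherent-risk unit down, while a moderate-inherent-risk unit with weak controls stays at Moderate.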

Supervisory Guidance on Model Risk Management
Joint release by the OCC (Bulletin ) and the Board of Governors of the Federal Reserve (SR Letter ).

What is a model? Examples of potential AML models:
- Transaction Monitoring
- Enterprise / BU Risk Assessment
- Customer Risk Rating Process
- Alert / Case Scoring
Draft - For Discussion Purposes

Typical AML Program
[Diagram only.]

Documentation & Management
Documentation
- If it is not documented, it did not happen and does not exist.
- Documentation should be complete and comprehensive.
- Documentation needs to be updated / re-created as aspects of the model change (e.g., scenario or threshold changes).
- An exam is likely to begin with a documentation request.
Management
- Management oversight
- Meeting minutes where decisions are made
- Decisions incorporated into documentation
- Annual testing / validation
- Appropriate permissions granted to various systems

Contact Information
Peter Fitzgerald, Principal, Deloitte Financial Advisory Services LLP

About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. Please see for a detailed description of the legal structure of Deloitte LLP and its subsidiaries.
Copyright 2011 Deloitte Development LLC. All rights reserved. Member of Deloitte Touche Tohmatsu Limited