Juan Carlos Ramirez, VP, AML/ATF & Sanctions Audit, Scotiabank. Compliance and Risk Management

Transcription

1 Juan Carlos Ramirez, VP, AML/ATF & Sanctions Audit, Scotiabank Compliance and Risk Management

2 Governance Service providers Operational Risk Fraud AML Sanctions Risk Management Compliance Assessment Financial Reporting Cyber Security

3 Risk identification What can go wrong? Types of risk? So what? Risk evaluation / Measurement High / Moderate / Low, Materiality Impact, regulatory implications Quantitative vs qualitative Control identification Key controls Design Effectiveness Automated / Manual Mitigation / Remediation Additional control activities Action plan to mitigate the risk Monitoring / Reporting Consolidation Effective challenge

4 Risk Identification Risk Categories Client Risk PEPs, multiple locations, complex entity structures, cash intensive. Business relationship risk Trust, Lawyers, Accountants, Broker Dealers, Credit Union. Product / Service Risk Payable through accounts, wires, drafts. Delivery Channel Risk Non-face-to-face, Internet, telephone, intermediaries. Overall Inherent Risk Geographic location risk Branches in other Countries, not FATF members. Other relevant factors Sanctions, electronic payment services, privately owned ATMs

5 Qualitative/ Quantitative Annual Ongoing /Quality control Frequency Risk Assessment Identification Self Assessment 1 st line 2 nd line 3 rd line

6 Is just one element of the risk assessment Should be aligned with the inherent risk assessment It should be tailored to the size and operation of the institution Participation of the 3 lines 1 st line has the business knowledge 2 nd line has the knowledge about specific regulatory requirements and risk implications 3 rd line provides insight about issues identified and systemic problems

7 COSO Framework Risk Control Credit Market Liquidity ML/TF IT Control Environment Risk Assessment Control Activities Information and Communication Monitoring Activities AML/ATF Framework Risk Self Assessment of controls Client Business Product / Service Delivery channels Geographic location Other Relevant Training Policies and Procedures KYC/CDD /EDD/SOF Transaction Monitoring/ Reporting Specific Higher Risk

8 Not everyone in the organization perceives the AML Risk in the same way.

9 Roles and responsibilities Segregation of duties Frequency Authority levels Record retention How to manage exceptions escalation

10 Agreement in the perception of risk Identification of controls that mitigate the risk Identify the key one(s) How can we assess that the control is working as expected?

11 Policies Updated (regulatory requirements operation) Embedded on business areas Properly communicated awareness Standard in subsidiaries outside Canada Procedures Clear roles and responsibilities Who, how, when, where? Authority limits, exception management Reporting procedures Open reporting channels (Whistle Blower/Hot lines)

12 Training Documented training program Tailored to the business/process/unit Defined frequency Identification of individuals for mandatory training (Internal / External) Board Members and Senior Management

13 KYC / CDD Client identification procedures PEP identification procedures Sanction procedures IT controls mandatory fields / validations Onboarding verification and approvals Source of funds verification procedures Identification of higher risk clients

14 Transaction monitoring Assessment between the 1 st and 2 nd line All products / services should be included If there is an IT solution Review process adequacy of rules Effectiveness of the rules Mechanisms to monitor high risk customers Validation of mapping and interphases Data quality / Completeness

15 Record Keeping and Retention Paper records Controls to identify and retrieve customer information Clear retention periods (branch/unit warehouse) Periodic reviews of service providers Supervision of destruction process Periodic review of customer files - EDD Electronic records Back up process Logical access Adequate process to ensure the 5 years retention period and retrieval within 30 days

16 Transaction reporting Escalation of issues related to information requested and not received on time. Adequate supervision of cases before reporting for accuracy and completeness of information. Purpose Who, when, where? Structure of the transaction Typology and reason for suspicion Process to ensure self disclosure of errors and omissions.

17 Other High Risk Areas Use of Agents and Mandataries Fraud with Mortgage Loans and other products PEFPs Correspondent Banking Electronic Fund Transfers

18 Other High Risk Areas New and development technologies Cash shipment Bearer shares Trade Finance Drafts in other currencies