Risk Based Approach and Enterprise Wide Risk Assessment
Edwin Somers / Inneke Geyskens-Borgions
26 September 2017

Contents
I. Risk Based Approach
II. Enterprise Wide Risk Assessment
II.1. Introduction
II.2. EWRA Process
II.3. EWRA Outcome
III. Conclusion: Implementation of the Risk Based AML/CFT Framework
2017 Deloitte Belgium

I. Risk Based Approach
Risk Based Approach: Regulatory framework
FATF 2014 Guidance for a Risk Based Approach in the Banking Sector
A Risk Based Approach to AML/CFT means that financial institutions are expected to:
- Identify, assess and understand the ML/TF risks to which they are exposed; and
- Take AML/CFT measures commensurate with those risks in order to mitigate them effectively.
Note: a Risk Based Approach does not exempt institutions from mitigating ML/TF risks where those risks are assessed as low.
The Risk Based Approach is the essential foundation of an AML/CFT framework.
The Risk Based Approach is the over-arching requirement applicable to all relevant FATF recommendations.

Risk Based Approach: Regulatory framework
Law of 20 July 2017
Stronger, more explicit and more general focus on the Risk Based Approach as the cornerstone for building an AML/CFT framework.
Risk Based Approach: Principles
Risk Based Approach (Law of 20 July 2017 / AMLD IV)
A risk based approach implies, more clearly than before, that all measures (at organisation, business and transaction level) should aim at avoiding or minimising the risk of being misused for money laundering or terrorist financing purposes.
A risk based approach should enable financial institutions to take less extensive measures in situations where the risk is limited. The resources freed up in this way should be used for more extensive measures in situations where the risk is higher.
Gain in efficiency: this requires in-depth and up-to-date knowledge of, and insight into, the ML/TF risks, which is what the Enterprise Wide Risk Assessment (EWRA) provides.

Risk Based Approach: Components
The Risk Based Approach consists of two components:
1. Risk assessment: identification, assessment and monitoring of the ML/TF risks at entity (and group) level. The Enterprise Wide Risk Assessment (entity/group level) is distinct from the Individual Risk Assessment (client level).
2. Risk mitigation: implementation of risk-sensitive measures to manage and mitigate the ML/TF risks.
The Risk Based Approach:
- Is considered the essential foundation of an adequate AML/CFT framework and the overarching requirement that must be complied with when applying the other AML/CFT requirements.
- Is not a zero-failure approach.
- Allows financial institutions to apply preventive measures commensurate with the nature of the risks to which they are exposed, which means the measures must be evidence based.
All measures should aim at limiting the risk of being used for ML/TF.

Risk Based Approach: Risk Mitigation
To mitigate the ML/TF risks to which they are exposed, financial institutions must implement risk-based customer due diligence (CDD) and ongoing monitoring measures.
Financial institutions should be able to prepare a customer risk profile. This profile determines the level and type of customer due diligence and ongoing monitoring, and supports the institution's decision whether to enter into, continue or terminate the business relationship.
The risk criteria and profiles must be reviewed periodically, and a review is also needed when circumstances change or when relevant new threats emerge.
The criteria and parameters used to allocate a risk level to each cluster of customers must be properly documented and communicated to relevant personnel within the financial institution. This approach must be applied consistently.
The extent of the customer due diligence and ongoing monitoring measures may be adjusted in line with the ML/TF risk associated with an individual business relationship:
- The extent of the measures applied must increase where the ML/TF risks associated with a business relationship are higher.
- The extent of the measures applied may decrease where the ML/TF risks associated with a business relationship are lower.
CDD intensity scale: Simplified CDD < Normal CDD < Enhanced CDD.
Risk Based Approach: A model for a risk-based approach
(Template for discussion purposes only; diagram not reproduced here.)

Risk Based Approach: Risk Based Approach vs. risk appetite
Risk appetite is the level of risk an institution is willing to take. Finding the balance between the risk appetite and the strategic objectives pursued in search of value and profit is challenging and dynamic.
Institutions that choose to take on higher risk should demonstrate a high level of scrutiny and enhanced due diligence measures that allow them to comply with their AML/CFT obligations. This can increase:
- The cost of compliance.
- Regulator concern about the level of compliance.
II. Enterprise Wide Risk Assessment (EWRA)

II.1. Introduction

Enterprise Wide Risk Assessment: key principles
- Must be aligned with the nature, complexity and size of the activities being carried out.
- Must be properly documented and communicated to relevant personnel within the financial institution.
- Must be reviewed periodically and when circumstances change or relevant new threats emerge.
- Must consider all relevant inherent risk factors at the country, sectoral, group, entity and business relationship level. The assessment must be performed in a holistic manner.
- Must be performed on the basis of a formally documented risk assessment methodology and approach. This approach must be applied consistently.
- The data collected for the Enterprise Wide Risk Assessment is aligned with the data requested in the questionnaire of the NBB (National Bank of Belgium).

Risk Based Approach: Regulatory framework, Law of 20 July 2017
II.2. EWRA Process

Enterprise Wide Risk Assessment: Approach
The risk assessment typically follows a 3-phase approach:
- Phase 1: assessment of the inherent risk. Must consider all relevant inherent risk factors at the customer/entity, products/services, transactions, channels and geographical level. The assessment must be performed in a holistic manner. It enables financial institutions to understand how, and to what extent, they are vulnerable to ML/TF.
- Phase 2: assessment of the mitigating controls. The exposure to ML/TF is measured through an assessment of the mitigating controls. These are assessed across various control categories, e.g. corporate governance, KYC/CDD/EDD, STR reporting, training and record keeping.
- Phase 3: assessment of the residual risk. The residual risk is obtained by combining the inherent risk with the overall controls rating.

Enterprise Wide Risk Assessment: High-level overview of the process
2.1. Set up methodology
2.2. Identification and analysis of risk factors
2.3. Set up risk based approach
2.4. Target Operating Model (To Be)
Work streams and their deliverables:
Methodology
- Elaboration and set-up of the methodology
- Mapping of risk indicators and risk factors
- Mapping of control measures
- Define, explain and document the scoring and aggregation techniques
Data collection
- Set up the data request
- Collect data
Risk analysis
- Calculate inherent risk
- Calculate control measures
- Calculate residual risk
Report
- EWRA report
Risk appetite
- Decision on acceptable risk levels
Key characteristics: tailor made and data driven.
Enterprise Wide Risk Assessment: Process flow
An effective AML/CFT compliance programme starts with an in-depth Enterprise Wide Risk Assessment.
1. Scope: define the scope and structure of the organisation and its business lines.
2. Inherent risk assessment: select the risk categories and factors to assess, and determine the inherent risk present in all business lines and enterprise-wide.
3. Controls assessment: assess the design and operating effectiveness of the mitigating controls.
4. Residual risk: highlight risk categories without sufficient mitigation and the business lines posing the greatest risk, and evaluate the results against the institution's risk appetite statement.
5. Action plan and reporting (TOM): develop an action plan for underperforming controls based on the identified gaps, create reporting and prepare documentation for audit purposes.
Risk categories and risk factors (non-exhaustive):
- Customers: ownership structure; industry; PEPs.
- Products and services: high degree of anonymity or limited (text cut off on the page); high degree of cash or cash equivalents; readily/frequently move value from one jurisdiction to another.
- Transactions: high degree of anonymity.
- Channels: account origination; account servicing.
- Geographies: location of business; location of customers; origin/destination of transactions.
- Other qualitative factors: recent/expected growth; new products/services.

Enterprise Wide Risk Assessment: Phase 1, Inherent Risk Assessment
Process steps: Scope > Inherent risk assessment > Controls assessment > Residual risk > Action plan and reporting
Inherent ML/TF risk is assessed across 8 main risk areas: Customers, Products, Services, Transactions, Channels, Geographies, Qualitative Risks and Emerging Risks. Multiple risk factors are evaluated within each main risk area to determine the overall inherent AML/CFT risk for each business line and Enterprise-Wide.
Risk level scaling:
- For each risk sub-factor the risk is rated on a 5-point scale: Very High = 5, High = 4, Medium = 3, Low = 2, Very Low = 1.
- For each risk category and risk factor the inherent AML/CFT risk is rated on a 3-point scale: High = 3, Medium = 2, Low = 1.
Risk model snapshot (examples for illustration purposes only). Ratings are given per business line (Retail, Corporate, Private) and consolidated Enterprise-Wide. For a primary risk area the weight is its share of the overall inherent risk; for an underlying risk factor the weight is its share within its risk area.

ID   | Inherent risk area / risk factor (ML/TF)                                                        | Retail | Corporate | Private | Enterprise-Wide | Weight
1    | Customers                                                                                       | Medium | High      | Medium  | Medium          | 20%
1.1  | Legal form / ownership structure                                                                | Low    | High      | High    | Low             | 25%
1.2  | Aging of customer relationship                                                                  | Low    | Medium    | Medium  | Low             | 10%
1.3  | PEP status                                                                                      | High   | High      | High    | High            | 25%
1.4  | Industry                                                                                        | High   | High      | Low     | High            | 25%
1.5  | Customer risk rating                                                                            | Low    | Medium    | High    | Low             | 5%
1.6  | High risk customer attribute                                                                    | Low    | Low       | Low     | Low             | 5%
1.7  | Client relationship, unusual circumstances                                                      | Medium | Low       | Low     | Medium          | 5%
2    | Products                                                                                        | High   | Medium    | Medium  | High            | 15%
2.1  | Products                                                                                        | High   | Medium    | Medium  | High            | -
3    | Services                                                                                        | High   | Medium    | Medium  | High            | 10%
3.1  | Services                                                                                        | High   | Medium    | Medium  | High            | -
4    | Transactions                                                                                    | Medium | Low       | Low     | Medium          | 20%
4.1  | Transaction type                                                                                | Medium | Low       | Low     | Medium          | 80%
4.2  | Transaction amount                                                                              | Low    | Low       | Low     | Low             | 20%
5    | Channels                                                                                        | Medium | Low       | Low     | Medium          | 10%
5.1  | Account origination                                                                             | Medium | Low       | Low     | Medium          | 60%
5.2  | Servicing method                                                                                | High   | Low       | Low     | High            | 40%
6    | Geographies                                                                                     | Low    | Medium    | High    | Medium          | 15%
6.1  | Location of operations                                                                          | Low    | Low       | Low     | Low             | 10%
6.2  | Location of customers and related parties                                                       | Low    | High      | High    | High            | 50%
6.3  | Origin/destination of transactions                                                              | Low    | Low       | High    | Low             | 40%
7    | Qualitative risks                                                                               | High   | Medium    | Medium  | Medium          | 5%
7.1  | Stability of customer base                                                                      | Low    | Low       | High    | Medium          | 2%
7.2  | Integration of IT systems (providing a holistic view of customers)                              | Low    | Low       | High    | Medium          | 4%
7.3  | Recent AML/CFT compliance employee turnover                                                     | High   | Low       | Low     | Medium          | 10%
7.4  | Recent AML/CFT first-line employee (e.g. front office) turnover in the past year                | Medium | Medium    | High    | Medium          | 5%
7.5  | Recent introduction of new products/services/channels                                           | High   | Medium    | Medium  | Medium          | 2%
7.6  | Impacted by any acquisitions / mergers / portfolio purchases                                    | Low    | Low       | Low     | Low             | 2%
7.7  | Recent special projects related to AML compliance (e.g. PEP remediation, KYC remediation)       | Medium | Medium    | Medium  | Medium          | 5%
7.8  | AML regulatory changes during the last year                                                     | Medium | Medium    | Medium  | Medium          | 15%
7.9  | Third-party vendor reliance / partners (outsourcing of key AML programme controls)              | High   | Low       | Low     | Medium          | 30%
7.10 | Recent internal audit and/or examination findings identifying a significant or material AML/CFT issue | High | Low   | Low     | Medium          | 5%
7.11 | First-line monitoring and testing results identifying a significant or material AML/CFT issue   | High   | High      | High    | High            | 10%
7.12 | Second-line monitoring and testing results identifying a significant or material AML/CFT issue  | Medium | Medium    | Medium  | Medium          | 5%
7.13 | Recent NBB findings after inspection                                                            | High   | High      | High    | High            | 5%
8    | Emerging risks                                                                                  | Medium | Medium    | Low     | Medium          | 5%
8.1  | Expected account/customer/revenue growth                                                        | Low    | Low       | Low     | Low             | 20%
8.2  | Planned introduction of new products/services/channels                                          | High   | Medium    | Low     | Medium          | 20%
8.3  | Planned acquisitions by <Company A>                                                             | Low    | Low       | Low     | Low             | 20%
8.4  | Planned strategy changes                                                                        | Medium | Medium    | Low     | Medium          | 20%
8.5  | Expected regulatory changes/requirements (e.g. AML 4th/5th directive)                           | High   | High      | High    | High            | 20%
     | Overall inherent ML/TF risk                                                                     | Medium | Medium    | Medium  | Medium          | 100%
     | Subjective change / override                                                                    | Medium | Medium    | Medium  | Medium          | 100%

The weights of the primary risk areas (rows 1 to 8) and of the underlying factors within each area each add up to 100%; that check is the first thing to verify when a model such as this is maintained in a spreadsheet. The "Subjective change / override" row records any expert-judgement adjustment of the calculated overall rating, and should be documented with its rationale.
- Examples for illustration purposes only -
Enterprise Wide Risk Assessment: Phase 2, AML/CFT Controls Assessment
Process steps: Scope > Inherent risk assessment > Controls assessment > Residual risk > Action plan and reporting
Mitigating controls, in the form of AML/CFT policies, procedures and processes, are assessed for each business line and Enterprise-Wide in terms of design and operating effectiveness.
Control level scaling (a lower score is the stronger control):
- For each control area, the design is assessed on a 3-point scale: Partly or insufficiently consistent = 3, Largely consistent = 2, Fully consistent = 1.
- For each control area, the operating effectiveness is assessed on a 3-point scale: Partly or insufficiently effective = 3, Largely effective = 2, Fully effective = 1.
11 control areas, e.g.:
- AML/CFT Roles and Responsibilities
- Training and Awareness
- IC Enterprise-Wide Risk Assessment and Risk-Based Approach
- IC Customer Due Diligence
- IC Suspicious Activity Report / Suspicious Transaction Report Filing
Examples of questions on operating effectiveness:
- Does the AML/CFT Officer have the necessary authority, independence and resources to effectively execute all duties?
- Is AML/CFT training (general awareness, targeted/role-based) updated on a periodic basis?
- Have you performed an AML/CFT risk assessment in the last 12-18 months?
- Do you obtain and retain identifying information on the beneficial owner of each customer?
- Is all identified ML/TF-related activity reported in a timely manner to the respective supervisory body (e.g. CTIF-CFI, Treasury, ...)?
- Examples for illustration purposes only -

Enterprise Wide Risk Assessment: Phase 3, Residual Risk Assessment
Process steps: Scope > Inherent risk assessment > Controls assessment > Residual risk > Action plan and reporting
Residual risk is derived by combining the mitigating controls rating with the inherent ML/TF risk for every business line and Enterprise-Wide. The result is presented in a heat map.
Residual risk scaling: residual risk is defined for every business line and Enterprise-Wide according to the matrix below (rows: AML/CFT controls rating; columns: ML/TF inherent risk).

AML/CFT controls                              | Inherent: Low      | Inherent: Medium    | Inherent: High
Fully consistent/effective                    | Low                | Low tending Medium  | Medium
Largely consistent/effective                  | Low tending Medium | Medium              | Medium tending High
Partly or insufficiently consistent/effective | Medium             | Medium tending High | High

- Examples for illustration purposes only -
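The three phases above, carried through end to end in code. This is an added worked example, not Deloitte's model and not the deck's own tooling: the 5-point and 3-point scales, the control scale and the residual-risk matrix are taken from the slides, while the aggregation rules are assumptions, since the deck says the scoring and aggregation techniques are tailor-made per institution. The assumptions are: a risk area is the weighted average of its sub-factors' 5-point scores cut at 2.5 and 3.5; the overall inherent risk is the weighted average of the areas' 3-point scores rounded to the nearest level; a control area is rated at the weaker of its design and operating-effectiveness ratings and the overall control rating is the rounded mean. The input is the Retail column of the illustrative snapshot (constructed from the slide, with Customers, Products, Services and Qualitative risks entered at area level to keep the block short) plus constructed control ratings.

```python
"""Toy EWRA model: inherent risk (Phase 1) -> controls (Phase 2) -> residual risk (Phase 3).
Added example; scales and matrix from the slides, aggregation rules are ASSUMPTIONS."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SUBFACTOR_SCORE = {"Very Low": 1, "Low": 2, "Medium": 3, "High": 4, "Very High": 5}
CATEGORY_SCORE = {"Low": 1, "Medium": 2, "High": 3}
# Control rating (design or operating effectiveness): 1 = fully, 2 = largely,
# 3 = partly/insufficiently consistent or effective.
RESIDUAL_MATRIX = {  # [control rating][inherent level] -> residual level (Phase 3 slide)
    1: {"Low": "Low", "Medium": "Low tending Medium", "High": "Medium"},
    2: {"Low": "Low tending Medium", "Medium": "Medium", "High": "Medium tending High"},
    3: {"Low": "Medium", "Medium": "Medium tending High", "High": "High"},
}


@dataclass
class Category:
    name: str
    weight: float                  # share of the overall inherent risk (fraction)
    factors: List[tuple] = field(default_factory=list)  # (name, weight, 5-point rating)
    rating: Optional[str] = None   # 3-point rating, used when no sub-factors are listed


def check_weights(weights: List[float], label: str) -> None:
    """Weights that do not add up to 100% silently skew the model, so fail loudly."""
    total = sum(weights)
    if abs(total - 1.0) > 1e-9:
        raise ValueError(f"{label}: weights sum to {total:.0%}, expected 100%")


def category_level(cat: Category) -> str:
    """Weighted 1..5 sub-factor score mapped to Low/Medium/High (assumed cut-offs)."""
    if not cat.factors:
        return cat.rating
    check_weights([w for _, w, _ in cat.factors], cat.name)
    score = sum(w * SUBFACTOR_SCORE[r] for _, w, r in cat.factors)
    return "Low" if score <= 2.5 else "Medium" if score <= 3.5 else "High"


def inherent_risk(categories: List[Category]) -> Dict[str, str]:
    """Phase 1: level per risk area plus the overall inherent level for one business line."""
    check_weights([c.weight for c in categories], "risk areas")
    levels = {c.name: category_level(c) for c in categories}
    score = sum(c.weight * CATEGORY_SCORE[levels[c.name]] for c in categories)
    nearest = int(score + 0.5)  # round() would apply banker's rounding at x.5
    levels["Overall"] = {1: "Low", 2: "Medium", 3: "High"}[nearest]
    return levels


def controls_rating(areas: Dict[str, tuple]) -> int:
    """Phase 2: each area is (design, operating effectiveness) on the 1..3 scale.
    An area is only as good as its weaker rating; the overall is the rounded mean."""
    per_area = [max(design, operating) for design, operating in areas.values()]
    return int(sum(per_area) / len(per_area) + 0.5)


def residual_risk(inherent: str, control: int) -> str:
    """Phase 3: matrix look-up of the residual risk level."""
    return RESIDUAL_MATRIX[control][inherent]


def apply_override(model_level: str, new_level: str, rationale: str) -> Dict[str, str]:
    """A subjective override keeps the model outcome next to the final one and
    requires a written rationale, so the decision stays traceable for audit."""
    if not rationale.strip():
        raise ValueError("override without rationale is not allowed")
    return {"model": model_level, "final": new_level, "rationale": rationale}


# Constructed input: the Retail column of the illustrative snapshot on the slides.
RETAIL = [
    Category("Customers", 0.20, rating="Medium"),
    Category("Products", 0.15, rating="High"),
    Category("Services", 0.10, rating="High"),
    Category("Transactions", 0.20, [("Transaction type", 0.8, "Medium"),
                                    ("Transaction amount", 0.2, "Low")]),
    Category("Channels", 0.10, [("Account origination", 0.6, "Medium"),
                                ("Servicing method", 0.4, "High")]),
    Category("Geographies", 0.15, [("Location of operations", 0.1, "Low"),
                                   ("Location of customers and related parties", 0.5, "Low"),
                                   ("Origin/destination of transactions", 0.4, "Low")]),
    Category("Qualitative risks", 0.05, rating="High"),
    Category("Emerging risks", 0.05, [("Expected growth", 0.2, "Low"),
                                      ("Planned new products/services/channels", 0.2, "High"),
                                      ("Planned acquisitions", 0.2, "Low"),
                                      ("Planned strategy changes", 0.2, "Medium"),
                                      ("Expected regulatory changes", 0.2, "High")]),
]
# Constructed (design, operating effectiveness) ratings for four of the control areas.
RETAIL_CONTROLS = {
    "Roles and responsibilities": (1, 1),
    "Training and awareness": (1, 2),
    "Customer due diligence": (2, 2),
    "STR filing": (1, 3),
}


def run_retail() -> Dict[str, str]:
    """End-to-end run for the constructed Retail business line."""
    levels = inherent_risk(RETAIL)
    control = controls_rating(RETAIL_CONTROLS)
    levels["Controls"] = str(control)
    levels["Residual"] = residual_risk(levels["Overall"], control)
    return levels


if __name__ == "__main__":
    for name, level in run_retail().items():
        print(f"{name:18} {level}")
```

With these assumed cut-offs the weighted averages reproduce the Retail ratings shown in the snapshot for Transactions (Medium), Channels (Medium), Geographies (Low) and Emerging risks (Medium), and an overall inherent level of Medium; with the constructed control ratings the overall control rating is 2 (largely consistent/effective) and the residual risk is Medium. The weight check and the mandatory rationale on an override are the two controls a reviewer or supervisor will ask for first when the model lives in a spreadsheet.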
II.3. EWRA Outcome

Enterprise Wide Risk Assessment (EWRA): Examples
- Examples for illustration purposes only -

III. Conclusion: Implementation of the Risk Based AML/CFT Framework
3. Conclusion: Implementation of the Risk Based AML/CFT Framework
Central element: Enterprise Wide Risk Assessment (EWRA)
1. Risk identification and awareness as the starting point. In order to build their own RBA, firms need a clear, consistent, documented and data-driven view of their ML/TF risks.
2. A tailor-made Risk Based Approach. All policies, procedures, processes and controls should be risk based, taking into account the necessary granularity at the level of the firm.
3. Need to optimise the management of the onboarding and review processes. Strengthened definitions and CDD requirements will impact the risk categories and the review of existing customers (adapted definition of UBOs, inclusion of domestic PEPs, ...). More detailed CDD information and documentation requirements will lead to longer and more thorough onboarding processes, more review and analysis, etc.
4. A data-driven model. More detailed customer and transaction information requirements and a closer follow-up of the client will lead to a considerable increase in available data. Data management will therefore become key in the new AML/CFT framework (data-driven enterprise wide risk assessment, follow-up of customer data, enhanced record keeping requirements, ...). Moreover, the availability of more data will take transaction monitoring standards to the next level. Further digitalisation and the possible use of new data techniques could be envisaged to streamline the AML/CFT processes.
5. Documentation is key. The policy and process framework (including analysis, the risk assessment process, ...) should be documented in detail, including updates, validation and decision making. The practical application of this framework (client acceptance, internal investigations, alert handling, ...) will also need to be fully and consistently documented.
6. The international focus on terrorism prevention will cause firms to strengthen their preventive controls on sanctions and embargoes. In specific cases lookback programmes will need to be set up.
3. Conclusion: Implementation of the Risk Based AML/CFT Framework
Challenges
Respect the increasing regulatory requirements and expectations
- Being in line with the current national and international regulatory obligations.
- Meeting the AML/CFT expectations of the supervisory authorities.
- Being ready for future regulatory developments (new AML framework, 5th AML Directive, stringent sanction and embargo screening requirements).
- Being in line with the applicable best practices as applied within the relevant institutions.
Guarantee the quality of execution of the AML/CFT processes
- Avoiding gaps in the execution of AML/CFT processes, in all areas including risk, governance, operations, technology and reporting.
- Deploying sufficient (quantitative) and capable (qualitative) employees to take up the AML/CFT responsibilities.
- Developing a differentiated Risk Based Approach based on an AML/CFT risk assessment.
- Transferring important AML/CFT responsibilities to 1st line departments and redefining the role of Compliance.
- The right balance between, and the correct execution of, the controls by the 3 lines of defence.
Execute the AML/CFT processes in a cost efficient way
- Need for technological support for the execution and management of AML/CFT processes, the rationalisation of AML/CFT reporting and the harmonisation of AML/CFT processes within the group.
- The pursuit of further process automation to enhance the quality of AML/CFT processes and to avoid possible errors in (manual) processes.
- The efficient and risk-based bridging of the time required for the development and implementation of IT applications.
Success factors
- Business ownership and Compliance support
- Transformation as a project with business as usual as the objective
- High quality support with a clear focus

3. Conclusion: Implementation of the Risk Based AML/CFT Framework
Challenges (see above): respect the increasing regulatory requirements and expectations; guarantee the quality of execution of the AML/CFT processes; execute the AML/CFT processes in a cost efficient way.
Success factors
Business ownership and Compliance support
- Business ownership, both in the elaboration and implementation of the AML/CFT framework and processes and in their daily execution, is of the utmost importance for effective and efficient execution.
- Compliance resources must be used to provide the necessary substantive expertise and to optimally organise the relevant information flow and transfer, thereby accelerating the project's lead time (and the implementation of its results).
- Each line of defence must focus on adequate control and monitoring responsibilities within the overall 3 lines of defence model.
Transformation as a project with business as usual as the objective
- The strengthening of the AML/CFT framework and the AML/CFT processes must be managed as a project to guarantee sufficient focus, resources and results.
- The project structure should keep business as usual fully in mind and should therefore fully involve the relevant departments of the institution, so that knowledge and know-how are transferred as well as possible.
- The project must be managed centrally to ensure that all relevant business lines and departments are involved. It is important that, through central steering, the departments concerned engage optimally in the project.
High quality support with a clear focus
- Presence of strong central management of the project team and regular contact with relevant stakeholders.
- Availability of specialists, in terms of content, process and IT, to make the project a success in an efficient way.
- Centralisation of multidisciplinary skills within the project team with maximum focus on the project.
- Joint responsibility of the project members (managers and employees of the institution and group, external support).
Contact details
Edwin Somers
Director FSI Governance, Regulatory & Risk
E-mail: edsomers@deloitte.com
Phone: +32 2 800 2159
Mobile: +32 499 98 95 13

Inneke Geyskens-Borgions
Manager Governance, Regulatory & Risk
E-mail: igeyskensborgions@deloitte.com
Phone: +32 2 800 2417
Mobile: +32 499 42 63 71

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee ("DTTL"), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as "Deloitte Global") does not provide services to clients. Please see www.deloitte.com/about for a more detailed description of DTTL and its member firms.
Deloitte provides audit, tax and legal, consulting, and financial advisory services to public and private clients spanning multiple industries. With a globally connected network of member firms in more than 150 countries, Deloitte brings world-class capabilities and high-quality service to clients, delivering the insights they need to address their most complex business challenges. Deloitte has in the region of 225,000 professionals, all committed to becoming the standard of excellence.
This publication contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively, the "Deloitte Network") is, by means of this publication, rendering professional advice or services. Before making any decision or taking any action that may affect your finances or your business, you should consult a qualified professional adviser. No entity in the Deloitte Network shall be responsible for any loss whatsoever sustained by any person who relies on this publication.