a.risk.perspective aml

Mohammad Fheili ⌂⌂⌂ [email protected] The 5th Annual Forum for HEADS OF AML/CFT UNITS AT ARAB BANKS AND FINANCIAL INSTITUTIONS, November 10th & 11th of 2015, Movenpick Hotel. The Many Faces of Compliance Risk


Post on 15-Apr-2017



The 5th Annual Forum for 

HEADS OF AML/CFT UNITS AT ARAB BANKS AND FINANCIAL INSTITUTIONS

November 10th & 11th of 2015, Movenpick Hotel

The Many Faces

of Compliance Risk


Over 30 Years of Experience in Banking . . .

Mohammad Fheili currently serves in the capacity of an Executive at JTB Bank in Lebanon. He has successfully delivered over 1,500 hours of training to professional bankers. He served as an Economist at the Association of Banks in Lebanon (ABL), and as a Senior Manager at BankMed and Fransabank.

He worked as an Advisor to the Union of Arab Banks. Mohammad also served as Basel II Project Implementation Advisor to CAB and HBTF Banks in Jordan. Mohammad received his college education (undergraduate & graduate) at Louisiana State University (LSU), and has been teaching Economics and Finance for over 25 continuous years at reputable universities in the USA (LSU) and Lebanon (LAU).

Finally, Mohammad has published over 25 articles, many of them in refereed journals (e.g., Journal of Money Laundering & Control; Journal of Operational Risk; Journal of Law & Economics; etc.) and industry bulletins.

[email protected] +(961) 3 337175


A Risk Perspective . . .

Between Ambiguity, Ignorance, Uncertainty, Risk and Fear . . .

Between Compliance Risk & The Risk of Non‐Compliance?

Risk


Client is Engaged

Compliance Cycle

Service Cycle

1st Client Interface

Start

Interface

End

CIP, KYC

AML Compliance (Regulator Decides). Client Engagement is Constrained by: The Bank is Deemed AML‐Compliance Responsible & Accountable

Customer Satisfaction (Customer Decides). Client Engagement is Driven by: The Potential for Revenue: Interest Income, Commissions & Charges; and a Word‐of‐Mouth Free Marketing

Branch

Both Cycles Are Ongoing Processes; None is a Destination by itself

The Most Critical Customer Interface; Manage With Care: You Either Collect all the needed information (CIP & KYC), or you have planted the seeds of Troubles to Come . . .


On Going Monitoring & Compliance

Client is Engaged

Compliance Cycle

Service Cycle

1st Client Interface

Start

Interface

End

CIP, KYC, DD, EDD

Branch

On Going Follow up & Service

• Handling Complaints
• Cross‐Selling
• Updating Customer Profile (CIP), Etc.

Possible Source of RISK: IF “Satisfaction” is Competing with “Compliance”

End

• Customer Risk Scoring
• Customer Due Diligence Risk
• Automated Transaction Monitoring Systems
• Cash Aggregation and Reporting Systems, Etc.

Scope & Scale of Client Engagement is a Function of:
• Client Satisfaction
• AML Compliance
• Ability to Have “Satisfaction” and “Compliance” both Converge for the interest of the Bank.


AML Compliance

Customer Satisfaction

Process Gap

Closing The Gap: To Secure Accuracy, Completeness and Consistency of Client‐Data, the Bank/Compliance Officer Must Persuade the Client to Supply the needed Information; NOT FIGHT WITH HIM/HER

Caused By:
• Lack of Awareness
• Absence of Know‐How
• Fear of Losing the Business
• Corporate Culture
• Failure to See the Value Added in AML Compliance, Etc.

Significantly Impact:
• No Sustainable Compliance
• Client Retention is Weak
• Reputation is Tainted
• Etc.


Banking Has Been Dynamically Changing…. 

The Good Old Days!


But Technology & Automation did not change “The Person”; it ONLY Changed “Processes” and “Transactions”

SIMPLE! Bricks & Mortals

Data is Important, BUT People Come 1st

Data Come 1st; People Turned into Shadows!

Technology‐Intensive Production Processes >>> More COMPLEX!


No Doubt, We Are Evolving . . .!

We Must Recognize that:
• The absolute Impossibility of Accurately Predicting the Future, Particularly at the Detail Level (and the Devil of Money Laundering and Sanction Violation Reside in the Details)
• The Decisions/Reactions of People Creating the Future are only Partially Predictable, and are Linked to their Current Set of Relationships Through a Complex Responsive Process (AML Compliance Starts & Ends with The Person)
• We like to convince ourselves that “Technology” is (or Has) the Solution to Everything. BUT Technology ONLY Changed the Process/Transaction but NOT the Person (Potential Source of AML Risk)

Automated Processes

Data‐Rich Decision Processes

Complex Products & Services

E‐Banking, M‐Banking, E‐Payments, Etc.

Rendering AML Compliance Increasingly COMPLEX & Cumbersome!

From 

Papers


Data

Technology

Relationships

Process

Connected Eco‐System

Revenue Pressures brought on by regulatory compliance, Low interest Rates, Increased Customer Demands and new competitive threats require new Business Models that are both Strategic and Integrated in Approach.

In a connected ecosystem, human interactive virtual environments allow FSIs to foster collaboration in a cross functional, integrated approach to regulatory readiness.

FSIs must enhance customer engagement by creating compelling multi‐channel experiences and developing innovative business models that capitalize on the emergence of a networked society.

Financial Service Institutions risk losing ground on competition unless they can restore market and customer trust, manage regulatory changes effectively, lower expenses and introduce new revenue streams.

Organizational Agility: Readiness To Cope


NON-FINANCIAL Services

(Unintentional Risks Taking) (esp. Operational risk)

The Core Banking Activities

FINANCIAL Transactions / Services (Intentional Risk Taking)

(esp. lending money and taking in deposits which = Credit Risk, Market Risk, Liquidity Risk etc.)

Are The Product of

=

Financial risk and other risks must therefore be measured, managed and optimised as a core competency.

&

Core Drivers of Financial Performance Measurement / Evaluation

Earnings

Capital

Adequate Capital

1. This Reality Changed The Way Banks Look At RISKS


Return

Risk

Return

Risk

Speculative Risk: Managing Revenue

Hazard + Others: Managing Costs

Market Risk 

Reputation Risks

Operational Risk 

Liquidity Risk 

FX Risk 

Other Risks

Other Risks 

Where Should We House AML & Compliance Risks

Intentional Risk

Unintentional Risk

AML RISK

Compliance RISK

CREDIT RISK

2. This Reality Changed The Way Banks Look At RISKS


In Desperate Search for Risks (Intentional & Unintentional) which May Be Encountered By The Financial Institution . . .

Non‐Identifiable Risk 

Non‐Identifiable Risk 

Financial Institution’s Risk Population

What is Normally Used in Risk Identification:
• CIP
• KYC
• DD
• EDD
• Complete Credit File, EAD, LGD, PD, UL, EL, etc. and Proper Follow Up
• Comprehensive & Consistent Data about the Market
• Etc.

Identified & Identifiable Risks

• Expected Losses are normally controlled or met using Gross Income, 

• While Unexpected Losses require Capital. 

3. This Reality Changed The Way Banks Look At RISKS


[Quadrant diagram: Risk, Uncertainty, Ambiguity, Ignorance]

• Understand Potential Outcomes; Aware of Probability of Occurrence
• “Blank” over the Nature & Scope of the Outcomes; Aware of Probability of Occurrence
• “Blank” over the Nature & Scope of the Outcomes; Unaware of Probability of Occurrence
• Understand Potential Outcomes; Unaware of Probability of Occurrence

The Purpose behind Risk Identification is to carry this step further to:
• Provide Evidence on Probability of Occurrence
• Push Towards Increased Understanding of Potential Outcomes.

There is a BIG difference between Ambiguity, Ignorance, Uncertainty and RISK.

Axes: Increasing Our Understanding of Potential Outcomes; Increasing Evidence on Probability of Occurrence

4. This Reality Changed The Way Banks Look At RISKS


[Diagram: Risk Management, Ambiguity, Uncertainty, Ignorance. Axes: Increasing Our Understanding of Potential Outcomes; Increasing Evidence on Probability of Occurrence]

Data‐Rich, Information‐Driven Decision‐Making Process:
• KYC, CIP, DD, EDD, RBA, Etc.
• EL, UL, PD, EAD, LGD, Etc.
• DEaR, VaR, Etc.

The Financial Institution is expected to collect the needed data to move closer to Risk Management and Away from Ambiguity, Ignorance, and Uncertainty.

5. This Reality Changed The Way Banks Look At RISKS


The Universe of Compliance

Soft: Regulatory, Data, Figures, etc.

Hard: Regulatory, Legal, Incriminating, People, etc.


Basel I
• Credit Risk
• 1986 proposed; 1988 effective

Basel II
• Credit Risk, Market Risk, Operational Risk
• 1999 proposed; 2007 effective

Basel III
• Credit Risk, Market Risk, Operational Risk, Capital Quality, Additional Buffers, Liquidity: LCR, NSFR
• 2009 proposed; Kick Off in 2011

Amendments: Basel 1 ½, Basel 2 ½, Basel 3 ½

Basel IV
• 2015 Anticipated; Kick Off in 20??

• Capital Requirements
• Liquidity Requirements
• Disclosure Requirements
• National Divergences
• Risk Sensitivity
• Use of Internal Models in Decision Making
• Total Risks = Credit Plus Market Risks
• Internal Models Emerged
• Later on, Tier 3 Capital
• Enhanced Pillar 2, 3
• Complex Securitization obtained higher Risk Weights.
• Trading Books

Regulations
• How Often the Banking Model Has Changed
• How Often Regulatory Guidelines Have Changed
• How Complex The Banking Environment Has Become
• How Technology Has Evolved
• How Many Crises Have We Had.

1. The Soft Side of Compliance: The Basel Accord 


MAXIMIZE PROFIT subject to: RISK, REGULATORY, Compliance, Reporting, Etc. Constraints

RISK . . .
• Default
• Liquidity
• Maturity
• Others . . .

REGULATORY . . .
• Basel I
• Basel II
• Basel III
• Basel IV (In the making)
• TLAC Requirements
• Sanctions Rules
• USA_FATCA Requirements
• OECD_CRS (1st Reporting 2017)
• IFRS9
• AML, Etc. . . .

Uses of Funds: Reserves, Loans, Securities, Other Investments, Fixed Assets . . .

Sources of Funds: All Types of Deposits, Borrowings, Other Sources, Capital . . .

Off-Balance Sheet

Legal Issues . . .

2. The Soft Side of Compliance: The Banking Model 


PRIMARY / SECONDARY

PEOPLE
• Employee Fraud / Malice (Criminal)
• Unauthorized activity / Employee misdeed (Willful)
• Employment Law
• Workforce disruption
• Loss or lack of key personnel

PROCESSES
• Payment / settlement / delivery risk
• Documentation or contract risk
• Valuation / Pricing
• Internal / External reporting and compliance
• Project risk / Change management
• Selling Risks

SYSTEMS
• Technology investment risk
• System development and implementation
• Systems failures
• Systems security breach
• Systems capacity

EXTERNAL
• Legal / Regulatory Risk / Public Liability
• Criminal Activities
• Out‐sourcing / Supplier Risk
• In‐sourcing Risks
• Disaster and Infrastructural utilities Failures
• Political and Government Risks

People are the Source of Many Risks and the Solutions to the Management of all Risks!

There are no right answers here, only “acceptable” ones, and what is acceptable is very much driven by:
• People’s risk attitudes and
• The Organization’s culture (i.e., People)!

3. The Soft Side of Compliance: Treatment of Operational Risk (Where COMPLIANCE Resides) 


4. The Soft Side of Compliance: Treatment of Operational Risk 

• Expected Losses Are Controlled Using Gross Income,
• Unexpected Losses Require Additional Capital.


What is the Cost of Non‐Compliance?


Non‐Compliance By Mistake … Due to lack of understanding …

1. The Hard Side of Compliance: Compliance Choices! 

Simply Comply

Comply By Fear


2. The Hard Side of Compliance: Bank Clients 

Legal Obligation: Where its impact on the Financial Institution’s Reputation and Performance is often severe. Profitability suffers, and it triggers immediate additional expenses for Damage Control.

Regulator Obligation: Issues of non‐compliance are handled behind closed doors with Regulators.

The Issue of Jurisdiction

AML Compliance: It’s Time for Thicker Gloves . . .  Sometimes You Lose By A Knock Out


The FI The Amount The Sanctions [Countries]

$8.9 Billions Sudan, Iran, Cuba

$1.3 Billions and $665 millions in Civil Penalties Cuba, Iran, Libya, Sudan, Burma

$619 millions Cuba, Iran

$536 millions Iran, Sudan

$350 millions Iran

$298 millions Cuba, Iran

$227 millions Iran, Sudan, Libya, Burma

No criminal intent but hefty fines… Thus the element of Fear.

Not to mention the implications on Reputation.

3. The Hard Side of Compliance: The Cost Of Non‐Compliance 


As the Financial industry has evolved:
• Offering New high‐risk products,
• Acquiring new types of customers, and
• Adapting to frequently changing money laundering requirements

Banks increasingly rely on complex models to meet the challenges of AML Compliance.

Bank Regulators are Resolved to Punish banks and other Financial Institutions that fall behind in the struggle to stay current with Anti‐Money Laundering (AML) Regulations.

This hardline approach is evident in several recent high‐profile enforcement actions, fines, and penalties assessed by regulators against financial institutions with lax controls over money laundering.

Some of these actions were the result of a Bank’s failure to appropriately apply the concepts of a model risk management framework to design, execute, and maintain the models it deployed to manage AML Risk.

4. The Hard Side of Compliance: Changing Environment! 


The Regulator Aims for Continuous Compliance Which can only be made possible through Full Automation of The Compliance Process.


Many Banks are using AML Models for:
• Customer Risk Scoring
• Customer Due Diligence Risk
• Automated Transaction Monitoring Systems
• Cash Aggregation and Reporting Systems, and
• Watch‐List Filtering Systems.

The Term “Model” refers to: A Quantitative Method, System, or Approach That Applies Statistical, Economic, Financial, or Mathematical theories, Techniques, and Assumptions To process input data into quantitative estimates. This framework enables banks to predict and identify risk more accurately and, therefore, make better top‐level and line‐of‐business decisions based on model results.

BUT BANKS often rely on Vendor Input, Feedback, . . . Much more than a Comprehensive Self‐Assessment  

Automated AML Compliance Processes, . . . 

5. The Hard Side of Compliance: Modeling Risk & Reporting! 


[Risk matrix. Axes: Frequency of Occurrence of Mistakes in Serving the Client (Low to High); Severity of Losses Resulting From These Mistakes (Low to High). Quadrant responses: Accept, Mitigate, Transfer, Avoid.]

• High‐Frequency / High‐Impact Client Account (Or Transaction) Behavior
• Low‐Frequency / High‐Impact Client Account (Or Transaction) Behavior
• High‐Frequency / Low‐Impact Client Account (Or Transaction) Behavior
• Low‐Frequency / Low‐Impact Client Account (Or Transaction) Behavior

Operational Risk (Frequency/Impact) Characterization of Money Laundering ML‐Incidents Population of the Bank 

It’s likely that any change in the Financial Institution will have some impact on its Operational Risk Profile: AML Processes Automation tends to replace people with systems. In terms of operational losses, the result may be a transition from High‐Frequency, Low‐Impact losses TO Low‐Frequency, High‐Impact losses. The event type will change as well.

Risk‐Culture Awareness may be a superior solution to Automation

Compliance is turning Time Consuming


[Risk matrix. Axes: Frequency of Occurrence (Low to High); Severity of Losses (Low to High). Quadrant responses: Accept, Mitigate, Transfer, Avoid.]

Here there is clear evidence of High Risk due to Unusual account activities, Sanctioned Countries, High‐Risk Professions, etc. IF COST (and/or FEAR) is an Issue, an FI would be more likely to get engaged in De‐Risking with Low‐Frequency/High‐Impact & High‐Frequency/High‐Impact Client Incidence: Discontinue Relation with Existing, and decline Business with New Clients with similar Risk Profile.

These would be some missing information on the KYC/CIP, slacking on Staff Training in AML, etc.

Although ML incidents are characterized with low impact, there is a need to carefully probe about their Root‐Causes:
• Due Diligence
• Enhanced Due Diligence
• Risk‐Based Compliance
To prevent having these incidents turn into High‐Frequency/High‐Impact Or Incidents of Non‐Compliance

Resorting to Automation may not always be the best solution; especially if the Financial Institution is not adequately equipped with the capacity to Manage Advanced IT Environment.


[Diagram. Axes: Level Of Maturity in AML Compliance; Nature & Extent of Efforts Deployed. Stages: DD (Due Diligence), EDD (Enhanced Due Diligence), RBA (Risk‐Based Approach to AML Compliance).]

Moving in this direction is a clear indication that there is a desire on the part of the FI to continue on serving the client. Otherwise, the FI would be engaged in De‐Risking

Enhancing Compliance Capabilities …
• AML Cost
• Skills Needs
• Know‐How
• AML Analytics

Those Enhanced AML Compliance Steps require the Use of Technology. Increase reliance on Technology; Increase exposure to Technology Failures. In such an instance, does the FI have a good track record with Managing Technology Issues?


[Diagram. Axes: Level Of Maturity in AML Compliance; Nature & Extent of Efforts Deployed. Stages: DD (Due Diligence), EDD (Enhanced Due Diligence), RBA (Risk‐Based Approach to AML Compliance).]

Where the FI is on this Continuum of AML Compliance Maturity has to do with:
• Profile of its Portfolio of Clients
• The FI’s Geographical Spread
• Management Sensitivity to rising Cost of Compliance (Cost is Real)
• Perceived Benefits (hard to relate to the Benefits of Compliance outside the scope of Avoiding hefty Penalties)
• Resource Availability
• Tolerance for Risk
• Fear (of Penalty)
• Etc.

Enhancing Compliance Capabilities …
• AML Cost
• Skills Needs
• Know‐How
• AML Analytics
