a.risk.perspective aml
TRANSCRIPT
Mohammad Fheili ⌂⌂⌂ [email protected]
The 5th Annual Forum for
HEADS OF AML/CFT UNITS AT ARAB BANKS AND FINANCIAL INSTITUTIONS
November 10th & 11th of 2015, Movenpick Hotel
The Many Faces
of Compliance Risk
Over 30 Years of Experience in Banking . . .
Mohammad Fheili currently serves in the capacity of an Executive at JTB Bank in Lebanon. He has successfully delivered over 1,500 hours of training to professional bankers. He served as an Economist at the Association of Banks in Lebanon (ABL), and as a Senior Manager at BankMed and Fransabank.
He worked as an Advisor to the Union of Arab Banks. Mohammad also served as Basel II Project Implementation Advisor to CAB and HBTF Banks in Jordan. Mohammad received his college education (undergraduate & graduate) at Louisiana State University (LSU), and has been teaching Economics and Finance for over 25 continuous years at reputable universities in the USA (LSU) and Lebanon (LAU).
Finally, Mohammad has published over 25 articles, many of them in refereed Journals (e.g., Journal of Money Laundering & Control; Journal of Operational Risk; Journal of Law & Economics; etc.) and Industry Bulletins.
[email protected] +(961) 3 337175
A Risk Perspective . . .
Between Ambiguity, Ignorance, Uncertainty, Risk and Fear . . .
Between Compliance Risk & The Risk of Non‐Compliance?
Risk
[Diagram labels: Client is Engaged; Compliance Cycle; Service Cycle; 1st Client Interface; Start; Interface; End; CIP, KYC; Branch]
AML Compliance (Regulator Decides). Client Engagement is Constrained by: The Bank is Deemed AML‐Compliance Responsible & Accountable
Customer Satisfaction (Customer Decides). Client Engagement is Driven by: The Potential for Revenue: Interest Income, Commissions & Charges; and a Word‐of‐Mouth Free Marketing
Both Cycles Are Ongoing Processes; None is a Destination by itself
The Most Critical Customer Interface; Manage With Care: You Either Collect all the needed information (CIP & KYC), or you have planted the seeds of Troubles to Come . . .
On Going Monitoring & Compliance
[Diagram labels: Client is Engaged; Compliance Cycle; Service Cycle; 1st Client Interface; Start; Interface; End; CIP, KYC, DD, EDD; Branch]
On Going Follow up & Service:
• Handling Complaints
• Cross‐Selling
• Updating Customer Profile (CIP), Etc.
Possible Source of RISK: IF “Satisfaction” is Competing with “Compliance”
• Customer Risk Scoring
• Customer Due Diligence Risk
• Automated Transaction Monitoring Systems
• Cash Aggregation and Reporting Systems, Etc.
Scope & Scale of Client Engagement is a Function of:
• Client Satisfaction
• AML Compliance
• Ability to Have “Satisfaction” and “Compliance” both Converge for the interest of the Bank.
AML Compliance
Customer Satisfaction
Process Gap
Closing The Gap: To Secure Accuracy, Completeness and Consistency of Client‐Data, Bank\Compliance Officer Must Persuade the Client to Supply the needed Information; NOT FIGHT WITH HIM/HER
Caused By:
• Lack of Awareness
• Absence of Know‐How
• Fear of Losing the Business
• Corporate Culture
• Failure to See the Value Added in AML Compliance, Etc.
Significantly Impact:
• No Sustainable Compliance
• Client Retention is Weak
• Reputation is Tainted
• Etc.
But Technology & Automation did not change “The Person”; it ONLY Changed “Processes” and “Transactions”
SIMPLE! Bricks & Mortals
Data is Important, BUT People Come 1st
Data Come 1st; People Turned into Shadows!
Technology‐Intensive Production Processes
>>> More COMPLEX!
No Doubt, We Are Evolving . . .!
We Must Recognize that:
• The absolute Impossibility of Accurately Predicting the Future, Particularly at the Detail Level (and the Devil of Money Laundering and Sanction Violation Reside in the Details)
• The Decisions/Reactions of People Creating the Future are only Partially Predictable, and are Linked to their Current Set of Relationships Through a Complex Responsive Process (AML Compliance Starts & Ends with The Person)
• We like to convince ourselves that “Technology” is (or Has) the Solution to Everything. BUT Technology ONLY Changed the Process/Transaction but NOT the Person (Potential Source of AML Risk)
Automated Processes
Data‐Rich Decision Processes
Complex Products & Services
E‐Banking, M‐Banking, E‐Payments, Etc.
Rendering AML Compliance Increasingly COMPLEX & Cumbersome!
From Papers
[Diagram labels: Data; Technology; Relationships; Process; Connected Eco‐System]
Revenue Pressures brought on by regulatory compliance, Low interest Rates, Increased Customer Demands and new competitive threats require new Business Models that are both Strategic and Integrated in Approach.
In a connected ecosystem, human interactive virtual environments allow FSIs to foster collaboration in a cross‐functional, integrated approach to regulatory readiness.
FSIs must enhance customer engagement by creating compelling multi‐channel experiences and developing innovative business models that capitalize on the emergence of a networked society.
Financial Service Institutions risk losing ground on competition unless they can restore market and customer trust, manage regulatory changes effectively, lower expenses and introduce new revenue streams.
Organizational Agility: Readiness To Cope
NON-FINANCIAL Services (Unintentional Risks Taking) (esp. Operational risk)
The Core Banking Activities
FINANCIAL Transactions / Services (Intentional Risk Taking) (esp. lending money and taking in deposits which = Credit Risk, Market Risk, Liquidity Risk etc.)
Are The Product of
=
Financial risk and other risks must therefore be measured, managed and optimised as a core competency.
&
Core Drivers of Financial Performance Measurement / Evaluation
Earnings
Capital
Adequate Capital
1. This Reality Changed The Way Banks Look At RISKS
[Diagram labels: Return; Risk; Speculative Risk; Managing Revenue; Hazard + Others; Managing Costs; Intentional Risk; Unintentional Risk; Credit Risk; Market Risk; Reputation Risks; Operational Risk; Liquidity Risk; FX Risk; Other Risks; AML Risk; Compliance Risk]
Where Should We House AML & Compliance Risks
2. This Reality Changed The Way Banks Look At RISKS
In Desperate Search for Risks (Intentional & Unintentional) which May Be Encountered By The Financial Institution . . .
[Diagram labels: Financial Institution’s Risk Population; Identified & Identifiable Risks; Non‐Identifiable Risk]
What is Normally Used in Risk Identification:
• CIP
• KYC
• DD
• EDD
• Complete Credit File, EAD, LGD, PD, UL, EL, etc. and Proper Follow Up
• Comprehensive & Consistent Data about the Market
• Etc.
• Expected Losses are normally controlled or met using Gross Income,
• While Unexpected Losses require Capital.
3. This Reality Changed The Way Banks Look At RISKS
[Quadrant diagram. Axes: Increasing Our Understanding of Potential Outcomes; Increasing Evidence on Probability of Occurrence. Quadrant labels: Risk; Uncertainty; Ambiguity; Ignorance. Quadrant descriptions:]
• Understand Potential Outcomes. Aware of Probability of Occurrence
• “Blank” over the Nature & Scope of the Outcomes. Aware of Probability of Occurrence
• “Blank” over the Nature & Scope of the Outcomes. Unaware of Probability of Occurrence
• Understand Potential Outcomes. Unaware of Probability of Occurrence
The Purpose behind Risk Identification is to carry this step further to:
• Provide Evidence on Probability of Occurrence
• Push Towards Increased Understanding of Potential Outcomes.
There is a BIG difference between Ambiguity, Ignorance, Uncertainty and RISK.
4. This Reality Changed The Way Banks Look At RISKS
[Diagram. Axes: Increasing Our Understanding of Potential Outcomes; Increasing Evidence on Probability of Occurrence. Labels: Risk Management; Ambiguity; Uncertainty; Ignorance]
Data‐Rich, Information‐Driven Decision‐Making Process:
• KYC, CIP, DD, EDD, RBA, Etc.
• EL, UL, PD, EAD, LGD, Etc.
• DEaR, VaR, Etc.
The Financial Institution is expected to collect the needed data to move closer to Risk Management and Away from Ambiguity, Ignorance, and Uncertainty.
5. This Reality Changed The Way Banks Look At RISKS
The Universe of Compliance
Soft: Regulatory, Data, Figures, etc.
Hard: Regulatory, Legal, Incriminating, People, etc.
Basel I: Credit Risk. 1986 proposed; 1988 effective.
Basel II: Credit Risk, Market Risk, Operational Risk. 1999 proposed; 2007 effective.
Basel III: Credit Risk, Market Risk, Operational Risk, Capital Quality, Additional Buffers, Liquidity: LCR, NSFR. 2009 proposed; Kick Off in 2011.
Basel IV: 2015 Anticipated; Kick Off in 20??
Amendments: Basel 1 ½; Basel 2 ½; Basel 3 ½
• Capital Requirements
• Liquidity Requirements
• Disclosure Requirements
• National Divergences
• Risk Sensitivity
• Use of Internal Models in Decision Making
• Total Risks = Credit Plus Market Risks
• Internal Models Emerged
• Later on, Tier 3 Capital
• Enhanced Pillar 2, 3
• Complex Securitization obtained higher Risk Weights.
• Trading Books
Regulations
• How Often the Banking Model Has Changed
• How Often Regulatory Guidelines Have Changed
• How Complex The Banking Environment Has Become
• How Technology Has Evolved
• How Many Crises Have We Had.
1. The Soft Side of Compliance: The Basel Accord
MAXIMIZE PROFIT subject to: RISK, REGULATORY, Compliance, Reporting, Etc. Constraints
RISK . . .
• Default
• Liquidity
• Maturity
• Others . . .
REGULATORY . . .
• Basel I
• Basel II
• Basel III
• Basel IV (In the making)
• TLAC Requirements
• Sanctions Rules
• USA_FATCA Requirements
• OECD_CRS (1st Reporting 2017)
• IFRS9
• AML, Etc. . . .
Uses of Funds: Reserves; Loans; Securities; Other Investments; Fixed Assets . . .
Sources of Funds: All Types of Deposits; Borrowings; Other Sources; Capital . . .
Off-Balance Sheet
Legal Issues . . .
2. The Soft Side of Compliance: The Banking Model
PRIMARY | SECONDARY
PEOPLE | Employee Fraud / Malice (Criminal); Unauthorized activity / Employee misdeed (Willful); Employment Law; Workforce disruption; Loss or lack of key personnel
PROCESSES | Payment / settlement / delivery risk; Documentation or contract risk; Valuation / Pricing; Internal / External reporting and compliance; Project risk / Change management; Selling Risks
SYSTEMS | Technology investment risk; System development and implementation; Systems failures; Systems security breach; Systems capacity
EXTERNAL | Legal / Regulatory Risk / Public Liability; Criminal Activities; Out‐sourcing / Supplier Risk; In‐sourcing Risks; Disaster and Infrastructural utilities Failures; Political and Government Risks
People are the Source of Many Risks and the Solutions to the Management of all Risks!
There are no right answers here only “acceptable” ones and what is acceptable is very much driven by:
• People’s risk attitudes and
• The Organization’s culture (i.e., People)!
3. The Soft Side of Compliance: Treatment of Operational Risk (Where COMPLIANCE Resides)
4. The Soft Side of Compliance: Treatment of Operational Risk
• Expected Losses Are Controlled Using Gross Income,
• Unexpected Losses Require Additional Capital.
Non‐Compliance By Mistake … Due to lack of understanding …
1. The Hard Side of Compliance: Compliance Choices!
Simply Comply
Comply By Fear
2. The Hard Side of Compliance: Bank Clients
Legal Obligation: Where its impact on the Financial Institution’s Reputation and Performance is often severe. Profitability suffers, and it triggers immediate additional expenses for Damage Control.
Regulator Obligation: Issues of non‐compliance are handled inside closed doors Regulators.
The Issue of Jurisdiction
AML Compliance: It’s Time for Thicker Gloves . . . Sometimes You Lose By A Knock Out
The FI The Amount The Sanctions [Countries]
$8.9 Billions Sudan, Iran, Cuba
$1.3 Billions and $665 millions in Civil Penalties Cuba, Iran, Libya, Sudan, Burma
$619 millions Cuba, Iran
$536 millions Iran, Sudan
$350 millions Iran
$298 millions Cuba, Iran
$227 millions Iran, Sudan, Libya, Burma
No criminal intent but hefty fines… Thus the element of Fear.
Not to mention the implications on Reputation.
3. The Hard Side of Compliance: The Cost Of Non‐Compliance
As the Financial industry has evolved:
• Offering New high‐risk products,
• Acquiring new types of customers, and
• Adapting to frequently changing money laundering requirements
Banks increasingly rely on complex models to meet the challenges of AML Compliance.
Bank Regulators are Resolved to Punish banks and other Financial Institutions that fall behind in the struggle to stay current with Anti‐Money Laundering (AML) Regulations.
This hardline approach is evident in several recent high‐profile enforcement actions, fines, and penalties assessed by regulators against financial institutions with lax controls over money laundering.
Some of these actions were the result of a Bank’s failure to appropriately apply the concepts of a model risk management framework to design, execute, and maintain the models it deployed to manage AML Risk.
4. The Hard Side of Compliance: Changing Environment!
The Regulator Aims for Continuous Compliance Which can only be made possible through Full Automation of The Compliance Process.
Many Banks are using AML Models for:
• Customer Risk Scoring
• Customer Due Diligence Risk
• Automated Transaction Monitoring Systems
• Cash Aggregation and Reporting Systems, and
• Watch‐List Filtering Systems.
The Term “Model” refers to: A Quantitative Method, System, or Approach That Applies Statistical, Economic, Financial, or Mathematical theories, Techniques, and Assumptions To process input data into quantitative estimates. This framework enables banks to predict and identify risk more accurately and, therefore, make better top‐level and line‐of‐business decisions based on model results.
BUT BANKS often rely on Vendor Input, Feedback, . . . Much more than a Comprehensive Self‐Assessment
Automated AML Compliance Processes, . . .
5. The Hard Side of Compliance: Modeling Risk & Reporting!
Operational Risk (Frequency/Impact) Characterization of Money Laundering ML‐Incidents Population of the Bank
[Risk matrix. Axes (Low to High): Frequency of Occurrence of Mistakes in Serving the Client; Severity of Losses Resulting From These Mistakes. Responses: Accept; Mitigate; Transfer; Avoid. Quadrants:]
• High‐Frequency / High‐Impact Client Account (Or Transaction) Behavior
• Low‐Frequency / High‐Impact Client Account (Or Transaction) Behavior
• High‐Frequency / Low‐Impact Client Account (Or Transaction) Behavior
• Low‐Frequency / Low‐Impact Client Account (Or Transaction) Behavior
It’s likely that any change in the Financial Institution will have some impact on its Operational Risk Profile: AML Processes Automation tends to replace people with systems. In terms of operational losses, the result may be a transition from High‐Frequency, Low‐Impact losses TO Low‐Frequency, High‐Impact losses. The event type will change as well.
Risk‐Culture Awareness may be a superior solution to Automation
Compliance is turning Time Consuming
[Risk matrix. Axes (Low to High): Frequency of Occurrence; Severity of Losses. Responses: Accept; Mitigate; Transfer; Avoid]
Here there is clear evidence of High Risk due to Unusual account activities, Sanctioned Countries, High‐Risk Professions, etc. IF COST (and/or FEAR) is an Issue, an FI would be more likely to get engaged in De‐Risking with Low‐Frequency/High‐Impact & High‐Frequency/High‐Impact Client Incidence: Discontinue Relation with Existing, and decline Business with New Clients with similar Risk Profile.
These would be some missing information on the KYC/CIP, slacking on Staff Training in AML, etc.
Although ML incidents are characterized with low impact, there is a need to carefully probe about their Root‐Causes:
• Due Diligence
• Enhanced Due Diligence
• Risk‐Based Compliance
To prevent having these incidents turn into High‐Frequency/High‐Impact Or Incidents of Non‐Compliance
Resorting to Automation may not always be the best solution; especially if the Financial Institution is not adequately equipped with the capacity to Manage Advanced IT Environment.
[Diagram. Axes: Level Of Maturity in AML Compliance; Nature & Extent of Efforts Deployed. Stages: DD (Due Diligence); EDD (Enhanced Due Diligence); RBA (Risk‐Based Approach to AML Compliance). Labels: Enhancing Compliance Capabilities …; AML Cost; Skills Needs; Know‐How; AML Analytics]
Moving in this direction is a clear indication that there is a desire on the part of the FI to continue on serving the client. Otherwise, the FI would be engaged in De‐Risking
Those Enhanced AML Compliance Steps require the Use of Technology. Increase reliance on Technology; Increase exposure to Technology Failures. In such an instance, does the FI have a good track record with Managing Technology Issues?
[Diagram. Axes: Level Of Maturity in AML Compliance; Nature & Extent of Efforts Deployed. Stages: DD (Due Diligence); EDD (Enhanced Due Diligence); RBA (Risk‐Based Approach to AML Compliance). Labels: Enhancing Compliance Capabilities …; AML Cost; Skills Needs; Know‐How; AML Analytics]
Where the FI is on this Continuum of AML Compliance Maturity has to do with:
• Profile of its Portfolio of Clients
• The FI’s Geographical Spread
• Management Sensitivity to rising Cost of Compliance (Cost is Real)
• Perceived Benefits (hard to relate to the Benefits of Compliance outside the scope of Avoiding hefty Penalties)
• Resource Availability
• Tolerance for Risk
• Fear (of Penalty)
• Etc.