Risk Based Approach - Bachir El Nakib - July 2009
Implementation of RBA in Lebanon
Building Risk Profile
Bashir A. El-Nakib, CAMS, ACFE, CFAP
Managing Partner/CEO
Compliance ALert, July 09, 2009
THE ONLY ISSUE? COMPLIANCE & REGULATORY RISK
The problem is KYC
KNOW YOUR
- CUSTOMERS
- CORRESPONDENTS
- EMPLOYEES
- SHAREHOLDERS
7/8/2009 Risk Based Approach
Outline
Introduction/Overview
Background
Developing a Risk Based Approach
AML Program Elements
Embargoes & Sanctions
Identifying Risk
Risk Types & Characteristics
Red Flags
Issues/Challenges
Summary
Open Discussion
Definitions
Money Laundering
Money Laundering is the process by which criminals attempt to conceal the true origin and ownership of the proceeds of criminal activities.
Terrorist Financing
An offence by any means, directly or indirectly, unlawfully and willfully, which provides or collects funds with the intention that they should be used or in the knowledge that they are to be used, in full or in part, in order to carry out an act intended to cause death or serious bodily injury to a civilian, or to any other person not taking an active part in the hostilities in a situation of armed conflict, when the purpose of such act, by its nature or context, is to intimidate a population, or to compel a government or an international organization to do or to abstain from doing any act.
Source: United Nations 1999 International Convention for the Suppression of the Financing of Terrorism
Regulatory Concerns
• Certain types of transactions have come under intense regulatory and law enforcement scrutiny, especially in the US.
– Transactions involving shell companies.
– The potential for abuse of cover payments to launder funds or to avoid SIC/UN/BOE/OFAC regulations.
Development of Local Standards
Banks AML Due Diligence Guidelines on Measures Against Money Laundering
• Required financial entities to design their own detailed Policy Manual to suit the nature of their particular environment in which they operated
• Permitted compliance based on commercial considerations
Law 318 Money Laundering
BDL Basic Circulars 83
Standard
M L Procedures Standards
• Risk based approach to Know Your Customer (KYC)
• Banks Project to rectify existing higher risk accounts
• Enhanced procedures to identify and monitor special risk cases
Interim Circular
Compulsory Procedures Guidelines
20, 35, 136, 190
Announcement (4)
• Know Your Customer (KYC) for Transit subjects
• Roll-out over old customers for KYC implementation
Compliance Process
4 Phases
Risk identification
Risk assessment
Risk Monitoring
Risk Reporting
Proposed Enhanced Due Diligence for High-Risk FFIs
• Would apply to offshore banks and FIs in non-compliant jurisdictions.
– Enhanced Due Diligence (EDD):
• Obtain documentation of the FFI’s AML program.
• Monitor activity in the correspondent’s accounts for risks posed by the client’s customers not subject to EDD.
• Identify nested correspondents and assess associated risks.
• Identify FFI ownership for non-publicly traded institutions.
Risk Based Approach to KYC
Existing KYC Process
1. Accept or Reject business? (BCA)
•Profitability
•Suitability
•Reputation Risk
•Sanctions
•Suspect blacklists
Accept
2a. Borrowing Customers
2b. Non-Borrowing Customers risk profiled using agreed and easy to implement filters.
3. Risk Assessment
Manage as Level 1 Risk
3. Impose Basic KYC only
Manage as Level 3 Risk
3. Separate out Level 3 customers using agreed filters.
3b. Impose Enhanced KYC
Risk Based Approach to KYC
Levels: Level 3 Risk, Level 2 Risk, Level 1 Risk
Account Opening
Enhanced KYC - Basic KYC Plus
-Nature of business
-Origin of funds
-Purpose of account
-Type & level of activity
Basic KYC
-Evidence of Identity
-Evidence of address
Ongoing Account Management
6 Monthly Review
-Monitoring of transactions against customer profile
-KYC Relationship review approved by Senior management
Monitoring to identify account activity which requires account to be reclassified as Level (3)
Monitoring of transactions against customer profile every 12 months.
Monitor Account Activity which requires account to be classified as Level (2) or (3)
Recent Enforcement Actions
• Non-compliance penalties continue to rise.
– UBS Bank - $100 Million (May 2004)
– Riggs Bank - $ 25 million (May 2004)
– AmSouth - $ 50 Million (October 2004)
– Riggs Bank - $ 41 Million (Jan 2005)
– Arab Bank - $ 24 Million (August 2005)
– Bank of New York - $ 38 Million (Nov 2005)
– ABN AMRO - $ 80 Million (December 2005)
– AMEX - $65 Million (August 2007)
– Lloyds TSB - $130 Million (October 2007)
– Bank of Cyprus - $162 Million (October 2007)
– Lloyds TSB Bank - $350 Million (10 Jan 2009)
Compliance Guidance Needed
• Large fines have led to some unintended consequences.
- Fines have led to a flood of defensive SAR filings. In the 12 months following the AmSouth and Riggs fines, filings jumped by 40%.
- KYC requirements and the high price of a compliance mistake have made it very difficult for even the most diligent money transmitter to find banking services. (The guidelines published last year may help.)
• Increasing tendency to “criminalize” AML errors
- Lapses are unavoidable for any large bank with significant transaction volume or a large client base.
- Does it make sense to impose penalties – sometimes large penalties – on banks with strong compliance regimes that have an AML lapse?
Business Challenges
• Financial Institutions
– Need more effective compliance
– Re-use investments - integrate with fraud and financial crime detection
– Technical integration vs organisational integration
• Regulatory
– Increasing compliance regulation globally - FATF
– Increasing pressure from regulators on FIs
– AML requirements now extend to securities, insurance, real estate industries and casinos as well as banks
– Regulatory compliance is primary driver of AML investments
• Technology
– IT compliance spend = $34Bn (5% AML*)
– Annual spending expected to continue to increase*
– Technology is NOT the big cost! Investigations are 64% of costs**
– Industry vendor consolidation
* Tower Group
** Celent
Why should I care about these Requirements?
• Money Launderers and Terrorists seek out vulnerable banks
• The Regulator will fine the bank heavily
– Ignorance is no defense!
• OFAC can and will seize customers' funds
– Banco Delta Asia Ltd. Macau
• US, European and other banks won’t Correspond with you
– Strict Due Diligence
– Correspondent Bank Certifications
– Demand due diligence (KYCC)
• The cost of a Fine is insignificant, compared to the internal cost and loss of business.
– Restructuring, new procedures, new systems, training
– Loss of reputation
– Loss of shareholder value
What are sanctions:
• Definition:
Sanctions are punitive or coercive measures against a state or its nationals failing to comply with.
• Types of sanctions:
Multilateral sanctions (e.g. UN sanctions)
Bilateral sanctions (e.g. US sanctions against Cuba)
Country or regime sanctions (eg Taliban, Congo DRP, Sudan, Syria, Iran)
List-based sanctions (eg against known terrorists)
• All UN member states are obliged to implement UN Security Council sanctions domestically.
• Financial Institutions must comply with sanctions in all jurisdictions within which they operate.
7/8/2009 Embargoes & Sanctions May 13, 2008
Managing Sanctions
• Off-the-shelf filtering software is available
• Can check incoming and outgoing payments and any other transaction or customer information entered onto systems.
• However, judgment is required:
– Names may not be a complete match
– May get a country match but the transaction is not sanctioned.
• Must have a process for assessing and then declining or approving transactions with full audit trail.
• Staff must have targeted training depending upon factors such as:
– Nationality
– Type of business (eg domestic, global trade, international payments etc)
– Decision making capacity.
Compliance Costs Increase – KYC, AML, OFAC
Compliance is expensive. Non-compliance is very expensive.
• Technology costs – the bar keeps moving
• OFAC – Then: Scan repair items. Now: Scan all items.
• KYC/AML – Then: Recordkeeping and Travel Rules. Now: Money Laundering Pattern Recognition.
• Cost of non-compliance
- Enforcement actions
- Prosecutions
- Reputational damage
Compliance Requirements Increase
Section 312 of the USA PATRIOT Act increases costs and risks.
• Requires due diligence risk assessment for Foreign Financial Institutions (FFIs)
- Nature of the FFI’s business & the markets it serves
- Nature of the correspondent account, including account purpose, types of services provided, and anticipated account activity.
- Nature and duration of bank’s relationship with the FFI – and affiliates.
- FFI’s home supervisory regime.
- Info known or reasonably available regarding the FFI’s AML record.
• New FFI due diligence rules are effective:
- July 5, 2006 for new account openings.
- October 2, 2006 for existing accounts.
Watch list Filtering
• Scanning of customer records & transactions against
– Government sanction lists – OFAC, BOE, UNO etc
– High risk individuals – terrorists, organized crime, fraudsters etc
– Exposed individuals – PEPs, public figures, high profile
– 3rd party database providers – World Compliance, Thomson, Bridger, World-Check, Dow Jones-Factiva, Complinet, Lexis-Nexis, etc.
• Key Issues
– Character Variations
– Phonetic Variations
– Transliterations & cultural differences
• Using intelligent name matching algorithms with:
– Normalization of names – capitals, abbreviations, spaces, punctuation
– Reference libraries – common short names, cultural inputs
– Reduction to simplified representation – phonetics, soundex
– Indexing – decision tree
– Similarity assessment – string equality, sub-sets, edit distance
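The name-matching stages listed on this slide (normalization, a short-name reference library, Soundex reduction, and similarity by string equality, sub-sets and edit distance), combined into one screening function. This is an added example, not code from the presentation or from any vendor; the watch list, the short-name table, the thresholds and all function names are constructed assumptions, and the decision-tree indexing step is left out.

```python
import re
import unicodedata

# Constructed reference library of common short names (illustrative, not a vendor list).
SHORT_NAMES = {"mohd": "mohammed", "bill": "william", "alex": "aleksandr"}

# Constructed watch list; every name below is fictitious.
WATCH_LIST = ["Viktor Aleksandr Petrovsky", "Mohammed Al-Rashidi", "Jonathan Smythe"]

SOUNDEX_CODES = {ch: digit
                 for digit, letters in {"1": "bfpv", "2": "cgjkqsxz", "3": "dt",
                                        "4": "l", "5": "mn", "6": "r"}.items()
                 for ch in letters}


def normalize(name):
    """Normalization: case, accents, punctuation, spacing, then short-name expansion."""
    text = unicodedata.normalize("NFKD", name)
    text = "".join(c for c in text if not unicodedata.combining(c)).lower()
    tokens = re.sub(r"[^a-z]+", " ", text).split()
    return [SHORT_NAMES.get(t, t) for t in tokens]


def soundex(token):
    """Reduction to a simplified representation: the classic 4-character Soundex code."""
    code, prev = token[0].upper(), SOUNDEX_CODES.get(token[0], "")
    for ch in token[1:]:
        digit = SOUNDEX_CODES.get(ch, "")
        if digit and digit != prev:
            code += digit
        if ch not in "hw":          # h and w do not separate two equal codes
            prev = digit
    return (code + "000")[:4]


def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def token_match(a, b):
    """Similarity assessment for one token pair; returns the rule that fired or None."""
    if a == b:
        return "exact"
    if min(len(a), len(b)) >= 4 and edit_distance(a, b) <= 1:
        return "edit"
    if soundex(a) == soundex(b):
        return "phonetic"
    return None


def screen(candidate, watch_list=WATCH_LIST):
    """Return [(list_entry, [(listed_token, candidate_token, rule), ...])] for review.

    A hit needs every token of the shorter name matched (sub-set test) and at least
    two matched tokens, unless the listed name has only one token.
    """
    cand = normalize(candidate)
    hits = []
    for entry in watch_list:
        listed, used, evidence = normalize(entry), set(), []
        for lt in listed:
            for i, ct in enumerate(cand):
                rule = None if i in used else token_match(lt, ct)
                if rule:
                    used.add(i)
                    evidence.append((lt, ct, rule))
                    break
        needed = min(len(listed), len(cand))
        if needed and len(evidence) == needed and len(evidence) >= min(2, len(listed)):
            hits.append((entry, evidence))
    return hits


if __name__ == "__main__":
    for name in ["PETROVSKI, Victor", "Muhamad al Rashidy",
                 "Mohd. Al Rashidi", "Victoria Peters"]:
        print(name, "->", screen(name))
```

The returned evidence tuples record which rule fired for each token, which is the material an analyst needs for the audit trail when approving or declining a hit.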
What is it Regulators are looking for banks to do?
• All accounts risk ranked systematically
• All transactions risk ranked systematically
• All transactions and all customer activity profiled to determine “usual and normal” behavior
• Peer groups used to find unusual behaviour in similar accounts
• How is previously unknown behavior detected and alerted
• Profiles to be dynamically created and adapted
• Rules must be dynamically created, adapted and implemented
• The Regulators want banks to actively find money laundering!
• Regulators are becoming more IT aware than ever before!
Why a Risk Based Approach?
Regulatory Guidance
• FATF Money Laundering Typologies
• 3rd EU Directive, Basel CDD paper, and Wolfsberg Principles paper
• U.S. Comptroller’s Handbook
• FSA & Other Regulatory Directives
• Egmont Group
• MiFiD
Characteristics
• Takes into consideration multiple risk factors including customer/business type, geography, product/delivery channels, and transaction type
• Establishes levels of perceived risk for which proportional controls may be devised
• Efficient and cost effective approach to AML Program management
Benefits
• Risk management framework accepted by regulators
• More effective and efficient processes
• Industry leading practices
Components of a Risk Based Approach
Risk Indicators
• Customer/Business Type
• Geography
• Product/Delivery Channels
• Transaction Type
Mitigating Controls
• AML Governance Structure
• AML Policies & Procedures
• Training/Communications & Awareness
• Independent Testing
AML Risk Based Approach
Regulatory Environment
• Increased regulatory expectations
• New regulations
The Situation
• High risk individuals, companies and organisations are targeting financial organisations and the countries within which they operate.
• Their very existence depends on their ability to enter your organisation or country undetected.
What are the risks:
• Regulatory risk
• Reputational risk
• Business risk
• Shareholder risk
• Job risk
AML Process Elements
• Policy, strategy, resource allocation
• Program evaluation & continuous improvement
• Communications, awareness & training
• Risk and Compliance Officers
• Technology
• Branch AML Officers
• AML Office
• Corporate Partners
• Investigations & Suspicious Activity Reporting
• Account opening, customer identification & risk assessment
• Financial intelligence, monitoring, analysis, trending & Enhanced Due Diligence
LOB Risk Assessment
• Evaluate inherent risks
• Assess controls
• Determine residual risk/establish thresholds
• Develop and implement action plans
• Monitor and enhance controls
• Maintain and retain records
Anti-Money Laundering High Risk Characteristics
Categories: Customer/Business Types, Geography, Product/Delivery Channel, Transaction Types
• Politically Exposed Persons
• Sanctioned List Countries
• Mobile to mobile
• Off-shore
• Non Resident Aliens
• Money service businesses (e.g. check cashing, wire transmitter)
• Transaction activity with high risk countries (e.g. 311 USA Patriot Act and FATF)
• Private Banking, Trust, Commercial, Retail where it involves high net worth individuals and their corporate interests with personal and discrete service
• Foreign wire transfers, money instruments and cash
• Use of “Omnibus” and “Concentration Accounts”
• Gaming and betting
• Real estate brokers
• Jewelry businesses
• Internet Delivery
• Nominee Account
• E-Bill Payment
• Correspondent Bank Clearing
• Travel agencies
• Car, boat, aircraft, and farm equipment dealerships
• Prepaid stored valued card
• Payable through accounts
• Charitable organizations
• Law, accounting, and medical firms
• Pawn brokers
• Phone or debit card businesses
• Off-shore Trusts
Risk-based Approach and the KYC Process
Risk-Scoring
• Simplified Due Diligence?
• Enhanced Due Diligence?
Risk-based Approach and the KYC Process
– How do we perform risk assessment?
– Do we have the right tools to do the job?
– How does the risk assessment program define and score the risks of products? Customers? And jurisdictions?
– How do we develop risk based matrices? With or without the help of outside vendors?
Risk-based Approach and the KYC Process
Simplified or Enhanced Due Diligence?
Simplified CDD Level 1 - Tick-box / Red-Flag Check
Limited CDD Level 2 - Public Record Research
Standard CDD Level 3 - Public Record Research, Limited Source Enquiries
Enhanced CDD Level 4 - In-depth Public Record Research & Enquiries, Specific issues
The Risk-based approach requires a levelled approach to CDD
Risk-Based Approach Matrix
• Building an RBA matrix is a collaborative effort between:
– The Compliance Unit
– The Economic Center
– The Business Units
– The Management Information Services (MIS) Department
– IT Division
– Others….
Main RBA Factors
• Customer Risk
• Country Risk
• Sector Risk
• Product Risk
RBA Elements
Customer Risk
•Overall background and reputation
•Business interests and practices-Mgt
•Business associates and networks/ Business Link
•Political Affiliations (PEPs)
•Beneficial ownership and control
•Source of funds
Country Risk
•Political stability
•Legal status
•Economic situation
•Standing of the financial services industry
•Exposure to organised crime and Money laundering
•Corruption
Sector Risk
•Weapons and Metal trading
•Precious metals
•Art
•Real Estate
•Exchange Dealership
Product Risk
•Private Banking
•Correspondent Banking
•Structured Finance
•Commodities
RBA Matrix
• An RBA Matrix is built to:
– Assess Risks
– Capture identified risks
– Estimate their probability of occurrence and impact
– Rank the risks based on the above information.
• These variables may increase or decrease the risk posed by a particular customer or transaction, for example:
– The level of regulation or governance regime to which a customer is subject. (A customer located in a highly regulated jurisdiction poses less risk than a customer located in a low risk jurisdiction)
– Type of the entity: publicly owned entities pose less risk than private entities
– The use of intermediaries = Anonymity
High risk products and services
Examples
The following examples are a sample of high risk products that are vulnerable to ML & TF:
– Facilitate a higher degree of anonymity
– Involve the handling of high volume of currency.
– Rapid transactions speed
– Wide geographic availability
High risk products and services
Examples
• Wire transfers:
• Correspondent Banking: (Factors to consider)
– Account purpose
– Location of the respondent bank
– Nature of the banking license
– The respondent money laundering detection and prevention controls
– The respondent bank regulation and supervision in its country
Break Time
Red Flags
Sudden and inconsistent change in account activity or a concerning pattern
A business account had sudden excessive cash activity inconsistent with past behavior. No checks were made to suppliers or received from customers; the company is not known by local competitors. The business address is a residential apartment and the phone number on file communicates with a fax machine.
Frequent foreign wires to/from higher risk countries
A charitable organization had hundreds of thousands of dollars coming into their account via settlement of credit card transactions. Wires were sent to individuals and entities in high risk countries; foreign counter parties were limited and could not be traced or identified. The purpose of the charity could not be identified and it was determined that the organization was operated out of a residential apartment.
Red Flags
Absence of cash with a cash intensive business account
A business customer that operates a restaurant/grill receives only deposited checks into its account. Deposits consisted of checks from different businesses/individuals payable to different parties.
Following the deposits were ACH debit transfers to another bank. There were no cash deposits made into account, which is inconsistent with the type of business.
Case Study - Background
An offshore financial institution incorporated in Bermuda is looking to provide a structured finance loan to a group of investors.
The country into which the funds will flow and in which the project will be carried out are the Ivory Coast and Middle Eastern countries.
The sector in which the transaction is due to take place is the construction sector and therefore inherently a high money laundering risk.y g y g
It is unclear whether the directors and shareholders of the company are the beneficial owners.
Rumours have been identified in the public record suggesting that the two businessmen and the company are linked to a PEP and that the foreign bank involved in the transaction is a pocket bank of the same PEP.
Case Study - Background
The transactional structure presented by the customer is very complex and the reasoning behind the complexity and non-transparency is unclear.
A number of companies within the structure have not yet been incorporated and are “work-in progress”.
Case Study – Results of Risk-Scoring
Customer Risk
•Overall background and reputation
•Business interests and practices
•Business associates and networks
•Political Affiliations (PEPs)
•Beneficial ownership and control
•Source of funds
Country Risk
•Known for weak AML rules
•Known for terrorist financing, smuggling & other money laundering activities
Sector Risk
•Real Estate
Product Risk
•Structured Finance
•Complex transaction
Case Study - Approach
The scope of research should be divided into two phases:
Phase I - involve public record research into all parties (individuals and companies) involved. This also included an overview of the business networks and associations of the businesses and the individuals.
Phase II - given the low profile of the individuals that could be available in public records, a series of discreet enquiries within the local business communities in which the individuals are active should be undertaken in order to ascertain their overall business reputation and to ascertain whether there is indeed any substance to the allegations of their business being a front-operation for a PEP.
Case Study – Results of Risk-Scoring
Enhanced CDD – Level 4
Simplified CDD Level 1 - Tick-box / Red-Flag Check
Limited CDD Level 2 - Public Record Research
Standard CDD Level 3 - Public Record Research, Limited Source Enquiries
Enhanced CDD Level 4 - In-depth Public Record Research & Enquiries, Specific issues
The Risk-based approach requires a levelled approach to CDD
Customer Risk Matrix
Products/Services Used
Customer Type | Deposit Account | Unsecured Loan/Credit Cards | Wire Transfer | Private Banking | Trust Services
PEP | Moderate | Moderate | High | Highest | Highest
High Net Worth | Moderate | Moderate | High | Highest | Highest
High Risk Nationality | Moderate | Moderate | High | High | High
High Risk Industry | Moderate | Moderate | Moderate | Moderate | Moderate
Cash Intensive Business | Normal | Moderate | High | Moderate | Moderate
Salaried Employee | Normal | Normal | Normal | Normal | Normal
Independent Consultant/Individual Entrepreneur | Moderate | Normal | Normal | Normal | Normal
Unemployed | Moderate | Moderate | Moderate | Moderate | Moderate
Charity | Moderate | High | High | High | High
Account Opening Policies
Customer Risk Rating | Applicable Policies
Normal
•Presentation of valid original identity documents
•Establish purpose of account
•Establish source of funds
•Retain copies
•Check against UN and other watch lists
Moderate
•Above plus …
•Send registered letter to customer at provided address. Retain signed return receipt.
High
•Above plus …
•Independent verification of account opening documents
•Verification of source of funds
•Interview with bank officer
•Visit by bank officer to customer home/business
•Approval from branch manager
•Updating of account information/documents every twelve months
Highest
•Above plus …
•Updating of account documents every six months
•Approval from CEO
Transaction Type Risk Matrix
Customer Risk Rating | Offshore Wire Transfer | Wire Transfer to High Risk Jurisdiction | Cash deposit under threshold/structuring transactions | Large Cash Deposit | Forex | Early Loan Repayment
Normal | Standard | Standard | Standard | Enhanced | Standard | Standard
Moderate | Enhanced | Enhanced | Enhanced | Enhanced | Enhanced | Enhanced
High | Severe | Severe | Enhanced | Enhanced | Enhanced | Enhanced
Highest | Severe | Severe | Severe | Enhanced | Enhanced | Enhanced
Transaction Execution/Monitoring Policy
Transaction Risk Rating | Applicable Policies
Standard
•Teller/staff monitoring
•Automated system monitoring
Enhanced
•Customer explanation for transaction
•Compliance Officer Approval for execution
Severe
•CEO Approval for execution
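The four slides above (customer risk matrix, account opening policies, transaction type risk matrix, transaction policy) chained into one decision. This is an added example, not part of the presentation: the cell values are transcribed from the slides, while the function names, taking the highest rating across a customer's products, and rejecting unknown inputs instead of defaulting to Normal are assumptions.

```python
RATING_ORDER = ["Normal", "Moderate", "High", "Highest"]
N, M, H, X = RATING_ORDER

PRODUCTS = ["Deposit Account", "Unsecured Loan/Credit Cards", "Wire Transfer",
            "Private Banking", "Trust Services"]
CUSTOMER_MATRIX = {
    "PEP": [M, M, H, X, X],
    "High Net Worth": [M, M, H, X, X],
    "High Risk Nationality": [M, M, H, H, H],
    "High Risk Industry": [M, M, M, M, M],
    "Cash Intensive Business": [N, M, H, M, M],
    "Salaried Employee": [N, N, N, N, N],
    "Independent Consultant/Individual Entrepreneur": [M, N, N, N, N],
    "Unemployed": [M, M, M, M, M],
    "Charity": [M, H, H, H, H],
}
OPENING_POLICIES = {
    N: ["Presentation of valid original identity documents", "Establish purpose of account",
        "Establish source of funds", "Retain copies", "Check against UN and other watch lists"],
    M: ["Send registered letter to customer at provided address. Retain signed return receipt."],
    H: ["Independent verification of account opening documents",
        "Verification of source of funds", "Interview with bank officer",
        "Visit by bank officer to customer home/business", "Approval from branch manager",
        "Updating of account information/documents every twelve months"],
    X: ["Updating of account documents every six months", "Approval from CEO"],
}
TRANSACTIONS = ["Offshore Wire Transfer", "Wire Transfer to High Risk Jurisdiction",
                "Cash deposit under threshold/structuring transactions",
                "Large Cash Deposit", "Forex", "Early Loan Repayment"]
S, E, V = "Standard", "Enhanced", "Severe"
TRANSACTION_MATRIX = {
    N: [S, S, S, E, S, S],
    M: [E, E, E, E, E, E],
    H: [V, V, E, E, E, E],
    X: [V, V, V, E, E, E],
}
TRANSACTION_POLICIES = {
    S: ["Teller/staff monitoring", "Automated system monitoring"],
    E: ["Customer explanation for transaction", "Compliance Officer Approval for execution"],
    V: ["CEO Approval for execution"],
}


def customer_rating(customer_type, products):
    """Highest matrix cell across the products the customer uses (assumption)."""
    if customer_type not in CUSTOMER_MATRIX:
        raise ValueError(f"unrated customer type: {customer_type!r}")  # never default to Normal
    if not products:
        raise ValueError("at least one product is required")
    row = CUSTOMER_MATRIX[customer_type]
    cells = []
    for product in products:
        if product not in PRODUCTS:
            raise ValueError(f"unrated product: {product!r}")
        cells.append(row[PRODUCTS.index(product)])
    return max(cells, key=RATING_ORDER.index)


def opening_policies(rating):
    """Account opening policies are cumulative: each level is 'Above plus ...'."""
    level = RATING_ORDER.index(rating)
    return [p for r in RATING_ORDER[:level + 1] for p in OPENING_POLICIES[r]]


def assess(customer_type, products, transaction):
    """Resolve customer rating, opening policies and the controls for one transaction."""
    if transaction not in TRANSACTIONS:
        raise ValueError(f"unrated transaction type: {transaction!r}")
    rating = customer_rating(customer_type, products)
    tx_rating = TRANSACTION_MATRIX[rating][TRANSACTIONS.index(transaction)]
    return {"customer_rating": rating,
            "opening_policies": opening_policies(rating),
            "transaction_rating": tx_rating,
            "transaction_policies": TRANSACTION_POLICIES[tx_rating]}


if __name__ == "__main__":
    print(assess("Charity", ["Deposit Account", "Wire Transfer"], "Offshore Wire Transfer"))
```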
Continuous Control Monitoring
Business Process Areas
• Customer Profile
• Customer Performance
• Daily Transactions
• Transaction Activities: Cash (In-Out), Inward Swift, Outward Swift, Bank Drafts, Clearing, Transfer A/C to A/C
Specific Compliance
• Daily AML & Compliance Monitoring
• Statistics
• AML & Compliance
• Currency Transaction Reporting Analysis
• Suspicious Activity Reporting Analysis
• Terrorist Reporting Analysis
• KYC Analysis
Analysis of data collected
• Building
• Scenarios
• Pattern Matching
• Unusual Behavior
• Trend Analysis
Case Study – The Brief
Aware of the provision of guidelines in terms of the documentation & verification required in order for the Bank to be compliant with the money laundering legislation the Bank is subject to.
Based on the guidelines the issues which needed to be addressed should be defined.
Based on the issues defined research and enquiries in all the relevant jurisdictions should be undertaken.
Case Study – Expected Outcome
On the basis of the enhanced CDD that should be undertaken, the Bank could cross-reference the information provided by the customer to verify the claims made by the customer independently
Could confirm the identity of the beneficial owner and determine the reasoning behind the complex transactional structure
The Bank would be in a position to disprove any rumours which had been voiced about links and front operations for a PEP
The exercise provides a complete and comprehensive documentation trail and supporting case within the scope of the CDD process
The exercise enables the Bank to decide on the level of ongoing monitoring, given the risks are classified as high.
Enhanced Risk Assessment Methodology
Conduct detailed analysis of each category
Five categories: Purpose of Account; Activity in Account; Nature of the business; Location; Products and Services used
Assess Risk
Compliance Customer’s Risk Rating
Customer/Account Information | Risk Factor Review | Risk Value
8. Account Debit Activity - Estimate monthly volume for all accts, please ensure percentages total 100%
Customer/Account Information:
_____% cash
_____% checks
_____% currency exchange
_____% ACH
_____% purchase official checks, money orders, etc.
_____% domestic wire transfers
_____% foreign wire transfers: LIST COUNTRIES BELOW
100%
Risk Factor Review | Risk Value:
Volume/velocity consistent with nature of business | 0
Purchasing monetary instruments | 1
Foreign Swift transfers (repetitive) | 1
Foreign Swift transfers (walk-in) | 2
Foreign Swift transfers to high risk countries (NCCT list, OFAC, SIC) | 5
Domestic Swift transfers | 1
New Customer - Compare anticipated debit volume with other similar businesses in the area. Additional investigation should be conducted to explain any unusual business factors.
Existing Customer - Compare historical deposit volume and velocity with other similar businesses in the area. Additional investigation should be conducted to explain significant discrepancies.
TOTAL RISK
Business/Commercial Customer Risk Weighting Score
NOTE: Compliance or Risk Management staff may modify the risk rate for a customer based on confidential information such as filing of SAR, receipt of criminal subpoena, etc.
-23 to +4 = Low Risk (L)
+5 to +14 = Moderate Risk (M)
+15 to +29 = High Risk (H)
+30 and > = Extreme (E) Management Approval Req'd
Compliance Customer’s Risk Rating
Customer/Account Information | Risk Factor Review | Risk Value
6. Nature of Business Services (be specific)
NAICS Code for principal line of business:
Risk Factor Review | Risk Value:
Money service business (see MSB section on page 2) | +15
Brokered deposit relationship | 30
Cash intensive business (see Question 9 for list) | 10
ATM owner/operator | 10
Customer qualifies as Phase I exempt person | -15
Customer is exempted as Phase II exempt person | -5
7. Account Deposit Activity - Estimate monthly volume for all accts, please ensure percentages total 100%.
Customer/Account Information:
Total Deposits: $ ________________
_____% cash
_____% checks
_____% currency exchange
_____% ACH
_____% purchase official checks, money orders, etc.
_____% domestic wire transfers
_____% foreign wire transfers: LIST COUNTRIES BELOW
100%
Risk Factor Review | Risk Value:
Volume/velocity consistent with nature of business | 0
Purchasing monetary instruments | 1
Foreign swift transfers (repetitive only) | 1
Foreign swift transfers (repetitive and/or walk-in) | 2
Foreign swift transfers to high risk countries (NCCT list, SIC, OFAC) | 5
Domestic Swift transfers | 1
New Customer - Compare anticipated deposit volume with other similar businesses in the area. Additional investigation should be conducted to explain any unusual business factors.
Existing Customer - Compare historical deposit volume and velocity with other similar businesses in the area. Additional investigation should be conducted to explain significant discrepancies.
Compliance Customer’s Risk Rating
Columns: Customer/Account Information; Risk Factor Review; Risk Value
8. Account Debit Activity - Estimate monthly volume for all accts, please ensure percentages total 100%
Customer/Account Information:
_____% cash
_____% checks
_____% currency exchange
_____% ACH
_____% purchase official checks, money orders, etc.
_____% domestic wire transfers
_____% foreign wire transfers: LIST COUNTRIES BELOW
100% (total)
Risk Factor Review (Risk Value):
• Volume/velocity consistent with nature of business: 0
• Purchasing monetary instruments: 1
• Foreign Swift transfers (repetitive): 1
• Foreign Swift transfers (walk-in): 2
• Foreign Swift transfers to high risk countries (NCCT list, OFAC, SIC): 5
• Domestic Swift transfers: 1
New Customer - Compare anticipated debit volume with other similar businesses in the area. Additional investigation should be conducted to explain any unusual business factors.
Existing Customer - Compare historical deposit volume and velocity with other similar businesses in the area. Additional investigation should be conducted to explain significant discrepancies.
TOTAL RISK
Business/Commercial Customer Risk Weighting Score
-23 to +4 = Low Risk (L)
+5 to +14 = Moderate Risk (M)
+15 to +29 = High Risk (H)
+30 and > = Extreme (E) Management Approval Req'd
NOTE: Compliance or Risk Management staff may modify the risk rate for a customer based on confidential information such as filing of SAR, receipt of criminal subpoena, etc.
Enhanced Risk Assessment Methodology
Identify specific risk categories:
• Product and Service Risk
• Customer Risk
• Geographic Risk
[Diagram: Identify Risk Categories → Assess Quantity of Risk → Assess Quality of Risk → Action Plans. Other labels: Quantity of Risk, Quality of Risk, Risk Response (controls), Response Effectiveness, Analysis, Impact, Actions]
Best Practices Framework
[Diagram labels: AML Risk Assessment; Risk Profile; Corporate Governance; Written Procedures; Policies; Program Management; Project Planning/Execution; Risk-Based Customer Due Diligence; Risk-Based Customer Transactions; Investigations & Reporting; Single Customer View Data; Independent Audit; Training/Self Testing]
Case Study: The United Nations
A FAMILY-RUN BUSINESS
Case Study: The United Nations
Kofi Annan, Leo Mugabe, Kojo Annan, Hani Yamani, Kojo Amoo
Kojo Annan
• Son of Kofi Annan (Secretary General-UN) from first marriage
• Worked for SGS/Cotecna (given UN deal to enforce sanctions in Iraqi ports)
• Moved on to start own company, Sutton Investments
• Sutton part of consortium with Air Harbour Technologies & Leo Mugabe (nephew of Robert Mugabe, Pres of Zimbabwe)
• Air Harbour owned by Hani Yamani (son of Sheikh Yamani, Saudi Oil Min.)
• Consortium won bid valued in $100s of millions to build Zimbabwe airport
• Kojo Amoo-Gottfried, Ghana Ambassador to UN (nephew of Kofi)
Risk: Customer/Business Type
Identifying PEPs
How do you determine whether an account holder is a PEP?
• Seek information directly from the individual
• Review sources of income including past and present employment history and references from professional associates
• Review public sources of information (e.g. databases, newspapers, etc.)
• CIA's online directory of “Chiefs of State and Cabinet Members of Foreign Governments” http://www.odci.gov/cia/publications/chiefs/index.html
• Transparency International Corruption Perceptions Index
• Private vendors (e.g. World Compliance/ Regulatory DataCorp (RDC), Factiva, and WorldCompliance)
Risk: Customer/Business Type
Identifying PEPs (Cont.)
FATF Recommendations for PEPs:
Determine whether a customer is a PEP
Obtain senior management approval for establishing relationship
Establish source of wealth of funds
Conduct ongoing monitoring of relationship
Risk: Customer/Business Type
Examples of Black Lists
OFAC: Office of Foreign Assets Control lists: Specially Designated Nationals; Weapons of Mass Destruction; Blocked Countries
BIS: Bureau of Industry & Security - Issued by the United States
BOE: Bank of England
CSSF: Commission de Surveillance du Secteur Financier - Luxembourg
SECO: Secretariat d’Etat a l’economie – Switzerland
UN: United Nations: Al-Qaida & Taliban; Iraq; Liberia
MAS: Monetary Authority of Singapore
EU: EU Regulations
FATF: Financial Action Task Force
Other: Vendor (e.g. SIDE-OFAC/World Check Lists) and internal Lists
Summary
– Risk-scoring defines the level of CDD required
– Beneficial Ownership and PEPs are key
– Advantages:
• Institutions can mitigate their own risk exposure through the risk-based approach and risk exposure
• Risk-Scoring also enables institutions to develop benchmarks and risk rating parameters
For additional clarifications, please call: +961 1 787049
Bashir A. El-Nakib, CAMS, ACFE, CFAP