sanctions and strategy: risk measurements, data and...

© 2016 Protiviti Inc. CONFIDENTIAL: An Equal Opportunity Employer M/F/D/V. This document is for your company's internal use only and may not be copied nor distributed to another third party. SEPTEMBER 19, 2016 ACAMS NJ CHAPTER SANCTIONS AND STRATEGY: RISK MEASUREMENTS, DATA AND METRICS TO MEASURE, COMMUNICATE & MITIGATE RISKS


Page 1: SANCTIONS AND STRATEGY: RISK MEASUREMENTS, DATA AND ...files.acams.org/pdfs/2016/CENNJ09192016_Presentation.pdf · • Lead U.S. Economic Sanctions Engagement conducting and coordinating


OUR PRESENTER


Joseph F. Hanvey
Director, New York, NY

Direct: +1 908.400.5192
Mobile: +1 908.400.5192
Email: [email protected]


AREAS OF EXPERTISE
• Anti-Money Laundering
• Economic Sanctions
• Regulatory Compliance
• Financial Services Operations

INDUSTRY EXPERTISE
• Financial Services
• Capital Markets
• International Banking

EDUCATION
• B.A. – St. John’s University, New York

PROFESSIONAL EXPERIENCE
Joe Hanvey is a Director with Protiviti in the firm’s Regulatory Risk Consulting practice, assisting financial institution clients on regulatory and risk management issues with a focus on Bank Secrecy Act (BSA), Anti-Money Laundering (AML), and Economic Sanctions. Joe has extensive experience leading international engagements assisting financial institutions in responding to formal and informal enforcement actions by banking supervisors and U.S. authorities. Working with financial institutions subject to regulatory agreements, Joe has developed, enhanced and submitted BSA/AML and Economic Sanctions compliance programs for regulatory submission, resulting in subsequent implementation for international financial institutions with wholesale banking, insurance, securities and investment advisory business activities.

Joe joined Protiviti in 2014 after working previously as a Senior Manager for over 5 years with a large Financial Services Consulting Company, leading BSA/AML and Sanctions engagements for domestic and international complex banking organizations, and previously serving as the Head of AML for Nomura Securities International, Inc., responsible for the business operations for the Americas. Joe also served as the designated BSA/AML Officer for Canadian Imperial Bank of Commerce, responsible for U.S. operations, which included oversight of the institutional securities activities in the U.S. and retail operations in Tel Aviv. He is a former examiner with FINRA (legacy NASD), where he was a lead participant in the SEC’s June 2001 AML Sweeps, and is also the founder and former chair of the AML Strategic Leadership Group, a financial services industry group created in October 2002 bringing together over 1900 domestic and international industry leaders. Joe currently maintains an active security clearance with a focus on Threat Finance.

PRINCIPAL AREAS OF PRACTICE
• Lead U.S. Economic Sanctions Engagement conducting and coordinating on-site testing of sanctions screening, monitoring and governance controls for business operations in U.S., U.K., Singapore, Germany and additional international locations.

• Developed a Global Targeting Operating Model of a BSA/AML and OFAC Compliance Program for an international complex banking organization in response to regulatory enforcement actions.

• Managed a cross-border project conducting assessments of BSA/AML and Sanctions Compliance Processes and assisted the bank in developing enterprise-wide enhancements to the bank’s Policies and Procedures.

• Designed the BSA/AML and OFAC Testing Audit Program for the U.S. Operations of an International Bank for regulatory review and, subsequently, conducted the BSA/AML and OFAC Testing following approval.

• Managed a wide variety of anti-money laundering projects assisting clients in enhancing surveillance and monitoring programs, due diligence controls, metrics and analytics reports, wire analysis screening, and risk assessments.


SANCTIONS AND STRATEGY


SANCTIONS AND STRATEGY (CONT.)


SANCTIONS AND STRATEGY (CONT.)


ABOUT OUR DISCUSSION


SOURCE: UNCERTAIN

MEASURING, COMMUNICATING AND MITIGATING RISKS


MEASURING, COMMUNICATING AND MITIGATING RISKS (CONT.)


Gathering metrics and establishing parameters and weightings to measure and manage risk can be done through generation of a Risk Index Score based on changes in risk factor outcomes.

Time-oriented measures (past, present, future) should be used to extrapolate future-oriented compliance, operational and reputational risk measures.

Visibility of increasing risk and corresponding mitigating controls should be established, allowing management to understand, review and decide on shifts in performance of underlying compliance, operational and reputational risk factors.

Am I Riskier Today than I was Yesterday?

Is My Risk Increasing?

What are the Underlying Causes?

Risk monitoring is an ongoing and continual assessment process. For a financial institution, capital risk is measured with each transaction and, similarly, compliance risks should also be monitored for changes in the business environment as the impact of compliance risks changes over time. The following three risks are at the very heart of every compliance concern:


MEASURING, COMMUNICATING AND MITIGATING RISKS (CONT.)


Am I Riskier Today than I was Yesterday?

Is My Risk Increasing?

• Transaction Monitoring: considers the coverage of customers and products and the comprehensiveness of rules and scenarios

• BSA Recordkeeping and Retention: considers compliance with BSA reporting requirements, wire transfer information, and procedures for safeguarding the information/documentation

• Investigation and Suspicious Activity Reporting: considers the investigations and escalation processes, timeliness of SAR filing, and quality assurance processes

• Customer Due Diligence: considers the policies, procedures and controls for Customer Due Diligence, client risk rating methodology, and counter-party risks

• Sanctions: considers the screening thresholds, transaction monitoring, due diligence controls, training and testing

Utilizing Existing Data and Technology Platforms to Measure, Communicate and Mitigate Risks in your Bank Secrecy Act (“BSA”) / Anti-Money Laundering (“AML”) and Sanctions Programs:

• What data is currently available to us?

• What data is still needed?

• What is an acceptable level of data quality, and who is ultimately responsible for ensuring data is delivered at that quality?

• How will we keep this data updated, and respond to changing systems and technology across the institution?

• Where does Bank Secrecy Act (BSA)/Anti-Money Laundering (AML) and Office of Foreign Assets Control (OFAC) fit into the technology hierarchy?


INFORMATION NEEDS THROUGHOUT A FINANCIAL INSTITUTION


REGULATORY EXPECTATIONS INFORMATION REQUIREMENTS

• Understand risk issues
• Review/approve policies, risk strategies & tolerances
• Monitor risk management process/results
• Determine strategic intent

• Sustain business/risk strategies & policies
• Allocate capital
• Review/approve policies, management & processes
• Establish and monitor accountabilities
• Monitor internal/external events
• Review/approve risk strategies/tolerances
• Build risk management infrastructure
• Monitor and drive Business Risk Management Plan
• Align compliance and compensation

• Sustain policies & procedures
• Create assessment tools & measurement methodologies
• Demonstrate knowledge in specific risks
• Responsive risk strategies
• Monitor risk management process & results
• Escalate and track issues
• Provide performance assurance & drive continuous sustainability

• Execute Business Risk Management Plan
• Identify, source, & measure risks
• Apply control resources
• Identify & correct control gaps
• Provide timely management reporting
• Escalate and resolve issues

[Organization chart labels: Board; CEO; CFO, CIO, CTO, COO; CLO, HR, CRO; 1st Line; 2nd Line; 3rd Line; Affiliates & subsidiaries; Risk Mgmt; Risk Mgmt Committees; Internal Audit; Support Functions]


INFORMATION NEEDS THROUGHOUT A FINANCIAL INSTITUTION (CONT.)


Program areas: Customer Due Diligence; Transaction Monitoring; Investigations and Suspicious Activity Reporting; BSA Recordkeeping and Reporting; Sanctions

Risk categories: Operational; Compliance; Reputational

• Analyst productivity and length of reviews.
• Communicating with LoB, analyst coverage and QC reviews.
• Resources capable of managing risk?
• FTEs managing current and remedial activities?
• Sustaining environment, reporting risks and backlogs.
• Controls effective and sustainable?
• Ratio of higher risk activities to overall activities?
• Are risks identified, escalated and decisioned?
• Reporting current and anticipated backlogs and risk concerns.

[Diagram labels: Information Needs; Management; Control Persons; Senior Leadership; Communication Model; Control Effectiveness; Operational Monitoring; Risk Strategy]

A financial institution must develop and maintain a sound compliance management system that is integrated into the overall risk management strategy of the institution. However, financial institutions face multiple challenges with respect to obtaining and leveraging the right metrics. To ensure the right metrics are being utilized, a well-defined governance framework must be established, along with clearly articulated roles and accountability to meet regulatory requirements.


CUSTOMER DUE DILIGENCE


The concept of Customer Due Diligence (CDD) begins with verifying the customer’s identity and assessing the risks associated with that customer. The objective of CDD should be to enable the bank to predict with relative certainty the types of transactions in which a customer is likely to engage. These processes assist the bank in determining when transactions are potentially suspicious. ~ (FFIEC)

With the ultimate focus on monitoring account behavior, there are several ways to monitor accounts that require extra due diligence. These range from acquiring more information about account holders to analyzing their international transfers and trades.

We are familiar with the information that needs to be collected, including purpose of accounts, source of funds, ownership/control over account, banking references, location of business, proximity to customer, international trades from account, description of business operations/anticipated volume of currency and product use, customer follow-up to understand changes in account behaviors, and establishing the expected/anticipated pattern of account.


TRANSACTION MONITORING


Regulatory Enforcement: In one 2012 and another 2013 Consent Order between the Office of the Comptroller of the Currency (OCC) and large financial institutions, the OCC required banks to establish “sufficient management information and metrics to manage and adjust the system”.

Industry Practices: In 2010 written testimony delivered to the Permanent Subcommittee on Investigations, a compliance officer provided background on their bank’s monitoring of Fraud and AML, representing that metrics are used in that monitoring.


INVESTIGATIONS AND SUSPICIOUS ACTIVITY REPORTING


Metrics should serve to control and proactively monitor risk and to assess the effectiveness of investigation and reporting controls. Typical key performance measures would include assignment and aging reporting, and other relevant data assessing an analyst’s alert handling and investigation response time.

In 2013, the U.S. Senate’s Committee on Banking, Housing, and Urban Affairs held a hearing on Examining Bank Secrecy Act Compliance and Enforcement. In response to written questions received regarding FTE reductions, the OCC Comptroller reported that compliance management metrics failed to point out the risk of declining staff, and banks often cut staff while making the case that system enhancements permit efficiencies. It is something we now pay closer attention to and expect the banks to have better MIS to provide early warning internally when staff cannot keep pace with workload or quality.


BSA RECORDKEEPING AND REPORTING


The BSA recordkeeping requirements include the requirement that a financial institution’s records be sufficient to enable transactions and activity in customer accounts to be reconstructed if necessary as these records and reports have a high degree of usefulness in criminal, tax, and regulatory investigations or proceedings.

Additional reporting requirements include Currency Transaction Reports and Exemptions (CTR), Form 8300, Report of International Transportation of Currency or Monetary Instruments (CMIR), and Reports of Foreign Bank and Financial Accounts (FBAR).

Recordkeeping requirements include the Funds Transfer and Travel Rule Requirements, and Recordkeeping Requirements for the Purchase and Sale of Monetary Instruments.

In 2008 guidance, the Board of Governors of the Federal Reserve System (FRB) issued SR 8-08, clearly outlining their expectation that a firm-wide sustainable compliance function be established that includes identifying and responding to changes in risk profile based on business activities.


SANCTIONS


Treasury Strategic Objective 4.4 (Protect the integrity of the financial system by implementing, promoting, and enforcing anti-money laundering and counterterrorism financing standards): TFI administered and enforced economic and trade sanctions based on U.S. foreign policy and national security under Treasury authorities. In order to gauge its performance, TFI created a risk index composite measure. It met its performance target (8.3) on this measure in FY 2013; the goal for this metric is 8.5 for FY 2014 and 8.5 for FY 2015.

In August 2014, the FDIC, in response to FDIC OIG Audit 14-009, indicated that they were considering the adoption of new metrics and greater use of data analytics to facilitate the identification of BSA/AML problems at institutions.


SANCTIONS (CONT.)


Risk Indicator Example

Sanction Risks must be Tracked and Resolved

• In one 2015 OFAC action, it was reported that several employees who had responsibilities for a particular client assumed that once the entity was designated, then all of its subsidiaries and related entities are treated as one customer group, and as such, required to be designated. However, while knowledge existed, controls weren’t updated.


SANCTIONS AND THEATRE


UNDERSTANDING PURPOSE

Unilateral


“A nation that is boycotted is a nation that is in sight of surrender. Apply this economic, peaceful, silent, deadly remedy and there will be no need for force. It is a terrible remedy. It does not cost a life outside the nation boycotted but it brings a pressure upon the nation which, in my judgement, no modern nation could resist”

Prevent War, Foreshadow It or Accompany It?


UNDERSTANDING POLITICS

Political


Fidel Castro had two relatives sitting in Congress as Members of the House of Representatives:

• Mario Rafael Diaz-Balart (25th district FL, Miami) (1961, Ft. Lauderdale)

• Lincoln Diaz-Balart (21st District – FL, Miami) (1954, Cuba)

Mother is Mirta, Fidel’s first wife (their Father’s sister)


UNDERSTANDING REACH

“Extraordinary broadness of OFAC’s interpretation of “property interest,” has been repeatedly confirmed in federal court.”

Tangible or Intangible


UNDERSTANDING INDUSTRY

Lary v. Republic of Cuba
United States Court of Appeals, Second Circuit.
February 27, 1987
S.D.N.Y., 643 F. Supp. 194

Paradissiotis v. Rubin
United States Court of Appeals, Fifth Circuit.
Chris PARADISSIOTIS, Plaintiff-Appellant, v. Robert E. RUBIN, Secretary of the United States Department of Treasury; et al., Defendants, Robert E. Rubin, Secretary of the United States Department of Treasury; R. Richard Newcomb, Director of the Office of Foreign Assets Control, Defendants-Appellees.
April 1, 1999

Present or Future


EVIDENCING AND TESTING

Townshend Acts

Behavioral Changes


Series of acts passed and named after Charles Townshend, the Chancellor of the Exchequer, who proposed the program.


OFAC CONSIDERATIONS: PROCESSORS

OFAC does not have a set requirement identifying specific data to be screened or the type of information required to be screened. Third-party service providers (TPSPs), such as payment processors, can provide additional visibility on user activity.

Industry practices continue to be strengthened around payment processors, third party providers, vendors and other intermediaries as a result of guidance from various regulators and financial services industry groups, including the Financial Crimes Enforcement Network advisory FIN 2012 A010 issued in 2012.

Specifically, Due Diligence and OFAC Screening are expected to be conducted on all counterparties to assess 1) types of products and services offered, 2) location(s) and market(s) served, 3) anticipated account activity, and 4) purpose of the account.

Source: Conference of State Bank Supervisors, Third Party Payment Processors Requirements

[Diagram labels: Merchants; Developers; Consumers; Third Party Processor]


SENDER COUNTRY MOTIVES


Source: Economic Sanctions Reconsidered

Country | Target | Goal | First year | Last year
UNITED STATES | JAPAN | Shipping for Allies | 1917 | 1918
UNITED STATES | MEXICO | Expropriation dispute | 1938 | 1947
UNITED STATES | GERMANY, (JAPAN) | Regime change | 1939 | 1945
UNITED STATES | GERMANY, (JAPAN) | Military victory | 1939 | 1945
UNITED STATES | JAPAN | Withdraw from Southeast Asia | 1940 | 1941
UNITED STATES | (GERMANY), JAPAN | Regime change | 1941 | 1945
UNITED STATES | (GERMANY), JAPAN | Military victory | 1941 | 1945
UNITED STATES | ARGENTINA | Destabilize Peron | 1944 | 1947
UNITED STATES | NETHERLANDS | Recognize Indonesia | 1948 | 1949
UNITED STATES | USSR, COMECON | Impair military potential | 1948 | 1994
UNITED STATES | CHINA | Impair military potential | 1949 | 1970
UNITED STATES | CHINA | Military disruption, Korea | 1950 | 1953
UNITED STATES | NORTH KOREA | Regime change | 1950 | --
UNITED STATES | NORTH KOREA | Military impairment | 1950 | --
UNITED STATES | IRAN | Destabilize Mussadiq | 1951 | 1953
UNITED STATES | NORTH VIETNAM | Military impairment | 1954 | 1974
UNITED STATES | EGYPT | Suez nationalization | 1956 | 1956
UNITED STATES | ISRAEL | Intermittent, various | 1956 | 1983
UNITED STATES | LAOS | Destabilization | 1956 | 1962
UNITED STATES | UNITED KINGDOM | End Suez intervention | 1956 | 1956
UNITED STATES | CUBA | Destabilize Castro | 1960 | 1989


Interest in Outcome

Country | Target | Goal | First year | Last year
UNITED STATES | CUBA | Disruption of military adventures | 1960 | 1989
UNITED STATES | DOMINICAN REPUBLIC | Destabilize Trujillo | 1960 | 1962
UNITED STATES | CEYLON | Expropriation dispute | 1961 | 1965
UNITED STATES | GDR | Berlin Wall | 1961 | 1962
UNITED STATES | BRAZIL | Expropriation, destabilization | 1962 | 1964
UNITED STATES | EGYPT | Military disruption, Yemen, Congo | 1963 | 1965
UNITED STATES | INDONESIA | Regime change | 1963 | 1966
UNITED STATES | INDONESIA | End "Crush Malaysia" | 1963 | 1966
UNITED STATES | SOUTH VIETNAM | Destabilize Diem | 1963 | 1963
UNITED STATES | CHILE | Reduce copper price | 1965 | 1966
UNITED STATES | INDIA | Agriculture policy | 1965 | 1967
UNITED STATES | PERU | French fighter jets | 1968 | 1968
UNITED STATES | PERU | Expropriation | 1968 | 1974
UNITED STATES | CHILE | Destabilize Allende | 1970 | 1973
UNITED STATES | (INDIA), PAKISTAN | Military disruption, Pakistan | 1971 | 1971
UNITED STATES | INDIA, (PAKISTAN) | Military disruption, Pakistan | 1971 | 1971
UNITED STATES | UGANDA | Destabilize Amin | 1972 | 1979
UNITED STATES | SOUTH KOREA | Human rights | 1973 | 1977
UNITED STATES | TURKEY | Military disruption, Cyprus | 1974 | 1978
UNITED STATES | CHILE | Human rights, Letelier | 1975 | 1990
UNITED STATES | KAMPUCHEA | Human rights, deter Viets | 1975 | 1979

SENDER COUNTRY MOTIVES (CONT.)


Inform Decision-making

Country | Target | Goal | First year | Last year
UNITED STATES | NORTH VIETNAM | Account for MIAs, withdrawal from Cambodia | 1975 | 1998
UNITED STATES | SOUTH AFRICA | Nuclear policy | 1975 | 1982
UNITED STATES | SOUTH KOREA | Nuclear proliferation | 1975 | 1976
UNITED STATES | USSR | Freer emigration | 1975 | 1994
UNITED STATES | ARAB LEAGUE | Antiboycott | 1976 | --
UNITED STATES | TAIWAN | Nuclear policy | 1976 | 1977
UNITED STATES | URUGUAY | Human rights | 1976 | 1981
UNITED STATES | ARGENTINA | Human rights | 1977 | 1983
UNITED STATES | BRAZIL | Human rights | 1977 | 1984
UNITED STATES | EL SALVADOR | Human rights | 1977 | 1981
UNITED STATES | ETHIOPIA | Human rights, expropriation | 1977 | 1992
UNITED STATES | GUATEMALA | Human rights | 1977 | 2005
UNITED STATES | NICARAGUA | Destabilize Somoza | 1977 | 1979
UNITED STATES | PARAGUAY | Human rights | 1977 | 1981
UNITED STATES | ARGENTINA | Nuclear policy | 1978 | 1982
UNITED STATES | BRAZIL | Nuclear policy | 1978 | 1981
UNITED STATES | INDIA | Nuclear policy | 1978 | 1982
UNITED STATES | LIBYA | Destabilize Gadhafi | 1978 | 2004
UNITED STATES | LIBYA | Nuclear proliferation | 1978 | 2004
UNITED STATES | USSR | Human rights (dissidents) | 1978 | 1980
UNITED STATES | BOLIVIA | Human rights, drugs | 1979 | 1982

SENDER COUNTRY MOTIVES (CONT.)


Without Military Force

| Country | Target | Goal | First year | Last year |
|---|---|---|---|---|
| UNITED STATES | IRAN | Return hostages | 1979 | 1981 |
| UNITED STATES | PAKISTAN | Nuclear policy | 1979 | 1997 |
| UNITED STATES | IRAQ | Terrorism | 1980 | 2003 |
| UNITED STATES | USSR | Invasion of Afghanistan | 1980 | 1981 |
| UNITED STATES | USSR | Impairment, Afghanistan | 1980 | 1981 |
| UNITED STATES | NICARAGUA | Destabilize Sandinistas | 1981 | 1990 |
| UNITED STATES | POLAND | Various, Solidarity | 1981 | 1987 |
| UNITED STATES | USSR | Impairment, Poland | 1981 | 1982 |
| UNITED STATES | CHILE | Restore democracy | 1983 | 1990 |
| UNITED STATES | GRENADA | Destabilize Bishop-Austin regime | 1983 | 1983 |
| UNITED STATES | ROMANIA | Human rights, emigration | 1983 | 1989 |
| UNITED STATES | USSR | KAL shooting down | 1983 | 1983 |
| UNITED STATES | ZIMBABWE | Foreign policy | 1983 | 1988 |
| UNITED STATES | IRAN | Nuclear proliferation, terrorism, etc. | 1984 | -- |
| UNITED STATES | LEBANON | Hostage taking, Hezbollah activities | 1984 | 1997 |
| UNITED STATES | SOUTH AFRICA | Apartheid | 1985 | 1991 |
| UNITED STATES | ANGOLA | Cuban troops; Marxism | 1986 | 1992 |
| UNITED STATES | SYRIA | Terrorism | 1986 | -- |
| UNITED STATES | EL SALVADOR | Amnesty | 1987 | 1988 |
| UNITED STATES | HAITI | Human rights, drugs, elections | 1987 | 1990 |
| UNITED STATES | PANAMA | Destabilize Noriega | 1987 | 1990 |

SENDER COUNTRY MOTIVES (CONT.)


Demonstration of U.S. Resolve

| Country | Target | Goal | First year | Last year |
|---|---|---|---|---|
| UNITED STATES | BURMA | Human rights, elections | 1988 | -- |
| UNITED STATES | CHINA | Human rights (Tiananmen Square) | 1989 | -- |
| UNITED STATES | SUDAN | Human rights; democracy | 1989 | -- |
| UNITED STATES | (JORDAN), YEMEN et al. | Enforce UN embargo v. Iraq | 1990 | 1997 |
| UNITED STATES | CUBA | Destabilize Castro | 1990 | -- |
| UNITED STATES | EL SALVADOR | Human rights, end civil war | 1990 | 1993 |
| UNITED STATES | JORDAN, (YEMEN et al.) | Enforce UN embargo v. Iraq | 1990 | 1994 |
| UNITED STATES | KENYA | Political repression, human rights, democracy | 1990 | 1993 |
| UNITED STATES | ROMANIA | Democracy, elections | 1990 | 1993 |
| UNITED STATES | ZAIRE | Democracy | 1990 | 1997 |
| UNITED STATES | CHINA | Nuclear proliferation | 1991 | -- |
| UNITED STATES | INDONESIA | Human rights in East Timor | 1991 | 1997 |
| UNITED STATES | PERU | Democracy, human rights | 1991 | 1995 |
| UNITED STATES | THAILAND | Coup | 1991 | 1992 |
| UNITED STATES | USSR | Coup | 1991 | 1991 |
| UNITED STATES | AZERBAIJAN | End Armenia embargo | 1992 | 2002 |
| UNITED STATES | CAMEROON | Human rights, democracy | 1992 | 1998 |
| UNITED STATES | MALAWI | Democracy, human rights | 1992 | 1993 |
| UNITED STATES | NICARAGUA | Civil control over military; expropriation claims | 1992 | 1995 |
| UNITED STATES | GUATEMALA | Coup | 1993 | 1993 |
| UNITED STATES | NIGERIA | Human rights, democracy, narcotics | 1993 | 1998 |

SENDER COUNTRY MOTIVES (CONT.)


Moral Outrage

| Country | Target | Goal | First year | Last year |
|---|---|---|---|---|
| UNITED STATES | NORTH KOREA | Nuclear proliferation | 1993 | 1994 |
| UNITED STATES | SUDAN | Terrorism, religious persecution | 1993 | -- |
| UNITED STATES | THE GAMBIA | Democracy | 1994 | 1998 |
| UNITED STATES | (PERU), ECUADOR | Border conflict | 1995 | 1998 |
| UNITED STATES | PERU, (ECUADOR) | Border conflict | 1995 | 1998 |
| UNITED STATES | COLOMBIA | Narcotics, human rights | 1996 | 1998 |
| UNITED STATES | NIGER | Democracy | 1996 | 2000 |
| UNITED STATES | PARAGUAY | Possible coup attempt | 1996 | 1996 |
| UNITED STATES | ZAMBIA | Human rights; constitutional reform | 1996 | 1998 |
| UNITED STATES | INDIA | Nuclear proliferation | 1998 | 2001 |
| UNITED STATES | PAKISTAN | Nuclear policy | 1998 | 2001 |
| UNITED STATES | YUGOSLAVIA, SERBIA | Destabilize Milosevic | 1998 | 2001 |
| UNITED STATES | YUGOSLAVIA, SERBIA | Kosovo | 1998 | 1999 |
| UNITED STATES | INDONESIA | Independence for East Timor | 1999 | 2002 |
| UNITED STATES | IVORY COAST | Coup, democracy | 1999 | 2002 |
| UNITED STATES | PAKISTAN | Coup, democracy | 1999 | 2001 |
| UNITED STATES | ECUADOR | Coup | 2000 | 2000 |
| UNITED STATES | NORTH KOREA | Nuclear proliferation | 2002 | 2006 |

SENDER COUNTRY MOTIVES (CONT.)


Enforcement Actions

| Sector | Sanctions Program | Entity | Settlement | Year |
|---|---|---|---|---|
| Financial Services | Libya Sanctions | Allfirst Financial Inc. | $4,000 | 2003 |
| Banking | Libya Sanctions | Banco di Napoli | $2,300 | 2003 |
| Banking | Cuba Sanctions | Bancomer S.A. | $5,000 | 2003 |
| Banking | Yugoslavia Sanctions | Bank of New York | $24,750 | 2003 |
| Banking | Sudan Sanctions | Citigroup, N. A. | $2,500 | 2003 |
| Banking | Terrorism Sanctions Regulations | Citigroup, N. A. | $2,925 | 2003 |
| Banking | Libya Sanctions | Credit Lyonnais | $5,500 | 2003 |
| Banking | Iran Sanctions | First Security Bank | $63,200 | 2003 |
| Banking | Iran, and Cuba Sanctions | Fleet Bank | $41,050 | 2003 |
| Banking | Libya Sanctions | National Australia Bank | $4,780 | 2003 |
| Banking | Cuba, Sudan, and Kosovo | Northern Trust | $18,027 | 2003 |
| Banking | Sudan Sanctions | Safra National Bank | $5,381 | 2003 |
| Banking | Kosovo Sanctions | Union Bank of CA | $14,913 | 2003 |
| Banking | Iran Sanctions | Union Bank of CA | $12,000 | 2003 |
| Banking | Sudan Sanctions | Union Planters Bank | $4,500 | 2003 |
| Banking | Sudan Sanctions | Wells Fargo Bank | $5,500 | 2003 |
| Banking | Kosovo Sanctions | State Bank of India | $5,500 | 2003 |
| Banking | Cuba Sanctions | Bank of the West on behalf of Sanwa Bank | $72,220 | 2003 |
| Banking | Sudan Sanctions | Deutsche Bank A.G. | $5,500 | 2003 |
| Banking | Sudan Sanctions | Deutsche Bank A.G. | $4,500 | 2003 |
| Banking | Iraq Sanctions | UBS (USA) Inc. | $14,750 | 2003 |

INDUSTRY IMPACT


Governance

| Sector | Sanctions Program | Entity | Settlement | Year |
|---|---|---|---|---|
| Banking | Cuba Sanctions | UBS (USA) Inc. | $5,000 | 2003 |
| Banking | Libya Sanctions | HSBC Bank USA | $1,944 | 2003 |
| Banking | Iran Sanctions | HSBC Bank USA | $5,500 | 2003 |
| Banking | Yugoslavia Sanctions | HSBC Bank USA | $11,000 | 2003 |
| Banking | Reporting and Procedures Regulations | State Street Bank & Trust Co. | $22,000 | 2003 |
| Banking | Kosovo Sanctions | Bank United | $5,843 | 2003 |
| Banking | Iraq Sanctions | Union Bank of California | $4,800 | 2003 |
| Banking | Libya Sanctions | Société Générale | $11,000 | 2003 |
| Banking | Cuba Sanctions | Bank Polska Kasa Opieki SA/Bank Pekao SA | $9,725 | 2003 |
| Banking | Iran Sanctions | National City Bank | $5,500 | 2003 |
| Banking | Kosovo Sanctions | National City Bank | $250 | 2003 |
| Banking | Libya Sanctions | Banco Bradesco S.A. | $9,000 | 2003 |
| Banking | Cuba Sanctions | Bank Audi (USA) nka InterAudi Ban | $13,750 | 2003 |
| Banking | Libya Sanctions | MashreqBank | $5,500 | 2003 |
| Banking | Libya Sanctions | Harris Bank International | $11,000 | 2003 |
| Banking | Sudan Sanctions | Bank of America | $4,308 | 2003 |
| Banking | Iran Sanctions | Bank of America | $158,039 | 2003 |
| Banking | Libya Sanctions | Bank of Communications | $2,684 | 2003 |
| Banking | Libya Sanctions | Barclays Bank PLC | $10,108 | 2003 |
| Banking | Cuba Sanctions | Intrust Bank | $8,000 | 2003 |
| Banking | Libya Sanctions | Société Générale | $6,600 | 2003 |

INDUSTRY IMPACT (CONT.)


Transaction Monitoring

| Sector | Sanctions Program | Entity | Settlement | Year |
|---|---|---|---|---|
| Banking | Libya Sanctions | South Trust Bank | $2,750 | 2003 |
| Banking | Cuba Sanctions | Bridgeview Bank on behalf of Uptown National Bank of Chicago | $5,500 | 2003 |
| Banking | Kosovo Sanctions | Arab Banking Corp. | $5,500 | 2004 |
| Banking | Cuba Sanctions | Bank of China | $10,000 | 2004 |
| Banking | Cuba Sanctions | Eastern Financial Florida Credit Union | $4,000 | 2004 |
| Banking | Cuba, Libya and Sudan Sanctions | JP Morgan Chase & Co. | $17,304 | 2004 |
| Banking | Cuba, Iran, Libya and Sudan | JP Morgan Chase & Co. | $73,281 | 2004 |
| Banking | Kosovo Sanctions | American Express Bank, Ltd. | $3,291 | 2004 |
| Banking | Sudan Sanctions and Foreign Narcotics Kingpin regulations | Bank of America | $13,573 | 2004 |
| Banking | Iran and Sudan Sanctions | Bank One | $6,683 | 2004 |
| Banking | Libya Sanctions | Barclays Bank PLC | $14,970 | 2004 |
| Banking | Cuba, Libya and Sudan Sanctions | Bank of New York | $34,623 | 2004 |
| Banking | Libya Sanctions | Bank of New York | $27,500 | 2004 |
| Banking | Kosovo Sanctions | Bank of New York | $5,500 | 2004 |
| Banking | Cuba Sanctions | Columbia Bank | $1,000 | 2004 |
| Banking | Sudan Sanctions | Commerzbank AG | $5,500 | 2004 |

INDUSTRY IMPACT (CONT.)


Due Diligence

| Sector | Sanctions Program | Entity | Settlement | Year |
|---|---|---|---|---|
| Banking | Libya Sanctions | Deutsche Bank | $5,500 | 2004 |
| Banking | Sudan Sanctions | Deutsche Bank | $5,500 | 2004 |
| Banking | Libyan Sanctions Program | JP Morgan Chase | $26,980 | 2004 |
| Banking | Kosovo Sanctions | M & T Bank | $2,250 | 2004 |
| Banking | Kosovo Sanctions | Mellon Bank N.A. | $10,400 | 2004 |
| Banking | Cuba Sanctions | Union Bank of Florida | $1,950 | 2004 |
| Banking | Cuba Sanctions | Austin Bank | $750 | 2004 |
| Banking | Cuba Sanctions | Citicorp Vendor Finance, Ltd. | $1,463 | 2004 |
| Banking | Iran Sanctions | HSBC Equator (USA), Inc. | $2,750 | 2004 |
| Banking | Cuba Sanctions | North Fork Bank | $3,000 | 2004 |
| Banking | Cuba Sanctions | Paragon Federal Credit Union | $3,850 | 2004 |
| Banking | Cuba Sanctions | Southeast Corporate Federal Credit Union | $850 | 2004 |
| Banking | Cuba Sanctions | University Credit Union | $1,275 | 2004 |
| Banking | Cuba and Sudan Sanctions | ABN AMRO Bank, Inc. | $25,848 | 2004 |
| Banking | Cuban Sanctions Program | American Express Bank Ltd. | $5,042 | 2004 |
| Banking | Iran Sanctions | Central Carolina Bank | $8,466 | 2004 |

INDUSTRY IMPACT (CONT.)


Investigations

| Sector | Sanctions Program | Entity | Settlement | Year |
|---|---|---|---|---|
| Banking | Kosovo Sanctions | Comerica Bank | $850 | 2004 |
| Banking | Kosovo Sanctions | Corporate One Federal Credit Union | $5,500 | 2004 |
| Banking | Cuba Sanctions | HSBC Bank USA | $8,375 | 2004 |
| Banking | Libya and Iran Sanctions | Wachovia Bank | $11,000 | 2004 |
| Banking | Iran Sanctions | Wachovia Bank on behalf of First Union Bank | $18,470 | 2004 |
| Banking | Iran Sanctions | Webster Bank on behalf of Village Bank & Trust | $2,824 | 2004 |
| Capital Markets | Cuba Sanctions | Church Pension Fund | $74,294 | 2004 |
| Banking | Cuba Sanctions | Citicorp Vendor Finance Ltd. | $7,380 | 2004 |
| Capital Markets | Cuba Sanctions | Merrill Lynch, Pierce, Fenner & Smith, Inc. | $22,904 | 2004 |
| Banking | Kosovo Sanctions | Arab Bank PLC | $2,450 | 2004 |
| Banking | Iran Sanctions | Banco de Chile | $5,500 | 2004 |
| Banking | Iran Sanctions | Banco do Brasil | $10,163 | 2004 |
| Banking | Iran Sanctions | Bank One | $5,500 | 2004 |
| Banking | Iran Sanctions | Central Carolina Bank | $3,750 | 2004 |
| Banking | Libya Sanctions | Citibank | $5,500 | 2004 |
| Banking | Iran Sanctions | Citibank on behalf of California Federal Bank | $5,500 | 2004 |

INDUSTRY IMPACT (CONT.)


Escalation

| Sector | Sanctions Program | Entity | Settlement | Year |
|---|---|---|---|---|
| Banking | Libya Sanctions | HSBC Bank USA | $5,500 | 2004 |
| Banking | Burma Sanctions | Hanmi Bank on behalf of Pacific Union Bank | $450 | 2004 |
| Banking | Libya Sanctions | International Commercial Bank of China | $5,988 | 2004 |
| Banking | Cuba and Libya Sanctions | JP Morgan Chase Bank | $9,748 | 2004 |
| Banking | Cuba, Iran and Sudan Sanctions | JP Morgan Chase Bank | $18,094 | 2004 |
| Banking | Kosovo Sanctions | LaSalle Bank N.A. | $3,050 | 2004 |
| Banking | Kosovo Sanctions | Lee Bank | $16,500 | 2004 |
| Banking | Iran Sanctions | Nordea Bank Finland, PLC on behalf of Christiania Bank | $5,900 | 2004 |
| Financial Services | Cuba Sanctions | American Express Company, Inc. on behalf of American Express, S.A. de C.V. | $18,391 | 2004 |
| Financial Services | Iran Sanctions | American Express Company, Inc. on behalf of American Express Bank Ltd. | $2,750 | 2004 |
| Financial Services | Libya Sanctions | American Express Company, Inc. on behalf of American Express Bank Ltd. | $5,500 | 2004 |
| Banking | Kingpin Act | First National Bank | $19,200 | 2004 |

INDUSTRY IMPACT (CONT.)


Reporting

| Sector | Sanctions Program | Entity | Settlement | Year |
|---|---|---|---|---|
| Banking | Iran Sanctions | Hanmi Bank | $7,000 | 2004 |
| Banking | Kosovo Sanctions | US Bancorp on Behalf of California United Bank | $7,250 | 2004 |
| Banking | Kosovo Sanctions | Hudson United Bank | $3,347 | 2004 |
| Banking | Cuba Sanctions | Santander Bank & Trust (Bahamas) Ltd. (formerly Santander Central Hispano Bank & Trust [Bahamas] Ltd.) | $20,000 | 2004 |
| Banking | Iran Sanctions | PNC Bank | $8,200 | 2005 |
| Banking | Libya Sanctions | Union Bank of California | $5,500 | 2005 |
| Banking | Iran Sanctions | Wells Fargo Bank | $42,833 | 2005 |
| Banking | Sudan Sanction | Atlantic Bank | $5,500 | 2005 |
| Banking | Iran Sanctions | Bank of America | $2,760 | 2005 |
| Banking | Sudan Sanction | Bank of China | $11,000 | 2005 |
| Banking | Iran Sanctions | SunTrust Bank | $30,800 | 2005 |
| Banking | Libya Sanctions | The Bank of New York | $5,845 | 2005 |
| Banking | Cuba Sanctions | United National Bank | $11,000 | 2005 |
| Banking | Libya Sanctions | Wachovia Bank | $5,500 | 2005 |
| Banking | Kingpin Act | Bank of New York | $4,650 | 2005 |
| Banking | Iran Sanctions | Bank-Fund Staff Federal Credit Union | $14,000 | 2005 |

INDUSTRY IMPACT (CONT.)


Remediation

| Sector | Sanctions Program | Entity | Settlement | Year |
|---|---|---|---|---|
| Capital Markets | Cuba Sanctions | E. & J. Gallo Winery | $3,750 | 2005 |
| Banking | Libya Sanctions | Skandinaviska Enskilda Banken | $4,500 | 2005 |
| Banking | Iran Sanctions | SunTrust Bank | $40,423 | 2005 |
| Banking | Libya Sanctions | U.S. Bank | $2,586 | 2005 |
| Capital Markets | Iran Sanctions | Fidelity Brokerage Services, Inc. dba Fidelity Investments | $63,853 | 2005 |
| Banking | Iran Sanctions | Citizens Security Bank and Trust | $17,831 | 2005 |
| Insurance | Fry (Kosovo) Sanctions | NYMagic, Inc. on behalf of Mutual Marine Office, Inc. | $42,197 | 2005 |
| Insurance | Iran, and Libya Sanctions | NYMagic, Inc. on behalf of Mutual Marine Office, Inc. | $4,303 | 2005 |
| Banking | Libya and Iran Sanctions | ABN AMRO Bank, N.V. | $40,000,000 | 2006 |
| Banking | Iran Sanctions | The Chinese American Bank | $7,370 | 2006 |
| Banking | Iran Sanctions | Chevy Chase Bank | $3,353 | 2006 |
| Banking | Iran Sanctions | Downey Savings and Loan | $44,899 | 2006 |
| Banking | Cuba Sanctions | Kinecta Federal Credit Union | $3,102 | 2007 |
| Banking | Iran Sanctions | Fleet National Bank | $7,277 | 2007 |

INDUSTRY IMPACT (CONT.)


Training

| Sector | Sanctions Program | Entity | Settlement | Year |
|---|---|---|---|---|
| Insurance | Narcotics Trafficking Sanctions Regulations | American Bankers Life Assurance Company of Florida | $1,272 | 2007 |
| Banking | Burma, Sudan and Cuba Sanctions | National Australia Bank Ltd. | $100,000 | 2007 |
| Banking | Cuba Sanctions | Lakes Community Credit Union | $1,484 | 2007 |
| Banking | Global Terrorism Sanctions Regulations | Wachovia Bank | $11,000 | 2007 |
| Banking | Global Terrorism Sanctions Regulations | BB&T Corporation | $10,000 | 2008 |
| Banking | Iran Sanctions | La Salle Bank Midwest, N.A. | $5,500 | 2008 |
| Banking | Cuba Sanctions | Bank Atlantic | $7,500 | 2008 |
| Banking | Iran Sanctions | Key Bank National Association | $200,000 | 2008 |
| Banking | Libya Sanctions | Fleet National Bank. | $1,338 | 2008 |
| Banking | Cuba Sanctions | Citigroup, N. A. | $16,250 | 2008 |
| Financial Services | Narcotics Trafficking Sanctions Regulations | America Servi Express, Inc | $2,465 | 2008 |
| Capital Markets | Narcotics Trafficking Sanctions Regulations | Morgan Stanley | $3,162 | 2008 |

INDUSTRY IMPACT (CONT.)


Experienced Hires

| Sector | Sanctions Program | Entity | Settlement | Year |
|---|---|---|---|---|
| Banking | Cuba Sanctions | United Advantage Northwest Federal Credit Union | $2,970 | 2008 |
| Capital Markets | Narcotics Trafficking Sanctions Regulations | A.G. Edwards and Sons. Inc, | $122,358 | 2008 |
| Insurance | Liberian/SDN Sanctions | Geico Corporation | $1,086 | 2008 |
| Insurance | Cuban Sanctions | Aetna Life Insurance Company | $5,210 | 2008 |
| Banking | Iran and Sudan Sanctions | Lloyds TSB Bank PLC | $350 Million | 2009 |
| Capital Markets | Cuban Assets Control Regulations | EFEX Trade, LLC | $2,000 | 2009 |
| Banking | Sudanese Sanctions Regulations and Cuban Assets Control Regulations | Australia and New Zealand Bank Group, Ltd. | $5,750,000 | 2009 |
| Financial Services | Iranian Transactions Regulations | Gold & Silver Reserve, Inc | $2,950,000 | 2009 |
| Capital Markets | International Emergency Economic Powers Act (IEEPA) and New York state law | Credit Suisse AG | $536 Million | 2009 |
| Insurance | Foreign Narcotics Kingpin Sanctions | GEICO General Insurance Company | $11,000 | 2010 |
| Banking | Cuban Assets Control Regulations | United Nations Federal Credit Union | $500,000 | 2010 |

INDUSTRY IMPACT (CONT.)


Reputational Risks

| Sector | Sanctions Program | Entity | Settlement | Year |
|---|---|---|---|---|
| Banking | Sudanese Sanctions Regulations | Compass Bank | $750,000 | 2010 |
| Banking | Iran's Proliferation Activities | Europäisch-Iranische Handelsbank | Not Available | 2010 |
| Banking | Sudanese Sanctions Regulations | Sumitomo Mitsui Banking Corporation | $229,380 | 2010 |
| Banking | Narcotics Kingpin Sanctions Regulations | Discover Financial Services | $8,720 | 2010 |
| Banking | the Iranian Transactions Regulations | Wells Fargo Bank | $67,500 | 2010 |
| Insurance | Cuban Assets Control Regulations Allegations | Metropolitan Life Insurance Company | $22,500 | 2011 |
| Insurance | Iranian Transactions Regulations Allegations | McGriff, Seibels & Williams of Texas, Inc | $122,408 | 2011 |
| Insurance | Iranian Transactions Regulations Allegations | HCC Insurance Holdings, Inc. | $56,960 | 2011 |
| Insurance | Iranian Transactions Regulations | General Reinsurance Corporation (“Gen Re”) | $131,424 | 2011 |
| Financial Services | Iranian Transactions Regulations | Société Générale | $164,977 | 2011 |

INDUSTRY IMPACT (CONT.)


Disclosures (SEC)

| Sector | Sanctions Program | Entity | Settlement | Year |
|---|---|---|---|---|
| Shipping Lines | Iranian Transactions Regulations | Norton Lilly International (“Norton”), Mobile, AL | $25,000 | 2011 |
| Shipping Lines | Cuban Assets Control Regulations, 31 C.F.R. part 515, the Iranian Transactions Regulations, 31 C.F.R. part 560, and the Sudanese Sanctions Regulations, 31 C.F.R. part 538 | CMA CGM (America) LLC | $640,000 | 2011 |
| Banking | Cuban Assets Control, Weapons of Mass Destruction Proliferators Sanctions Regulations, Global Terrorism Sanctions Regulations, Iranian Transactions Regulations, Sudanese Sanctions, Former Liberian Regime of Charles Taylor Sanctions Regulations, Reporting, Procedures, and Penalties Regulations | JPMorgan Chase Bank | $88 Million | 2011 |
| Manufacturing | Iranian Transactions Regulations, Sudanese Sanctions Regulations, and Cuban Assets Control Regulations | Flowserve Corporation | $661,053 | 2011 |
| Financial Services | Iranian Transactions Regulations | Zurigo Trading, Inc. | $10,000 | 2011 |

INDUSTRY IMPACT (CONT.)


Additional Actions (NYDA, DOJ)

| Sector | Sanctions Program | Entity | Settlement | Year |
|---|---|---|---|---|
| Banking | Cuban Assets Control Regulations (“CACR”), 31 C.F.R. part 515; the Burmese Sanctions Regulations (“BSR”), 31 C.F.R. part 537; the Sudanese Sanctions Regulations (“SSR”), 31 C.F.R. part 538; the now-repealed Libyan Sanctions Regulations (“LSR”), 31 C.F.R. part 550; and the Iranian Transactions Regulations (“ITR”), 31 C.F.R. part 560. | ING Bank N.V. | $619 Million | 2012 |
| Banking | Sudanese Sanctions Regulations, 31 C.F.R. part 538 | National Bank of Abu Dhabi | $855,000 | 2012 |

INDUSTRY IMPACT (CONT.)


NEVER FINISH THE RACE



EXPECTATIONS AND STANDARDIZATION

Compliance Area | OFAC Components | Description | Data Currently Screened | Automate Metrics Monitoring (e.g. Datazen)

Compliance Area: Governance
OFAC Component: Define and communicate Policy on Organization's Sanctions program
Description:
• Policy to comply with high standards of Sanctions-related compliance in all markets and jurisdictions to ensure compliance with applicable legislation and regulations
• Should be a set of consistent Enterprise-wide Standards
• Policies and Procedures should address all stages of Sanctions procedures including customer screening, wire / check screening, investigating and decisioning potential matches, rejecting / freezing / blocking Sanctions hits, Sanctions list maintenance and testing and management and external law enforcement reporting
• Sanctions policy should extend beyond the requirement to meet all applicable local laws and regulations i.e. policies which support Institution's values

Compliance Area: Governance
OFAC Component: Conduct and Refresh Enterprise-Wide Sanctions Risk Assessment
Description:
• Establish guidance in policies and procedures for conducting Sanctions Risk Assessment and frequency of the risk assessment (at least annually). Consider conducting more frequently based upon level of risk (e.g., high risk areas should be re-evaluated more than once per year)
• Report Sanctions Risk Assessment to appropriate Senior Management, committees and Board
• Utilize results to set thresholds for monitoring clients and transactions based on line of business and region
• Establish guidance in policies and procedures for refreshing Sanctions Risk Assessments at least annually, if not more frequently based upon risk-level


Compliance Area | OFAC Components | Description | Data Currently Screened | Automate Metrics Monitoring (e.g. Datazen)

Compliance Area: Training and Education
OFAC Component: Train all new hires
Description:
• Global training program for all new hires to include U.S. Sanction Program requirements
• Required training to be completed within a defined time period i.e. XX number of days after initial start date, part of the overall OFAC training program

Compliance Area: Training and Education
OFAC Component: Annual employee training (enterprise-wide program)
Description:
• Develop training specific to controls, employee oversight responsibilities, and advanced training for others involved in U.S. OFAC Program Risk Management Decisions
• Require employees involved in USD Clearing and those global employees that support controls identified in enforcement actions to sign annual compliance attestation confirming they have attended training and are aware of all U.S. OFAC-related issues

Compliance Area: Training and Education
OFAC Component: Training tailored to specific business lines in high-risk services, geographies and customers
Description:
• Specific business lines will be more high risk so will require additional training for staff to understand the inherent risks in their business line (i.e., jurisdictions with strong commercial ties)

Compliance Area: Training and Education
OFAC Component: Advanced Training for OFAC Compliance Staff
Description:
• Training to ensure OFAC staff are current with changes to U.S. Sanctions Programs

Compliance Area: Affiliate Due Diligence
OFAC Component: Affiliate Due Diligence (ADD)
Description:
• Define an enterprise-wide policy specifically for due diligence on affiliates (majority owned subsidiaries)
• Periodic reviews of ADD compliance including site visits
• Define ADD standards for adherence by all internal affiliates

Compliance Area: Affiliate Due Diligence
OFAC Component: Identify and manage relationship with Internal affiliates
Description:
• Define an enterprise-wide policy for the identification of appropriate relationships including a sign-off process

EXPECTATIONS AND STANDARDIZATION (CONT.)


Compliance Area | OFAC Components | Description | Data Currently Screened | Automate Metrics Monitoring (e.g. Datazen)

Compliance Area: Customer Due Diligence
OFAC Component: Conduct Initial Customer Screening
Description:
• Policy specifically requiring Customer Screening against sanctions lists upon initial onboarding of clients including beneficial owners
• Utilize RDC as well as World Check for initial screening

Compliance Area: Customer Due Diligence
OFAC Component: Conduct Ongoing Customer Screening
Description:
• Ongoing customer screening against sanctions lists
• Frequency of ongoing customer screening
• Information / relevant data fields to be screened (e.g., capture changes in customer information, all records including electronic and manually obtained documents, beneficial ownership or name fields on account, address / country)

Compliance Area: Due Diligence
OFAC Component: Screen employees against all Sanctions Lists
Description:
• Defined information and documentation requirements
• Ensure legal is consulted regarding the obtaining and storing of screening information

Compliance Area: Due Diligence
OFAC Component: Screen vendors against all Sanctions Lists
Description:
• Defined information and documentation requirements
• Standards for vendor approval process

EXPECTATIONS AND STANDARDIZATION (CONT.)


Compliance Area | OFAC Components | Description | Data Currently Screened | Automate Metrics Monitoring (e.g. Datazen)

Compliance Area: Transaction Monitoring
OFAC Component: Manage Higher Risk Products, Services and Transactions: Trade Finance and Correspondent Banking
Description:
• Standards and Policies when engaging in higher risk activities
• Establish defined fields and related documentation requirements
• Establish manual / automatic screening process

Compliance Area: Transaction Monitoring
OFAC Component: Screen incoming wires
Description:
• Screen incoming wires
• Procedures for managing false positives and decisioning alerts
• Decisioning process: procedures for managing false positives, decisioning alerts, and blocking / rejecting transactions
• Established metrics collection process identifying actual or attempted transactions that impact business activities
• Procedures for responding to Requests for Information from other financial institutions which received a transaction identified as having a potential Sanctions list match (e.g., immediately route to investigations for response)
• Escalation process for decisioning and reporting of positive matches

EXPECTATIONS AND STANDARDIZATION (CONT.)


Compliance Area | OFAC Components | Description | Data Currently Screened | Automate Metrics Monitoring (e.g. Datazen)

Compliance Area: Transaction Monitoring
OFAC Component: Screen outgoing wires
Description:
• Screen outgoing wires
• Procedures for managing false positives and decisioning alerts
• Decisioning process: procedures for managing false positives, decisioning alerts, and blocking / rejecting transactions
• Established metrics collection process identifying actual or attempted transactions that impact business activities
• Procedures for responding to Requests for Information from other financial institutions which received a transaction involving a potential Sanctions list match (e.g., immediately route to investigations for response)
• Escalation process for decisioning and reporting of positive matches

EXPECTATIONS AND STANDARDIZATION (CONT.)


Compliance Area | OFAC Components | Description | Data Currently Screened | Automate Metrics Monitoring (e.g. Datazen)

Compliance Area: Transaction Monitoring
OFAC Component: Screen checks (incoming / deposited checks and those issued via Accounts Payable for vendors) and monetary instrument sales
Description:
• Screen all checks deposited / checks written to Vendors and monetary instrument sales
• Procedures for managing false positives and decisioning alerts
• Decisioning process: procedures for managing false positives, decisioning alerts and blocking / rejecting transactions
• Established metrics collection process identifying actual or attempted transactions that impact business activities
• Procedures for responding to Requests for Information from other financial institutions which received a transaction involving a potential Sanctions list match (e.g., immediately route to investigations for response)
• Escalation process for decisioning and reporting of positive matches

EXPECTATIONS AND STANDARDIZATION (CONT.)


Compliance Area OFAC Components Description Data Currently Screened Automate Metrics Monitoring (e.g. Datazen)

Transaction Monitoring

Screen ACH (Automated Clearing House) payment transactions - US domestic and International transactions

• Screen all ACH payment transactions
• Procedures for managing false positives and decisioning alerts
• Decisioning process: procedures for managing false positives, decisioning alerts and blocking / rejecting transactions
• Established metrics collection process identifying actual or attempted transactions that impact business activities
• Procedures for responding to Requests for Information from other financial institutions which received a transaction involving a potential Sanctions list match (e.g., immediately route to investigations for response)

Investigate potential Sanctions List violations

• Policy to address proper procedures to investigate / evaluate potential Sanctions list matches including case management, when a hit cannot be immediately decisioned
• Desktop procedures for decisioning hits against a Sanctions List with guidance by data field
• Clear escalation process for approval / consultation that transaction is a violation of Sanctions List
• Procedures for moving funds out of queue and into holding account
• Retain a clear audit trail of the investigation of potential target matches and the decisions / actions taken

EXPECTATIONS AND STANDARDIZATION (CONT.)


Compliance Area OFAC Components Description Data Currently Screened Automate Metrics Monitoring (e.g. Datazen)

Transaction Monitoring

Determine if Sanctions List hit is a permissible transaction

• Policy and desktop procedures should address both general and specific OFAC licenses, as well as transactions for Non-governmental organizations (NGOs) for humanitarian purposes in sanctioned countries (Exceptions Lists)
• Sanctions Officer is responsible for interpreting all OFAC licenses
• If Specific OFAC license is on file, procedures should still require Sanctions Officer approval to release, block or reject transaction
• If no license and not a permitted transaction, must determine to block or reject the transaction
• If QC process identified released transaction, escalation and reporting through VSD and related protocols and accountabilities established
• Process document to obtain licences

Establish OFAC Block procedures

• Establish systems and controls for freezing / blocking accounts
• Process for obtaining a licence from OFAC and the circumstance where this is appropriate

EXPECTATIONS AND STANDARDIZATION (CONT.)


Compliance Area OFAC Components Description Data Currently Screened Automate Metrics Monitoring (e.g. Datazen)

Transaction Monitoring

Establish OFAC Block procedures

• Procedures to open an OFAC block account to hold blocked funds (interest-bearing account)
• Internal log / documentation requirements for tracking OFAC block transactions
• Address release of blocked funds (e.g., receipt of general or specific license)

Define and update process for monitoring enforcements following review of alerts - alert management of internal affiliates

• Procedures to disposition OFAC alerts and when escalation is required
• Internal log for tracking OFAC alerts and decisioning
• Address decisioning of closed alerts not escalated

List Maintenance

Maintaining and Updating Lists-Sanctions Software List Management

• Change protocols established for List Maintenance
• Established lists such as 'good guy' and 'bad guy' lists have an approval process (and responsibilities identified) for adding and removing names to / from list?
• Add account related information based on new information received during investigation of a potential true match to Sanctions List

Screening

Maintain Sanctions screening software program

• Utilize appropriate technology that will screen wires, payments, new and existing customers, new and existing employees, vendors and can be adaptable to Organization's needs based on its Sanctions Risk Assessment

EXPECTATIONS AND STANDARDIZATION (CONT.)


Compliance Area OFAC Components Description Data Currently Screened Automate Metrics Monitoring (e.g. Datazen)

Testing

Sanctions Testing program

• Sanctions Testing program addressing end-to-end sanctions screening including assurance testing of screening lists, system feeds, thresholds, higher risk products including correspondent banking, trade finance and higher risk investment banking activities
• Any breaches of policy need to be reported to management
• Defined policies and processes that include:
• Modifying the audit program, plan and methodology that is comprehensive and includes all relevant components of the OFAC program including systems used to support compliance
• Create new work papers that clearly document the testing performed, are consistent in methodology and presentation, address all audit plan items and describe the sampling methodology – explain sample size selected
• Document the activities performed - formal interviews, walk-throughs, documents assessed and other factors
• Previous audit or regulatory findings should be clearly incorporated into the audit program

Track Management to reported items

• Policies should address time periods in which management must submit reports

EXPECTATIONS AND STANDARDIZATION (CONT.)


Compliance Area OFAC Components Description Data Currently Screened Automate Metrics Monitoring (e.g. Datazen)

OFAC Reporting

Report Blocked and Rejected Payments - OFAC / OFAC / EU / Other Applicable Agencies

• Regulatory processes and report templates to use for communicating with OFAC, Federal Reserve Board, NY Department of Financial Services and other regulatory and/or government agencies
• Desktop procedures should include all steps that must be followed when rejecting or blocking payments, including documentation needed for case file
• Policy and procedures for notifying appropriate management
• Annual OFAC report to be completed by Sanctions Officer

Report Blocked and Rejected Payments - Internally

• Policy and procedures for notifying appropriate management
• Information sharing protocols on actual or attempted transactions that have impact on business activities
• Monthly account reconciliation of blocked accounts

Metrics / Management Reporting

Report on number of Sanctions Lists hits

• Statistics should include number of hits decisioned at each level, number of false positives, number of true matches, number of rejects, freezes, licenses and blocks statistics by line of business and related activity
• Should also include hits related to customer, employee and vendor screening names, false positives and alerts decisioned

EXPECTATIONS AND STANDARDIZATION (CONT.)


Compliance Area OFAC Components Description Data Currently Screened Automate Metrics Monitoring (e.g. Datazen)

Metrics / Reporting

Report on frequency and accuracy of file updates to technology

• Statistics should include number of names / entities to be added / dropped from list based on Sanctions List update from regulatory authority (e.g., OFAC, EU)
• Number of names / entities successfully added / dropped
• Number of subsequent potential matches for further investigation

Report on compliance of affiliates

• Frequency of reports should be determined by Head of Sanctions or relevant committee
• Determine which members of Senior Management and relevant committees to receive reports
• Include in statistics the number of alerts arising from internal affiliates including information on resolution

Information Sharing - Internally and Externally (law enforcement and other agencies)

Sharing Information with affiliates

• Modify protocols, including a point of contact for responding to and submitting Requests for Information
• Establish protocols for sharing information among internally specifically when responses are delayed and/or not timely received

EXPECTATIONS AND STANDARDIZATION (CONT.)


Compliance Area OFAC Components Description Data Currently Screened Automate Metrics Monitoring (e.g. Datazen)

Record Retention

Document retention of data and information

• Establish a policy for the retention and maintenance of data
• Periodic review of information
• Documentation and records for transactions that were rejected, frozen or blocked due to Sanctions violations must be kept on file
• Policy should specify which documents must be retained and the time period for which they must be retained (minimum 5 years)

EXPECTATIONS AND STANDARDIZATION (CONT.)

EXAMPLES OF METRICS

SANCTIONS METRICS

Illustrative Sanctions Metrics

Reporting Type Intended Recipients Metrics Included in Report Frequency

Senior Leadership Committee

BSA/AML & Sanctions Committees

Actual Sanction Matches vs. Potential Sanctions Matches Monthly

Days outstanding before reporting transactions to OFAC ("total number of days takes to submit OFAC report") Monthly

Management Line of Business Management

Blocked / Rejected Incoming / Outgoing Transactions Quarterly

Ratio of OFAC alerts to matches Monthly

Number of Accounts reported to OFAC and Chapter 500 reference for each account

Monthly / Annually

Total Dollar Amount of Assets frozen for OFAC reasons

Number of OFAC Rejected Transactions Monthly / Annually

Control Persons Team Leads

Number of OFAC Blocked Transactions Weekly

Number and Description of any OFAC violations Weekly

Number of Total Escalations to OFAC Unit by LOB Weekly

Number and Percentage of false positives for non-customers on sanctions list Weekly

SANCTIONS METRICS (CONT.)

Illustrative Sanctions Metrics

Reporting Type Intended Recipients Metrics Included in Report Frequency

Senior Leadership Committee

BSA/AML & Sanctions Committees

Customer Due Diligence files escalated for further action and review (with sanction concerns) Monthly

Number of Customer Accounts located in a jurisdiction that has “Conflict of Law” with U.S. Sanctions Monthly

Management Line of Business Management

Number of Customer Accounts located in a jurisdiction known to have material trade with sanctioned jurisdictions Quarterly

Number and Volume of Transactions where the institution sent or received funds to/from a jurisdiction known to have material trade with sanctioned jurisdictions

Monthly

OFAC Matches as a Result of Updates to OFAC Lists Daily/ Weekly

Blocked Transactions by number, volume and amount identified further by outgoing and incoming

Monthly / Annually

Identify date and time of OFAC Updates and provide corresponding frequency of internal file updates

Control Persons Team Leads

Number of Screen checks (incoming / deposited checks and those issued via Accounts Payable for vendors) and monetary instrument sales

Weekly

Number of ACH (Automated Clearing House) payment transactions screened including US domestic and International transactions Weekly

CUSTOMER DUE DILIGENCE METRICS

Illustrative Customer Due Diligence

Reporting Type Intended Recipients Metrics Included in Report Frequency

Senior Leadership Committees

BSA/AML & Sanctions Committees

• Ratio of high risk customers to total customers.
• Days needed to complete onboarding.
• Days needed to complete enhanced due diligence reviews.
• Days needed to complete customer refresh reviews.

Monthly

• Ratio of individual accounts to institutional accounts.
• Ratio of foreign customers to domestic customers.
• Ratio of regulated customers to non-regulated customers.

Quarterly

Management

2nd Line and Control Management

Reports

• Number of New Customer Accounts by risk rating and account type.

• Number of New Customer Relationships established.
• Number of reviews resulting in rejections.
• Number of reviews resulting in investigation referrals.

Daily/ Monthly/ Quarterly

• Number of existing clients with expiring and dated documentation and information.

• Number and details of records escalated to 1st Line.

Daily/ Monthly/ Quarterly

1st Line Management

• Number of reviews resulting in rejections.
• Number of Customers by Risk Rating.
• Number of New Accounts and Relationships established.

Monthly/ Quarterly/ Annually

Control Persons Team Leads

• Reviews assigned, in-progress and completed/rejected by FTEs.

• Identifying aging reviews 30, 60, and 90 days.
• Average number of quality control issues identified by line of business, product, FTE, and customer type.

Weekly/ Monthly

Analysts

CUSTOMER DUE DILIGENCE METRICS (CONT.)

Illustrative Customer Due Diligence

Reporting Type Intended Recipients Metrics Included in Report Frequency

Senior Leadership Committees

BSA/AML & Sanctions Committees

New Accounts Opened with Customer Due Diligence Exceptions Requiring Approval / Sign-Off. Monthly

Accounts Closed for BSA/AML Reasons (with breakdowns, as appropriate, by business unit, business line, closure reason).

Quarterly

Repeat Audit Findings and Past Due Items from Internal Audits or Regulatory Examinations.

Management

2nd Line and Control Management Reports

Customer Due Diligence Policy Exceptions Up for Review. Daily/ Monthly/ Quarterly

Confirmed Domestic and Foreign PEPs Identified.

Percentage of accounts with invalid country codes, SSNs, Birth Dates, and related customer due diligence categories.

Daily/ Weekly/ Monthly

Distribution of Customers Across Geographic Locations.

1st Line Management

High Risk Customers by Business Unit / Business Line / Customer Entity Type.

Monthly/ Quarterly/ Annually

New High Risk Accounts Opened (with breakdowns, as appropriate, by business unit, business line, customer entity type).

Control Persons Team Leads

Impact of new high risk accounts established and existing customer account ratings modified to the institution’s risk assessment. Weekly/ Monthly

Analysts Number of Accounts with Risk Ratings Changed.

CUSTOMER DUE DILIGENCE METRICS (CONT.)

Illustrative Customer Due Diligence

Reporting Type Intended Recipients Metrics Included in Report Frequency

Senior Leadership Committees

BSA/AML & Sanctions Committees

Number of customers/accounts exited by LOB, Total, product, and rationale. Annually

Number of high risk customers escalated for compliance sign-off and/or approval.

Monthly/ Quarterly/ Annually

Number of client files under customer refresh process.

Management 2nd Line and Control Management Reports

Average number of QA observations by Line of Business, Product and Analyst.

Daily/ Monthly/ Quarterly

Average number of QA defects by BSU Analyst and tracking of QA status.

Customer Accounts restricted due to incomplete Customer Due Diligence information and/or documentation.

Daily/ Weekly/ Monthly

Number and Percentage change of customers on internal watch list/do not conduct business from prior period.

High Risk Private Banking Customers (>$1MM) to High Risk Banking Customers.

TRANSACTION MONITORING METRICS

Illustrative Transaction Monitoring

Reporting Type Intended Recipients Metrics Included in Report Frequency

Senior Leadership Committee

BSA/AML & Sanctions Committees

Transaction Count and Volume Monthly

Percentage of investigations and SARs assessed through the examination process, internal testing, and/or quality assurance process resulting in observations

Monthly/ Quarterly/ Annually

Management Line of Business Management

Aging of Open Alerts / Cases (with breakdowns, as appropriate, by scenario or collection of scenarios, business unit, investigator) Quarterly

Case Inventory by Analyst Monthly

Number of Investigations Processed per line of business within the period

Monthly / Annually

Alerts, rules and escalated activity that lead to investigations and no SAR filings

Alert-to-SAR Ratio (with breakdowns, as appropriate, by scenario or collection of scenarios, business unit, investigator)

Monthly / Annually

Alert-to-Case Ratio (with breakdowns, as appropriate, by scenario or collection of scenarios, business unit, investigator)

Control Persons Team Leads

Number of cases opened along with aging criteria Weekly

Percentage of cases assessed through an internal or external testing process resulting in observations Quarterly/ Annually

Volume of Alerts / Cases Generated (with breakdowns, as appropriate, by scenario or collection of scenarios, business unit, investigator) Monthly

TRANSACTION MONITORING METRICS (CONT.)

Illustrative Transaction Monitoring

Reporting Type Intended Recipients Metrics Included in Report Frequency

Senior Leadership Committee

BSA/AML & Sanctions Committees

Significant Investigations in process Monthly

Scenarios with Significant Alert Volume Changes Monthly

Number of cases auto closed by the system and/or an analyst Monthly/ Quarterly/ Annually

Management Line of Business Management

Case Inventory by Analyst Quarterly

Ratio of alerts to cases

Monthly

Ratio of cases to SAR filings

Investigations created manually

Monthly/ Quarterly/ Annually

Rules / Scenarios Threshold Changes

Control Persons Team Leads

Volume of non-customer transactions of products and services

Daily/ Weekly/ Monthly

Volume and Value of Total Wires by High Risk Customers (HRC) to Total Wires

Volume of activity to HRC

% of high risk products within HRC

Business Operations in HRC

Case Inventory by Analyst

BSA RECORDKEEPING AND REPORTING METRICS

Illustrative BSA Recordkeeping and Reporting Measurements

Reporting Type Intended Recipients Metrics Included in Report Frequency

Senior Leadership Committee

BSA/AML & Sanctions Committees Number of CTRs and CMIRs filed

Monthly/ Quarterly/ Annually

Number of Monetary Instruments Sold

Transactions performed under BSA Reporting Requirements (i.e., Breaking up a transaction into amounts less than the reporting/recordkeeping thresholds)

Management Line of Business Management

Results of Quality Control reviews performed on BSA record retention (i.e., Retention of copies of SARs and supporting documentation for five years from the date of filing)

Monthly/ Quarterly/ Annually

Number of Nostro Accounts Opened

Monthly / Annually

Total number of non-customer transactions

Number and percentage of late form filing for (FBAR, CTR, CMIR, SARs)

Cash Transfer logs, large item reports, significant balance change reports

INVESTIGATIONS AND SUSPICIOUS ACTIVITY REPORTING METRICS

Illustrative Investigations and SAR Measurements

Reporting Type Intended Recipients Metrics Included in Report Frequency

Senior Leadership Committee BSA/AML & Sanctions Committees

Identifying the highest volume of accounts and relationships by internal journal transfers (irrespective of risk rating)

Monthly

SARs Filed (with breakdowns, as appropriate, by business unit, alert source, investigator, reason as identified on SAR form)

Monthly

Management Line of Business Management

314(a) Matches, Subpoenas and Law Enforcement Requests Quarterly

% changes in a given year Monthly

Projected volume of alerts and cases to identify trends in alerts and cases generated

Monthly / Annually

Average Alert Handling Response Time

Number of joint SAR Filings

314(b) Requests Incoming / Outgoing by Rationale Monthly/ Annually

Control Persons Team Leads

Active Customers with 3+ SARs Filed Weekly

SAR Filing Errors requiring updated SAR filings Weekly

Number of criminal and grand jury subpoenas received Monthly

INVESTIGATIONS AND SUSPICIOUS ACTIVITY REPORTING METRICS (CONT.)

Illustrative Investigations and SAR Measurements

Reporting Type Intended Recipients Metrics Included in Report Frequency

Senior Leadership Committee BSA/AML & Sanctions Committees

Number of Closed accounts resulting from Investigations and/or SAR filings Monthly

Investigations and/or SAR filings resulting in direct contact with the institution’s regulator Monthly

Management Line of Business Management

Number of investigations by maturity of account (i.e., less than 3, 6, 9 or 12 months) Quarterly

Number of analysts requiring additional and/or remedial training Monthly

Number of new clients undergoing CDD process Monthly/ Annually

Cases Open from X days from creation of investigation Monthly/ Annually

BRINGING IT TOGETHER

PROTIVITI OVERVIEW

WHO WE ARE

3,500 professionals

Over 20 countries in the Americas, Europe, the Middle East and Asia-Pacific

70+ offices

Our revenue*:

$743 million in 2015

*Inclusive of Protiviti’s Member Firm network, revenue for the year ending 2015 was $797M

Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit, and has served more than 60 percent of Fortune 1000® and 35 percent of Fortune Global 500® companies. Protiviti and our independently owned Member Firms serve clients through a network of more than 70 locations in over 20 countries. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies.

Ranked 57 on the 2016 Fortune 100 Best Companies to Work For® list, Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.

GLOBAL PRESENCE

** Protiviti Member Firm

ASIA-PACIFIC

21 AUSTRALIA: Brisbane, Canberra, Melbourne, Sydney
22 CHINA: Beijing, Hong Kong, Shanghai, Shenzhen
23 INDIA*: Bengaluru, Hyderabad, Kolkata, Mumbai, New Delhi
24 JAPAN: Osaka, Tokyo
25 SINGAPORE: Singapore

EUROPE/MIDDLE EAST/AFRICA

9 FRANCE: Paris
10 GERMANY: Frankfurt, Munich
11 ITALY: Milan, Rome, Turin
12 THE NETHERLANDS: Amsterdam
13 UNITED KINGDOM: London
14 BAHRAIN*: Manama
15 KUWAIT*: Kuwait
16 OMAN*: Muscat
17 QATAR*: Doha
18 UNITED ARAB EMIRATES*: Abu Dhabi, Dubai
19 SAUDI ARABIA*: Riyadh
20 SOUTH AFRICA*: Johannesburg

THE AMERICAS

1 UNITED STATES: Alexandria, VA; Atlanta, GA; Baltimore, MD; Boston, MA; Charlotte, NC; Chicago, IL; Cincinnati, OH; Cleveland, OH; Dallas, TX; Denver, CO; Ft. Lauderdale, FL; Houston, TX; Kansas City, KS; Los Angeles, CA; Milwaukee, WI; Minneapolis, MN; New York, NY; Orlando, FL; Philadelphia, PA; Phoenix, AZ; Pittsburgh, PA; Portland, OR; Richmond, VA; Sacramento, CA; Salt Lake City, UT; San Francisco, CA; San Jose, CA; Seattle, WA; Stamford, CT; St. Louis, MO; Tampa, FL; Washington, D.C.; Winchester, VA; Woodbridge, NJ
2 ARGENTINA*: Buenos Aires
3 BRAZIL*: Rio de Janeiro, São Paulo
4 CANADA: Kitchener-Waterloo, Toronto
5 CHILE*: Santiago
6 MEXICO*: Mexico City
7 PERU*: Lima
8 VENEZUELA*: Caracas


PROTIVITI’S SOLUTION OFFERINGS AND INDUSTRY KNOWLEDGE AND EXPERTISE

Proven value-added solutions Deep competency in the following industries

GOVERNMENT SERVICES

ENERGY AND UTILITIES

CONSUMER PRODUCTS AND SERVICES

FINANCIAL SERVICES

MANUFACTURING AND DISTRIBUTION

TECHNOLOGY, MEDIA AND COMMUNICATIONS

HEALTHCARE AND LIFE SCIENCES

DATA AND ANALYTICS

INTERNAL AUDIT AND FINANCIAL ADVISORY

INFORMATION TECHNOLOGY CONSULTING

BUSINESS PERFORMANCE IMPROVEMENT

RISK AND COMPLIANCE

ABOUT OUR RISK AND COMPLIANCE SOLUTIONS

• Risk Management Process Design and Implementation

• Risk Governance

• Enterprise Risk Reporting Enhancement

• Bank Secrecy Act/Anti-Money Laundering

• Office of Foreign Assets Control Sanctions Programs

• Third-Party Risk Management

• Regulatory Infrastructure Assessment & Design

• Compliance Function Co-Sourcing/Outsourcing

• Enforcement Action Advisory Services

• System Vendor Selection & Utilization

• Credit Operations Assessment, Design, and Implementation

• Credit/Loan Assess Services

• Transaction/ Acquisition and Lender Due Diligence

ENTERPRISE RISK MANAGEMENT

OPERATIONAL RISK

CREDIT RISK

REGULATORY COMPLIANCE

MARKET & COMMODITY RISK


• Trading Area Risk Management Assessment, Process Views

• Commodity Risk Diagnostics

• Operations Process Maturity & Reengineering

• Risk Control Self Assessment & Loss Event Support

• Executive Reporting Evaluations (KPIs, KRIs)

• Risk Technology Software Selection

Powerful Insights:
• Compliance Officers
• Former Regulators
• Internal Audit Professionals
• Modeling PhDs
• Operations Managers
• Former Risk Managers

PROTIVITI’S BSA/AML AND SANCTIONS SOLUTIONS

Protiviti’s AML Leadership Team includes former financial institution regulators, former financial institution compliance officers, fraud and forensic specialists, and AML technology system experts. We draw on our previous industry experience to help compliance officers, board members, and all three lines of defense to respond to situations of noncompliance, to improve processes and controls, and to provide ad-hoc support. At Protiviti, we understand the AML challenges faced by financial services organizations. Our solutions are designed to help your company exceed regulator’s expectations. We enable clients to take a disciplined approach to managing AML/Sanctions risk and provide sustainable solutions.

We provide expertise in the following areas: Design and Implementation of AML Risk Assessments; Program Development, Implementation and Assess; System Vendor Selection and Utilization; Program Remediation; Money Laundering Investigations; Independent Testing of AML Programs; and Training.

• We have deep knowledge of the Financial Services Industry and a proven track record of successful project delivery

• Many of our team members hold professional industry related certifications (e.g., CAMS, CFE, PMP, CRCM) and advanced experience in BSA/AML, Sanctions, Threat Finance & related topics

KNOWLEDGE

• Our team consists of industry leaders in their field of expertise across jurisdictions

• The size and skillset of our dedicated risk and compliance professionals allows our clients the flexibility to expand and reduce project teams as needed

• Additionally, with RHI as our parent company, we have the scalability to access qualified resources for large scale projects

RESOURCE

• We have extensive expertise and direct relevant experience in BSA/AML, sanctions, technology, and models

• We combine our former industry experience with our consulting acumen to develop customized client resolutions

• Our experiences span several areas of assessments and enhancements to all aspects of the BSA/AML and Sanction Program Requirements and Practices

EXPERIENCE

• Our BSA/AML and Sanctions practice is comprised of four primary disciplines: BSA/AML, Domestic and International Sanctions, Technology, and Model Risk

• We provide a wide variety of consultative services designed to assist organizations in all aspects of BSA/AML and Sanctions Compliance

BSA/AML & SANCTIONS


PROTIVITI’S BSA/AML AND SANCTIONS SUPPORT


BSA/AML and Sanctions Practice

• KYC Program Design and Assessment

• Customer/Vendor Risk Rating (CRR/VRR) Assess

• Customer Information Program (CIP), Customer Due Diligence (CDD), Enhanced Due Diligence (EDD)

• Sanctions and Client Screening (e.g., negative and positive media, Politically Exposed Persons (PEPs))

• Workflow and Case Management

• File and Relationship Remediation

• Metrics/Management Reporting (Key Risk Indicators (KRIs) and Key Performance Indicators (KPIs))

• Board and Senior Management Reporting

• Linkages between BSA/AML Compliance and Lines of Business

• Project Management Office (PMO) creation and management

• Transaction Monitoring Program Design and Assessment

• Alert/Case Management

• Regulatory Reporting (Suspicious Activity Report (SAR)), OFAC Blocked and Rejected

• Information Sharing US PATRIOT Act Sections 314(a) and 314(b)

• Lookbacks, Transaction Testing, Remediation and Reporting

• BSA/AML and OFAC Risk Assessment Methodology Development, Implementation and Assessment

• Customer Risk Assessment

• Product and Service Risk Assessment

• Geography Risk Assessment

• Risk Assessment integration with the Lines of Business (LOBs) and Internal Audit (IA)


PROTIVITI’S BSA/AML AND SANCTIONS SUPPORT


TRAINING

• Setting the “Tone-at-the-Top”

• Organizational Capability Assessments

• BSA/AML and OFAC Officer designation

• Board Oversight/Reporting

• Risk Strategy/Appetite definition

• Compliance Program Design/Integration

• Policy and Procedure Governance

• Process Mapping and Business Transformation Services

• Annual BSA/AML and OFAC Training Plan

• BSA/AML and OFAC Training Program

• New Hire Training

• Existing Employee Annual/Periodic Training

• Senior Management Training/Awareness

• Role-Specific Training

• Model Tuning and Threshold Setting

• Independent Model Validation

• Data Validation and Analytics

• Scenario and Alert Optimization

• Transaction Monitoring Model development, Testing, and Supporting Documentation

• Management Organizational Structure

• Internal Staffing/Loan Staff Support

• Quality Assurance Function

• Regulatory Liaison/Relationship Development

• LOB Relationship Development/Feedback

• Process and Procedure Development

• PMO Support

• Enforcement Action Remediation

• System Selection, Implementation and Validation

• System Integration

• Data Source Mapping, Governance, Lineage

• BSA/AML and Sanctions Technology Assessments

• Governance, Risk, and Compliance Function Integration

• Independent Testing Recurring Reviews

• Internal Control Assessments

• Self-Assessment Routine Establishment

• Issue Capture, Prioritization and Resolution Process

• Internal Audit Co-Sourcing, Loan Staff Support

BSA/AML and Sanctions Practice


PROTIVITI RANKS HIGH IN CLIENT SATISFACTION

OUR CLIENT VALUE MANAGEMENT PROCESS

Overall Score: 8.7 out of 10

Protiviti has a systematic, global process for measuring, monitoring and improving our clients’ satisfaction. We invest time in understanding and improving our level of service and ensuring we are delivering upon our promise of “Powerful Insights, Proven Delivery.”

100% of our clients said they would “Retain Protiviti for Future Projects”

WHAT WE’VE HEARD FROM OUR CLIENTS:

Protiviti was able to supply valuable resources to assist our team when we needed them most so the impact on our operations was significant.

We cannot say enough good things about your work and the impact on our business. In terms of measurable results, shrink was an industry best practice level when we started and it has declined to an even lower level since you began.

We appreciate: Quality of people and work. Service mind set. Flexibility in your approach and work schedule. Work with a sense of urgency. Also Protiviti’s depth of knowledge with control environment; appropriate perspective on control, how you see the big picture.


QUESTIONS AND ANSWERS


Q&A


For more info, also visit www.Protiviti.com/AML