APRIL 2007 Anti-Money Laundering – Global Best Practices William Langford Director of Global Anti-Money Laundering.

APRIL 2007

Anti-Money Laundering – Global Best Practices

William LangfordDirector of Global Anti-Money Laundering

Framework for Anti-Money Laundering ComplianceFramework for Anti-Money Laundering Compliance

Policy and Procedures

Global Money Laundering Risk Assessment and Mitigation

Drives the development and operation of the program Identify and quantify risks and internal controls across product lines and geographies Develop and track risk mitigation action plans

Global AML Policy

Corporate Minimum Standards— KYC – High Risk Customers— Correspondent Banking— Country Risk Ranking— Suspect Screening

Line of Business AML Policies and Procedures

Anti

-Money L

au

nderi

ng –

Glo

bal B

est

Pra

ctic

es

Framework (Cont’d)Framework (Cont’d)

On-Going Due Diligence and Monitoring Automated transaction monitoring – through activity profiling, peer grouping, and targeted filters

plus the detection of specific scenarios that may involve illicit activity On-going use of monitoring experience to enhance systemic monitoring quality Watchlists and suspect screening of accounts and transactions Account surveillance of high-risk customers or accounts with potentially suspicious activity Periodic relationship reviews and due diligence refresh on a risk-assessed basis

Customer On-Boarding Customer identity verification Risk-based customer due diligence, including general due diligence and, where necessary,

enhanced due diligence and specialized due diligence Compliance with additional, specific regulatory requirements for type of client or account, e.g.,

correspondent accounts, private banking accounts, politically exposed persons Suspect screening Identification of prohibited relationships

Anti

-Money L

au

nderi

ng –

Glo

bal B

est

Pra

ctic

es

Investigation and Reporting Investigation of potentially suspicious activity Reporting of activity determined to be suspicious in accordance with applicable legal requirements Coordination with law enforcement on matters requiring additional investigation Information sharing on trends and patterns to business units Consultation with lines of business to address the risks posed, including determining whether to

maintain the relationship Program Assessment and Audit Management reporting and metrics to track policy implementation, program operation, and

effectiveness Coordinated compliance testing Independent testing and validation performed by Audit targeting highest risks

Communication and Training Annual core training as well as enhanced training specific to products and services within the lines of

business AML Awareness

Framework (Cont’d)Framework (Cont’d)

Anti

-Money L

au

nderi

ng –

Glo

bal B

est

Pra

ctic

es

AgendaMoney Laundering Risk Assessment and Mitigation

Benefits of an effective BSA/AML risk assessment process include:

Helps to identify the bank’s BSA/AML risk profile. Enables the bank to apply the appropriate risk management processes to

the BSA/AML Compliance program to mitigate risk. Allows management to better identify and mitigate gaps in the bank’s

controls. Provides a comprehensive analysis of the BSA/AML risk in a concise and

organized presentation.

Step 1: Identify Specific Risk Categories

Identify specific risk categories, (i.e., products, services, customers, entities, and

geographic locations) unique to the bank.

Step 2: Conduct Detailed Analysis

Conduct a more detailed analysis of the data identified to better assess the risk within these categories. In reviewing the risk assessment, the examiner should determine whether management has considered all products, services, customers, and geographic locations, and whether management’s detailed analysis within these specific risk categories was adequate.

AgendaMoney Laundering Risk Assessment – Primary Audiences

Regulators

Senior Management

LOB Senior Management

Regulators expect that we understand our AML risks, have created appropriate controls to mitigate them, and can support both the understanding of risks and our associated controls with appropriate documentation (including an AML risk assessment)

Senior Management requires a strong level of confidence that our AML program currently maintains appropriate controls to mitigate the reputation and business risks of money laundering-related activity, and that our AML program is prepared to respond appropriately to future challenges

LOB Senior Management requires an accurate understanding of the nature of their AML exposure and a level of comfort with the measures and controls in place to mitigate this business risk

AgendaMoney Laundering Risk Assessment – Primary Audiences

Internal Audit

BSA Officer - Compliance

Officer

Testing Units

Internal Audit has a mandate to ensure that LOBs possess a sufficient understanding of their business risks, a system of internal controls adequate to mitigate these risks effectively, and LOB senior management oversight of the AML risk management process

The BSA Officer or Compliance Officer is responsible for the development, implementation and oversight of the AML program, and requires an accurate assessment regarding LOB AML risks and controls in order to make decisions regarding the shape and direction of the program

Similar to Internal Audit, Compliance Testing Units utilize risk assessments to ensure that risks are identified, measured, monitored, and controlled. Risk assessments are key part of the scoping process.


Measuring Susceptibility to Money Laundering

Stratify Risk Assessment by Business UnitsQuantify Risk Levels and Control AdequacyRoll Up ResultsCommunicate Risk Levels and TrendsMacro-Level Measurement Possibilities

•Capital•Total Assets or Assets Under Management•Revenue

AgendaKey Enterprise Risks

Legal Risk

Compliance Risk

Reputation Risk


Risk Assessment Link to the BSA/AML Compliance Program – FFIEC Manual

Identify & Measure Risk:• Products• Services• Customers• Geographic locations

Risk Assessment Internal Controls

Develop Applicable:• Policies• Procedures• Systems• Controls

Results

Risk-Based BSA Compliance Program• Internal controls• Audit• BSA Compliance Officer• Training


Inherent Risks

•Products

•Clients

•Geography (Domestic or International Exposure)

•Forward Looking – changes in business strategy; new products, expanding to new markets, or exiting products/markets

Risk Mitigation

•Governance

•Management Oversight/Resources

•Customer/Client Identification and Due Diligence

•Management Information Systems

•BSA Reporting (CTRs, SARs)

•Training

•Testing/Audit Coverage/Examination Findings


Product Risk – FFIEC ManualCertain products and services offered by banks may pose a higher risk of money laundering or terrorist financing depending on the nature of the specific product or service offered.

Such products and services may facilitate a higher degree of anonymity, or involve the handling of high volumes of currency or currency equivalents.

Some of these products and services are listed below, but the list is not all inclusive:

Electronic funds payment services.

Electronic Banking.

Private banking (domestic and international.

Trust and asset management services.

Monetary instruments.

Foreign correspondent accounts.

Trade finance (letters of credit).

Special use or concentration accounts.

Lending activities (e.g., loans secured by cash collateral and marketable securities).

Non-deposit account services (e.g., non deposit investment products and insurance).


Client Risk – FFIEC Manual

Although any type of account is potentially vulnerable to money laundering or terrorist financing, by the nature of their business, occupation, or anticipated transaction activity, certain customers and entities may pose specific risks.

At this stage of the risk assessment process, it is essential that banks exercise judgment and neither define nor treat all members of a specific category of customer as posing the same level of risk.

In assessing customer risk, banks should consider other variables, such as services sought and geographic locations.

See the next page for a list of Customers and Entities that may pose specific risks to money laundering or terrorist financing.


Client Risk – FFIEC ManualForeign financial institutions, including banks and foreign money services providers (e.g., casas de cambio, currency exchanges, and money transmitters).

Non-bank financial institutions (e.g., money services businesses; casinos and card clubs; brokers/dealers in securities; and dealers in precious metals, stones, or jewels).

Senior foreign political figures and their immediate family members and close associates (politically exposed persons (PEPs)).

Nonresident alien (NRA) and accounts of foreign individuals.

Foreign corporations and domestic business entities, particularly offshore corporations (such as domestic shell companies and Private Investment Companies (PICs) and international business corporations (IBCs)) located in high-risk geographic locations.

Deposit brokers, particularly foreign deposit brokers.

Cash-intensive businesses (e.g., convenience stores, restaurants, retail stores, liquor stores, cigarette distributors, privately owned ATMs, vending machine operators, and parking garages).

Non-governmental organizations and charities (foreign and domestic).

Professional service providers (e.g., attorneys, accountants, doctors, real estate brokers).


Geographic Risk – FFIEC Manual

Countries subject to OFAC sanctions, including state sponsors of terrorism.

Countries identified as supporting international terrorism under section 6(j) of the Export Administration Act of 1979, as determined by the Secretary of State.

Jurisdictions determined to be “of primary money laundering concern” by the Secretary of the Treasury, and jurisdictions subject to special measures imposed by the Secretary of the Treasury, through FinCEN, pursuant to section 311 of the Patriot Act.

Jurisdictions or countries identified as non-cooperative by the Financial Action Task Force on Money Laundering (FATF).

Major money laundering countries and jurisdictions identified in the U.S. Department of State’s annual International Narcotics Control Strategy Report (INCSR), in particular, countries which are identified as jurisdictions of primary concern.

Offshore financial centers (OFCs) as identified by the U.S. Department of State.

Other countries identified by the bank as high-risk because of its prior experiences or other factors (e.g., legal considerations, or allegations of official corruption).

Domestic: HIDTAs and HIFCAs

International:


Roll Up the Results

Risk Weighting – FFIEC Manual Appendix J

Document Your Results

Possible Proxies

•Total Assets or Assets Under Management

•Capital

•Net Revenue

•Interest Income/Noninterest Income

•Market Exposure

•Place the AML Exposure in the Context of the Enterprise


Summarize the Results

•Profile of the business

•Key Inherent Risk Factors

•Primary factors that contributed to the risk levels assigned

•Key Mitigation Factors/Controls

•Primary factors that contributed to the strength or weakness of controls

•Residual Risk

•Direction of Risk Trend

•Where is your risk headed in the next 12-18 months?

•Increasing? Decreasing? Stable?


Now what?

Keep your risk assessment up to date

Per the FFIEC Manual, reassess BSA/AML risks at least every 12 to 18 months

Dynamic if possible


Now what?Drive/Focus Resources

Training

Monitoring

Independent testing or Audit

•Scoping

•Validating the Assessment and Controls


What about OFAC?

Do you assess OFAC as part of your AML risk assessment?

Resources:

FFIEC Manual – Appendix M

OFAC Website

APRIL 2007 Anti-Money Laundering – Global Best Practices William Langford Director of Global Anti-Money Laundering.

Documents

risk assessments

aml risk management

business risk slide

specific risk categories

aml program

lob aml risks

banks bsaaml risk profile

aml exposure