Dec 26, 2015
Association of International Bank Auditors (AIBA) - 2nd Annual Compliance Seminar
Current AML Regulatory Environment
June 14, 2012
2 Copyright © 2012 Deloitte Development LLC. All rights reserved.
Disclaimer
This publication contains general information only and Deloitte Financial Advisory Services LLP is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.
Deloitte Financial Advisory Services LLP shall not be responsible for any loss sustained by any person who or entity which relies on this publication.
Current Environment
• Stakes are getting higher, and maintaining compliance is becoming harder
• Increased cross-border issues and activities
– International Directives
• More and more guidance and standards
• Increased governmental/regulatory activity
– Enforcement Actions
– Congressional Reports
– Government Accountability Office (GAO) Reviews
• Larger, more complex organizations
Current Environment (cont’d)
• Communication with/involvement of head office is important
• Head Office personnel responsible for oversight of/conducting testing should:
– Understand both the local and head office risk profiles
– Understand the legal and regulatory requirements applicable to the U.S. operations
– Obtain training related to BSA/AML compliance
– Establish strong information sharing practices between Head Office and U.S. offices; be given sufficient access to information in order to monitor the activity of the U.S. operations
– Actively oversee the testing program/activities and “sign off” on the program/testing results
– Obtain/review copies of audit reports and any other reports related to AML and internal control evaluations
– Follow up on observations (timeliness and completeness of management responses) and perform re-testing
Current Environment (cont’d)
• Pay attention to regulatory and litigation trends and priorities
• BSA Program Redesign
– Deeper dive into risk-based analysis; increased focus on firm-wide compliance risk management
– Emphasis on metrics
• Transaction Monitoring/Filtering
– Better use of interdiction software
– Continued enhancements to existing monitoring systems
• Reporting
– Connecting the dots
– Escalation and governance
Emerging Trends
• AML examinations are expected to be more frequent and intense
– Severity of the enforcement may reach new heights
– Increased resources dedicated to BSA regulation and examinations
– Increased enforcement actions against mid-sized and foreign banks
– Include more formal examination of AML “models”, e.g. TM (transaction monitoring), risk, etc.
• Personal liability for officers and directors
• Greater DOJ and local law enforcement involvement in BSA-related cases
– More deferred prosecution agreements
• Emphasis on emerging technologies
– Stored value
– Mobile phones
• Compliance integration in the context of M&A deals
• Growing focus on OFAC enforcement
• FATCA compliance
Realign and Enhance the Audit Framework
• Establish an audit scope, plan and methodology that is comprehensive and includes all relevant components of the USA PATRIOT Act, including the systems used to support compliance
• Create work papers that clearly document the testing performed, are consistent in methodology and presentation, address all audit plan items and describe the sampling methodology (explain the sample size selected)
• Document the activities performed: formal interviews, walk-throughs, documents assessed, etc.
• Previous audit or regulatory findings should be clearly delineated and addressed early in the audit
Common Internal Audit Errors and/or Regulatory Findings
Audit Scope and Approach
• A lack of/inadequate independent testing, and/or the auditors did not possess sufficient AML knowledge
• A number of enforcement actions address the following: the bank failed to conduct adequate independent testing, failed to adequately document its testing activities, the testing program was inadequate, and the assigned ratings were not in line with testing findings/results
• Regulators are increasingly reviewing auditor resumes, AML training received, etc.
Common Internal Audit Errors and/or Regulatory Findings
Audit Scope and Approach
• Failure to identify and test all of the business lines that require AML coverage
• The audit scope does not include key items, or the testing failed to address all items in the audit plan
• Work papers are not adequate to support key findings in the final report
• Audit ratings are not in line with documented findings
• All aspects of the AML Program are not routinely tested, including automated detection systems (e.g. OFAC and transaction monitoring)
• Third party service providers which play a pivotal role in leveraging resources are not subject to annual testing
Common Internal Audit Errors and/or Regulatory Findings
Governance
• The board has not established an appropriate tone at the top of the organization
• Senior management does not receive adequate, periodic reporting on AML compliance by the AML Officer (e.g., metrics, risk trends, new/proposed regulations, results of compliance testing and audits, etc.)
• The Board and/or senior management are not actively involved in the oversight of the AML program
Common Internal Audit Errors and/or Regulatory Findings
Section 352 of the USA PATRIOT Act
• AML Officer
– Board/Senior Management have not appointed an AML Officer who possesses the requisite knowledge/has the necessary stature in the organization
– The AML Office is not sufficiently staffed for the overall risk level and size of the institution
– Proper reporting lines and appropriate escalation protocols have not been established
– Decentralized activities do not report either directly or indirectly to the AML Office
Common Internal Audit Errors and/or Regulatory Findings
Section 352 (cont’d)
• Policies and Procedures
– Lack of updates to policies and procedures for changes to the business, practices and/or systems within the Bank
– Business and/or support units not following documented policies and procedures
– Missing policies and procedures for functions or products that should have documented processes related to AML
– Untimely approval of the AML Program
Common Internal Audit Errors and/or Regulatory Findings
Section 352 of the USA PATRIOT Act (cont’d)
• Training
– Not all existing and new employees receive annual general training; “targeted/enhanced” training is not provided to individuals whose job responsibilities require specific AML knowledge (e.g. Compliance); adequate documentation is not maintained; Board/senior management are not trained
Common Internal Audit Errors and/or Regulatory Findings
Section 352 of the USA PATRIOT Act (cont’d)
• Testing
– Lack of/limited documented audit plan, scope and methodology
– Inadequate risk-based testing of policies, procedures, processes and automated systems
– Inability to report and track deficiencies; corrective actions by the business and/or follow-up assessments by audit are inadequate/not timely
– Audit personnel do not receive training on a regular basis
Common Internal Audit Errors and/or Regulatory Findings
Risk Assessments
• The risk assessments (AML and/or OFAC) are not performed or fail to adequately address the risks faced by the institution
• The risk assessment processes are not updated on a regular basis
• The risk assessments are not incorporated into other facets of the AML Program (e.g. audit or transaction monitoring)
Challenges - Where is the risk?
Identifying where AML risk originates and how the factors interrelate can be a complicated task.
[Diagram: risk factor map. Labels shown (grouping approximate): Customers (Trusts, Corps., PEPs, Individ.); Geographies (US); Transactions (Frequency, Volume, Value); Operations (Outsourcers, Service Providers, Affiliates, Head Office); Channels (Internet, Telephone, In person); Products (Credit, Trade Finance, Corresp. Banking, Deposits); Regulation (FATF, US).]
An Approach to BSA/AML (OFAC) Risk Assessment
Risk Assessment typically follows a three-step approach:
Step 1: Assessment of Inherent Risk
Objective is to assess the risk of the entity or business units based on their business activities, irrespective of any controls.
– For example, a business unit operating in a higher risk jurisdiction and/or offering higher risk products/services would have a higher inherent risk
Step 2: Assessment of Control Environment
Objective is to assess the control environment in light of the mitigating controls implemented.
– Examples of strong internal controls: clear policies and procedures, strong KYC processes, effective systems, training program and independent audit
Step 3: Determine Residual Risk
Upon completion of Steps 1 and 2, determine residual risk, e.g., utilizing a Residual Risk Rating Matrix, based on the overall inherent and control assessment rating.
– For example, a business unit with a higher inherent risk but strong governance, internal controls and/or systems, etc. may have a lower overall residual risk than a medium risk business unit with weak controls
Step 1: Assessment of Inherent Risk
• Inherent Risk is typically based on selecting relevant, broad categories of risk:
– Customer Base
– Products and Services
– Transactions
– Delivery Channels
– Geography/Jurisdictions
– Other
• These broad risk categories are then sub-divided into inherent risk factors derived from regulatory guidance and industry leading practices.
• This step tends to be more quantitative in nature: greater reliance on quantitative data reduces subjectivity.
• Each inherent risk factor is assigned a weight based on its importance from an institutional, industry and regulatory perspective.
• The overall inherent risk is then derived based on the results of the assessment and the weights assigned to each risk factor.
Step 1: Inherent Risk – Customer Base Risk Factors
As an example, the Customer Base risk category can be sub-divided into the following risk factors:
• Business/Occupation
o Industry type (i.e., the nature of the business that is conducted by a customer) is typically considered given that certain industry types inherently present a higher sanctions risk than other industries
o NAICS code
• Ownership Type
o Individual vs. Business
o Public vs. Private
• Legal Entity Type
o e.g., Corporation, LLP, LLC, Sole Proprietor, Not-for-Profit
• Length of Relationship
o Typically, the longer the relationship the less risky the customer, because you know the customer better and their expected business activity
Step 1: Assessment of Inherent Risk - Illustration
Inherent AML risk is assessed across a defined set of main risk areas. Multiple risk factors are evaluated within each main risk area to determine the overall inherent AML risk for each entity/business assessed.
[Diagram: risk model snapshot, 5 main risk areas with examples of risk factors:
1. Customer Base Inherent Risk: individual/business; industry type; PEP status; legal entity status; length of relationship; maturity/stability; domicile/residency; e-banking; indirect customers
2. Product / Account Type Inherent Risk (portfolio of product offerings): deposits; correspondent banking; credit; mortgages; sales finance; life insurance; anonymous savings accounts
3. Transactional Inherent Risk (portfolio of transaction types): cash/checks; transfers; international/domestic wires; international/domestic ACH; cash deposits; international checks
4. Business Strategy Inherent Risk: M&A activity; business strategy changes; expected growth; product portfolio expansion; staff turnover
5. Geography Inherent Risk (country risk rating model): positive factors (FATF, EU, BIS); negative factors (OFAC, NCCT, 311, offshore, etc.)
Legend: for each country / risk area / risk factor the inherent AML risk can be rated on a scale of:
Summary Dashboard: provides an overview of the overall risk for each country by the 5 main risk areas.]
Step 2: Mitigating Controls & Residual Risk
• Mitigating Controls are typically assessed across various categories, e.g.:
– Management: Structure, Oversight and Governance
– Policies and Procedures
– Training
– Systems
– Internal Testing, Controls, and Reporting
• Controls are assessed using a series of questions relevant to each category. This assessment tends to be more qualitative.
• Each control category is then assigned a weighting based on the importance that the institution places on the control.
• The overall control rating is then derived based on the results of the assessment and the weights assigned to each control.
Step 2: Mitigating Controls - Illustration
Mitigating controls in the form of AML policies, procedures and processes are assessed for each entity/business assessed.
[Diagram: control assessment snapshot.
Assessment of controls, by the maximum count of “N” answers for each control area:
LEVEL     Max count of “N” for each control area
STRONG    0
MEDIUM    2
WEAK      3+
Sample control areas: P&P; Governance; Training; Risk Assessment; CIP / KYC / EDD; Screening; Auditing / Testing; AML Officer and Function.
Examples of questions (structured answers: Y / N / N/A / Comment, recorded separately for Policies & Procedures and for Process):
• Do you perform regular testing of adherence to the AML program, policies and procedures?
• Are all new employees required to attend and pass the initial AML training within the first months after being hired?
• Is the AML officer certified by the local authority or a recognized international organization (e.g., ACAMS)?
• Do you utilize an automated screening filter to match customer names against the Watch list names?
• For all individual customers, do you at minimum obtain the name, DOB, residential address and identification number?
Summary Dashboard: provides a summary of the overall assessment of mitigating controls, rating each control area (I. General Policies & Procedures, II. Governance, III. Training, IV. Risk Assessment, V. Customer Risk Rating, VI. CIP / KYC / EDD, VII. PEPs, VIII. Screening, IX. Surveillance, X. Reporting, XI. Recordkeeping, XII. Auditing / Testing) as Weak / Medium / Strong for Process and for Policies & Procedures, together with an overall rating of controls.]
Step 2: Residual Risk - Illustration
• Once the overall inherent risk and the control risk ratings are derived, residual risk can be determined. The matrix below is an example of how residual risk can be determined.
• Upon assessing its residual risk, an FI is better able to execute a more effective, risk-based transaction monitoring program, allocate resources to monitoring higher risk customers, identify training priorities, influence hiring practices, identify system development needs, and align due diligence with the level of risk.
Residual Risk Rating Matrix (rows: Final AML Controls Assessment; columns: Final Inherent Risk Assessment)
                     High       Moderate   Low
Weak                 High       Moderate   Low
Moderate             High       Moderate   Low
Strong               Moderate   Low        Low
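As an added example (not code from the deck or from Deloitte), the three steps above as a small Python model: weighted inherent risk factors (Step 1), control-area ratings from the count of “N” answers using the Strong 0 / Medium 2 / Weak 3+ thresholds shown in the Step 2 illustration, and the residual risk matrix above (Step 3). The 1-to-3 scoring scale, the band cutoffs, the placement of a single “N” in the Medium band, and the sample weights and answers are constructed assumptions.

```python
# Added example, not code from the Deloitte deck: a toy version of the three-step
# risk assessment. Scale, cutoffs, weights and sample answers are constructed.
from typing import Dict, List

RISK_LEVELS = ("Low", "Moderate", "High")       # inherent/residual scale (assumed)
CONTROL_LEVELS = ("Weak", "Medium", "Strong")   # control scale from the Step 2 slide
RESIDUAL = {  # Step 3 matrix exactly as on the slide, indexed [controls][inherent]
    "Weak":     {"High": "High",     "Moderate": "Moderate", "Low": "Low"},
    "Moderate": {"High": "High",     "Moderate": "Moderate", "Low": "Low"},
    "Strong":   {"High": "Moderate", "Moderate": "Low",      "Low": "Low"},
}

def _band(score: float, levels) -> str:
    """Map a weighted 1..3 score onto a three-level label (cutoffs assumed)."""
    return levels[2] if score >= 2.5 else levels[1] if score >= 1.75 else levels[0]

def inherent_risk(factor_scores: Dict[str, int], weights: Dict[str, float]) -> str:
    """Step 1: each factor scored 1 (Low)..3 (High), weighted, then banded."""
    total_w = sum(weights[f] for f in factor_scores)
    score = sum(factor_scores[f] * weights[f] for f in factor_scores) / total_w
    return _band(score, RISK_LEVELS)

def control_area_rating(answers: List[str]) -> str:
    """Step 2a: rate one control area by its count of "N" answers, using the
    slide's thresholds (0 -> Strong, 2 -> Medium, 3+ -> Weak); a single "N" is
    assumed to sit in the Medium band. "Y" and "N/A" answers do not count."""
    n_count = sum(1 for a in answers if a.strip().upper() == "N")
    return "Strong" if n_count == 0 else "Medium" if n_count <= 2 else "Weak"

def overall_controls(area_ratings: Dict[str, str], weights: Dict[str, float]) -> str:
    """Step 2b: weight each area's rating (Weak=1 .. Strong=3) and band it."""
    total_w = sum(weights[a] for a in area_ratings)
    score = sum((CONTROL_LEVELS.index(r) + 1) * weights[a]
                for a, r in area_ratings.items()) / total_w
    return _band(score, CONTROL_LEVELS)

def residual_risk(inherent: str, controls: str) -> str:
    """Step 3: matrix lookup; the control scale's 'Medium' is the matrix's 'Moderate' row."""
    return RESIDUAL["Moderate" if controls == "Medium" else controls][inherent]

def assess(factor_scores, factor_weights, answers_by_area, area_weights) -> Dict[str, str]:
    """Run all three steps for one entity/business unit."""
    inh = inherent_risk(factor_scores, factor_weights)
    areas = {a: control_area_rating(ans) for a, ans in answers_by_area.items()}
    ctl = overall_controls(areas, area_weights)
    return {"inherent": inh, "controls": ctl, "residual": residual_risk(inh, ctl)}

# Constructed sample: a unit in a higher-risk jurisdiction with strong controls.
SAMPLE = assess(
    {"Customer Base": 3, "Products": 3, "Transactions": 2, "Channels": 2, "Geography": 3},
    {"Customer Base": .25, "Products": .2, "Transactions": .2, "Channels": .15, "Geography": .2},
    {"P&P": ["Y", "Y", "N/A"], "Governance": ["Y", "Y"], "Training": ["Y", "N", "Y"],
     "Screening": ["Y", "Y"], "Auditing / Testing": ["Y", "Y", "Y"]},
    {"P&P": 1, "Governance": 1, "Training": 1, "Screening": 1, "Auditing / Testing": 1},
)  # -> {'inherent': 'High', 'controls': 'Strong', 'residual': 'Moderate'}
```

The sample shows the point the slide makes: a high inherent risk unit with strong controls lands at Moderate residual risk, while the same unit with three or more “N” answers in most areas would stay High.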
Contact Information
Peter Fitzgerald, Principal, Deloitte Financial Advisory Services LLP
212-436-5221
About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries.
Copyright © 2011 Deloitte Development LLC. All rights reserved.
Member of Deloitte Touche Tohmatsu Limited