Association of International Bank Auditors (AIBA) - 2nd Annual Compliance Seminar Current AML Regulatory Environment June 14, 2012

Dec 26, 2015

Alban Boyd

Transcript
Page 1: Association of International Bank Auditors (AIBA) - 2nd Annual Compliance Seminar Current AML Regulatory Environment June 14, 2012.

Association of International Bank Auditors (AIBA) - 2nd Annual Compliance Seminar

Current AML Regulatory Environment

June 14, 2012

Page 2: Disclaimer

2 Copyright © 2012 Deloitte Development LLC. All rights reserved.

This publication contains general information only and Deloitte Financial Advisory Services LLP is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.

Deloitte Financial Advisory Services LLP shall not be responsible for any loss sustained by any person who or entity which relies on this publication.

Page 3: Current Environment

• Stakes are getting higher, and maintaining compliance is becoming harder

• Increased cross-border issues and activities

– International Directives

• More and more guidance and standards

• Increased governmental/regulatory activity

– Enforcement Actions

– Congressional Reports

– Government Accountability Office (GAO) Reviews

• Larger, more complex organizations

Page 4: Current Environment (cont’d)

• Communication with/involvement of head office is important

• Head Office personnel responsible for oversight of/conducting testing should:

– Understand both the local and head office risk profiles

– Understand the legal and regulatory requirements applicable to the U.S. operations

– Obtain training related to BSA/AML compliance

– Establish strong information sharing practices between Head Office and U.S. offices; be given sufficient access to information in order to monitor the activity of the U.S. operations

– Actively oversee the testing program/activities and “sign off” on the program/testing results

– Obtain/review copies of audit reports and any other reports related to AML and internal control evaluations

– Follow up on observations (timeliness and completeness of management responses) and perform re-testing

Page 5: Current Environment (cont’d)

• Pay attention to regulatory and litigation trends and priorities

• BSA Program Redesign

– Deeper Dive Into Risk-Based Analysis; Increased focus on firm-wide compliance risk management

– Emphasis on Metrics

• Transaction Monitoring/Filtering

– Better Use of Interdiction Software

– Continued Enhancements to Existing Monitoring Systems

• Reporting

– Connecting the Dots

– Escalation and Governance

Page 6: Emerging Trends

• AML examinations are expected to be more frequent and intense

– Severity of the enforcement may reach new heights

– Increased resources dedicated to BSA regulation and examinations

– Increased enforcement actions against mid-sized and foreign banks

– Include more formal examination of AML “models”, e.g. TM, risk, etc.

• Personal Liability for officers and directors

• Greater DOJ and local law enforcement involvement in BSA-related cases

– More deferred prosecution agreements

• Emphasis on emerging technologies

– Stored value

– Mobile phones

• Compliance integration in the context of M&A deals

• Growing focus on OFAC enforcement

• FATCA compliance

Page 7: Realign and Enhance the Audit Framework

• Establish an Audit Scope, Plan and Methodology that is comprehensive and includes all relevant components of the USA PATRIOT Act including systems used to support compliance

• Create work papers that clearly document the testing performed, are consistent in methodology and presentation, address all audit plan items and describe the sampling methodology – explain sample size selected

• Document the activities performed - formal interviews, walk-throughs, documents assessed, etc.

• Previous audit or regulatory findings should be clearly delineated and addressed early in the audit

Page 8: Common Internal Audit Errors and/or Regulatory Findings

Audit Scope and Approach

• A lack of/inadequate independent testing and/or the Auditors did not possess sufficient AML knowledge

• A number of enforcement actions address the following: the Bank failed to conduct adequate independent testing, failed to adequately document its testing activities, the testing program was inadequate and the assigned ratings were not in line with testing findings/results

• Regulators increasingly reviewing Auditor resumes, AML training received, etc.

Condon, Kevin
Is there another word instead of errors? I suggest "criticisms".
Page 9: Common Internal Audit Errors and/or Regulatory Findings

Audit Scope and Approach

• Failure to identify and test all of the business lines that require AML

• The Audit Scope does not include key items or the testing failed to address all items in the Audit Plan

• Work papers are not adequate to support Key Findings in the final report

• Audit ratings are not in line with documented findings

• All aspects of the AML Program are not routinely tested, including automated detection systems (e.g. OFAC and transaction monitoring)

• Third Party Service Providers which play a pivotal role in leveraging resources are not subject to annual testing

Page 10: Common Internal Audit Errors and/or Regulatory Findings

Governance

• The board has not established an appropriate tone at the top of the organization

• Senior management does not receive adequate, periodic reporting on AML compliance by the AML Officer (e.g., metrics, risk trends, new/proposed regulations, results of compliance testing and audits, etc.)

• The Board and/or senior management are not actively involved in the oversight of the AML program

Page 11: Common Internal Audit Errors and/or Regulatory Findings

Section 352 of the USA PATRIOT Act

• AML Officer

– Board/Senior Management have not appointed an AML Officer who possesses the requisite knowledge/has the necessary stature in the org.

– The AML Office is not sufficiently staffed for the overall risk level and size of the institution

– There are not proper reporting lines established and appropriate escalation protocols

– Decentralized activities do not report either directly or indirectly to the AML Office

Page 12: Common Internal Audit Errors and/or Regulatory Findings

Section 352 (cont’d)

• Policies and Procedures

– Lack of updates to policies and procedures for changes to the business, practices and/or systems within the Bank

– Business and/or Support units not following documented policies and procedures

– Missing policies and procedures for functions or products that should have documented processes related to AML

– Untimely approval of the AML Program

Page 13: Common Internal Audit Errors and/or Regulatory Findings

Section 352 of the USA PATRIOT Act (cont’d)

• Training

– All existing and new employees do not receive annual general training; “targeted/enhanced” training not provided to individuals whose job responsibilities require specific AML knowledge (e.g. Compliance); adequate documentation is not maintained; Board/sr. mgt. not trained

Page 14: Common Internal Audit Errors and/or Regulatory Findings

Section 352 of the USA PATRIOT Act (cont’d)

• Testing

– Lack of/Limited documented audit plan, scope and methodology

– Inadequate risk-based testing of policies, procedures, processes and automated systems

– Inability to report and track deficiencies; corrective actions by the business and/or follow-up assessments by audit are inadequate/not timely

– Audit personnel do not receive training on a regular basis

Page 15: Common Internal Audit Errors and/or Regulatory Findings

Risk Assessments

• The risk assessments (AML and/or OFAC) are not performed or fail to adequately address the risks faced by the institution

• The risk assessment processes are not updated on a regular basis

• The risk assessments are not incorporated into other facets of the AML Program (e.g. audit or transaction monitoring)

Page 16: Challenges - Where is the risk?

Identifying where AML risk originates and how the factors interrelate can be a complicated task

[Diagram: sources of AML risk and how they interrelate. Labels legible in the figure: Customers (Trusts, Corps., PEPs, Individuals); Geographies (US, Head Office, Affiliates, FATF); Transactions (Frequency, Volume, Value); Operations (Outsourcers, Service Providers); Channels (Internet, Telephone, In person); Products (Credit, Trade Finance, Correspondent Banking, Deposits); Regulation.]

Page 17: An Approach to BSA/AML (OFAC) Risk Assessment

Risk Assessment typically follows a three-step approach:

Step 1: Assessment of Inherent Risk

Objective is to assess the risk of the entity or business units based on their business activities, irrespective of any controls

– For example, a business unit operating in a higher risk jurisdiction and/or offering higher risk products/services would have a higher inherent risk

Step 2: Assessment of Control Environment

Objective is to assess the control environment in light of the mitigating controls implemented

Examples of strong internal controls: clear policies and procedures, strong KYC processes, effective systems, training program and independent audit

Step 3: Determine Residual Risk

Upon completion of Steps 1 and 2, determine residual risk, e.g., utilizing a Residual Risk Rating Matrix, based on the overall inherent and control assessment rating.

– For example, a business unit with a higher inherent risk but strong governance, internal controls and/or systems, etc. may have a lower overall residual risk than a medium risk business unit with weak controls

Page 18: Step 1: Assessment of Inherent Risk

• Inherent Risk is typically based on selecting relevant, broad categories of risk:

– Customer Base

– Products and Services

– Transactions

– Delivery Channels

– Geography/Jurisdictions

– Other

• These broad risk categories are then sub-divided into inherent risk factors derived from regulatory guidance and industry leading practices.

• This step tends to be more quantitative in nature; it relies more heavily on quantitative data in order to reduce subjectivity.

• Each inherent risk factor is assigned a weight based on its importance from an institutional, industry and regulatory perspective.

• The overall inherent risk is then derived based on the results of the assessment and the weights assigned to each risk factor.

Page 19: Step 1: Inherent Risk – Customer Base Risk Factors

As an example, the Customer Base risk category can be sub-divided into the following risk factors:

• Business/Occupation

o Industry type (i.e., the nature of the business that is conducted by a customer) is typically considered given that certain industry types inherently present a higher sanctions risk than other industries

o NAICS code

• Ownership Type

o Individual vs. Business

o Public vs. Private

• Legal Entity Type

o e.g., Corporation, LLP, LLC, Sole Proprietor, Not-for-Profit

• Length of Relationship

o Typically, the longer the relationship the less risky the customer, because you know the customer better and their expected business activity

Page 20: Step 1: Assessment of Inherent Risk - Illustration

Inherent AML risk is assessed across a defined set of main risk areas. Multiple risk factors are evaluated within each main risk area to determine the overall inherent AML risk for each entity/business assessed.

[Figure: Risk Model Snapshot, shown twice on the slide with slightly different example factors. Legend: for each country / risk area / risk factor the inherent AML risk can be rated on a scale of (scale values not legible). A Summary Dashboard provides an overview of the overall risk (by country in one version) across the 5 main risk areas. The 5 main risk areas and the examples of risk factors given for each:]

1. Customer Base Inherent Risk – e.g. Individual/Business, Industry Type, PEP status, Legal Entity Status, Length of Relationship, Maturity/stability, Domicile/residency, E-banking, Indirect customers

2. Product / Account Type Inherent Risk – portfolio of product offerings, e.g. Deposits, Correspondent Banking, Credit, Mortgages, Sales finance, Life insurance, Anonymous savings accounts

3. Transactional Inherent Risk – portfolio of transaction types, e.g. Cash / Checks, Transfers, International / Domestic Wires, International / Domestic ACH, Domestic transfers, Cash deposits, International checks, International transfers

4. Business Strategy Inherent Risk – e.g. M&A activity, Business strategy changes, Expected growth, Product portfolio expansion, Staff turnover

5. Geography Inherent Risk – country risk rating model: Positive factors (FATF, EU, BIS); Negative factors (OFAC, NCCT, 311, offshore, etc.)

Page 21: Step 2: Mitigating Controls & Residual Risk

• Mitigating Controls are typically assessed across various categories, e.g.:

– Management: Structure, Oversight and Governance

– Policies and Procedures

– Training

– Systems

– Internal Testing, Controls, and Reporting

• Controls are assessed using a series of questions relevant to each category. This assessment tends to be more qualitative.

• Each control category is then assigned a weighting based on the importance that the institution places on the control.

• The overall control rating is then derived based on the results of the assessment and the weights assigned to each control.

Condon, Kevin
Wouldn't the design and operating effectiveness play a role too?
Page 22: Step 2: Mitigating Controls - Illustration

Mitigating controls in the form of AML policies, procedures and processes are assessed for each entity/business assessed.

[Figure: Assessment of Controls. Sample control areas: P&P, Governance, Training, Risk Assessment, Screening, Auditing / Testing, CIP / KYC / EDD, AML Officer and Function. Each numbered question is answered separately for Policies & Procedures and for Process with a structured answer of Y, N, N/A or Comment. Legend – LEVEL is set by the max count of “N” answers for each control area: STRONG 0, MEDIUM 2, WEAK 3+. A Summary Dashboard provides a summary of the overall assessment of mitigating controls, rating Process and Policies & Procedures as WEAK / MEDIUM / STRONG for each area and giving an overall rating of controls; the dashboard areas are: I. General Policies & Procedures, II. Governance, III. Training, IV. Risk Assessment, V. Customer Risk Rating, VI. CIP / KYC / EDD, VII. PEPs, VIII. Screening, IX. Surveillance, X. Reporting, XI. Recordkeeping, XII. Auditing / Testing.]

Examples of Questions

• Do you perform regular testing of adherence to the AML program, policies and procedures?

• Are all new employees required to attend and pass the initial AML training within the first months after being hired?

• Is the AML officer certified by the local authority or a recognized international organization (e.g., ACAMS)?

• Do you utilize an automated screening filter to match customer names against the Watch list names?

• For all individual customers, do you at minimum obtain the name, DOB, residential address and identification number?

Page 23: Step 2: Residual Risk - Illustration

• Once the overall inherent risk and the control risk ratings are derived, then residual risk can be determined. The matrix below is an example of how residual risk can be determined.

• Upon assessing their residual risk, a FI is better able to execute a more effective, risk-based transaction monitoring program, allocate resources to monitoring higher risk customers, identify training priorities, influence hiring practices, identify system development needs, and align due diligence with the level of risk.

Residual Risk Rating Matrix (rows: Final AML Controls Assessment; columns: Final Inherent Risk Assessment)

                       High        Moderate    Low
Weak controls          High        Moderate    Low
Moderate controls      High        Moderate    Low
Strong controls        Moderate    Low         Low
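The three steps on the preceding slides, carried through end to end as an added worked example (example code written for this transcript; it is not the deck's or Deloitte's own model). It scores weighted inherent risk factors (Step 1), rates each control area by the count of "N" answers using the legend from the Step 2 illustration read as upper bounds (STRONG 0, MEDIUM up to 2, WEAK 3 or more), and looks the residual rating up in the matrix above. Assumed, because the slides do not give them: the 1 (Low) to 3 (High) factor scale, the numeric cut-offs that turn weighted averages into High/Moderate/Low and Strong/Moderate/Weak, the per-area control weights, and all of the sample data for the two business units.

```python
"""Three-step BSA/AML risk assessment model: weighted inherent risk (Step 1),
control areas rated from the count of "N" answers (Step 2), residual risk
from a rating matrix (Step 3).  Example code for this transcript, not the
deck's own model.  Assumed, not from the slides: the 1 (Low)..3 (High)
factor scale, the numeric cut-offs, control-area weights and sample data."""

# Assumed cut-offs: a weighted average at or above the bound gets the label.
INHERENT_THRESHOLDS = ((2.5, "High"), (1.75, "Moderate"), (0.0, "Low"))
CONTROL_THRESHOLDS = ((1.5, "Weak"), (0.5, "Moderate"), (0.0, "Strong"))
# Numeric value of a control-area level (assumption) so levels can be weighted.
CONTROL_LEVEL_SCORE = {"STRONG": 0, "MEDIUM": 1, "WEAK": 2}

# Slide 23 matrix: row = final AML controls assessment, column = final
# inherent risk assessment, cell = residual risk.
RESIDUAL_RISK_MATRIX = {
    "Weak":     {"High": "High",     "Moderate": "Moderate", "Low": "Low"},
    "Moderate": {"High": "High",     "Moderate": "Moderate", "Low": "Low"},
    "Strong":   {"High": "Moderate", "Moderate": "Low",      "Low": "Low"},
}


def weighted_average(pairs):
    """pairs: (weight, score) tuples.  Rejects an all-zero weight set."""
    pairs = list(pairs)
    total = sum(w for w, _ in pairs)
    if total <= 0:
        raise ValueError("weights must sum to a positive number")
    return sum(w * s for w, s in pairs) / total


def bucket(value, thresholds):
    """Label of the first threshold (highest bound first) the value reaches."""
    for bound, label in thresholds:
        if value >= bound:
            return label
    return thresholds[-1][1]


# Step 1: each factor is (weight, score on the assumed 1..3 scale).
def rate_inherent_risk(factors):
    """factors: {category: {factor: (weight, score)}} -> High/Moderate/Low."""
    for category, items in factors.items():
        for name, (_, score) in items.items():
            if not 1 <= score <= 3:
                raise ValueError(f"{category}/{name}: score {score} not in 1..3")
    pairs = (ws for items in factors.values() for ws in items.values())
    return bucket(weighted_average(pairs), INHERENT_THRESHOLDS)


# Step 2: slide 22 legend, "max count of N for each control area":
# STRONG 0, MEDIUM 2, WEAK 3+, read as upper bounds.  Y, N/A and Comment
# answers are not counted.
def rate_control_area(answers):
    n_count = sum(1 for a in answers if a == "N")
    if n_count == 0:
        return "STRONG"
    if n_count <= 2:
        return "MEDIUM"
    return "WEAK"


def rate_controls(controls, area_weights):
    """controls: {area: {"P&P": [answers], "Process": [answers]}}.
    Returns ({area: {dimension: level}}, overall Strong/Moderate/Weak)."""
    per_area, weighted = {}, []
    for area, dims in controls.items():
        levels = {dim: rate_control_area(ans) for dim, ans in dims.items()}
        per_area[area] = levels
        # Area score = mean of its P&P and Process levels (assumption).
        score = sum(CONTROL_LEVEL_SCORE[lvl] for lvl in levels.values()) / len(levels)
        weighted.append((area_weights[area], score))
    return per_area, bucket(weighted_average(weighted), CONTROL_THRESHOLDS)


# Step 3: matrix lookup.
def residual_risk(inherent, controls):
    return RESIDUAL_RISK_MATRIX[controls][inherent]


def assess(factors, controls, area_weights):
    inherent = rate_inherent_risk(factors)
    per_area, overall = rate_controls(controls, area_weights)
    return {"inherent": inherent, "controls": overall, "control_areas": per_area,
            "residual": residual_risk(inherent, overall)}


# Constructed sample data (not from the deck).  Unit A: higher-risk business
# with strong controls; Unit B: medium-risk business with weak controls.
AREA_WEIGHTS = {"Governance": 3, "Training": 1, "Screening": 3, "Auditing / Testing": 2}
UNIT_A_FACTORS = {
    "Customer Base": {"Industry type": (3, 3), "PEP status": (2, 3), "Length of relationship": (1, 2)},
    "Products and Services": {"Correspondent banking": (3, 3), "Trade finance": (2, 3), "Deposits": (1, 2)},
    "Geography": {"Higher-risk jurisdictions": (3, 3)},
}
UNIT_A_CONTROLS = {
    "Governance": {"P&P": ["Y", "Y", "Y"], "Process": ["Y", "Y", "N/A"]},
    "Training": {"P&P": ["Y", "Y"], "Process": ["Y", "N"]},
    "Screening": {"P&P": ["Y", "Y", "Y"], "Process": ["Y", "Y", "Y"]},
    "Auditing / Testing": {"P&P": ["Y", "Y"], "Process": ["Y", "Y"]},
}
UNIT_B_FACTORS = {
    "Customer Base": {"Industry type": (3, 2), "PEP status": (2, 2), "Length of relationship": (1, 1)},
    "Products and Services": {"Mortgage": (2, 2), "Deposits": (1, 2)},
    "Geography": {"Higher-risk jurisdictions": (3, 2)},
}
UNIT_B_CONTROLS = {
    "Governance": {"P&P": ["Y", "N", "N"], "Process": ["N", "N", "N"]},
    "Training": {"P&P": ["N", "Y"], "Process": ["N", "N"]},
    "Screening": {"P&P": ["Y", "N"], "Process": ["N", "N", "N"]},
    "Auditing / Testing": {"P&P": ["N", "N", "N"], "Process": ["N", "N", "N"]},
}

if __name__ == "__main__":
    for name, f, c in (("Unit A", UNIT_A_FACTORS, UNIT_A_CONTROLS),
                       ("Unit B", UNIT_B_FACTORS, UNIT_B_CONTROLS)):
        r = assess(f, c, AREA_WEIGHTS)
        print(f"{name}: inherent={r['inherent']} controls={r['controls']} residual={r['residual']}")
```

With this data both units land at Moderate residual risk: Unit A's strong controls pull a High inherent rating down one band, while Unit B's weak controls leave its Moderate inherent rating where it is, which is exactly the trade-off the matrix encodes. For an auditor the point to check is that the "N" count thresholds, the factor weights and the cut-offs are written into the methodology and applied as written, so that a rating can be reproduced from the work papers and the finding "ratings not in line with testing results" can actually be tested.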

Page 24: Contact Information

Peter Fitzgerald, Principal, Deloitte Financial Advisory Services LLP

212-436-5221

[email protected]

Page 25: About Deloitte

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries.

Copyright © 2011 Deloitte Development LLC. All rights reserved. Member of Deloitte Touche Tohmatsu Limited