78 ACAMS TODAY | JUNE–AUGUST 2014 | ACAMS.ORG | ACAMSTODAY.ORG

AML POLICY

On February 18, 2014, the Wolfsberg Group of International Financial Institutions, an industry consor-

tium that sets international industry anti-money laundering (AML) standards, issued updates to its AML Principles for Correspon-dent Banking.1 The updates are in response to the increasing regulatory focus on the AML and economic-sanctions related risks asso-ciated with foreign correspondent banking that have arisen since the group published its original guidance in 2002.

The guidance is focused on traditional corres- pondent banking, such as establishing nostro and vostro relationships, cash clearing, liquidity management and short-term borrowing or investment needs. It may be applicable to SWIFT Relationship Manage-ment Application (RMA) relationships as well. However, the Wolfsberg Group recognizes that some jurisdictions have more expansive definitions of correspon-dent banking and that the guidance may be applicable to non-bank financial institution customers that pose similar risks. The guid-ance is broadly focused on incorporating several key topics into the overall AML program of the institution.

Responsibility and oversight

Institutions should establish policies and procedures that require specified personnel be responsible for ensuring compliance with these principles. This may include a formal governance body with specific oversight of foreign correspondent banking, inclu-sive of on-boarding new relationships and

escalations of higher risk clients. Approval for new correspondent banking relationships should be obtained from someone senior to or independent of the sponsor of the relation-ship. Furthermore, an independent review should be undertaken to ensure compliance with these requirements.

Risk-based due diligence guidelines/considerations

All correspondent banking clients should be subject to appropriate risk-based dili-gence, based on the client’s risk profile and the nature of the business with the client. A number of factors should be considered, as appropriate, in determining the risk of the client relationship. Each institution should develop its own methodology for deriving the client risk levels, which can include some or all of these factors, weighted or combined in whatever manner the institution chooses.

Geographic risk is one of these risk factors. Institutions should consider informa-tion from organizations like the Financial Action Task Force (FATF) to assess the risk of the client, as well as its parent and the client’s customers.

Institutions should consider the branches, subsidiaries and affiliates of correspondent banking clients. The relationship between a client and its parent, if any, should be considered. When dealing with these clients, the AML program of the parent should be considered, particularly whether or not the parent’s program is extended to the client or if the client acts fairly autonomously from

the parent. When dealing with an affiliate that is not substantively or effectively controlled by the parent, both the parent and the client should be reviewed. Certain facts unique to a branch, subsidiary or affiliate may dictate enhanced due diligence (EDD) be applied (e.g., chartered in a jurisdiction noted by FATF or other local regulatory authorities as requiring EDD).

The guidance specifically states that branches, subsidiaries and affiliates of the institution, while within the corporate struc-ture, should be considered clients and be subject to risk-based due diligence. Again, as with other customers, certain facts unique to a branch, subsidiary or affiliate may dictate

Wolfsberg Group updates correspondent banking guidelines

1 http://www.wolfsberg-principles.com/pdf/home/Wolfsberg-Correspondent-Banking-Principles-2014.pdf

ACAMS TODAY | JUNE–AUGUST 2014 | ACAMS.ORG | ACAMSTODAY.ORG 79

AML POLICY

EDD be applied. While not explicitly called out in the guidance, treating other members of the larger institution as customers can serve as a useful means of compliance monitoring and testing, where the transac-tion monitoring can be used to help identify patterns with the portfolio, such as whether it is providing full wire instructions or whether the economic sanctions filters for the subsid-iary are performing appropriately.

The correspondent banking client’s owner-ship and management structures are another component of risk. Factors influencing the risk include the country of domicile and the reputation of the owners; the corporate legal form of the client; whether it is state-owned, publicly listed (including whether or not the exchange where it is listed has adequate

regulation and whether significant owner-ship of the shares presents a concern) or privately owned and the transparency of the ownership. It may be appropriate to consider the most senior executives in charge of the day-to-day business (e.g., the board of directors, supervisory board, executive committee) and whether they have any nega-tive news associated with them and whether they appear to have sufficient experience managing a bank of the size of the client.

Any politically exposed person (PEP) in executive management or ownership struc-ture is an important consideration, as this increases the potential for political corrup-tion with the relationship. For all significant controlling interests, the ultimate beneficial owners, sources of wealth and background,

including their reputation in the marketplace (particularly related to negative news) as well as recent material ownership changes should be ascertained to the extent possible through inquiry or public sources. A more detailed understanding of the reputation of the client’s executive management (including recent material changes) and the identity of significant controlling owners should be considered where there is evidence of nega-tive news.

Obtaining an understanding of the corre-spondent banking client’s business can influ-ence the risk. As the portion of its income involves higher risk clients, products and services, the risk should increase as well. A bank that primarily provides invest-ment management for large multinational

80 ACAMS TODAY | JUNE–AUGUST 2014 | ACAMS.ORG | ACAMSTODAY.ORG

AML POLICY

corporations across the globe will have a significantly different risk profile than one that provides cash management services to a number of large downstream corre-spondents in a higher risk area or one that focuses on providing private banking services to wealthy non-resident individuals.

The products and services offered by the institution to the client will significantly alter the risk of the relationship. Institutions should document the business purpose for the relationship with the client and expected business activity, to reasonably reflect an understanding of what is normal and expected. Those with higher risk products and higher expected usage would generally pose higher risks than those who use less risky products.

The regulatory status and history of the client is another important aspect to the overall risk. Reasonable measures should be taken to verify the entity is regulated and whether the client has been the subject of any relevant, material regulatory action, and if so, to assess the extent to which it is rele-vant to the business with the client. If neces-sary, further discussions with the client may be warranted. Often, once an institu-tion has been publicly cited for a violation, it is actively working to address that defi-ciency. This is increasingly a requirement in enforcement orders; U.S. bank regulators often put tight timetables around the selec-tion of an independent consultant to help, drafting a plan to address the deficiencies and regular reporting on progress made to remediate them.

Lastly, the AML controls of the client should be considered. A risk-based approach should be taken to assess the client’s AML controls. This can include obtaining responses to AML questionnaires (e.g., the Wolfsberg AML Questionnaire, which was updated along with the guidelines), speaking with represen-tatives of the client, reviewing AML controls (e.g., policies and procedures, a synopsis of them, or even an independent review of them). These opportunities, particularly speaking with the client’s AML staff, can help corroborate other findings and may often result in a mutually beneficial dialogue between the institutions’ AML departments.

Client visit

Unless other measures suffice, a client visit, prior to or within a reasonable period of time after on-boarding, should be conducted. This may or may not include AML subject-matter experts, depending on the risk of the client.

An in-person meeting is an excellent oppor-tunity to review the operations of the insti-tution firsthand, as opposed to only reading thirdhand information about the client, such as through negative news reviews. However, as noted, there may be other measures that suffice, as client visits can be difficult to arrange in some instances (e.g., logistics of travel, availability of personnel, costs of site visits). Alternative means can include telephone discussions with the client and their AML staff.

EDD

The guidance states that EDD should be conducted when certain elements are present, to establish sufficient understanding of the risks.

When a PEP is involved in the relation-ship (e.g., an owner or a member of senior management), the institution should take steps to understand the person, their role, the appropriateness of that role, their level of influence with the client and the risk they present to the relationship.

When the client engages in downstream correspondent banking, which increases the risk by exposing you to their customers’ customers, efforts should be made to under-stand the nature of the relationships with downstream clients, including (as appro-priate) the types, number, scale of services and geographic distribution of clients; iden-tified issues with the downstream correspon-dent; the degree to which the client examines the AML controls of its downstream clients and whether this activity presents elevated risk. Since you are processing the trans-actions for their clients and are ultimately relying on their AML programs to provide you with sufficient comfort, your institution should develop sufficient understanding of and comfort with these controls.

Higher risk relationships, both at the time of on-boarding and periodic review, should be subject to a higher level of approval than

lower risk relationships. Periodic reviews of high-risk clients should be conducted at minimum annually.

Monitoring and reporting of suspicious activities

Bank-wide policies and procedures should be implemented to detect and investigate unusual or suspicious activity and report such as required by applicable law. These policies and procedures should include guidance on what is considered unusual or potentially suspicious, including examples. The institution should develop a holistic view of the client, incorporating the ongoing monitoring of clients’ activity with the due diligence (including risk rating and other appropriate factors) in assessing the risks of transactions. The institution should also incorporate the results of monitoring into the periodic review of the client’s file, partic-ularly when the results indicate elevated risk levels. The due diligence collected and the monitoring performed should be compli-mentary; both should inform the other, in terms of providing information to help assess whether activity is normal and expected for the client as well as increasing the risk of the client when the client is observed to engage in higher risk activity. This is not to say that reports of suspicious activity should be included in client files, but rather, should be incorporated, as appropriate, in the custom-er’s overall risk.

Summary

The guidance has been updated to reflect the significant changes in the regulatory expec-tations within correspondent banking since the previous issuance of the guidance. It would be useful for an institution to assess its current practices against the Wolfsberg Guidelines, as this is an industry group that publishes best practices for this particular industry. Regulatory authorities will be looking at this and seeing it as industry best practice; it would be better for institutions to take a proactive approach to reviewing this document and making changes before regu-lators come in and use this new yardstick to measure the institution’s program.

Janice Cassidy Meegan, CAMS, director, Bank of America, Boston, MA, USA, janice.cassidy.meegan@baml.com

Kevin M. Anderson, CAMS, director, Bank of America, Falls Church, VA, USA, kevin.m.anderson@bankofamerica.com

A risk-based approach should be taken to assess the client’s AML controls