IIB - INTERNATIONAL BANKING ANTI-MONEY LAUNDERING SEMINAR Practical Suggestions and Tips for an Effective BSA/AML Compliance Function - Risk Assessment and Transaction Monitoring May 15, 2012

Disclaimer

This publication contains general information only and Deloitte Financial Advisory Services LLP is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.

Deloitte Financial Advisory Services LLP shall not be responsible for any loss sustained by any person who or entity which relies on this publication.

Copyright © 2012 Deloitte Development LLC. All rights reserved.

Challenges - Where is the risk?

Identifying where AML risk originates and how the factors interrelate can be a complicated task.

[Diagram of interrelated risk sources. Labels as extracted: Customers, Trusts, Corps., PEPs, Individ., Geographies, Transactions, Operations, Customers, Outsourcers, Service Providers, US, Channels, Internet, Telephone, In person, Products, Credit, Trade Finance, Corresp. Banking, Deposits, Transactions, Frequency, Volume, Regulation, Head Office, FATF, US, Value, Affiliates]

An Approach to BSA/AML (OFAC) Risk Assessment

Risk Assessment typically follows a three-step approach:

Step 1: Assessment of Inherent Risk

Objective is to measure the risk of the entity or business units based on their business activities, irrespective of any controls.

– For example, a business unit operating in a higher risk jurisdiction and/or offering higher risk products/services would have a higher inherent risk.

Step 2: Assessment of Control Environment

Objective is to assess the control environment in light of the mitigating controls implemented.

– Examples of strong internal controls: clear policies and procedures, strong KYC processes, effective systems, training program and independent audit.

Step 3: Determine Residual Risk

Upon completion of Phases 1 and 2, determine residual risk, e.g., utilizing a Residual Risk Rating Matrix, based on the overall inherent and control assessment rating.

– For example, a business unit with a higher inherent risk but strong governance, internal controls and/or systems, etc. may have a lower overall residual risk than a medium risk business unit with weak controls.

Step 1: Assessment of Inherent Risk

• Inherent Risk is typically based on selecting relevant, broad categories of risk:
  o Customer Base
  o Products and Services
  o Transactions
  o Delivery Channels
  o Geography/Jurisdictions
  o Other

• These broad risk categories are then sub-divided into inherent risk factors derived from regulatory guidance and industry leading practices.

• This step tends to be more quantitative in nature: greater reliance is placed on quantitative data in this section to reduce subjectivity.

• Each inherent risk factor is assigned a weight based on its importance from an institutional, industry and regulatory perspective.

• The overall inherent risk is then derived based on the results of the assessment and the weights assigned to each risk factor.

Step 1: Inherent Risk – Customer Base Risk Factors

As an example, the Customer Base risk category can be sub-divided into the following risk factors:

• Business/Occupation
  o Industry type (i.e., the nature of the business that is conducted by a customer) is typically considered given that certain industry types inherently present a higher sanctions risk than other industries
  o NAICS code

• Ownership Type
  o Individual vs. Business
  o Public vs. Private

• Legal Entity Type
  o e.g., Corporation, LLP, LLC, Sole Proprietor, Not-for-Profit

• Length of Relationship
  o Typically, the longer the relationship the less risky the customer because you know the customer better and their expected business activity

Step 1: Assessment of Inherent Risk - Illustration

Inherent AML risk is assessed across a defined set of main risk areas. Multiple risk factors are evaluated within each main risk area to determine the overall inherent AML risk for each entity/business assessed.

[Figure: Risk Model Snapshot. A Summary Dashboard provides an overview of the overall risk for each country by 5 main risk areas. Legend: for each country / risk area / risk factor the inherent AML risk can be rated on a scale.]

Inherent AML Risk: 5 main risk areas and examples of risk factors

1. Customer Base Inherent Risk
   • Individual / Business • Industry Type • PEP status • Legal Entity Status • Length of Relationship • Maturity/stability • Domicile/residency • E-banking • Indirect customers

2. Product / Account Type Inherent Risk
   Portfolio of product offerings: • Deposits • Correspondent Banking • Credit • Mortgages • Sales finance • Life insurance • Anonymous savings accts

3. Transactional Inherent Risk
   Portfolio of transaction types: • Cash / Checks • Transfers • International / Domestic Wires • International / Domestic ACH • Domestic transfers • Cash deposits • International checks • International transfers

4. Business Strategy Inherent Risk
   • M&A activity • Business strategy changes • Expected growth • Product portfolio expansion • Staff turnover

5. Geography Inherent Risk
   Country risk rating model: • Positive factors (FATF, EU, BIS) • Negative factors (OFAC, NCCT, 311, offshore, etc.)

Step 2: Mitigating Controls & Residual Risk

• Mitigating Controls are typically assessed across various categories, e.g.:
  o Management: Structure, Oversight and Governance
  o Policies and Procedures
  o Training
  o Systems
  o Internal Testing, Controls, and Reporting

• Controls are assessed using a series of questions relevant to each category. This assessment tends to be more qualitative.

• Each control category is then assigned a weighting based on the importance that the institution places on the control.

• The overall control rating is then derived based on the results of the assessment and the weights assigned to each control.

Step 2: Mitigating Controls - Illustration

Mitigating controls in form of AML policies, procedures and processes are assessed for each entity/business assessed.

AML Controls: Sample Control Areas

• P&P • Governance • AML Officer and Function • Training • Risk Assessment • CIP / KYC / EDD • Screening • Auditing / Testing

Examples of Questions

• Do you perform regular testing of adherence to the AML program, policies and procedures?
• Are all new employees required to attend and pass the initial AML training within the first months after being hired?
• Is the AML officer certified by the local authority or a recognized international organization (e.g., ACAMS)?
• Do you utilize an automated screening filter to match customer names against the Watch list names?
• For all individual customers, do you at minimum obtain the name, DOB, residential address and identification number?

Structured Answers

Each question is answered Y, N or N/A, with a Comment, separately for POLICIES & PROCEDURES and for PROCESS.

ASSESSMENT OF CONTROLS

LEVEL     Max Count of "N" for each Control Area
WEAK      3+
MEDIUM    2
STRONG    0

Summary Dashboard

The Summary Dashboard provides a summary of the overall assessment of mitigating controls.

                                       PROCESS    POLICIES & PROCEDURES
OVERALL AML CONTROLS                   MEDIUM     STRONG
I. General Policies & Procedures       MEDIUM     STRONG
II. Governance                         STRONG     STRONG
III. Training                          STRONG     STRONG
IV. Risk Assessment                    WEAK       MEDIUM
V. Customer Risk Rating                WEAK       WEAK
VI. CIP / KYC / EDD                    MEDIUM     MEDIUM
VII. PEPs                              MEDIUM     STRONG
VIII. Screening                        WEAK       WEAK
IX. Surveillance                       MEDIUM     MEDIUM
X. Reporting                           WEAK       WEAK
XI. Recordkeeping                      MEDIUM     STRONG
XII. Auditing / Testing                STRONG     MEDIUM

Step 2: Residual Risk - Illustration

• Once the overall inherent risk and the control risk ratings are derived, then residual risk can be determined. The matrix below is an example of how residual risk can be determined.

• Upon assessing their residual risk, an FI is better able to execute a more effective, risk-based transaction monitoring program, allocate resources to monitoring higher risk customers, identify training priorities, influence hiring practices, identify system development needs, and align due diligence with the level of risk.

                                   Final Inherent Risk Assessment
Final AML Controls Assessment      High        Moderate    Low
Weak                               High        Moderate    Low
Moderate                           High        Moderate    Low
Strong                             Moderate    Low         Low

What is a model?

Examples of Potential AML “Models”

• Transaction Monitoring
• Enterprise / BU Risk Assessment
• Customer Risk Rating Process
• Alert / Case Scoring


Typical AML Program

Documentation & Management

Documentation

• If it is not documented it did not happen and does not exist.
• Documentation should be complete and comprehensive
• Documentation needs to be updated / re-created as aspects of the model change (i.e. scenario or threshold changes)
• Exam is likely to begin with a documentation request

Management

• Management oversight
• Meeting minutes where decisions are made
• Decisions incorporated into documentation
• Annual Testing / Validation
• Appropriate permissions granted to various systems

Contact Information

Peter Fitzgerald, Principal, Deloitte Financial Advisory Services LLP
212-436-5221


About Deloitte

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries.

Copyright © 2011 Deloitte Development LLC. All rights reserved. Member of Deloitte Touche Tohmatsu Limited