Developing a Sound Risk Methodology
Risk Management Methodologies (Reporting Entities Risk Assessment)
3rd Annual AML & Financial Crime Conference, Africa
9 December 2013, 10.45 – 12.15
Speaker: Pattison Boleigha, Head, Group Compliance and Internal Control, Access Bank Plc.

Outline
• Introduction
• Risk Definition
• Risk Management Framework
• The Risk Based Approach To Anti-money Laundering
• AML Risk Management Process
• Mitigants & Controls
• Fundamental Elements In a Risk-Based AML
• Purpose & Benefits of adopting Risk-Based AML
• Conclusion

Introduction
• Recent changes in the regulatory environment globally, including the FATF 40 Recommendations 2012, the New Basel Accord (“Basel II & III”), the Sarbanes-Oxley Act and the requirements for better risk management practices issued by the various Central Banks, have made it imperative for financial institutions to take risk management seriously.
• Risk is a fact of life, inherent in all financial institutions’ business, and is constantly changing.
• The primary role of Risk Management is to minimize the divergence between expectations and outcomes, thus ensuring the realization of more predictable results.
• Risk is an integral part of FI business. The FI will not seek to avoid risk, but to understand it properly, manage it effectively and evaluate it in the context of the reward that is being earned.

Risk Definition
• Risk is the level of exposure (opportunity, threat and uncertainty) that an FI must identify, measure, understand and effectively manage as it executes its strategies to achieve its business objectives and create value.
• Simply defined, “risk” is the likelihood that the outcome of events will vary from our expectations.
• For example:
– a borrowing customer or trading counterparty may fail to meet its repayment/settlement obligations to the FI as and when due (“Credit Risk”);
– unforeseen movements in interest rates, foreign exchange rates or equity prices may have major effects on the value of the FI’s trading portfolio (“Market Risk”);
– the FI may suffer losses due to frauds, systems failures or weaknesses in operational controls (“Operational Risk”);
– or due to penalties, litigation and/or violations of provisions of Laws and Statutes, including AML/CFT/P laws (“Compliance and Legal Risk”);
– or the FI may suffer bad press due to its being used for money laundering and/or terrorist financing (“Reputation Risk”);
– a new competitor enters the market to take market share (“Strategic Risk”).

A Model of Risk
[Diagram; labels: Threat, Vulnerability, Protection, Control, Assets, Impact]

Another View
[Diagram; labels: Threat, Vulnerability, Impact on Assets, Event Frequency, Event Severity, Business Risks]

BUSINESS RISK VS. REGULATORY RISK
• Business Risk is the risk that the FI may be used for ML/TF
• Regulatory Risk is associated with not meeting obligations under the AML/CFT laws

The Risk Management Framework
• The primary role of Risk Management is to minimize the divergence between expectations and outcomes, thus ensuring the realization of more predictable results.
• This can only be achieved through a robust framework and clearly defined and transparent processes for:
– the identification of all factors that may lead to the said divergences (“Risk Identification”);
– estimation of the likelihood of their occurrence and the extent or severity of their impact in the event of occurrence (“Risk Assessment/Measurement”);
– design of effective controls to minimize both the likelihood and the impact of risk events (“Risk Control”);
– establishment of procedures to ensure that these controls are effective and are being complied with (“Risk Monitoring”);
– regular reporting of risk events and controls (“Risk Reporting”);
– and provision of sufficient capital to absorb the adverse impact of expected and unexpected losses.

Risks Associated with Money Laundering
• Reputational risk is the potential that adverse publicity regarding a business’s practices and associations, whether accurate or not, will cause a loss of public confidence in the integrity of the institution.
– Borrowers, depositors, and investors might stop doing business with the institution because of a money laundering scandal involving the institution.
• Operational risk is the potential for loss resulting from inadequate or failed internal processes, people, systems and external events.
– FIs that rely on the proceeds of crime have additional challenges in adequately managing their assets, liabilities and operations.
– Increased borrowing or funding costs can also be included in such losses.
• Legal risk is the potential for lawsuits, adverse judgments, unenforceable contracts, fines and penalties generating losses, increased expenses for an institution, or even closure of such an institution.
• Concentration risk is the potential for loss resulting from too much reliance on funds from money launderers.

Organizational Risk Environment

Risk Management Process Overview
[Process diagram; other labels: Communicate & Consult, Monitor & Review, Risk Assessment, Assess residual risk]
• Establish Context: internal context; external context; stakeholders’ criteria; define structure
• Identify Risks: What can happen? How and why? When and where?
• Analyse Risks: review controls; determine likelihood & consequence; hence: risk level
• Evaluate Risks: compare against criteria; rank risks & set priorities; treatment?
• Treat Risks: identify options; select the best responses; develop risk treatment plans; implement

RISK MANAGEMENT WORKSHEET
Risk group: Customers
Columns: High Risk | Likelihood | Impact | Risk Score | Treatment/Action
High Risk entries:
• PEP
• Customers in cash generating business
• Customer who is an unregistered charity

Risk Rating
• Determine significant process areas that should be assessed
• Each AML/CFT/P risk type or scheme is identified and assigned a risk rating
• Country, Products, Customers and Channels that could have AML/CFT/P risk exposure
• Risk rate each area
• Consider origin of the risk, current processes and existing controls
• Include both quantitative and qualitative analysis
• Set rating scale based on risk and tolerance of industry and organization’s culture

Risk Rating | Likelihood | Naira Threshold
1=Low | Very Remote (<10% Chance) | <1M
2=Below Average | Somewhat Likely (>10%-<50% Chance) | >1M
3=Moderate | Likely (>50% - 70% Chance) | <5M
4=Below Average | Probable (>70% - 90% Chance) | >5M
5=High | Highly Probable (>90% Chance) | >10M

Sample AML/CFT Risk Map
[Figure; axes: Probability of Occurrence, Impact on Organisational Statement]

Risk Map Rationale
[Four-quadrant map; axes: Impact/Significance, Likelihood/Probability of Occurrence]
• Monitor: Areas of high inherent risks where controls are deemed to be adequate should be monitored. This area is to be watched (low likelihood but potentially devastating).
• Improve: Areas of high inherent exposures with a low level of control must be a key priority for controls improvement activity.
• Optimise: Areas of low inherent exposure with high level of control may generate opportunities to optimize the process and control for efficiency.
• Accept: Risks with low inherent exposures that may also have a low level of control may be consciously accepted by the organization.

Level of ML Risk (Heat Wave)
[Heat map. Likelihood of Occurrence: 1 Rare, 2 Unlikely, 3 Possible, 4 Likely, 5 Almost Certain. Magnitude of Impact: 1 Insignificant, 2 Minor, 3 Moderate, 4 Major, 5 Catastrophic. Cells are rated L, M or H; points A to G are plotted on the grid. Key: Low; Medium; High.]

Risk Appetite
• This is usually expressed as acceptable/unacceptable level of risk.
• The risk appetite is a judgement that must be made based on business goals and strategies as well as due diligence assessment of the ML/TF risks.

RISK ASSESSMENT: Decision

How Much Risk?
• A supervised entity is challenged to define its risk appetite in the context of AML/CFT and develop strategies to effectively manage the risk inherent in the business it conducts.
• It is therefore expected that institutions will be able to demonstrate that they understand the risk they take on and that they have devised internal mechanisms and controls to manage that risk.

RISK TOLERANCE
• In addition to defining the risk appetite, you can also define a level of variation in how you manage the risk. This is called risk tolerance. It provides some operational flexibility while still adhering to the Risk framework the FI has developed.
• The FI has decided, for example, that generally the risk of accepting inflow from Iran is unacceptable.
• However, it has some risk tolerance. In this case the business will permit the transaction provided it is a FI-to-FI transaction.
• The customer provides identification using International Passport only, the verification is carried out, and the transaction is approved by a Senior Manager. As such, the FI understands and accepts the consequences of a ML/TF risk being realised.

RISK TREATMENT
Risk Treatment steps include:
• Setting transaction limits for higher risk products
• Having a management approval process for high risk products
• Having a process to place customers in different risk categories and apply different identification and verification methods
• Not accepting customers who represent unregistered NGOs, NPOs, Charities, Hawala etc. and those who wish to transact with a high-risk country

Gross Risk Matrix
Gross risk = Impact x Likelihood

Risk Matrix

Total Cost Approach
[Chart. Axes: Cost, Level of Control. Curves: Cost of Controls, Cost of Losses, Total Risk-Related Costs. Marked point: Optimal Operating Point.]

Critical Success Factors In ML/TF Risk Assessment
• Buy-in and commitment of top Management/Board
• A robust Risk Assessment Team
• An Ongoing Assessment and Review Process
• Material and Human Resources
• Requisite capacity and development plan
• Data Availability and Quality

Risk Management in Corporate Governance
[Diagram; labels grouped as they appear on the slide]
• Review: Business Goals; Objectives & Expectations; Business Performance; Risk Appetite; Risk Assessment; Regulations & Compliance
• Plan: Business Plans; Business Objectives; Business Strategy; Internal Control Process; Control Objectives; Policy and Standards
• Measure: Key Performance Indicators; Risk Monitoring; Key Risk Indicators; Sensitivity & Stress Testing; Scenario modelling
• Implement: Business Processes; Business Operations; Business Systems; People Management; Internal Controls; Risk Mitigation
• Other labels: Board and Executive; Line Management & Staff; Executive Decisions; Regulators; Shareholders; External Reporting; Internal Auditors; External Auditors; Independent Audit; Monitoring; Internal Reporting; Internal Communications

Objective of the RBA
• The strategies to manage and mitigate the identified money laundering and terrorist financing activities are typically aimed at preventing the activity from occurring through a mixture of:
– deterrence (e.g. appropriate CDD measures),
– detection (e.g. monitoring and suspicious transaction reporting),
– and record-keeping (e.g. to facilitate investigations).
• Proportionate procedures should be designed based on assessed risk:
– Higher risk areas: enhanced procedures;
   • enhanced customer due diligence checks and
   • enhanced transaction monitoring.
– Lower risk areas: simplified or reduced controls may be applied.
• There are no universally accepted methodologies that prescribe the nature and extent of a risk-based approach.
• An effective risk-based approach will allow operators to exercise reasonable business and professional judgement with respect to clients.
• Regardless of the strength and effectiveness of AML/CFT controls, criminals will continue to attempt to move illicit funds undetected and will, from time to time, succeed.

Potential Benefits of Risk-Based AML Approach
• The risk-based AML Approach provides value to the organization and the cornerstone of an effective compliance programme.
• Allows management to see things as they really are, and make risk-appropriate decisions based on measurable data and intelligence.
• Serves as a basis for management decisions to allocate resources for compliance and internal control to manage the institution's unique risks (Compliance, Regulatory & Strategic) and minimize the incidence of regulatory infractions and penalties.
• Facilitates a comprehensive AML governance and oversight capability, thereby demonstrating a corporate-wide culture to deter money laundering.
• Sets the stage for on-going AML risk management, which adapts to changes in regulations, products, and organizational structure.

Fundamental Elements in a Risk-Based AML Approach
• Legal & Organizational Structure of the institution
• Geographies & Operating Markets
• Regulatory Framework
• Counterparties
• Customer Base Characteristics
• Customer & Correspondent Bank Validation/Categorization
• Scope of Customer Relationships/Client Account Behaviour Benchmarking

Steps in a Risk-Based AML
• Identify the money laundering and terrorist financing risks that apply to a firm
• Then assess the risks presented by the firm’s particular:
– Customers
– Products
– Channels
– Geographical areas of operation
• Firms then need to design and introduce controls to manage and reduce these risks.
• These controls must then be monitored and improved where necessary.
• Firms must keep a record of what they have done and why they did it.

Money Laundering Risk Assessment

ML/TF RISK MANAGEMENT MODEL
RISK IDENTIFICATION
• Identify the Main Business Risks:
– Customers/Businesses
– Products/Services
– Practices/Delivery channels
– Locations/countries
• Identify the main regulatory Risk
RISK ANALYSIS & MEASUREMENT
• Determine the likelihood and Impact of risk:
– Likelihood: chance of the risk happening
– Impact: the amount of loss or damage if the risk happened
• Determine risk level/score
RISK MITIGATION & CONTROL
• Manage the Business Risks:
– Apply risk management and mitigation strategies
– Implement policies and procedures
• Manage the Regulatory Risks:
– Deploy system
RISK REVIEW
• Monitor and Review the Risk Plan:
– Develop and Implement monitoring regime
– Keep necessary records
– Review the business risk plan
– Review the AML/CFT program
– Prepare internal audit
– Complete compliance report

MITIGANTS & CONTROL
• CDD/KYC
• STR
• Training and Awareness to meet identified gaps
• Identify and measure risk
• Compliance Programme: Policies, procedures, systems and controls
• Periodic risk based audit
• Corrective measures to strengthen compliance
• Risk Based Process must be embedded within the internal control measures.
• Senior Management must create culture of compliance
• Periodic Monitoring/On-going Due Diligence
• Automated Reporting Tools for SAR/CTR and Case Generation & Management
• Audit Trail & Record Retention
• Self Assessment Programme

Qualitative Factors
• All accounts should be reviewed annually to re-assess their risk activities, i.e. classify from High Risk to Low Risk or vice versa.
• Circumstances other than account activity that may cause a low risk account to shift to a High risk account:
– Adverse stories in the media about a company or its principals (Print, Radio, T.V.)
– Negative reputational rumours in the financial or special community.
– Suspicious or unusual transactions.

Approval Controls Over High Risk Accounts (HRA) & Transactions (PEPs, NGOs, BDCs, Correspondence)
• All accounts designated as “HRA” will be opened only on the approval in writing of the Managing Director (MD) or his/her deputy.
• All “HRA” credit facilities, irrespective of amount, will be signed off by the MD or his deputy.
• All transactions on a “HRA” up to a certain amount (deposit and withdrawal) must be approved in writing by the Managing Director or his deputy. The transactions would include, but are not limited to, cash deposits, cheque deposits, investments etc.
• All “HRA” shall be flagged on the FI software with a special status such that the status appears whenever enquiries or transactions are done on them.
• A weekly report on all HRA related transactions should be sent to the MD and copied to the DMD and the Chief Compliance Officer (CCO). In other words, all HRA accounts will be flagged and monitored weekly.
• On a semi-annual basis, all “HRA” will be reviewed by the Internal Control Unit to ensure that all the aforesaid processes and procedures are being followed in the management of these accounts. Deviations shall be reported to the MD and CCO. These reviews would be in addition to the routine quarterly audits.

Conclusion
• Risk-based AML Approach facilitates identification of high risk situations
• In the current context of globalization, the risk-based approach to AML initiatives must be designed to meet institution specific risk
• Institutions must invest in IT Solutions,
• Acquire maximum knowledge of the different, new, emerging methods and techniques of money laundering.
• Cumulative impact of law enforcement and regulation,
• A sound Risk methodology will not prohibit FIs and regulators from conducting business or enforcing regulation.
• A risk based AML/CFT compliance programme will effectively control cost and risks associated with the institution’s products, services, customers, entities, and geographic locations.
• For effectiveness, ML/TF risk assessment should be an ongoing process and not a one-time exercise.
• FIs should update their risk assessment to identify changes in risk profile, as necessary

Questions & Issues

THANK YOU
Pattison Boleigha, CAMS, BSc, MBA, FCA, ACIT, HCIB, CGEIT, CRMA
Chief Compliance Officer, Access Bank plc