Compliance - Worksession

Compliance Services: Moving toward a utility model 13 April 2016 Paul Taylor, SWIFT

Transcript of Compliance - Worksession


FCC – not an easy topic and no ‘silver bullet’

Let’s take a look at the challenges – starting with KYC …

KYC data collection as per 2012

Regional / Global Bank (a larger bank that provides Cash Management services)

Reviews 100 correspondent banks per year. Requires confirmation of static data, supporting documents and specific EDD / account activity information:

• Collects client information via public sources. Average time spent to search & collect: 5 hours. Average time to validate data: 4 hours

• Sends KYC AML/CFT questionnaire to each client. Turn-around time depends on urgency and importance of relationship (4-8 weeks)

• Responses received by email with non-standard PDF attachments. Manual input of data required: 1 hour

• Total time spent: 1,000 hours (> 0.5 FTE for 100 correspondents, 5 FTE for 1000 correspondents)

Local / Small Bank (a smaller bank that requires Cash Management services)

Receives 100 KYC information requests per year. Needs to provide static data, supporting documents and to fill individually designed KYC AML/CFT questionnaires:

• Receives data request by email/phone. Request is for documents and AML/CFT info. 3-4 hours to fill each questionnaire. 1 hour per request to collect other documents, draft and send bilateral response. Turn-around time depends on urgency and importance of relationship (4-8 weeks)

• Total time spent: 400-500 hours (>0.25 FTE per 100 correspondents)

SWIFT Business Forum Canada - Compliance Services: Moving toward a utility model - 13 April 2016


KYC Market Environment as per 2012

• No market standard

• Constantly evolving intrusive Due Diligence procedures

• Reliance on expensive front office resource (RMs) to collect sensitive critical EDD** data

• Language barriers, translation issues, cost to verify data

• Estimated total cost per KYC record: USD 5,000 (low risk) to USD 15,000 (high risk)

• Plus: High reputational risk and cost due to negative news and enforcement

• Minimum revenue required per client: USD 25,000 (low risk), USD 75,000 (high risk)

“De-risking” becomes synonym for widespread global termination of correspondent banking relationships

Global impact on trade-related GDP feared to be minus 2-3%

*CDD: Customer Due Diligence, **EDD: Enhanced Due diligence

What about Sanctions?

Sanctions are very complex!

40,000 names on lists

4 Billion fuzzy combinations

14 Billion $ fines levied on financial institutions for violation of sanctions regulations

1 Day: average interval between sanctions list updates for banks active globally

-50%: decrease in number of correspondent relationships from some US banks

+100%: increase in alerts every 4 years due to increase in SDNs and transaction numbers

+20%: yearly increase in names and aliases on US OFAC list


List Content Challenges abound!

Inconsistent listings (across lists)

There are 112 spelling variations in Muammar Kaddafi’s name in print media

The OFAC list provides 8 of them.

The UN sanction uses only 1 form of the name.

The form used in the UN sanction does not match any of the 8 in the OFAC listing.

Qaddafi, Muammar

Al-Gathafi, Muammar

al-Qadhafi, Muammar

Al Qathafi, Mu'ammar

Al Qathafi, Muammar

El Gaddafi, Moamar

El Kadhafi, Moammar

El Kazzafi, Moamer

El Qathafi, Mu'Ammar

Gadafi, Muammar

Gaddafi, Moamar

Gadhafi, Mo'ammar

Gathafi, Muammar

Ghadafi, Muammar

Ghaddafi, Muammar

Ghaddafy, Muammar

Gheddafi, Muammar

Gheddafi, Muhammar

Kadaffi, Momar

Kad'afi, Mu`amar al-

Kaddafi, Muamar

Kaddafi, Muammar

Kadhafi, Moammar

Kadhafi, Mouammar

Kazzafi, Moammar

Khadafy, Moammar

Khaddafi, Muammar

Moamar al-Gaddafi

Moamar el Gaddafi

Moamar El Kadhafi

Moamar Gaddafi

Moamer El Kazzafi

Mo'ammar el-Gadhafi

Moammar El Kadhafi

Mo'ammar Gadhafi

Moammar Kadhafi

Moammar Khadafy

Moammar Qudhafi

Mu`amar al-Kad'afi

Mu'amar al-Kadafi

Muamar Al-Kaddafi

Muamar Kaddafi

Muamer Gadafi

Muammar Al-Gathafi

Muammar al-Khaddafi

Mu'ammar al-Qadafi

Mu'ammar al-Qaddafi

Muammar al-Qadhafi

Mu'ammar al-Qadhdhafi

Mu`ammar al-Qadhdhāfī

Mu'ammar Al Qathafi

Muammar Al Qathafi

Muammar Gadafi

Muammar Gaddafi

Muammar Ghadafi

Muammar Ghaddafi

Muammar Ghaddafy

Muammar Gheddafi

Muammar Kaddafi

Muammar Khaddafi

Mu'ammar Qadafi

Muammar Qaddafi

Muammar Qadhafi

Mu'ammar Qadhdhafi

Muammar Quathafi

Mulazim Awwal Mu'ammar Muhammad Abu

Minyar al-Qadhafi

Qadafi, Mu'ammar

Qadhafi, Muammar

Qadhdhāfī, Mu`ammar

Qathafi, Mu'Ammar el

Quathafi, Muammar

Qudhafi, Moammar

Moamar AI Kadafi

Maummar Gaddafi

Moamar Gadhafi

Moamer Gaddafi

Moamer Kadhafi

Moamma Gaddafi

Moammar Gaddafi

Moammar Gadhafi

Moammar Ghadafi

Moammar Khadaffy

Moammar Khaddafi

Moammar el Gadhafi

Moammer Gaddafi

Mouammer al Gaddafi

Muamar Gaddafi

Muammar Al Ghaddafi

Muammar Al Qaddafi

Muammar Al Qaddafi

Muammar El Qaddafi

Muammar Gadaffi

Muammar Gadafy

Muammar Gaddhafi

Muammar Gadhafi

Muammar Ghadaffi

Muammar Qadthafi

Muammar al Gaddafi

Muammar el Gaddafy

Muammar el Gaddafi

Muammar el Qaddafi

Muammer Gadaffi

Muammer Gaddafi

Mummar Gaddafi

Omar Al Qathafi

Omar Mouammer Al Gaddafi

Omar Muammar Al Ghaddafi

Omar Muammar Al Qaddafi

Omar Muammar Al Qathafi

Omar Muammar Gaddafi

Omar Muammar Ghaddafi

Omar al Ghaddafi
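
Added example, not part of the original slides: a short Python sketch of why an exact-match filter misses the spellings listed above, and how folding transliteration variants to a common key recovers most of them. The fold table, the particle list and the choice of "Qadhafi, Muammar" as the list entry are assumptions of this example, not an OFAC, UN or SWIFT matching rule.

```python
import re
import unicodedata

PARTICLES = {"al", "el"}  # article written al-/el-/Al /El in the spellings on the page
# Latin spellings treated as the same consonant (assumption made for this example).
FOLDS = [("kh", "k"), ("gh", "k"), ("dh", "d"), ("th", "d"), ("zz", "d"),
         ("q", "k"), ("g", "k"), ("z", "d"), ("t", "d")]

def fold_token(token):
    """Reduce one lowercase name token to a coarse consonant skeleton."""
    for src, dst in FOLDS:
        token = token.replace(src, dst)
    token = re.sub(r"[aeiouyh]", "", token)   # vowels and h vary most between spellings
    return re.sub(r"(.)\1+", r"\1", token)    # dd -> d, mm -> m

def name_key(name):
    """Order-independent set of folded tokens for a full name."""
    text = unicodedata.normalize("NFKD", name)
    text = "".join(c for c in text if not unicodedata.combining(c)).lower()
    text = re.sub(r"['`\u2019]", "", text)    # Mu'ammar, Mu`amar -> muammar
    tokens = [t for t in re.split(r"[^a-z]+", text) if t and t not in PARTICLES]
    return frozenset(k for k in map(fold_token, tokens) if k)

def exact_hit(candidate, listed):
    return candidate.strip().lower() == listed.strip().lower()

def folded_hit(candidate, listed):
    """Hit when every folded token of the list entry appears in the candidate."""
    key = name_key(listed)
    return bool(key) and key <= name_key(candidate)

LISTED = "Qadhafi, Muammar"   # one spelling from the page, standing in for a list entry
SAMPLES = [                   # spellings from the page, plus one constructed non-match
    "Moammar Khadafy",
    "El Kazzafi, Moamer",
    "Gheddafi, Muhammar",
    "Mu`ammar al-Qadhdhāfī",
    "Mulazim Awwal Mu'ammar Muhammad Abu Minyar al-Qadhafi",
    "Moamma Gaddafi",         # dropped final r: still missed by this key
    "Marta Kowalski",         # constructed, unrelated
]

def screen(samples, listed):
    return {s: (exact_hit(s, listed), folded_hit(s, listed)) for s in samples}

if __name__ == "__main__":
    for name, (exact, folded) in screen(SAMPLES, LISTED).items():
        print(f"{name!r:60} exact={exact!s:5} folded={folded}")
```

A key this coarse also raises unrelated names that share the same consonants, so it moves cost from missed hits to alert review.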


So, if I install a filter I’m ‘protected’ … right?

It’s actually only part of the challenge … let’s take a look at some examples …

So, what’s wrong with this filter?

And why might these names be missed in a SWIFT message?


And why might these ‘famous’ people be missed?

SDN/IND/Type

Review of names suggests Deceased Individuals may be “Missed”/Skipped

List update issues?

Other issues?

In real terms …

An Analogy: In the unlikely event of a fire …

- Fire alarms mitigate low frequency but high impact events

- Irrespective of the likelihood of a fire, a building fire alarm system must work when needed

- Testing ensures that the alarms will operate correctly in the unlikely event of a building fire

- Most fire alarms are tested weekly

In the unlikely event of a sanction violation …

- Sanctions filters mitigate business risk of low frequency but high impact events

- Irrespective of the likelihood of a sanctions violation, businesses have an obligation to ensure that sanctions controls work

- Sanctions testing ensures that your filter will operate in alignment with your risk policy

- Many sanctions filters are rarely tested

And there is more regulator focus coming …

What about data and riskier jurisdictions?

Sanctions and High Risk Jurisdictions

KYC Teams: business challenges

• Hard to get a comprehensive overview of Correspondent relationships incl. down/upstream relationships

• Hard to collect reliable data on a regular basis to perform ongoing due-diligence

• Difficult to be efficient when reviewing relationships

Operations Teams: business challenges

• Hard to ensure that the controls in place work and reconcile with implementations/use data to adjust systems

• Hard to ensure all risks are covered (sanctions, AML, payment quality/free formats, use of MT202)

• Difficult to monitor and understand status of RMAs

Sanctions and High Risk Jurisdictions

Compliance Teams (Head of, Group, Subsidiary): business challenges

• Difficult to get a high-level view of the institution’s global risks (direct and indirect)

• Limited ability to drill down into details

• Limited ability to produce detailed reports internally via a user-friendly independent analytic tool

Sanctions Teams: business challenges

• Difficult to get a global overview of risk exposure with countries with sanctions or high risk jurisdictions

• Almost impossible to get confirmation that policies are being followed

• No dynamic alerts of new risks as they emerge (on a monthly basis)

And incoming new ‘recommendations’ …

FATF Recommendation 16 states…

Countries should ensure that financial institutions include:

• required and accurate originator information

• required beneficiary information

This includes wire transfers and related messages.

The information has to remain with the wire transfer or related message throughout the payment chain.

Countries therefore should ensure that financial institutions monitor wire transfers for the purpose of detecting those which lack required originator and/or beneficiary information, and take appropriate measures.

More information can be found on this link: FATF Recommendation

Recommendation 16 applies to domestic and cross-border transfers

Financial institutions must include:

• the name of the originator;

• the originator account number or unique transaction number where such an account is used to process the transaction;

• the originator’s address, or national identity number, or customer identification number, or date and place of birth;

• the name of the beneficiary; and

• the beneficiary account number or unique transaction number where such an account is used to process the transaction.

Key elements to the new European regulation on information accompanying transfers of funds:

• Ensure that transfers of funds are also accompanied by the name of the payee and the payee's account number

• Issue warnings, set deadlines, reject transfers, or restrict or terminate its relationship with a PSP that repeatedly fails to provide the required payer and payee information, and report that failure.

And particularly for an intermediary Payment Service Provider:

• Ensure that all of the information received on the payer and payee that accompanies a transfer of funds is retained with the transfer.

• Have procedures in place to detect whether particular information is missing, or has been completed using characters that do not meet the conventions of the relevant messaging or payment and settlement system

Responses and Trends - SWIFT

Current set of financial crime compliance services

• Sanctions Screening: hosted solution for cost-effective compliance with sanctions regulations

• Sanctions Testing: maximise the effectiveness and efficiency of banks’ sanctions environment

• The KYC Registry: one global source of KYC information for correspondent banking

• Compliance Analytics: enhanced understanding & management of financial crime-related risk

Moving toward a Financial Crime Compliance Utility Vision – 3 main pillars

Financial Crime Compliance Utility: Sanctions, Analytics/AML, KYC

Interconnected Utilities leveraging commonalities and data between the products & services

• Sanctions, e.g. Transaction & Name screening, List Management, Standards, Alert Management

• KYC, e.g. KYC Registry, KYC Market Place, Standards, Notifications

• Analytics/AML, e.g. Compliance Analytics, FATF 16, Bank-to-bank monitoring

For ALL SWIFT users (small AND large)

Responses and Trends - Sanctions Lists

List management – Challenges

[Diagram: Public lists, Premium lists and Private list (US, EU, UN, PEP, OTH, Group, Local) feeding Transaction screening and Customer screening in the Americas, Europe and Asia-Pacific]

• Complexity: Transformation (Sources, Formats)

• Lack of control: Selection (Monitoring, No consistency)

• Costs: Distribution (Duplication, No transparency)

List Management Service

[Diagram: Public lists, Premium lists and Private list (US, EU, UN, PEP, OTH, Group, Local) pass through Monitoring, Enrichment, Optimisation, Selection and Distribution to Transactions and Customer data in the Americas, Europe and Asia-Pacific. Other labels: Standardisation, Transparency, Efficiency; Search & navigate, Audit & archiving, Feedback mechanism; Policy manager, Operator]

Responses and Trends - Name Screening

Name Screening Service

[Diagram: Online check and Ongoing check feed the Name Screening Service (List Service, Business Logic, Decision Portal). Other labels: Alert Management, Screening Configuration, User management; Sanctions lists, PEP lists, Negative news, …; Ongoing check, delta screening, multiple names check, …]

The service will cover:

- Online individual name checks (one at a time check): live Jan 2017

- Ongoing screening of entire customer database (recurring batch process based on files manually uploaded): H2 2017

Responses and Trends - Data

Overview of the Payments Data Quality module

New module within Compliance Analytics

Available in mid-2016

Centrally hosted and managed by SWIFT

[Diagram labels: Payments data quality rules, Payments data quality attributes, FIN, Compliance Analytics]

• Understand presence and quality of originator and beneficiary information in your SWIFT messages

• Verify whether this data meets regulatory requirements in line with FATF Recommendation 16

• Use reporting and alerts to assess and improve your own data quality and take appropriate measures with counterparties to ensure compliance

Product characteristics

Scope

• MT103, MT202COV, MT205COV

• Inbound and outbound flows

• All entities belonging to the financial group

Rules

• Common set of rules managed centrally by SWIFT with input from the community

• Shared dummy list of commonly used not acceptable entries

• Shared white list of commonly accepted entries - synonyms

• Rules applied in the flow - No extraction/storage of fields 50/59

• All rules applied to 50/59 – Filter results via the reporting tool

Reporting

• Management information, trends, data mining, data visualisation, basic notifications

• Weekly or monthly reports

• Consolidated group level, drill down to BIC11

• Consolidated rule types, drill down to sub rule type

• Field 20 to trace back transactions

• FATF country risk classification to filter results

Key categories of rules

Party identifier

• Empty value

• Account number length

• Invalid IBAN

• Cheque

Name

• Name length

• Number of consecutive repetitive characters

• Presence of CCC

• Characters present in dummy list

Address and additional info

• Address length

• Number of consecutive numerical / alphabetical repetitive characters

• Characters present in dummy list

• 50F additional info

Country

• No country in all lines

• Country line maxed out

• Characters present in dummy list

Other

• Use of field option (structured or free format)

• Country of domicile of originator / beneficiary matches country of originator / beneficiary bank

• Characters present in the “double nesting” or “human trafficking” list

Rules are applied to all payments (103, 202Cov, 205Cov).

Results of checks are numeric or boolean (true/false).
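
Added example, not SWIFT's implementation: a Python sketch of a few of the "Party identifier" and "Name" rules above, applied to the text of a field 50K or 59 and returning numeric or boolean results as the slide describes. The dummy-list entries, the thresholds and the sample field contents are constructed for illustration; the field layout assumed is an optional account line starting with "/" followed by name and address lines.

```python
import re

# Constructed stand-ins: the shared dummy list and the thresholds are not given on the page.
DUMMY_LIST = {"UNKNOWN", "N/A", "NOT PROVIDED", "ONE OF OUR CUSTOMERS"}
MIN_NAME_LEN = 3
MAX_REPEAT = 3

def iban_valid(account):
    """ISO 13616 check: move first four chars to the end, letters -> 10..35, mod 97 == 1."""
    s = account.replace(" ", "").upper()
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}", s):
        return False
    return int("".join(str(int(c, 36)) for c in s[4:] + s[:4])) % 97 == 1

def longest_run(text):
    # Length of the longest run of one repeated character.
    return max((len(m.group()) for m in re.finditer(r"(.)\1*", text)), default=0)

def check_party(field):
    """Apply party-identifier and name rules to the text of a field 50K or 59."""
    lines = [ln.strip() for ln in field.strip().splitlines()]
    has_id = bool(lines) and lines[0].startswith("/")
    account = lines[0][1:] if has_id else ""
    body = lines[1:] if has_id else lines
    name = body[0] if body else ""
    return {
        "party_id_empty": account == "",
        "account_length": len(account),
        "iban_invalid": bool(re.match(r"[A-Za-z]{2}\d{2}", account)) and not iban_valid(account),
        "name_length": len(name),
        "name_longest_run": longest_run(name),
        "name_in_dummy_list": name.upper() in DUMMY_LIST,
    }

def failed_rules(result):
    # Map the numeric/boolean results to the rule names that breach the assumed policy.
    failed = [k for k in ("party_id_empty", "iban_invalid", "name_in_dummy_list") if result[k]]
    if result["name_length"] < MIN_NAME_LEN:
        failed.append("name_length")
    if result["name_longest_run"] > MAX_REPEAT:
        failed.append("name_longest_run")
    return failed

# Constructed field contents (account line, then name and address lines).
FIELD_59_OK = "/GB82WEST12345698765432\nJANE EXAMPLE\n1 SAMPLE STREET\nLONDON GB"
FIELD_59_BAD = "/GB82WEST12345698765433\nXXXXXXXX\nNO ADDRESS"
FIELD_50K_BAD = "UNKNOWN\nN/A"

if __name__ == "__main__":
    for sample in (FIELD_59_OK, FIELD_59_BAD, FIELD_50K_BAD):
        print(failed_rules(check_party(sample)))
```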

www.swift.com
