Risk Based Approach – putting it into practice (2012)

Collin Lobo

Regional Head of Financial Crime Risk – Middle East, Pakistan and Africa

Disclaimer – This presentation / document has been prepared to assist in improving general awareness about the Risk Based Approach to AML / Sanctions / Financial Crime in general and KYC / CDD processes in particular for the attendees of the Outreach Session by DFSA and has been created for discussion purposes only. It reflects only the personal views of the author and not of Standard Chartered Bank. Neither the author nor Standard Chartered Bank accepts any responsibility or liability whatsoever in regard to its contents.

Agenda

• Introduction
• Why do we need RBA – a practitioner's perspective?
• What does a risk based approach mean to us?
• How do you go about putting a RBA into practice?
  • Policy
  • Risk Assessment
    – Enterprise
    – Client
    – Segment
    – Product
  • Operating Procedures
  • On-going monitoring
  • Training
• What can go wrong?
• Q & A

Why do we need RBA?

• We need a RBA to help us as an authorised firm to:
  • Identify and measure potentially higher risk areas of money laundering, terrorist financing and sanctions;
  • Develop strategies to mitigate those risks that have been identified; and
  • Help focus resources (human and financial) in areas that are deemed higher risk from a financial crime risk perspective.
• Because
  • We operate in different geographies
  • We offer somewhat different client solutions
  • We have different operating models, and are different in size and complexity
  • We don't have a 'blank cheque'! and
  • ONE SIZE DOES NOT FIT ALL!!

What does RBA mean to us?

• Allows us to risk categorise our business, products and clients from an FCR perspective
• Includes a documented risk assessment covering financial crime risks (ML, TF, Sanctions, ABC and Fraud)
• Risk assessment for Financial Crime Risk takes into account:
  • Clients and business relationships
  • Products, services and delivery channels
  • Jurisdictions where we draw our client base from
  • Jurisdictions where we operate
• Continuous identification of areas for improvement in the risk assessment and associated policies and procedures
• Independent assurance that it is working in practice

Overarching RBA philosophy

• Group AML policies and procedures
• Risk Assessment – Global, Geography, Customer – flows through to Businesses (Wholesale, Consumer & Private Banking)
• Customer on-boarding procedures – bespoke written procedures within the boundaries of Group policies by each Business
• On-going monitoring – Transaction surveillance, Sanctions filtering, periodic review, trigger-event reviews and Dynamic Risk Rating
• Training – Bespoke and fit-for-purpose training to staff – Tellers / Branches, Cash Management, Trade, RMs, CDD Advisory and Senior Management
• Assurance – 3 lines of defence – KCSAs (first line), Compliance Monitoring (2nd line), Group and Country Audit (3rd line)

Building blocks that synergise each other

• Financial Crime policies and procedures
• Client on-boarding – KYC / CDD
• Ongoing monitoring
  – Transaction screening
  – Client screening
  – AML surveillance
  – CDD Review
• Governance
• Assurance
• Systems, Organization and Resources
• Training

RBA – KYC (client on-boarding)

• AML Risk Assessment
  – Risk-based approach ensuring more due diligence for situations where there is greater money laundering risk
  – Risk factors include geography, industry, products, clients, regulatory requirements
• Identification & Verification
  – Collection of information that identifies clients and verification of the accuracy of that information
• Client screening
  – Screening of names of clients and related parties against watch lists including sanctions lists, politically exposed persons lists, adverse media lists and internal lists
• Client due diligence
  – Collection of information to understand the nature of the relationship the client is seeking with the Bank
  – Understanding whether the client will introduce AML risks to the Bank
• Client acceptance
  – Ensure that AML risks are acceptable before on-boarding
  – Restrict or reject relationships where risks are not acceptable
  – Escalation to senior management / governance committees if required

CDD is embedded in the end-to-end client onboarding process; no new client will be accepted without an authorised CDD record.

RBA – the nuts and bolts (current)

5 key risk 'pools' drive risk assessment – to arrive at SDD (Standard Due Diligence) or EDD (Enhanced Due Diligence) as the final risk rating:
• Co. type, age, Country
• Risk over-ride
• Sanctions risk
• Compulsory EDD
• Country specific

What does each 'risk pool' mean?
• Co. type, age, Country – Combination of multiple, over-riding risk parameter feeds: business type, age, country of incorporation or operation (higher risk)
• Risk over-ride – Allows assignment of an SDD rating for listed entities, companies subject to statutory licensing, Governments, Ministries, SWEPEs etc. irrespective of the Co. type, age, Country rating
• Sanctions risk – A link to any sanctioned country requires assignment of an EDD risk rating and obtaining the related approvals
• Compulsory EDD – CDD procedures require assignment of a compulsory EDD risk rating for specific client types (PEP link, off-shore trusts, gambling / casino businesses, arms, bearer shares, rough diamonds etc.)
• Country specific – Over and above Group CDD policies and procedures, local country regulators may require assignment of a specific risk rating to certain types of clients (manual over-ride in the eCDD system)
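The five pools above only produce a defensible rating if their precedence is fixed: an over-ride that grants SDD to a listed company must not be allowed to cancel a sanctions-driven or policy-driven EDD. The following is an added example, not the bank's eCDD logic or any code from the presentation; the precedence (base pool proposes, the risk over-ride may only lower, the other three pools act as floors that may only raise), the parameter feeds, the flag names and the client records are all assumptions constructed for illustration.

```python
"""Worked example of the five risk 'pools' in the current model.

Assumed precedence (not the bank's eCDD logic): the Co. type / age / Country
pool proposes SDD or EDD; the risk over-ride may lower that to SDD for
listed, statutory-licensed and government entities; sanctions risk,
compulsory-EDD client types and a country-specific regulatory rating are
floors that can only raise the outcome, so an over-ride never suppresses a
sanctions- or policy-driven EDD. Parameter feeds and client records below
are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

SDD, EDD = "SDD", "EDD"
LEVEL_ORDER = {SDD: 0, EDD: 1}

# Constructed parameter feeds; a real bank sources these from its risk assessment.
HIGHER_RISK_COUNTRIES = {"XX", "YY"}
HIGHER_RISK_BUSINESS_TYPES = {"money_service_business", "precious_metals_dealer"}
MIN_COMPANY_AGE_YEARS = 2
SDD_OVERRIDE_CLASSES = {"listed", "statutory_licensed", "government", "ministry"}
COMPULSORY_EDD_FLAGS = {"pep_link", "offshore_trust", "gambling", "arms",
                        "bearer_shares", "rough_diamonds"}


@dataclass
class Client:
    name: str
    business_type: str
    age_years: int
    countries: Set[str]                            # incorporation and operation
    entity_class: Optional[str] = None             # e.g. "listed" (risk over-ride pool)
    flags: Set[str] = field(default_factory=set)   # compulsory-EDD client types
    sanctioned_country_link: bool = False
    country_specific_rating: Optional[str] = None  # manual over-ride in eCDD


def base_pool(c: Client) -> str:
    """Co. type, age, Country pool: any higher-risk parameter proposes EDD."""
    if c.business_type in HIGHER_RISK_BUSINESS_TYPES:
        return EDD
    if c.age_years < MIN_COMPANY_AGE_YEARS:
        return EDD
    if c.countries & HIGHER_RISK_COUNTRIES:
        return EDD
    return SDD


def assess(c: Client) -> Tuple[str, List[str]]:
    """Return (final rating, audit trail of which pool changed it)."""
    trail: List[str] = []
    level = base_pool(c)
    trail.append(f"base pool -> {level}")

    # Risk over-ride: may only lower the base pool's proposal.
    if level == EDD and c.entity_class in SDD_OVERRIDE_CLASSES:
        level = SDD
        trail.append(f"risk over-ride ({c.entity_class}) -> SDD")

    # Floors: each may only raise the rating.
    floors: List[Tuple[str, str]] = []
    if c.sanctioned_country_link:
        floors.append(("sanctions risk (approvals required)", EDD))
    hits = c.flags & COMPULSORY_EDD_FLAGS
    if hits:
        floors.append((f"compulsory EDD ({', '.join(sorted(hits))})", EDD))
    if c.country_specific_rating is not None:
        floors.append(("country specific", c.country_specific_rating))
    for why, floor in floors:
        if LEVEL_ORDER[floor] > LEVEL_ORDER[level]:
            level = floor
            trail.append(f"{why} -> {level}")
    return level, trail


# Constructed sample clients.
SAMPLE_CLIENTS = [
    Client("Plain trading co", "trading", 10, {"AA"}),
    Client("Young MSB", "money_service_business", 1, {"AA"}),
    Client("Listed co in higher-risk country", "trading", 15, {"XX"}, entity_class="listed"),
    Client("Listed co with sanctions link", "trading", 15, {"XX"}, entity_class="listed",
           sanctioned_country_link=True),
    Client("Offshore trust", "trust", 5, {"AA"}, flags={"offshore_trust"}),
    Client("Local regulator rating", "trading", 8, {"AA"}, country_specific_rating=EDD),
]


def assess_all(clients=SAMPLE_CLIENTS) -> Dict[str, str]:
    return {c.name: assess(c)[0] for c in clients}


if __name__ == "__main__":
    for c in SAMPLE_CLIENTS:
        level, trail = assess(c)
        print(f"{c.name:36} {level}  ({'; '.join(trail)})")
```

The audit trail is the part worth keeping in a real system: when a listed company with a sanctioned-country link ends up at EDD, the trail shows the over-ride was applied and then out-ranked by the sanctions floor, which is exactly what an assurance reviewer will ask to see.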

RBA – the nuts and bolts (enhanced)

Client AML risk rating (Low / Medium / High) is driven by:
• Country of establishment or operation
• Industry
• Banking products and services
• Ownership, regulated status, length of relationship
• AML Control Risk (Low / Medium / High)

Due Diligence Requirement:
• All clients – Standard Due Diligence (SDD)
• Enhanced Due Diligence (EDD)
• Defined situation – Specialised Due Diligence (SpecDD)

Frequency of CDD Review: Every 3 years / Annually

Automated AML surveillance risk weighting: Low / Medium / High

Based on global benchmarking and studies, we are moving to a more focused, 'next-gen' risk assessment model.

RBA – the nuts and bolts (enhanced)

• SpecDD – Specialised Due Diligence based on the driver – PEP, Sanctions, Complex Ownership, FI / Correspondent Banking / MSBs, Adverse media
• Client AML risk rating is now independent of the Due Diligence level (SDD / EDD and SpecDD)
• Client AML Risk Rating 'flows through' to Transaction Surveillance systems to help build RBA into our Financial Crime Intelligence Operations program
• Due Diligence level drives the periodicity of CDD review (1 or 3 years)
• Client AML risk rating drives the risk-based thresholds in surveillance systems (progressive thresholds are set for each Detection Scenario based on the risk rating)
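The enhanced model separates two decisions that the current model fused: the rating (which sets surveillance sensitivity) and the due diligence level (which sets review periodicity). The following is an added example, not the bank's own code, showing a high-rated client on SDD next to a low-rated client on SpecDD, and the same month of activity alerting for one but not the other. The factor scoring, the reading that SDD reviews every 3 years and EDD/SpecDD annually, the scenario thresholds and multipliers, the driver flag names and the sample transactions are all assumptions constructed for illustration.

```python
"""Worked example of the enhanced model: a Low/Medium/High client AML risk
rating that is independent of the due diligence level, with the DD level
driving review periodicity and the rating driving progressive surveillance
thresholds. Scoring weights, thresholds, flag names and sample data are
constructed for illustration and are not the bank's parameters.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

LOW, MEDIUM, HIGH = "Low", "Medium", "High"
SDD, EDD, SPECDD = "SDD", "EDD", "SpecDD"
FACTOR_POINTS = {"low": 0, "medium": 1, "high": 2}

# SpecDD drivers named on the slide; the flag spellings are assumed.
SPECDD_DRIVERS = {"pep", "sanctions", "complex_ownership",
                  "fi_correspondent_banking", "msb", "adverse_media"}


@dataclass
class Client:
    name: str
    country: str      # country of establishment or operation: low/medium/high
    industry: str
    products: str     # banking products and services
    ownership: str    # ownership, regulated status, length of relationship
    control: str      # AML control risk
    drivers: Set[str] = field(default_factory=set)


def risk_rating(c: Client) -> str:
    """Assumed scoring: 0-2 points per factor over five factors (max 10)."""
    points = sum(FACTOR_POINTS[v] for v in
                 (c.country, c.industry, c.products, c.ownership, c.control))
    if points >= 7:
        return HIGH
    if points >= 4:
        return MEDIUM
    return LOW


def due_diligence_level(c: Client) -> str:
    """DD level is set by defined situations, not by the rating (assumed:
    SpecDD when a driver is present, otherwise SDD; EDD assignment by
    policy lists is not modelled here)."""
    return SPECDD if c.drivers & SPECDD_DRIVERS else SDD


def review_period_years(dd_level: str) -> int:
    """Assumed reading of the slide: SDD every 3 years, EDD/SpecDD annually."""
    return 3 if dd_level == SDD else 1


# Detection scenarios with a base threshold and a progressive multiplier per
# rating: the higher the client's rating, the lower the alerting threshold.
SCENARIOS = {
    "cash_deposits_30d": {"base": 100_000, "mult": {LOW: 1.0, MEDIUM: 0.6, HIGH: 0.35}},
    "new_wire_counterparties_30d": {"base": 10, "mult": {LOW: 1.0, MEDIUM: 0.7, HIGH: 0.4}},
}


def threshold(scenario: str, rating: str) -> float:
    s = SCENARIOS[scenario]
    return s["base"] * s["mult"][rating]


def run_surveillance(rating: str, txns: List[dict]) -> List[str]:
    """Return the detection scenarios that fire for this rating."""
    cash = sum(t["amount"] for t in txns if t["type"] == "cash_deposit")
    new_cps = {t["counterparty"] for t in txns
               if t["type"] == "wire" and t.get("new_counterparty")}
    observed = {"cash_deposits_30d": cash,
                "new_wire_counterparties_30d": len(new_cps)}
    return [s for s, v in observed.items() if v >= threshold(s, rating)]


# Constructed 30-day activity: 45,000 in cash and wires to 5 new counterparties.
SAMPLE_TXNS = [
    {"type": "cash_deposit", "amount": 15_000},
    {"type": "cash_deposit", "amount": 30_000},
] + [{"type": "wire", "amount": 2_000, "counterparty": f"CP{i}", "new_counterparty": True}
     for i in range(5)]

SAMPLE_CLIENTS = [
    # High-rated, but no defined SpecDD situation: SDD, reviewed every 3 years.
    Client("Cash-intensive exporter", "high", "high", "medium", "high", "medium"),
    # Low-rated, but a PEP link: SpecDD, reviewed annually.
    Client("Domestic retailer with PEP director", "low", "low", "low", "low", "low",
           drivers={"pep"}),
]


def profile(c: Client) -> Dict[str, object]:
    rating = risk_rating(c)
    dd = due_diligence_level(c)
    return {"rating": rating, "dd_level": dd,
            "review_years": review_period_years(dd),
            "alerts": run_surveillance(rating, SAMPLE_TXNS)}


if __name__ == "__main__":
    for c in SAMPLE_CLIENTS:
        print(c.name, profile(c))
```

The point to check in any real deployment is the one this example makes visible: the rating must reach the surveillance system as a field on the client record, otherwise every client is monitored at the Low thresholds and the "flow-through" exists only on paper.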

Multiple levels of review / sign-off

Role | SDD | EDD / Spec DD
Relationship Manager | Sign off / Approve | Recommend
Compliance / FCR | ---- | Review / Advise
Sr Management | ---- | Sign off / Approve
Country Governance | ---- | Review periodically

For signing off the CDD file, RMs consider all the information gathered during the due diligence process, including consideration of any reputational risks identified through media searches. Material reputational risk considerations are escalated to Senior Management for consideration and decision.

Ongoing monitoring / continuous loopback

Stage – Nature of activity
• Transaction screening – Automated screening of cross-border SWIFT messages to / from the Bank against numerous regulatory (e.g. OFAC) and internal watch lists
• Client screening – Comparison of client names against a wider set of watch lists, e.g. sanctioned persons, politically exposed persons (PEPs), internal lists
• AML surveillance – Post-transaction review – Detection Scenarios, prompting investigation; performing research and analytics to generate FCR intelligence; and disclosure to authorities as a STR where appropriate
• CDD review – Three key activities – information updates; trigger-based CDD reviews; periodic CDD reviews. Follows a similar process to client on-boarding to ensure appropriate challenge

Assurance – three lines of defence

1st line – Business (Front Office)
• Act as primary "gatekeepers" for client acquisition
• Ensures ongoing compliance with all relevant policies and procedures
• Tools include MI (KRIs, KCIs, KPIs), Key Control Standards, Key Control Self Assessments, Peer Reviews

2nd line – Compliance and other RCOs
• Sets policies and standards for regulatory compliance
• Provides advice to business in relation to policies
• Monitors to ensure ongoing business adherence to policies
• Tools include Compliance Monitoring Reviews, Controls Effectiveness Reviews

3rd line – Group Internal Audit
• Conducts internal audits
• Assesses effectiveness of a process as a whole

What can go wrong?

• Failure to include all products and systems will cause your risk assessment to be incorrect
• Failure to include all key stakeholders will not allow you to consider the operational challenges faced by them
• Failure to interpret / implement local requirements will expose you to local regulatory risk and internal challenges from assurance functions (e.g. Internal Audit)
• Over-complicated procedures will cause confusion in the front line
• Failure to train staff appropriately will lead to poor quality CDD
• Overly rigid procedures may cause operational difficulties
• Failure to have a process of continuous evaluation of risk and associated procedures will expose your organization to ML/TF/Sanctions risk