Risk Based Approach – putting it into practice (2012)
Collin Lobo
Regional Head of Financial Crime Risk – Middle East, Pakistan and Africa
Disclaimer – This presentation / document has been prepared to help improve general awareness of the Risk Based Approach to AML / Sanctions / Financial Crime in general, and to KYC / CDD processes in particular, for the attendees of the Outreach Session by DFSA, and has been created for discussion purposes only. It reflects only the personal views of the author and not those of Standard Chartered Bank. Neither the author nor Standard Chartered Bank accepts any responsibility or liability whatsoever in regard to its contents.
Agenda
• Introduction
• Why do we need RBA – a practitioner’s perspective?
• What does a risk based approach mean to us?
• How do you go about putting a RBA into practice?
  – Policy
  – Risk Assessment
    – Enterprise
    – Client
    – Segment
    – Product
  – Operating Procedures
  – On-going monitoring
  – Training
• What can go wrong?
• Q & A
Why do we need RBA?
• We need a RBA to help us as an authorised firm to:
  – Identify and measure potentially higher risk areas of money laundering, terrorist financing and sanctions;
  – Develop strategies to mitigate those risks that have been identified; and
  – Help focus resources (human and financial) in areas that are deemed higher risk from a financial crime risk perspective.
• Because
  – We operate in different geographies
  – We offer somewhat different client solutions
  – We have different operating models, are different in size and complexity
  – We don’t have a ‘blank cheque’! and
  – ONE SIZE DOES NOT FIT ALL!!
What does RBA mean to us?
• Allows us to risk categorize our business, products and clients from an FCR perspective
• Includes a documented risk assessment covering financial crime risks (ML, TF, Sanctions, ABC and Fraud)
• Risk assessment for Financial Crime Risk takes into account:
  – Clients and business relationships
  – Products, services and delivery channels
  – Jurisdictions where we draw our client base from
  – Jurisdictions where we operate
• Continuous identification of areas for improvement in the risk assessment and associated policies and procedures
• Independent assurance that it is working in practice
Overarching RBA philosophy
Group AML policies and procedures
Risk Assessment – Global, Geography, Customer – flow through to Businesses (Wholesale, Consumer & Private Banking)
Customer on-boarding procedures – bespoke written procedures within the boundaries of Group policies by each Business
On-going monitoring – Transaction surveillance, Sanctions filtering, periodic review, trigger-event reviews and Dynamic Risk Rating
Training – Bespoke and fit-for-purpose training to staff – Tellers / Branches, Cash Management, Trade, RMs, CDD Advisory and Senior Management
Assurance – 3 lines of defence – KCSAs (first line), Compliance Monitoring (2nd line), Group and Country Audit (3rd line)
Building blocks that synergise each other
• Financial Crime policies and procedures
• Client on-boarding – KYC / CDD
• Ongoing monitoring – Transaction screening, Client screening, AML surveillance, CDD Review
• Governance
• Assurance
• Systems, Organization and Resources
• Training
RBA – KYC (client on-boarding)
AML Risk Assessment
• Risk-based approach ensuring more due diligence for situations where there is greater money laundering risk
• Risk factors include geography, industry, products, clients, regulatory requirements
Identification & Verification
• Collection of information that identifies clients and verification of accuracy of information
Client screening
• Screening of names of clients and related parties against watch lists including sanctions lists, politically exposed persons lists, adverse media lists and internal lists
Client due diligence
• Collection of information to understand nature of relationship the client is seeking with the Bank
• Understanding whether client will introduce AML risks to the Bank
Client acceptance
• Ensure that AML risks are acceptable before on-boarding
• Restrict or reject relationships where risks are not acceptable
• Escalation to senior management / governance committees if required
CDD is embedded in the end-to-end client onboarding process; no new client will be accepted without an authorised CDD record.
RBA – the nuts and bolts (current)
5 key risk ‘pools’ – Co. type, age, Country; Risk over-ride; Sanctions risk; Compulsory EDD; Country specific – drive the risk assessment to arrive at a Final risk rating of SDD (Standard Due Diligence) or EDD (Enhanced Due Diligence)
What does each ‘risk pool’ mean?
• Co. type, age, Country – Combination of multiple, over-riding risk parameter feeds: business type, age, country of inc. or operation (higher)
• Risk over-ride – Allows assignment of SDD rating for listed entities, companies subject to statutory licensing, Governments, Ministries, SWEPEs etc. irrespective of Co. type, age, Country rating
• Sanctions risk – Link to any sanctioned country requires assignment of EDD risk rating and obtaining related approvals
• Compulsory EDD – CDD procedures require assignment of compulsory EDD risk rating for specific client types (PEP link, off-shore trusts, gambling / casino businesses, arms, bearer shares, rough diamonds etc.)
• Country specific – Over and above Group CDD policies and procedures, local country regulators may require assignment of specific risk rating to certain types of clients (manual over-ride in eCDD system)
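The five pools above combine into one SDD / EDD outcome. The following is an added example, not code from the presentation or from any bank, showing how such a combination can be made explicit and auditable: each pool casts a vote with a recorded reason, the SDD over-ride replaces only the base pool (type, age, country), and the mandatory pools (sanctions link, compulsory EDD client types, a regulator-mandated rating) can never be undone by that over-ride. The country and business-type lists, the two-year company-age cut-off and the precedence rule itself are assumptions made for illustration.

```python
# Added example (not the presentation's own code): the five risk 'pools' of the
# current model combined into a final SDD / EDD rating with recorded reasons.
# Lists, the age cut-off and the precedence rule are constructed assumptions.
from dataclasses import dataclass, field
from typing import Optional

HIGHER_RISK_COUNTRIES = {"CountryX", "CountryY"}          # constructed placeholders
HIGHER_RISK_BUSINESS_TYPES = {"money service business", "precious stones dealer"}
SDD_OVERRIDE_CLASSES = {"listed entity", "statutory licensed", "government",
                        "ministry", "SWEPE"}
COMPULSORY_EDD_TYPES = {"PEP link", "off-shore trust", "gambling / casino",
                        "arms", "bearer shares", "rough diamonds"}
NEW_COMPANY_YEARS = 2        # assumed: younger companies fall into EDD in the base pool
RANK = {"SDD": 0, "EDD": 1}  # EDD is the more restrictive rating


@dataclass
class Prospect:
    business_type: str
    age_years: int
    countries: set                                   # incorporation and operation
    entity_class: str = ""                           # e.g. "listed entity" (over-ride pool)
    sanctioned_country_link: bool = False            # sanctions risk pool
    client_types: set = field(default_factory=set)   # e.g. {"bearer shares"}
    regulator_required_rating: Optional[str] = None  # country-specific manual over-ride


def base_pool(p: Prospect):
    """Pool 1: company type, age and country; returns (rating, reason)."""
    if p.countries & HIGHER_RISK_COUNTRIES:
        return "EDD", "higher-risk country of incorporation or operation"
    if p.business_type in HIGHER_RISK_BUSINESS_TYPES:
        return "EDD", "higher-risk business type"
    if p.age_years < NEW_COMPANY_YEARS:
        return "EDD", "newly established company"
    return "SDD", "no base-pool trigger"


def assess(p: Prospect) -> dict:
    """Combine the five pools; the most restrictive rating wins."""
    rating, reason = base_pool(p)
    votes = [(rating, f"base pool: {reason}")]
    # Pool 2: risk over-ride replaces the base pool only
    # (SDD irrespective of company type, age and country).
    if p.entity_class in SDD_OVERRIDE_CLASSES:
        votes = [("SDD", f"risk over-ride: {p.entity_class}")]
    # Pool 3: a sanctioned-country link forces EDD and requires related approvals.
    approvals_required = False
    if p.sanctioned_country_link:
        votes.append(("EDD", "sanctions risk: link to a sanctioned country"))
        approvals_required = True
    # Pool 4: compulsory EDD for specific client types.
    for t in sorted(p.client_types & COMPULSORY_EDD_TYPES):
        votes.append(("EDD", f"compulsory EDD: {t}"))
    # Pool 5: rating mandated by the local regulator (manual over-ride).
    if p.regulator_required_rating in RANK:
        votes.append((p.regulator_required_rating, "country-specific regulator requirement"))
    final = max(votes, key=lambda v: RANK[v[0]])[0]
    reasons = [why for r, why in votes if r == final]   # keep the audit trail
    return {"rating": final, "approvals_required": approvals_required, "reasons": reasons}


if __name__ == "__main__":
    listed = Prospect("retail trader", 5, {"CountryX"}, entity_class="listed entity")
    print(assess(listed))   # SDD: over-ride beats the higher-risk country
    listed.client_types = {"bearer shares"}
    print(assess(listed))   # EDD: compulsory EDD is not undone by the over-ride
```

Keeping the reasons alongside the rating is what lets a reviewer, or an auditor in the third line of defence, see which pool produced the outcome rather than only the final SDD / EDD label.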
RBA – the nuts and bolts (enhanced)
Client AML risk rating (Low / Medium / High) is driven by:
• Country of establishment or operation
• Industry
• Banking products and services
• Ownership, regulated status, length of relationship
• AML Control Risk
Due Diligence Requirement:
• All clients – Standard Due Diligence (SDD)
• Enhanced DD (EDD)
• Defined situation – Specialised Due Diligence (SpecDD)
Frequency of CDD Review: Every 3 years / Annually
Automated AML surveillance risk weighting: Low / Medium / High
Based on global benchmarking and studies, we are moving to a more focused, ‘next-gen’ risk assessment mode
RBA – the nuts and bolts (enhanced)
SpecDD – Specialised Due Diligence based on the driver – PEP, Sanctions, Complex Ownership, FI / Correspondent Banking / MSBs, Adverse media
Client AML risk rating is now independent of the Due Diligence level (SDD / EDD and SpecDD)
Client AML Risk Rating ‘flows through’ to Transaction Surveillance systems to help build RBA into our Financial Crime Intelligence Operations program
Due Diligence level drives the periodicity of CDD review (1 or 3 years)
Client AML risk rating drives the risk-based thresholds in surveillance systems (progressive thresholds set for each Detection Scenario based on risk rating)
Multiple levels of review / sign-off
Role                   SDD                  EDD / Spec DD
Relationship Manager   Sign off / Approve   Recommend
Compliance / FCR       ----                 Review / Advise
Sr Management          ----                 Sign off / Approve
Country Governance     ----                 Review periodically
For signing off the CDD file, RMs consider all the information gathered during the due diligence process, including consideration of any reputational risks identified through media searches. Material reputational risk considerations are escalated to Senior Management for consideration and decision.
Ongoing monitoring / continuous loopback
Stage – Nature of activity
Transactions screening – Automated screening of cross-border SWIFT messages to / from against numerous regulatory (e.g. OFAC) and internal watch lists
Client screening – Comparison of client names against a wider set of watch lists e.g. sanctioned persons, politically exposed persons (PEPs), internal lists
AML surveillance – Post-transaction review – Detection Scenarios, prompting investigation; performing research and analytics to generate FCR intelligence; and disclosure to authorities as a STR where appropriate
CDD review – Three key activities – information updates; trigger-based CDD reviews; periodic CDD reviews. Follows similar process as client on-boarding to ensure appropriate challenge
Assurance – three lines of defence
1st line – Business (Front Office)
• Act as primary “gatekeepers” for client acquisition
• Ensures ongoing compliance with all relevant policies and procedures
• Tools include MI (KRIs, KCIs, KPIs), Key Control Standards, Key Control Self Assessments, Peer Reviews
2nd line – Compliance and other RCOs
• Sets policies and standards for regulatory compliance
• Provides advice to business in relation to policies
• Monitors to ensure ongoing business adherence to policies
• Tools include Compliance Monitoring Reviews, Controls Effectiveness Reviews
3rd line – Group Internal Audit
• Conducts internal audits
• Assesses effectiveness of a process as a whole
What can go wrong?
• Failure to include all products and systems will cause your risk assessment to be incorrect
• Failure to include all key stakeholders will not allow you to consider operational challenges faced by them
• Failure to interpret / implement local requirements will expose you to local regulatory risk and internal challenges from assurance functions (e.g. Internal Audit)
• Over-complicated procedures will cause confusion in the front line
• Failure to train staff appropriately will lead to poor quality of CDD
• Overly rigid procedures may cause operational difficulties
• Failure to have a process of continuous evaluation of risk and associated procedures will expose your organization to ML / TF / Sanctions risk