APRIL 2007
Anti-Money Laundering – Global Best Practices
William Langford
Director of Global Anti-Money Laundering
Framework for Anti-Money Laundering Compliance
Policy and Procedures
Global Money Laundering Risk Assessment and Mitigation
• Drives the development and operation of the program
• Identify and quantify risks and internal controls across product lines and geographies
• Develop and track risk mitigation action plans
Global AML Policy
Corporate Minimum Standards
• KYC – High Risk Customers
• Correspondent Banking
• Country Risk Ranking
• Suspect Screening
Line of Business AML Policies and Procedures
Framework (Cont’d)
On-Going Due Diligence and Monitoring
• Automated transaction monitoring – through activity profiling, peer grouping, and targeted filters plus the detection of specific scenarios that may involve illicit activity
• On-going use of monitoring experience to enhance systemic monitoring quality
• Watchlists and suspect screening of accounts and transactions
• Account surveillance of high-risk customers or accounts with potentially suspicious activity
• Periodic relationship reviews and due diligence refresh on a risk-assessed basis
Customer On-Boarding
• Customer identity verification
• Risk-based customer due diligence, including general due diligence and, where necessary, enhanced due diligence and specialized due diligence
• Compliance with additional, specific regulatory requirements for type of client or account, e.g., correspondent accounts, private banking accounts, politically exposed persons
• Suspect screening
• Identification of prohibited relationships
Framework (Cont’d)
Investigation and Reporting
• Investigation of potentially suspicious activity
• Reporting of activity determined to be suspicious in accordance with applicable legal requirements
• Coordination with law enforcement on matters requiring additional investigation
• Information sharing on trends and patterns to business units
• Consultation with lines of business to address the risks posed, including determining whether to maintain the relationship
Program Assessment and Audit
• Management reporting and metrics to track policy implementation, program operation, and effectiveness
• Coordinated compliance testing
• Independent testing and validation performed by Audit targeting highest risks
Communication and Training
• Annual core training as well as enhanced training specific to products and services within the lines of business
• AML Awareness
Money Laundering Risk Assessment and Mitigation
Benefits of an effective BSA/AML risk assessment process include:
• Helps to identify the bank’s BSA/AML risk profile.
• Enables the bank to apply the appropriate risk management processes to the BSA/AML Compliance program to mitigate risk.
• Allows management to better identify and mitigate gaps in the bank’s controls.
• Provides a comprehensive analysis of the BSA/AML risk in a concise and organized presentation.
Step 1: Identify Specific Risk Categories
Identify specific risk categories (i.e., products, services, customers, entities, and geographic locations) unique to the bank.
Step 2: Conduct Detailed Analysis
Conduct a more detailed analysis of the data identified to better assess the risk within these categories. In reviewing the risk assessment, the examiner should determine whether management has considered all products, services, customers, and geographic locations, and whether management’s detailed analysis within these specific risk categories was adequate.
Money Laundering Risk Assessment – Primary Audiences
Regulators
Senior Management
LOB Senior Management
Regulators expect that we understand our AML risks, have created appropriate controls to mitigate them, and can support both the understanding of risks and our associated controls with appropriate documentation (including an AML risk assessment)
Senior Management requires a strong level of confidence that our AML program currently maintains appropriate controls to mitigate the reputation and business risks of money laundering-related activity, and that our AML program is prepared to respond appropriately to future challenges
LOB Senior Management requires an accurate understanding of the nature of their AML exposure and a level of comfort with the measures and controls in place to mitigate this business risk
Money Laundering Risk Assessment – Primary Audiences
Internal Audit
BSA Officer - Compliance Officer
Testing Units
Internal Audit has a mandate to ensure that LOBs possess a sufficient understanding of their business risks, a system of internal controls adequate to mitigate these risks effectively, and LOB senior management oversight of the AML risk management process
The BSA Officer or Compliance Officer is responsible for the development, implementation and oversight of the AML program, and requires an accurate assessment regarding LOB AML risks and controls in order to make decisions regarding the shape and direction of the program
Similar to Internal Audit, Compliance Testing Units utilize risk assessments to ensure that risks are identified, measured, monitored, and controlled. Risk assessments are a key part of the scoping process.
Money Laundering Risk Assessment and Mitigation
Measuring Susceptibility to Money Laundering
Stratify Risk Assessment by Business Units
Quantify Risk Levels and Control Adequacy
Roll Up Results
Communicate Risk Levels and Trends
Macro-Level Measurement Possibilities
•Capital
•Total Assets or Assets Under Management
•Revenue
Key Enterprise Risks
Legal Risk
Compliance Risk
Reputation Risk
Money Laundering Risk Assessment and Mitigation
Risk Assessment Link to the BSA/AML Compliance Program – FFIEC Manual
Risk Assessment
Identify & Measure Risk:
• Products
• Services
• Customers
• Geographic locations
Internal Controls
Develop Applicable:
• Policies
• Procedures
• Systems
• Controls
Results
Risk-Based BSA Compliance Program
• Internal controls
• Audit
• BSA Compliance Officer
• Training
Money Laundering Risk Assessment and Mitigation
Inherent Risks
•Products
•Clients
•Geography (Domestic or International Exposure)
•Forward Looking – changes in business strategy; new products, expanding to new markets, or exiting products/markets
Risk Mitigation
•Governance
•Management Oversight/Resources
•Customer/Client Identification and Due Diligence
•Management Information Systems
•BSA Reporting (CTRs, SARs)
•Training
•Testing/Audit Coverage/Examination Findings
Money Laundering Risk Assessment and Mitigation
Product Risk – FFIEC Manual
Certain products and services offered by banks may pose a higher risk of money laundering or terrorist financing depending on the nature of the specific product or service offered.
Such products and services may facilitate a higher degree of anonymity, or involve the handling of high volumes of currency or currency equivalents.
Some of these products and services are listed below, but the list is not all inclusive:
Electronic funds payment services.
Electronic Banking.
Private banking (domestic and international).
Trust and asset management services.
Monetary instruments.
Foreign correspondent accounts.
Trade finance (letters of credit).
Special use or concentration accounts.
Lending activities (e.g., loans secured by cash collateral and marketable securities).
Non-deposit account services (e.g., non-deposit investment products and insurance).
Money Laundering Risk Assessment and Mitigation
Client Risk – FFIEC Manual
Although any type of account is potentially vulnerable to money laundering or terrorist financing, by the nature of their business, occupation, or anticipated transaction activity, certain customers and entities may pose specific risks.
At this stage of the risk assessment process, it is essential that banks exercise judgment and neither define nor treat all members of a specific category of customer as posing the same level of risk.
In assessing customer risk, banks should consider other variables, such as services sought and geographic locations.
See the next page for a list of Customers and Entities that may pose specific risks to money laundering or terrorist financing.
Money Laundering Risk Assessment and Mitigation
Client Risk – FFIEC Manual
Foreign financial institutions, including banks and foreign money services providers (e.g., casas de cambio, currency exchanges, and money transmitters).
Non-bank financial institutions (e.g., money services businesses; casinos and card clubs; brokers/dealers in securities; and dealers in precious metals, stones, or jewels).
Senior foreign political figures and their immediate family members and close associates (politically exposed persons (PEPs)).
Nonresident alien (NRA) and accounts of foreign individuals.
Foreign corporations and domestic business entities, particularly offshore corporations (such as domestic shell companies and Private Investment Companies (PICs) and international business corporations (IBCs)) located in high-risk geographic locations.
Deposit brokers, particularly foreign deposit brokers.
Cash-intensive businesses (e.g., convenience stores, restaurants, retail stores, liquor stores, cigarette distributors, privately owned ATMs, vending machine operators, and parking garages).
Non-governmental organizations and charities (foreign and domestic).
Professional service providers (e.g., attorneys, accountants, doctors, real estate brokers).
Money Laundering Risk Assessment and Mitigation
Geographic Risk – FFIEC Manual
International:
Countries subject to OFAC sanctions, including state sponsors of terrorism.
Countries identified as supporting international terrorism under section 6(j) of the Export Administration Act of 1979, as determined by the Secretary of State.
Jurisdictions determined to be “of primary money laundering concern” by the Secretary of the Treasury, and jurisdictions subject to special measures imposed by the Secretary of the Treasury, through FinCEN, pursuant to section 311 of the Patriot Act.
Jurisdictions or countries identified as non-cooperative by the Financial Action Task Force on Money Laundering (FATF).
Major money laundering countries and jurisdictions identified in the U.S. Department of State’s annual International Narcotics Control Strategy Report (INCSR), in particular, countries which are identified as jurisdictions of primary concern.
Offshore financial centers (OFCs) as identified by the U.S. Department of State.
Other countries identified by the bank as high-risk because of its prior experiences or other factors (e.g., legal considerations, or allegations of official corruption).
Domestic: HIDTAs and HIFCAs
Money Laundering Risk Assessment and Mitigation
Roll Up the Results
Risk Weighting – FFIEC Manual Appendix J
Document Your Results
Possible Proxies
•Total Assets or Assets Under Management
•Capital
•Net Revenue
•Interest Income/Noninterest Income
•Market Exposure
•Place the AML Exposure in the Context of the Enterprise
Money Laundering Risk Assessment and Mitigation
Summarize the Results
•Profile of the business
•Key Inherent Risk Factors
•Primary factors that contributed to the risk levels assigned
•Key Mitigation Factors/Controls
•Primary factors that contributed to the strength or weakness of controls
•Residual Risk
•Direction of Risk Trend
•Where is your risk headed in the next 12-18 months?
•Increasing? Decreasing? Stable?
Money Laundering Risk Assessment and Mitigation
Now what?
Keep your risk assessment up to date
Per the FFIEC Manual, reassess BSA/AML risks at least every 12 to 18 months
Dynamic if possible
Money Laundering Risk Assessment and Mitigation
Now what?
Drive/Focus Resources
Training
Monitoring
Independent testing or Audit
•Scoping
•Validating the Assessment and Controls
Money Laundering Risk Assessment and Mitigation
What about OFAC?
Do you assess OFAC as part of your AML risk assessment?
Resources:
FFIEC Manual – Appendix M
OFAC Website