Developing a Risk Based Approach for DNFBPs on AML/CFT

1
Developing a Risk Based Approach for DNFBPs on
AML/CFT

• The Special Control Unit Against Money Laundering
  (SCUML) Seminar on Strategic Partnership Between
  SCUML and DNFBPs for Effective Implementation of
  AML/CFT Regime in Nigeria Held at EFCC
  Conference Hall, Lagos

Presented by Pattison Boleigha
2.30pm to 3.30pm February 2012
2
Outline

• Background
• AML Risk Management Process
• Requisites of Risk Based AML
• Fundamental Elements In a Risk-Based AML
• Purpose of adopting RBA
• Benefits of Risk-Based AML
• Risk Modeling/Risk Categories
• Leveraging on Risk Based AML
• COMPLIANCE RISK MANAGEMENT
• RISK MANAGEMENT MODEL
• Conclusion

3
Definition of Acronyms

• AML Anti Money Laundering
• CFT Countering Financing of Terrorism
• FIs Financial Institutions
• ML Money Laundering
• TF Terrorist Financing
• DNFI Designated Non-Financial Institutions
• KYC Know Your Customer
• KYCB Know Your Customers Business
• KYE Know Your Employee
• CDD Customer Due Diligence
• EFCC Economic and Financial Crimes Commission
• NFIU Nigerian Financial Intelligence Unit
• SCMUL Special Commission for Monitoring
• FATF Financial Action Task Force
• CTR Currency Transaction Reports
• STR Suspicious Transaction Report
• EDD Enhanced Due Diligence
• DNFBPs Designated Non-Financial Businesses and
  Professions
• SROs Self-Regulatory Organisations

4
Background

• After the 2007 general guidance on Risk Based
  AML/CFT, in October 2008, the FATF came up with
  another set of Guidance on RBA on DNFBPs like
  Accountants, Casinos , etc.
• The guidance for the DNFBPs followed the
  principles of the risk-based approach already
  established by FATF, and highlighted risk factors
  specific to the DNFBPs, as well as suggest
  mitigation strategies that fit with the
  particular activities and businesses of the
  DNFBPs.
• The purpose of this guidance was to
• Support the development of a common understanding
  of what the risk-based approach involves.
• Outline the high-level principles involved in
  applying the risk-based approach.
• Indicate good practice in the design and
  implementation of an effective risk-based
  approach.
• However it should be noted that applying a
  risk-based approach is not mandatory. A properly
  applied risk-based approach does not necessarily
  mean a reduced burden, although it should result
  in a more cost effective use of resources.

5
Objective of the RBA

• The strategies to manage and mitigate the
  identified money laundering and terrorist
  financing activities are typically aimed at
  preventing the activity from occurring through a
  mixture of
• deterrence (e.g. appropriate CDD measures),
• detection (e.g. monitoring and suspicious
  transaction reporting),
• and record-keeping (e.g. to facilitate
  investigations).
• Proportionate procedures should be designed based
  on assessed risk
• Higher risk areas - enhanced procedures
• enhanced customer due diligence checks and
• enhanced transaction monitoring.
• Lower risk areas simplified or reduced controls
  may be applied.
• There are no universally accepted methodologies
  that prescribe the nature and extent of a
  risk-based approach.
• An effective risk-based approach will allow
  accountants to exercise reasonable business and
  professional judgement with respect to clients.
• Regardless of the strength and effectiveness of
  AML/CFT controls, criminals will continue to
  attempt to move illicit funds undetected and
  will, from time to time, succeed.

6
The Steps Involved In A Basic Risk-based Approach

• Identify the money laundering and terrorist
  financing risks that apply to a firm
• Then assess the risks presented by the firms
  particular
• Customers
• Products
• Geographical areas of operation
• Firms then need to design and introduce controls
  to manage and reduce these risks.
• These controls must then be monitored and
  improved where necessary
• Firms must keep a record of what they have done
  and why they did it.

7
Key Elements For Success

• DNFBPs, designated competent authorities and SROs
  should have access to sufficiently detailed,
  reliable and actionable information about the
  threats, and how to implement a risk-based
  approach.
• There must be emphasis on cooperative
  arrangements among the policy makers, law
  enforcement, regulators, and the private sector.
• Authorities should publicly recognise that the
  risk-based approach will not eradicate all
  elements of risk.
• Authorities have a responsibility to establish an
  atmosphere in which DNFBPs need not be afraid of
  regulatory sanctions where they have acted
  responsibly and implemented adequate internal
  systems and controls.
• Regulators and SROs supervisory staff must be
  well-trained in the risk-based approach, both as
  applied by supervisors/SRO and by the
  accountants.

8
Requisites of Risk-Based AML

• The Risk-Based Anti-Money Laundering (AML)
  compliance program should be designed
  commensurate with its unique risk profile.
• The risk profile should take cognizance of the
  inherent risks in the products and services it
  offers, the customers it serves, and the
  geographic locations it operates in.
• It should be a logical process that identifies,
  monitors and manages risks to the businesses that
  could be used for money laundering.
• The risk-based AML should leverage on a robust
  automated IT solution that can perform data
  analysis, detection, and advanced data mining to
  generate alert detection scenarios.

9
Steps in a Risk-Based AML

• The first step is to conduct a risk assessment,
  which involves thoroughly evaluating a companys
  products and services customers base delivery
  channels and geographical profiles and
  determining what the vulnerable areas are.
• Once these areas have been properly defined, the
  business needs to create and apply policies and
  procedures to deal with them. the second step.
• The third step involves risk monitoring, which
  varies depending on the size and type of business
  concerned, but the key is having systems in place
  that will recognize potential threats in relation
  to activity. E.G. An organization may utilize a
  software solution to monitor activity and
  transactions.
• Finally, the entire process needs to retain the
  ability to continually evaluate its own
  effectiveness the fourth step. It must be
  flexible enough to adapt to continually changing
  circumstances, and it must also make sure that it
  is being applied appropriately.

10
Fundamental Elements in a Risk-Based AML Approach

• Legal Organizational Structure of the
  institution Large organizations with different
  markets, subsidiaries, functional areas, or
  business lines present higher levels of AML risk.
• Geographies Operating Markets The level of
  risk may be heightened as geography and market
  area expands. Additionally, the institution
  should evaluate the impact of expanding its
  business lines to accepting transactions and
  accounts from areas designated as High Risk Money
  Laundering and Related Financial Crimes Areas,
  HIFCAs, requiring scrutiny.
• Regulatory Framework Consideration of applicable
  laws in areas of operation. Lack of regulatory
  framework or scrutiny may be indicative of
  heightened risk level for transactions or
  beneficiaries in those markets.

11
Fundamentals Elements in a Risk-Based AML
Approach (contd)

• Counterparties Enterprise risk profiling in
  relation to business with counterparties. An
  institution can unwittingly accept assume a level
  of risk through its counterparties that it would
  not willingly assume if the customer relationship
  was direct. Compliance expectations from
  counterparties must be known. It is therefore
  incumbent for each institution toKnow Your
  Counterparty
• Customer Base Characteristics Review of
  associated risks emanating from compliance with
  KYC or KYCB requirements to determine areas for
  enhanced due-diligence (EDD) in relation to the
  following
• Retail/Individual Clients
• Institutional/Corporate Clients
• Domestic Foreign Correspondent DNFBP
  Relationships
• Linked Relationships
• Risk Weighting Alert Prioritization.

12
Fundamental Elements in a Risk-Based AML Approach
(Contd)

• Customer Correspondent Bank Validation/
  Categorization
• KYC High-Risk Profiling and Transactional-risk
  scoring
• Peer group benchmarking
• Service-level profiling
• Scope of Customer Relationships/Client Account
  Behaviour Benchmarking
• Determination of breadth and depth of customer
  relationships.
• Exceeds historical benchmarks above thresholds.
• Identification of typical behavior/suspected
  terrorist financing schemes.
• Any indication of suspicious transaction of
  logical entities.
• Fraud

13
Purpose of adopting risk-based approach (RBA)

• Measures to prevent money laundering and
  terrorist financing in line with risks
  identified.
• Risk management process
• Identification and addressing of high risk areas
• Reasonable business judgment
• Efficient and effective allocation of resources
• Flexible efforts to fight money laundering and
  terrorist financing
• Increased focus on high risk activities
• Better adaptability to money laundering and
  terrorist financing methods

14
Challenges Of Adopting RBA

• Money laundering vs. terrorist financing
  applicability
• Resources and expertise requirement
• Inadequate resources devoted to compliance
• Diversity of practice among financial
  institutions
• Identifying appropriate information to conduct a
  sound risk analysis
• Addressing short term transitional costs
• Greater need for more expert staff capable of
  making sound judgments.
• Developing appropriate regulatory response to
  potential diversity of practice.

15
Limitations To Adopting RBA

• Rule-based requirements (freezing of assets, STR,
  CTR)
• Verification of customer identity
• Non-applicability of simplified measures to all
  CDD
• Due diligence requirements appropriate to each
  customer
• Degree of monitoring in accordance with perceived
  risk
• Measures and controls for higher risk situations
• Wilful Blindness
• Beneficial Ownership
• Tipping Off

16
Potential Benefits of Risk-Based AML Approach

• The risk-based AML Approach provides value to the
  organization and the cornerstone of an effective
  compliance programme.
• Allows management to see things as they really
  are, and make risk-appropriate decisions based on
  measurable data and intelligence.
• Serves as a basis for management decisions to
  allocate resources for compliance and internal
  control to manage the institution's unique risks
  (Compliance, Regulatory Strategic) and minimize
  the incidence of regulatory infractions and
  penalties.
• Facilitates a comprehensive AML governance and
  oversight capability, thereby demonstrating a
  corporate-wide culture to deter money laundering.
• Sets the stage for on-going AML risk management,
  which adapts to changes in regulations, products,
  and organizational structure.

17
Leveraging on Risk-Based AML Approach

• Institutions must leverage on risk-based AML
  approach by adopting a comprehensive programme
  administration over the following
• Compliance Programme Effectiveness of current
  management policies and compliance procedures
• Reporting
• SAR/CTR Reporting.
• Case Generation Management
• Audit Trail Record Retention
• Training Programme to ensure sustenance of
  compliance efforts
• Self Assessment Programme Assessment of current
  process to through programme testing to design
  appropriate enhancements to the existing process
  or develop and entirely new, custom process.

18
Leveraging on Risk-Based AML Approach (Contd)

• Leveraging on risk-based AML approach for
  business advantage through adopting of an AML
  Solution that can perform the following
• Generation of Alerts on set compliance
  parameters.
• Data mining, advanced analysis detection
• Extraction of Exception Reports for SAR/CTR
  Reporting
• Risk scoring and prioritization of Alerts in
  support of workflow and case management
• Flexibility to accommodate sophisticated business
  rules that can analyse customers transactional
  behaviour in comparison to normalized activity
  and known money laundering techniques in batch
  and real time.
• Flexibility to accommodate KYC-based Models that
  can learn about customers and their KYC behaviour
• Accurate and timely SARs/CTRs filing support
  within regulator-prescribed windows.
• Adaptability to new and changing regulatory
  requirements and rapid deployment of new
  detection capability.

19
Key Findings of Money Laundering Threat
Assessment

• One of the key challenges for DNFBPs is
  developing a risk profile of the customer base so
  that enhanced due diligence standards can be
  applied to high risk relationships both of
  account opening and throughout the course of such
  relationship
• Risk categories include product types, geographic
  location and types of business
• (what this means is that some customers because
  of the business they are involved in, where they
  live or the type of product they utilize, pose a
  higher risk for money laundering activities)

20
Compliance vs. Risk Management

• Compliance is the management of regulatory risk.
• AML/CFT compliance is meeting all obligations
  mandated under the AML/CFT laws and regulations.
• Risk is the probability of the occurrence of an
  event and its consequences

21
BUSINESS RISK VS REGULATORY RISK

• Business Risk is the risk that the DNFBP may be
  used for ML/TF
• Regulatory Risk is associated with not meeting
  obligations under the AML/CFT laws

22
BUSINESS RISKS

• Customer Risk
• Products Risk
• Service Risk
• Business Practice Risk
• Delivery Channel Risk
• Location Risk
• Jurisdiction/Geography Risk

23
REGULATORY RISKS

• Non STR Reporting
• Non Conduct of CDD/EDD
• No AML/CFT program
• No training
• No Independent Compliance Testing
• Non CTR filing
• Non Mandatory Reports filling
• No Management Arrangement

24
COMPLIANCE

• Compliance is about meeting obligation that may
  have a mandatory component
• All compliance risks must be dealt with
• Compliance identifies all the obligations an
  organisation has

25
A QUESTION OF RISK

• A supervised entity is challenged to define its
  risk appetite in the context of AML/CFT and
  develop strategies to effectively manage the risk
  inherent in the business it conducts.
• It is therefore expected that institutions will
  be able to demonstrate that they understand the
  risk they take on and that they have devised
  internal mechanisms and controls to mange that
  risk.

26
National Risk Assessment Factors that influence
ML/TF Risk

• Political environment.
• Legal environment.
• A countrys economic structure.
• Cultural factors, and the nature of civil
  society.
• Sources, location and concentration of criminal
  activity.
• Size and composition of the financial services
  industry.
• Ownership structure of financial institutions and
  DNFBPs businesses.
• Size and nature of the activity carried out by
  DNFBPs, including accountants.
• Corporate governance arrangements in relation to
  financial institutions, DNFBPs, including
  accountants, and the wider economy.
• The nature of payment systems and the prevalence
  of cash-based transactions.

27
National Risk Assessment Factors that influence
ML/TF Risk

• Geographical spread of the financial industrys
  and DNFBPs operations and customers/clients.
• Types of products and services offered by
  financial institutions and accountants.
• Types of customers/clients serviced by financial
  institutions and accountants.
• Types of predicate offences.
• Amounts of illicit money generated domestically.
• Amounts of illicit money generated abroad and
  laundered domestically.
• Main channels or instruments used for laundering
  or financing terrorism.
• Sectors of the legal economy affected.
• Underground/informal areas in the economy.

28
Risk Definition

• Risk is the level of exposure opportunity,
  threat and uncertainty that a DNFBP must
  identify, measure, understand and effectively
  manage, as it executes its strategies to achieve
  its business objectives and create value.
• Simply defined, risk is the likelihood that the
  outcome of events will vary from our
  expectations.
• For example
• a borrowing customer or trading counterparty may
  fail to meet its repayment/settlement obligations
  to the DNFBP as and when due (Credit Risk)
• unforeseen movements in interest rates, foreign
  exchange rates or equity prices may have major
  effects on the value of the DNFBPs trading
  portfolio (Market Risk)
• the DNFBP may suffer losses due to frauds,
  systems failures or weaknesses in operational
  controls (Operational Risk)
• or due to litigation and/or violations of
  provisions of Laws and Statutes (Compliance and
  Legal Risk)
• Or the DNFBP may suffer bad press (Reputation
  Risk).
• A new competitor enters the market to take market
  share
• (Strategic Risk)

29
The Risk Management Framework

• The primary role of Risk Management is to
  minimize the divergence between expectations and
  outcomes, thus ensuring the realization of more
  predictable results.
• This can only be achieved through a robust
  framework and clearly defined and transparent
  processes for
• the identification of all factors that may lead
  to the said divergences (Risk Identification)
• estimation of the likelihood of their occurrence
  and the extent or severity of their impact in the
  event of occurrence
  (Risk Assessment/Measurement)
• design of effective controls to minimize both the
  likelihood and the impact of risk events (Risk
  Control)
• establishment of procedures to ensure that these
  controls are effective and are being complied
  with (Risk Monitoring)
• regular reporting of risk events and controls
  (Risk Reporting)
• and provision of sufficient capital to absorb the
  adverse impact of expected and unexpected losses.
•  

30
Risks Associated with Money Laundering

• Reputational risk is the potential that adverse
  publicity regarding a businesses practices and
  associations, whether accurate or not, will cause
  a loss of public confidence in the integrity of
  the institution.
• Borrowers, depositors, and investors might stop
  doing business with the institution because of a
  money laundering scandal involving the
  institution.
• Operational risk is the potential for loss
  resulting from inadequate or failed internal
  processes, people, systems and external events
• DNFIs that rely on the proceeds of crime have
  additional challenges in adequately managing
  their assets, liabilities and operations.
• Increased borrowing or funding costs can also be
  included in such losses.
• Legal risk is the potential for lawsuits, adverse
  judgments, unenforceable contracts, fines and
  penalties generating losses, increased expenses
  for an institution, or even closure of such an
  institution.
• Concentration risk is the potential for loss
  resulting from too much credit or loan exposure
  to one borrower.
• Lack of knowledge about a particular customer or
  who is behind the customer, or what the
  customers relationship is to other borrowers,
  can place a DNFBP at risk in this regard.
• This is particularly a concern where there are
  related counter-parties, connected borrowers, and
  a common source of income or assets for
  repayment.

31
Risk Management Process Overview
Communicate Consult
Establish Context Internal context External
context Stakeholders criteria Define structure
Identify Risks What can happen? How and
why? When and where?
Analyse Risks Review controls Determine likelihoo
d consequence Hence risk level
Evaluate Risks Compare against criteria Rank
risks set priorities Treatment?
Treat Risks Identify options Select the best
responses. Develop risk treatment
plans. Implement Assess residual risk
Monitor Review
Risk Assessment
32
Risk Management Model
32
32
33
Organizational Risk Environment
34
RISK MANAGEMENT MODEL

• NB

RISK MITIGATION IMPLEMENTATION OF CONTROL (RISK
TREATMENT
RISK REVIEW

• Manage the Business Risks
• Apply risk management and mitigation strategies
• Implement policies and procedures
• Manage the Regulatory Risks
• Deploy system

35
RISK MANAGEMENT WORKSHEET
RISK GROUP CUSTOMERS CUSTOMERS CUSTOMERS
HIGH RISK LIKELIHOOD IMPACT RISK SCORE TREATMENT/ACTION
PeP        
Customers in cash generating business        
Customers who is an unregistered charity      
36
Level of Risk (Heat Wave)
37
RISK TOLERANCE

• In addition to defining the risks appetite you
  can also define a level of variation to how you
  manage the risk. This is called risk tolerance.
  It provides some operational flexibility while
  still adhering to the Risk framework the DNFBP
  has developed.
• The DNFBP has decided for example that generally
  the risk is unacceptable to accept inflow from
  IRAN.
• However, it has some risk tolerance. In this case
  the business will permit transaction provided it
  is a DNFBP-to-DNFBP transaction.
• The customer provides identification using
  International Passport only and the verification
  is carried out, the transaction is approved by a
  Senior Manager . As such the DNFBP understands
  and accepts the consequences of a ML/TF risk
  being realised

38
RISK TREATMENT

• Risk Treatment steps include
• Setting transaction limits for higher risk
  products
• Having a management approval process for high
  risk products
• Having a process to place customers in different
  risk categories and apply different
  identification and verification methods
• Not accepting customers who represent
  unregistered NGOs, NPOs, Charities, Hawala etc
  and those who wish to transact with a high-risk
  country

39
RISK IDENTIFICATION Customer/Client

• NATURAL PERSONS
• Citizenship
• Place of birth
• Residence
• Employment
• Source of funds
• Source of wealth
• Purpose of account
• History/ Internet search results
• Type of product being purchased

40
RISK IDENTIFICATION -Customer

• LEGAL PERSONS
• Place of incorporation
• Type of business
• Level of regulation
• Assets
• Private or public
• Local presence
• Audited financial statement

41
RISK IDENTIFICATION -customer

• Customer Business
• Nature of Activity/Business i.e. AML/TF prone or
  not
• Category of Customer i.e. PEP, FEP, Non F/F
• Type of Customer (Private/Retail)
• Ownership Structure
• Size of Business
• Family Tree/Subsidiaries/Affiliation
• Level of KYC available
• Level of monitoring available
• Lifestyle/mannerism
• Layering/Integration risks

42
EXAMPLES OF HIGH RISK CUSTOMER

• Politically Exposed Persons (PEPs)
• Financially Exposed Persons (FEPs)
• Non-resident customers
• Safe custody/safety deposit boxes
• Existing customers changing to a new and
  different business
• Off-shore customers
• Account opened by intermediaries (Lawyers,
  Accountants)
• Significant/unexplained distance between customer
  location and DNFBP
• Movement of accounts to different DNFBP in
  different locations
• Difficulty in identifying Beneficial Owner.
• Cash intensive businesses MSB, CASINO, BDC etc
• The use of intermediaries that are not supervised
  
• Minors
• Disabled customers
• Trust, Nominee and Fiduciary clients
• Partnerships

43
EXAMPLES OF HIGH RISK CUSTOMER

• Partnerships
• Non Governmental Organisations (NGOs)
• Private DNFBP-anonymous clients
• Joint Accounts
• Numbered accounts
• Nominee shareholders or shares in bearer form
• Use of cash cards mobile phones, internet
• Use of Corporate Vehicles
• Introduced Business
• Non-Face-to-Face Customers
• Correspondent DNFBP relationships
• Client Accounts Opened By Professional
  Intermediaries
• Real estate brokers/agents
• Non-Bank financial institutions
• Government account

44
RISK IDENTIFICATION (PRODUCT RISK)

• Any product that allows a customer to readily
  convert cash into monetary instruments is High
  risk
• Any product or service that allows a Customer to
  readily move value from one jurisdiction to
  another and which conceals the source of fund is
  high risk
• If not consistent with customer type/business
  nature then it is high risk
• If it makes no economic sense considering the
  nature of customer/business it is high risk.

45
EXAMPLE OF HIGH RISK PRODUCTS

• One-off transaction products/services
• Private bank facilities
• Non-customer wire transfers
• Complexity of transaction
• No apparent economic justification
• E-banking, Mobile banking, Electronic Funds
  Transfer
• Travellers cheque, Money Order, Cashier Cheque,
  Value Card.
• Correspondent bank services
• International private DNFBP services
• DNFBP note and precious metal trading and
  delivery
• Services that enable anonymity or can readily
  cross international borders e.g online Banking

46
RISK IDENTIFICATION (GEOGRAPHY)

• Reputation
• Political Stability
• Level of corruption
• Hard Drug Production
• Hard Drug Transit
• Secrecy Jurisdictions/Tax Havens
• OFAC listed countries
• Domestic Factors
• High crime rate
• Smuggling activities
• Affinity (4-1-9)
• Border Towns
• Black Spots

47
EXAMPLES OF HIGH RISK LOCATION

• Customers subject to UN sanctions, embargoes etc
• Countries identified as lacking AML/CFT regime by
  FATF
• Countries identified as providing funds/support
  for Terrorism/Terrorist activities
• Countries identified as having significant level
  of corruption or criminal activity
• Drug producing countries

48
FG TERRORISM WATCH LIST SEP. 2011

• Somalia
• Pakistan
• Yemen
• Sudan
• Niger
• Chad
• Mauritania

49
RISK ANALYSIS MEASUREMENT

• Attaching weight to identified risk criteria
• FATF proposed
• Assessment to be done at inception of
  relationship
• Assessment to be done during the relationship
• Based on Circumstance (e.g information received
  from competent authority)

50
AML/CFT Risk Assessment
51
(No Transcript)
52
A Model of Risk
THREAT
PROTECTION
ASSETS
53
Total Cost Approach
Total Risk-Related Costs
COST
Cost of Controls
Cost of Losses
LEVEL OF CONTROL
54
Another View
Event Severity
Event Frequency
Vulnerability
Threat
Impact on Assets
55
The COSO Control Framework

• The COSO definition is a generally accepted
  framework for internal control evaluation.
• All five pillars must be in place for internal
  control to be effective.

• Monitoring
• Assessment of a control
• systems performance over time
• Combination of on-going and
• separate evaluation
• Management and supervisory
• activities.
• Internal audit activities

• Control Activities
• Policies/procedures that ensure
• management directives are carried out
• Range of activities including approvals,
• authorizations, verifications,
• recommendations, performance
• reviews, asset security and
• segregation of duties

• Control Environment
• Sets tone of organisation
• Influencing control consciousness
• of its people
• Factors include integrity,
• ethical values, competence,
• authority, responsibility.
• Foundation for all other pillars of control

• Information Communciation
• Pertinent information identified,
• captured and communicated
• in a timely manner
• Access to internally generated
• information
• Flow of information that allows for
• successful on responsibilities to summary
• of findings for management action

• Risk Assessment
• Risk assessment is the identification
• and analysis of relevant risks to
• achieving the entitys objectives.
• This forms the basis for
• determining control activities

56
Risk Management in Corporate Governance
Executive Decisions
Regulators
Review
Plan
External Reporting
Business Goals Objectives Expectations Business
Performance Risk Appetite Risk Assessment Regulati
ons Compliance
Business Plans Business Objectives Business
Strategy Internal Control Process Control
Objectives Policy and Standards
Shareholders
Board and Executive
Internal Reporting
Internal Communications
Line Management Staff
Measure
Implement
Key Performance Indicators Risk Monitoring Key
Risk Indicators Sensitivity Stress
Testing Scenario modelling
Business Processes Business Operations Business
Systems People Management Internal Controls Risk
Mitigation
Internal Auditors
Independent Audit
External Auditors
Monitoring
57
Compliance Culture

• Embedding a compliance culture into the overall
  institutional culture is key to an effective AML
  program.
• Staff at the business lines will quite
  legitimately argue that they are overwhelmed by
  other priorities.
• Sometimes, the culture of immediate, short-term
  profit overwhelms the culture of compliance with
  money laundering laws and regulations.
• It is dangerous when compliance staff is ignored,
  viewed as not relevant, or operating too distant
  from the business units.
• It is critical that firms establish a strong
  culture of compliance that guides and reinforces
  employees as they make decisions and choices each
  day.
• Raising awareness, to the point where everyone in
  the organization feels compelled to deter and
  detect money laundering, is vital.

58
Board Senior Managements Role

• Ultimate responsibility for the AML compliance
  program rests with the board of directors.
• Members must openly voice their commitment to the
  program, ensure that their commitment flows
  through all service areas and lines of business
  and be willing to report results to shareholders,
  if necessary.
• The boards role in AML compliance consists of
  oversight.
• That means board members are not expected to
  become money laundering experts themselves, nor
  are they responsible for day-today program
  management.
• The boards job is to formally approve an
  institutions AML Compliance program and then
  make sure the program is adequately implemented
  and maintained by staff.
• The boards oversight role also extends to the
  supervisors examination process.

59
Senior Managament Commitment to Compliance

• Senior management must show its commitment to
  compliance by
• Establishing a strong compliance plan that is
  fully implemented and approved by the board of
  directors
• Insisting that it be kept informed of compliance
  efforts, audit reports and any compliance
  failures, with corrective measures instituted
• Including regulation compliance within the job
  description and job performance evaluation of
  institution personnel and
• Conditioning employment on regulation compliance.

60
Compliance Officer's Role

• One of the compliance officers tasks is to
  obtain endorsement of the anti-money laundering
  program from senior management.
• The compliance officer must explain the roles and
  responsibilities of the board of directors and
  senior management, and how reputational risk can
  hurt the firm.
• The Compliance officer is also required to
  disseminate AML information across the
  organisation.

61
GOOD COMPLIANCE CONTROLS WHEN TO BE FLEXIBLE

• Strike the right balance, with a full
  appreciation of the environment and risks.
• Identify the risks, but do not be blinded by
  them.
• Having said.
• May be better to over control, as louse controls
  are ultimately costlier in the long run.

62
An Integrated Approach to Governance, Ethics,
Compliance and Controls
Functional Roles
Ethics Compliance Responsibilities
Market,Regulator StakeholderExpectations
Board of Directors Oversight Monitoring
Governance
Audit Assurance Risk Management
Senior Management Objectives Tone at the Top
Functional Unit Management
Drive Implementation
Ethics Compliance Risk Management
Establish Tools, Monitor Results
Compliance Facilitator
Workforce Third Parties
Self-Monitor Comply
63
ML/CFT Risk Mitigation

• The information about a customer obtained at the
  time of the establishment of a relationship or
  the opening of an account constitutes a customer
  profile.
• DNFBI businesses shall have policies and
  procedures for updating customer profiles and
  for confirming information provided by customers,
  commensurate with the assessment of the money
  laundering risks posed by the customers expected
  use of products and services
• The customers source of funds
• The customers source of income and assets
• The nature and extent of the customers expected
  use of its products and services (i.e. a
  transaction profile) or the customers investment
  objectives.

64
MITIGANTS CONTROL

• INTERNAL CONTROL FRAMEWORK
• Identify and measure risk
• Policies, procedures, systems and controls
• periodic risk based audit
• Corrective measures to strengthen compliance
• Training to meet identified gaps

65
MITIGANTS CONTROL

• CDD/KYC
• STR
• Monitoring
• Training and Awareness
• Risk Based internal control

66
MITIGANTS CONTROL -CDD/KYC

• Involves
• Identification and verification of customer
• Identification and verification of Beneficial
  Owners
• Understand nature and level customers business
• Ultimately you should be able to determine that
  customer is who he says he is.
• Also RBA adopted will enable the decision to
  lower CDD in respect of a customer.

67
Know Your Customer

• The most important means by which DNFBPs can
  avoid criminal exposure to a customer who use
  DNFBPs resources for illicit purposes is to have
  a clear and concise understanding of their
  practice.
• DNFBPs should know their customers at a minimum.
• How can we Meet these Requirements?
• Know Your Customer
• Risk-based approach to KYC
• Enhanced KYC identification if appropriate
• Countries considered to be non-cooperative.
• Need to establish beneficial ownership
• Source of funds both initially and on-going
• A regulatory chore? Or
• Commercial Common Sense
• Identification of location of business of
  customers (FATF).
• Similar process BUT different forms for different
  entities.

68
Customer Identification

• DNFBPs shall have policies and procedures to
  obtain
• sufficient
• reliable
• significant
• Information to determine the identity of all its
  customers
• individual,
• corporate and
• other legal entities.

69
Establish Transaction Profile

• A Transaction Profile is a snap shot or picture
  of the anticipated financial behaviour of a
  customer and the type of transaction he/she is
  expected to do with us.
• This behaviour forms a baseline from which we can
  evaluate whether or not future account activity
  is consistent with the clients anticipated
  financial activity.
• How DNFBPs can Meet these Requirements?
• KYC forms should have the space where
  relationship manager is required to provide the
  information about
• Transactions customer may do through DNFBPs.
• Expected volumes of transaction
• Type of products
• Type of facilities he/she will enjoy

70
Classification Of Clients/Customers Accounts

• Determine which accounts need to be monitored on
  an on-
• going basis. Accounts should be divided into two
  categories
• Plain Vanilla Accounts
• This is the low risk category account and that
  perform in the anticipated manner and NEED not be
  scrutinized on an on-going basis.
• High Risk Accounts
• This require additional due diligence and on
  going periodic monitoring. Following basic Risk
  Category should be used to analyse your
  customers
• - High Risk Geographies
• - High Risk Business
• - High Risk Products

71
Classification Of Account (Contd)

• All accounts should be reviewed annually to
  re-assess their
• risk activities i.e. classify from High Risk to
  Low Risk or vice
• versa.
• Circumstances other than account activity that
  may cause to
• shift a low risk account to High risk account
• Adverse stories in the media about a company or
  its principals (Print, Radio, T.V.)
• Negative reputational rumours in the financial or
  special community.
• Suspicious or unusual transactions.

72
Enhanced Due Diligence/Know Your Customer

• Information that outlines additional information
  about the customer
• Description of lines of business
• Business activity and market share
• Main customer bases
• Assessment of Anti-Money Laundering Controls
• Expected service requirements
• Anticipated Transaction Activity
• Supporting documentation of facts

73
Enhanced Due Diligence (EDD)

• \What is EDD?
• Risk Assessment
• Know Your Correspondent DNFBP (KYCB)
• Understand
• Use of products and services
• Transaction activity Monitoring
• Reporting of suspicious activity
• Training
• Documentation confirming that the entity is duly
  Licensed in the jurisdiction and authorized to
  operate abroad.
• Details of the financial institutions/corporation
  s ownership and its market reputation

74
Questions DNFBPs Employees Must Ask

• When dealing with your customers, ask yourself
  these questions
• How well do I know this customer?
• Does the transaction make sense considering the
  customer's profile?
• Do I fully understand the transaction the
  customer wishes to complete?
• Am I comfortable with this transaction?
• Is this the usual method for conducting this type
  of business transaction?
• If in doubt, there may be a possibility that your
  customer is using your institution to launder
  money

75
Eleven Red Flags Know Your Customer and
Transactions

• Products inconsistent with customers business
• Transaction structure unnecessarily complex
• Payment of proceeds to unrelated third party
• Locations or descriptions inconsistent with LC
• Significantly amended letter of credit
• Conducting business in high-risk jurisdictions
• Shipping products through high-risk
  jurisdictions
• Transaction in high-risk products
• Misrepresentation of quantity type of
  products
• Invoice inconsistent with Customs documents
• Obvious over- or under-pricing of products
  

76
MITIGANTS CONTROL

• SUSPICIOUS TRANSACTION REPORTING
• Unjustified frequency
• Unjustified complexities
• Activities inconsistence with business profile
• Activities that does not make economic sense
• These reports can be developed into a robust
  database from which information can be shared by
  relevant authority and FIs thereby enhancing RBA
  to AML/CFT

77
MITIGANTS CONTROL

• MONITORING OF TRANSACTION (Factors)
• Size
• AML/CFT risk,
• Methodologies
• Activity under scrutiny
• Resources
• IMPLEMENTATION FACTORS UNDER RBA
• Threshold
• Adequacy of systems and processes

78
Monitoring of DNFBPs Activities

• In developing appropriate methods of monitoring,
  DNFBIs should consider
• Current reports and management information
  generated for marketing/fraud prevention
  purposes. Could these records be adapted or used
  for AML/KYC purposes
• Whether manual or computerised monitoring is
  suitable or practical.
• May be carried out in a variety of ways, monitors
  must understand their responsibility in relation
  to AML learn to recognize the signs of crime.
• Monitoring is either manual or software assisted
  and comprises analysis of transactions.
• It is designed to seek the unusual and may be
  inter-jurisdictional e.g. monitoring FTs
  globally.
• Data protection issues, client confidentiality
  and DNFBP secrecy legislation can make
  investigation problematic.

79
Periodic Monitoring/On-going Due Diligence

• Once we have determined that a customer profile
  places it in the High Risk Category, we are
  required to monitor.
• Review High risk accounts for value, movement
  into and out of the account and geographic
  locations from which and into which funds flow.
• Review related accounts of principals or persons
  who have signature authority over the account.
• Determine if the sum total of the DNFBP
  activities are consistent with what we know about
  the client.
• Determine if a customer or business account has
  or uses additional business names or corporate
  entities.

80

• PERIODIC MONITORING/ON-GOING DUE DILIGENCE
  (Contd)
• How DNBFIs can Meet these Requirements?
• Departmental Monitoring Self Testing
• Following steps are to be taken to monitor the
  transactions movements in HIGH RISK ACCOUNTS.
• - All High Risk Accounts to placed on on status
  
• (Blocked Accounts).
• - All transactions in these accounts will be
  entered in
• the registers being maintained by each
  department/ branch.
• - All departments will updated their checklist
  and
• procedure to handle their products in
  this respect

81

• Periodic Monitoring/On-going Due Diligence
  (Contd)
• How DNBFIs can Meet these Requirements? (contd)
• Departmental Monitoring Self Testing (contd)
• All transactions over these accounts have to be
  approved by a Group Head and relationship manager
  before processing.
• - Departmental registers to be reviewed by Unit
  Heads to ensure all transactions are
  being properly entered.
• - List of these accounts will be circulated to
  all
• concerned staff and are made available on
  desk tops.

82

• Periodic Monitoring/On-going Due Diligence
  (Contd)
• How DNFBPs can Meet these Requirements?
• Independent Monitoring Testing
• Control staff will review the movements in these
  account as under
• - Daily report showing outward FCY transfers by
• beneficiaries and remitters is being
  reviewed for High
• Risk accounts.
• - Human Decision Report showing all accounts on
• status 5 is being reviewed for LCY/FCY
  transactions.
• Daily reviews are monitored through Control
  proof charts.

83
MITIGANTS CONTROL

• TRAINING AND AWARENESS
• RBA is largely human related.
• The need for training is key (recom. 15)
• Training must
• Be tailored to responsibility
• Have appropriate detail
• Be at appropriate frequency
• Test to assess that knowledge meets information
  provided

84
MITIGANTS CONTROL

• INTERNAL CONTROL
• Risk Based Process must be imbedded within the
  internal control measures.
• It must enhance staff compliance
• Snr. Management must create culture of compliance

85
MITIGANTS CONTROL

• FACTORS DETERMINING NATURE AND EXTENT OF AML/CFT
  CONTROLS
• Nature, scale and complexity of DNFBPs business
• Diversity of operation and geography
• Customer, product and activity
• Distribution channels
• Risk level of operation
• Volume of operation
• Extent of direct dealing

86

• High Risk Products
• Any product which allows a customer to readily
  convert cash to a monetary instrument.
• Any product or service which allows a customer to
  readily move value from one jurisdiction to
  another and which conceals the source of those
  funds.
• Ask whether the products or services the client
  is asking for make sense given the nature of
  their account or business.

87

• Reporting System
• Know your customer program is to alert management
  to
• unacceptable risks.
• The purpose of the program is to review accounts
  that may ultimately harm the institution.
• Once staff spots suspicious transaction either in
  the course of their normal duties or during
  on-going monitoring process, Management must be
  alerted.
• Staff must also report to their Supervisors.
• Supervisor should report to the Compliance
  Officers.
• Compliance Officers and the and Senior Managers
  should then confer and determine if it is
  necessary to consult with
• Legal Counsel so they can take appropriate
  action.

88

• Reporting System (Contd)
• How DNFBPs can Meet these Requirements?
• All suspicious activities or any other
  information e.g. adverse stories, negative
  reputational rumours of our customers should be
  reported to relationship managers group heads,
  Compliance Officers, who then confer and
  determine the actions to be taken.
• All transactions to be reported to relationship
  managers and group heads for their sign-offs.

89
What A DNBFI Should Look Out For

• Beware Of Activity Not Consistent With The
  Customers Business
• Beware Of Attempts To Avoid Reporting Or
  Record-keeping Requirements
• Beware Of Certain Funds Transfer Activities
• Beware Of A Customer Who Provides Insufficient Or
  Suspicious Information
• Beware Of Changes In DNFBP Transactions
• Beware Of Transactions With Politically Exposed
  Persons
• Business Transactions Involving Suspect/
  Blacklisted
• Transactions Through Real Estate Investments.
• Beware Of Secured And Unsecured Loan Transactions
• Beware Of Transactions With Non-financial And
  Specialised Institutions
• Beware Of Some Investment Activities
• Beware Of Some International Trade Finance
  Activities
• Beware Of A Certain DNFBP Employees
• Beware Of Certain Shareholders

90

• What You Should Do If You Decide To Carry Out A
• Suspicious Transaction.
• Seek information from the customer as to the
  origin and the destination of the funds, the aim
  of the transaction and the identity of the
  beneficiary.
• Draw up a written report as quickly as possible.
• Ensure that the DNFBP is not exposed to risk, in
  the carriage of the transaction.
• Take appropriate action to prevent the laundering
  of the proceeds of a crime or an illegal act.
  Like
• Termination of the account
• Reducing services offered
• Additional monitoring
• Filing a criminal referral with Local Law
  Enforcement Agency.
• Send the report timely to regulatory authorities.

91
Approval Controls Over High Risk (HRA)
Transactions (PEPs, NGOs BDCs and Dom a/cs)

• All accounts designated as HRA will be opened
  only on the approval in writing of the Managing
  Director (MD) or his/her deputy.
• All HRA credit facilities, irrespective of
  amount, will be signed off by the MD or his
  deputy.
• All transactions on a HRA up to a certain
  amount (deposit and withdrawal) must be approved
  in writing by the Managing Director or his
  deputy. The transactions would include but are
  not limited to, cash deposits, cheque deposits,
  investments etc.
• All HRA shall be flagged on the DNFBP software
  on a special status such that the status appears
  whenever enquiries or transactions are done on
  them.
• A weekly report on all HRA related transactions
  should be sent to the MD and copied to the DMD
  and the Chief Compliance Officer (CCO). In other
  words all HRA accounts will be flagged and
  monitored weekly.
• On a semi-annual basis, all HRA will be
  reviewed by Internal Control Unit to ensure that
  all the aforesaid processes and procedures are
  being followed in the management of these
  accounts. Deviations shall be reported to the MD
  and copied to the DMD and CCO. These reviews
  would be in addition to the routine quarterly
  audits.

92
Advice to DNFBP Operators

• Front lines of a battle
• Dont get complacent
• Be aware of new trends
• Identify how these new convenience tools can add
  to your risk
• Combat by arming yourself with knowledge
• Think about things differently
• Learn to think like a money launderer
• Risk Information Analytics Group

93
Conclusion

• Ultimately, RBA should not prohibit FIs from
  transacting business with customers but enable it
  to effectively manage ML/CFT risks
• Risk-based AML Approach facilitates
  identification of high risk situations (high risk
  transactions, customers FePs, PePs, Non-Face-to
  Face etc. and carry out enhanced due diligence
  when necessary.
• In the current context of globalization, the
  risk-based approach to AML initiatives must be
  designed to meet requirements that would counter
  emerging methods and techniques of money
  laundering activities in the context of each
  institution's particular risk profile.
• Non-DNFBP money laundering techniques,
  corporate money laundering, and the new payment
  technologies and e-products should be given
  particular attention.
• Risk-Based approach to AML initiatives must
  extend to the cataloging of laundering typologies
  found in other regions of the world Asia, Latin
  America and Central Eastern Europe.

94
Questions Issues
95
References and Further Reading

• http//www.fdic.gov/news/news/financial/2005/fil24
  05a.html
• 15 http//www.occ.treas.gov/ftp/eas/ea2005-101
• 16 http//www.fincen.gov/foster
• 17 http//www.fsa.gov.uk/Pages/Library/Communicati
  on/PR/2005/117.shtml
• 18 http//www.fincen.gov/abnamro.html
• The World Bank Capacity Enhancement Program on
  Anti-Money Laundering and Combating Financing
  of Terrorism
• Study Guide for the CAMS Certification
  Examination (ACAMS)
• www.,acams.org
• www.fatf.org
• Debra.geister_at_lexisnexis.com
• John S. Zdanowicz, Ph.D. Florida International
  Bankers AssociationProfessor of Finance Florida
  International University john.zdanowicz_at_fiu.edu
  President International Trade Alert,
  Inc.johnz_at_internationaltradealert.com
• www. internationaltradealert.com

96
Thank You
97
My Contact Details
Pattison Boleigha Bsc, MBA, FCA, ACIT, HCIB,
CAMS, CGEIT Chief Compliance Officer Access DNFBP
plc 234-8022924308, 234-012712014 boleighap_at_acce
ssDNFBPplc.com boleighap_at_gmail.com