Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

4. op risk and aml

1,061 views

Published on

  • Be the first to comment

4. op risk and aml

  1. 1. Implementing AML Compliance Program for Financial Institutions Dr. LAM Yat-fai (林日辉博士林日辉博士林日辉博士林日辉博士) Doctor of Business Administration (Finance) CFA, CAIA, FRM, PRM, MCSE, MCNE PRMIA Award of Merit 2005 E-mail: quanrisk@gmail.com 2 Outline Supervisory framework on AML Risk-based AML compliance program IT systems for AML compliance Sound practices of AML compliance 3 Supervisory framework Regulatory guidelines Circulars AML profiling Prudential survey Offsite review Onsite examination Control self-assessment Tripartite meeting 4 Regulatory guidelines Hong Kong Monetary Authority Guideline on Anti-Money Laundering and Counter- Terrorist Financing (for Authorized Institutions) Issued in January 2012, 12 chapters, 112 pages Securities and Futures Commission Guideline on Anti-Money Laundering and Counter- Terrorist Financing Issued in April 2012, 10 chapters, 130 pages
  2. 2. 5 Circular 6 AML profiling A long questionnaire consisting 30 to 40 questions AML compliance officer Composition of AML compliance committee IT systems for AML compliance in place Major MIS reports No. of PEP customers Customer AML risk classification system No. of incidents reported to JFIU during the last three years Latest audit findings To capture static information about a FI’s AML compliance program To be completed within two to three months, renew on annual basis Regulators to build a centralized database 7 Prudential survey A short questionnaire to collect some ad-hoc information during the year No. of transactions with Mr. 薄熙來, Ms. 谷開來 or Mr. 薄瓜瓜 during the last three years No. of large amount out-going fund transfers from Chongqing city during the last three years No. of customers in North Korea Driven by contemporary political, economic, regulatory and/or media focus Issued on ad-hoc basis To be completed within two to four weeks 8 Off-site review Revised and updated policies and procedures Independent audit reports on an FI’s AML compliance program Action plans to rectify audit findings Progress report on rectification actions Major incident reports Follow up by meetings
  3. 3. 9 Onsite examination Comprehensive examination Two/three-people group, around two to three months Covering major topics of an FI’s AML compliance program To assess the quality of an FI’s AML compliance program Thematic examination One man band, around one month Covering one to three hot AML compliance topics Aim at identifying sound practices and common issues of contemporary AML topics 10 Control-self assessment (“CSA”) A comprehensive audit check list To be completed by an FI herself Covering critical policy areas For each control procedure Compliance status – fully, partially or not compliant Explanations of compliance Mitigation plan and tentative completion date 11 CSA summary 12 CSA summary by institution
  4. 4. 13 CSA summary by control procedure 14 CSA summary by institution and control procedure 15 Compliance projection 16 Tripartite meeting Three-party senior meeting among Financial institution Auditor Regulator To assess the major and critical areas for improvement and/or development
  5. 5. 17 Challenges facing FIs External Regulatory requirements keep on changing and tightening Internal AML compliance a cost centre Limited budget Lack of manpower AML compliance impacts customer relationship 18 Outline Supervisory framework on AML Risk-based AML compliance program IT systems for AML compliance Sound practices of AML compliance 19 Senior management oversight Senior management is fully responsible for the AML compliance program A committee comprises senior staff from different business units A comprehensive terms of reference Regular meetings – at least quarterly Meeting minutes with discussion items on AML compliance 20 Corporate AML policy Match the regulatory guidelines Topics and no. of pages Reviewed and updated At least annually Incorporating material changes on business or regulatory requirements during the year Approved by AML committee
  6. 6. 21 AML procedures A guide book to carry out a specific AML activity, e.g. Due diligence procedure Suspicious transaction management procedure JFIU reporting procedure Department and business dependent From one page to hundred pages Reviewed at least on annual basis Approved by department head and/or AML committee 22 MIS reporting MIS reports with key risk indicators (“KRIs”) No. of high/medium/low risk customers No. of rejected potential customers No. of suspicious transactions detected No. of suspicious transactions approved No. of suspicious transactions under investigation Trend analysis Peer analysis among business lines and country offices 23 Compliance and audit Compliance To ensure that AML policies and procedures are followed through Compliance staff are advised not to be involved in daily operations to maintain independency Audit To ensure that compliance staff are doing their jobs Do more on fashion topics 24 Training and awareness New staff training within three months Annual training on regulatory updates Keep attendancy record Follow up with simple test
  7. 7. 25 Risk-based approach To justify that there is no AML activity, please do more on Customers with higher risk – CDD Counterparties with higher risk – sanction filtering Transaction with higher risk 26 Customer risk level Higher customer risk Customers with political background (PEPs) Customers in business of casino or weapon Customers in sanctioned countries Lower customer risk High school teachers Restaurant waiters Factory workers 27 Other higher risk customers Private banking Correspondent banking Money changers Companies registered in tax heavens Client accounts – who is the ultimate owner? 28 Risk-based approach Higher risk customers Detailed background check Frequent updated Close monitoring Lower risk customers Simple background check Regular updated Less monitoring
  8. 8. 29 Counterparty risk Higher counterparty risk On the sanction list Lower counterparty risk Not on the sanction list 30 Transaction risk Likelihood What is the chance? Chance of customer + chance of counterparty Exposure What is the amount? Transaction risk Likelihood x Exposure 31 Exposure Static limits HK$8,000 for wire transfer HK$120,000 for other transactions Dynamic limits Statistical distance Amount Mean Standard deviation − = 32 Transaction risk
  9. 9. 33 Outline Supervisory framework on AML Risk-based AML compliance program IT systems for AML compliance Sound practices of AML compliance 34 AML IT systems Customer identification CDD and KYC Offline checking again a sanction list Sanction filtering Transaction monitoring 35 Sanction filtering Know the counterparty of your customer Fund transfer from counterparty Fund transfer to counterparty Match against sanction lists Worldcheck Fativa Local black list Conducted before completion of transactions 36 Sanction filtering False positive Customer name similar to entities in sanction list Urgency Suspected transactions must be investigated before proceeding Resources No. of AML compliance officers
  10. 10. 37 Risk-based approach Transaction risk Likelihood x Exposure Higher transaction risk Detailed investigation Expert Lower transaction risk General investigation Front line staff 38 Resources dedicated by the bank Higher risk categories Centralized expert investigation Dedicated compliance officer Lower risk categories Decentralized general investigation Front line staff 39 Sanction filtering IT solutions 40 Transaction monitoring Know the transaction of your customer To detect suspicious transactions Conducted after the completion of transactions Implemented with offline IT systems Not to notify customer Suspicious crimes to be reported to police
  11. 11. 41 IT systems for transaction monitoring Examine within a period, all Account balances Incoming transactions Outgoing transactions Criteria set out by experts based on Historical scenarios Exceptions to normal situations 42 Transaction monitoring solutions 43 Outline Supervisory framework on AML Risk-based AML compliance program IT systems for AML compliance Sound practices of AML compliance 44 Role of senior management To accord AML compliance due priority, senior management may play an active role in the following areas. Endorsing AML policies. Appointing senior staff responsible for AM compliance. Approving or declining high risk customers. Approving or declining third party payments. Reviewing suspicious activities/cases identified by the staff. Supporting compliance investigation of suspicious cases. Participating in AML/CFT training.
  12. 12. 45 Role of senior management To reinforce the importance of AML compliance, the board of directors may contribute by Overseeing the implementation of AML policies as part of their broader governance role. Reviewing reports of violations of AML procedures and controls. 46 AML policies and procedures To help ensure that appropriate and effective AML policies and procedures are in place, firms may implement the following steps AML policies are endorsed by senior management and effectively communicated to all staff by means of training and utilizing suitable forms of testing to ensure proper understanding of the policies. Appoint a person to regularly review changes to applicable AML rules and regulations, and where necessary, make changes or updates to ensure compliance. Perform periodic audits or compliance checks of AML controls, including clients’ identification and verification procedures. Issue and distribute AML internal audit reports or compliance checking reports to all relevant business and functional departments as well as to senior management. 47 Customer acceptance and customer due diligence To undertake customer acceptance and due diligence measures on a risk sensitive basis, firms may Risk-based assessment Perform risk-based and extensive know-your-customer assessment in order to ascertain a customer's identity, beneficial owners, nature and background of its business activities and source of funds and apply a risk rating to determine the extent of ongoing monitoring. Categorise customers into distinct risk categories – high, medium and low risk. High risk customers are managed by focused resources and enhanced due diligence processes. 48 Customer acceptance and customer due diligence On-going due diligence Conduct periodic reviews depending on a customer's risk rating. This risk-based approach allows more detailed and enhanced reviews to be conducted for higher risk customers on a more frequent basis than low/medium risk customers. Generate reports identifying those accounts showing activity which fulfils predetermined criteria, such as large transaction volume, or increased account usage. The compliance officer would review and decide if the transactions made were consistent with the customer’s profile.
  13. 13. 49 Customer acceptance and customer due diligence Identification of Politically Exposed Persons and related enhanced due diligence Use Internet or other web-based tools to perform background screening. Employ external databases to perform background screening, including names of customers, directors, shareholders, authorised signatories and beneficial owners and perform batch screening on all accounts regularly. 50 Customer acceptance and customer due diligence Classify PEPs as high risk customers and adopt enhanced due diligence and escalation processes, for example by Assessing the PEP risk by obtaining information such as the customer’s political function, country of origin, type of services and products sought and the source of wealth and funds, etc. Seeking senior management’s approval before opening PEP accounts. Reviewing transactions of the PEP clients on a periodic basis. 51 Recognition and reporting of suspicious transactions To facilitate the identification of suspicious transactions and help ensure that the legal requirements for reporting suspicious transactions to the JFIU and prohibitions against tipping-off are complied with, firms may: Recognition and reporting of suspicious transactions Implement automated transaction monitoring system utilising software which is designed to detect patterns of unusual transactions and suspicious transactions. Arrange to have exception reports automatically escalated to the compliance officer for review, approval and, where necessary, to form the basis for further investigation, reporting, raising the risk rating of a customer for enhanced monitoring. 52 Recognition and reporting of suspicious transactions Cash or third-party payments Require approval of cash or third party payments by Head of Compliance and Head of relevant Business Department. Perform regular review on activities such as frequent fund transfers or cheque payments involving unverified or difficult to verify third parties or other unusual fund movements and investigate accounts with unusual activities.
  14. 14. 53 Recognition and reporting of suspicious transactions Review these reports from time to time to ensure that they have been properly updated to incorporate new indicators of suspicious activity. Incorporate organization specific indicators of potentially suspicious or unusual activities into AML policies and AML training. Conduct background checks using reliable and independent source documents and database before establishing business relationships in order to identify terrorist suspects at the initial account opening stage and on an ongoing basis thereafter. 54 Recognition and reporting of suspicious transactions No tipping-off Put in place procedures whereby Account executives and other relevant staff receive AML training and are fully cautioned against tipping off customers and made aware that they are subject to criminal liability for such actions. Only a limited number of persons, e.g. the compliance officer and senior management, are privy to suspicious transaction reports which are made to the JFIU strictly on a need-to-know basis. Account executives are not informed when suspicious transaction reports are made to the JFIU to prevent tipping off. 55 Staff training To help ensure that appropriate and effective staff training procedures are in place, firms may Distribute their internal AML policies to new staff members during induction training. Require newly recruited staff to complete training on AML and thereafter refresh themselves on AML policies and procedures regularly. Incorporate new or updated changes in AML regulations or policies whenever necessary and inform staff of these changes through different means, e.g. circulation of revised policy, internal circulars or email alerts. Provide tailored AML training for front office employees. Utilize suitable forms of testing to ensure proper understanding of the policies, e.g. quizzes. Your opinions http://sites.google.com/site/quanrisk

×