Kpmg global anti-money laundering survey 2007

618 views

Published on

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
618
On SlideShare
0
From Embeds
0
Number of Embeds
7
Actions
Shares
0
Downloads
0
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Kpmg global anti-money laundering survey 2007

  1. 1. FORENSIC Global Anti-Money Laundering Survey 2007 How banks are facing up to the challenge ADVISORY
  2. 2. Global Anti–Money Laundering Survey 2007 3 Contents Foreword 4 Executive Summary 7 Detailed survey findings 11 - 1. The role of senior management 11 - 2. The costs of AML compliance 14 - 3. AML policies and procedures 19 - 4.Formal testing and monitoring of AML systems and controls 21 - 5.Risk-based approach to Know Your Customer activity 24 - 6. Politically Exposed Persons 29 - 7. Transaction monitoring 33 - 8. Training 39 - 9. Attitudes towards regulation 43 - 10. Sanctions compliance 46 Concluding remarks 50 Regional perspectives 51 © 2007 KPMG International. KPMG International provides no client services and is a Swiss cooperative with which the independent member firms of the KPMG network are affiliated. All rights reserved.
  3. 3. 4 Global Anti–Money Laundering Survey 2007 Foreword Estimated money laundering flows are reported to be in excess of US$1 trillion being laundered every year by drug dealers, arms traffickers and other criminals1 . Recent years have seen rapid change in the financial services industry and growing regulatory expectations and pressures. Combating money laundering and terrorist financing continues to be a major challenge for the banking sector, as gatekeepers to the legitimate financial system. Given this backdrop, KPMG International commissioned this Global Anti-Money Laundering (AML) Survey to build on the findings from our last survey in 2004. Three years on, we have sought to establish whether the significant changes in the financial and regulatory environment have led to increased focus on AML and new and improved ways of tackling the challenge. Our survey shows how significantly banks have responded to this challenge – in increased investment, senior management focus, and cooperation with governments, regulators and law enforcement. Despite this good intent and strong commitment, many banks continue to struggle to design and implement an effective AML strategy, and they believe that much more needs to be done internationally to combat money laundering more effectively. Since our last survey in 2004, there has been unprecedented change in the financial market place and the regulatory environment, key developments include: • Banks have a more international footprint, markets and products have become more complex, there is greater investment in emerging markets, the amount of privately held wealth has vastly increased, and all alternative asset classes have undergone significant growth. These structural changes have deep implications for how banks tackle the challenges of AML and counter­ terrorist financing (CTF). • At the same time, banks have had to come to terms with significant regulatory change across all of their activities and operations globally. This includes legislative changes (for example, those stemming from Basel II) but also increased focus on the wider responsibilities of financial institutions, and development of the right regulatory framework to deliver the outcomes governments and regulators seek. This has led to stronger emphasis on corporate governance and senior management accountability, and has led some governments, in particular the U.S. government, to seek to apply their standards globally through the extra-territorial reach of U.S. law. • In addition to the wider regulatory changes, there have been enhancements in AML standards specifically, with changes in the requirements of the Financial Action Task Force (FATF) and Wolfsberg Group, together with new legislation at the national and supranational level (including the EU Third Money Laundering Directive). There has also been tougher enforcement of AML requirements, particularly in the U.S. but also internationally, reinforcing the message that money laundering remains a key priority for banks. Our survey points towards significant investment and improvement in the AML systems and controls environment within individual financial institutions, together with an understanding and commitment to the role banks have to play in the overall AML and counter-terrorism effort. However, there is also more to be done to make the financial system less vulnerable to money laundering and terrorist financing. For banks, this means greater focus on the © 2007 KPMG International. KPMG International provides no client services and is a Swiss cooperative with which the independent member firms of the KPMG network are affiliated. All rights reserved.
  4. 4. Global Anti–Money Laundering Survey 2007 5 effectiveness of their AML and CTF strategy, systems and controls. For the government, regulatory and law enforcement community, it means greater partnership with banks, including clearer and better information sharing. There are already signs of progress, with banks and the public sector moving in the right direction, but it will be important for this momentum to be maintained. Set against this background, we are pleased to publish KPMG Forensic’s second Global AML Survey. Reflecting the themes that have driven financial markets in the past three years, our survey this year has looked in greater depth at emerging markets, with more Brendan Nelson Global Chairman KPMG Financial Services participants in the survey coming from these countries and more analysis of the underlying results. We have also added sections on each region to explain how the survey results relate more directly to them. All of this should help our firms’ clients and regulators to benchmark banks’ AML systems and controls against trends, peer comparisons and opportunities in a more precise way. Likewise for law enforcement and policymakers, the survey aims to provide an insight into how the industry is embedding new requirements and provides some thoughts for future AML policy direction. Karen Briggs Global Head of AML KPMG Forensic Our first Global AML Survey in 2004 was extremely well received by the industry, and helped to provoke discussion and debate among banks, practitioners, regulators, governments and law enforcement alike. We believe that this survey is one of the most detailed and authoritative reports on AML systems and controls undertaken in the market place, and we hope that you will take this opportunity to consider how to respond to the challenges in today’s financial services industry. We would like to thank all the 224 banks and senior executives that participated in the survey. © 2007 KPMG International. KPMG International provides no client services and is a Swiss cooperative with which the independent member firms of the KPMG network are affiliated. All rights reserved.
  5. 5. 224 respondents overall, up from 209 in 2004 Over 25% of the top 250 banks represented 55 countries covered 60% of the banks surveyed were multi-national
  6. 6. Global Anti–Money Laundering Survey 2007 7 Executive Summary KPMG’s Global AML Survey 2007 explores the range of challenges that banking institutions face in complying with global AML requirements. We have used the same methodology as the 2004 survey, to ensure comparability of results over the intervening three years. KPMG International commissioned RS The survey covered the following topics: Consulting, an independent research 1 The role of senior management in AML issues agency based in the United Kingdom, 2 The costs of AML compliance to conduct a telephone survey of banks across the major sectors (retail banking, 3 AML policies and procedures corporate / business banking, private 4 Formal monitoring of AML systems and controls banking, investment banking and 5 Taking a risk-based approach to ‘Know Your Customer’ activity wholesale banking). These banks were drawn from the top 1,000 global banks 6 Politically Exposed Persons by tier 1 capital, and the caliber of 7 Transaction monitoring respondents was high, with job titles 8 Training ranging from Group Money Laundering Reporting Officer (MLRO) to Head of 9 Attitudes towards regulation Legal and Head of Risk. Details of the 10 Sanctions compliance survey methodology are in Appendix I: Survey Methodology Strong senior management engagement in AML efforts Banks in our survey reported that senior management were more engaged in AML issues than they had been in 2004, with the percentage of respondents reporting that their senior management and their board of directors take an active interest in AML increasing by 10 percentage points to 71%. The result reflects a mix of regulatory and international pressure on senior management to take responsibility for the full range of risks in their business, including compliance, as well as continued focus on counter-terrorist financing. As the financial services industry becomes more complex, and AML risks become more pressing, it will be important that this heightened interest in AML is directed towards ensuring systems and controls are effective in practice. AML costs have grown well beyond expectations Average AML costs were reported by the participants in our survey to have increased by 58% over the last three years. This was more than banks had expected when we carried out our 2004 survey - at that time, banks predicted costs would only rise by 43% over the following three years. Despite the unexpectedly high increase in AML costs, respondents anticipate that growth will slow, with banks predicting an average increase of 34% in AML costs over the next three years. The main drivers of the past and future increases in costs continue to be transaction monitoring and staff training, consistent with the 2004 survey. As banks develop more risk-based AML programs, the pressure will be to focus on using resources within compliance effectively and efficiently, and this may involve considerable reallocation of resources within compliance as well as cost reduction through outsourcing, offshoring or centralization of AML functions. Setting a global standard With growth in the proportion of income derived from international business, banks have become more global in their approach to managing AML risk. Nearly 85% of internationally active banks © 2007 KPMG International. KPMG International provides no client services and is a Swiss cooperative with which the independent member firms of the KPMG network are affiliated. All rights reserved.
  7. 7. 8 Global Anti–Money Laundering Survey 2007 reported that they had a global AML policy in place. As ever, though, the challenge is to ensure effective implementation of policies at the local level. More monitoring and testing of AML systems and controls Greater regulatory focus on governance, and the resulting increase in the accountability of senior management for AML, appears to have driven up the amount of independent monitoring and testing of AML systems and controls. More banks report that they have a monitoring and testing program in place, and banks report that a wider range of functions within their organization are involved in this. The key to successful testing and monitoring, however, relies on a strong drive from senior management as well as effective and timely follow-up and feedback of improvements into current systems and controls. Broader acceptance of a risk-based approach Our survey shows an increase in the number of banks using a risk-based approach to determine the level of due diligence performed on clients at account-opening stage (‘Know Your Customer’ or KYC processes). In addition, a wider range of risk factors are taken into account than was the case in our 2004 survey, recognizing the evolving international best practice in this area and greater focus on reputational risk among banks. Going forward, banks in many regions are likely to be under pressure to extend a risk- based approach to other areas of their AML strategy and – where they are given more flexibility in the design of AML processes – they will be under pressure to document the rationale for their approach so that they have an audit trail for the decisions they have made. More focus on Politically Exposed Persons (PEPs) Increased regulatory and industry focus has led more banks to seek to apply additional scrutiny to PEPs. In our 2004 survey, a surprisingly low number of banks performed enhanced due diligence on PEPs at account-opening (55%); this year, the figure has increased to 81%. Moreover, significant numbers of banks have put in place specific procedures to identify and monitor PEPs on an ongoing basis (71% of all banks in our survey). However, with no universal definition of a PEP, there are likely to be substantial differences between individual banks’ interpretation of the requirements in practice. With greater sensitivity to the reputational consequences of dealing with PEPs, banks are likely to be under pressure to examine how robust their procedures for PEPs really are. This is even more relevant in markets where business and politics are closely intertwined. Continued strong investment in transaction monitoring Virtually all respondents rely heavily on their people to spot suspicious activity, and with banking becoming more electronically based, many are investing in sophisticated IT monitoring systems. Transaction monitoring continues to be the single greatest area of AML expenditure for banks, and is expected to remain so over the next three years. Despite this, many banks want to improve the quality of their transaction monitoring, with many looking to invest in enhancing system capacity, functionality and coverage. Banks need to understand, however, that IT systems are only one component of an effective AML strategy and that they are no substitute for well-trained and vigilant staff. Vigilant staff are the first line of defense but focus is now on effectiveness of training The proportion of banks training over 60% of their staff has grown by 9 percentage points since 2004, with face-to-face training, the most commonly used mechanism and the method regarded as the single most effective. Banks continue to report that properly trained staff is the best AML control, and this is reflected in continued high spending on training programs. The regulatory focus now is moving to the effectiveness of all this training, with pressure to implement more tailored training and testing, and evidence that staff have the level of AML understanding they need to carry out their role. Broad-based support for regulatory AML efforts, but more needs to be done The survey shows continued support for global AML efforts by regulators, governments and law enforcement, with 93% of banks saying the burden of regulation is either acceptable or should be increased. However, a 51% majority of banks still believe that AML regulation could be focused more effectively, through clearer legislation, better feedback to the industry and a greater endorsement of a risk-based approach. While some banks have called for wider acceptance of a risk-based approach to AML, there is concern over whether regulators are willing to accept all of the consequences that flow from this. Even so, banks, governments, regulators and law enforcement agencies are united in seeking more collaboration and information-sharing although banks are uncertain as to how such a public-private partnership will really work in practice. © 2007 KPMG International. KPMG International provides no client services and is a Swiss cooperative with which the independent member firms of the KPMG network are affiliated. All rights reserved.
  8. 8. Global Anti–Money Laundering Survey 2007 9 Sanctions compliance a key challenge for banks Sanctions compliance was a major driver of AML costs over the past three years, being ranked the third greatest area of AML expenditure after transaction monitoring and staff training. This reflects increased focus on counter­ terrorism, the long arm of the U.S. law, and growth in the number of lists that banks need to monitor against, as well as the tougher enforcement of sanctions requirements by regulators. Despite the progress made so far, there is more to do in this area, as banks work to ensure they design operational processes that are equal to the task of complying with sanctions rules that are detailed, complex and potentially broad in scope. A particular challenge is the design and implementation of a sanctions compliance program that can support this goal. Looking ahead The survey results show significant investment in AML systems and controls, and increased engagement from senior management. The challenge for many banks will be to maintain this focus as they enter a new phase of regulatory initiatives (Basel Il, EU regulatory change and the extra­ territorial effects of U.S. legislation being some of the more high-profile examples). Banks may also find it challenging to adapt to many of the key changes that are taking place in the financial services market, with increased product complexity, greater involvement with emerging markets, and integration of mergers that have taken place on a new scale. All of these mean future challenges in relation to AML compliance going forward. Overall, although much has been achieved, there is still much to do to make the financial system more robust in the fight against money laundering. © 2007 KPMG International. KPMG International provides no client services and is a Swiss cooperative with which the independent member firms of the KPMG network are affiliated. All rights reserved.
  9. 9. Compliance starts at the top. It will be most effective in a corporate culture that emphasises standards of honesty and integrity and in which the board of directors and senior management lead by example. It concerns everyone within the bank and should be viewed as an integral part of the bank’s business activities. A bank should hold itself to high standards when carrying on business, and at all times strive to observe the spirit as well as the letter of the law. Basel Committee on Banking Supervision, ‘Compliance and the compliance function in banks’, April 2005.
  10. 10. Global Anti–Money Laundering Survey 2007 11 Detailed survey findings 1. The role of senior management AML remains a high priority for senior management AML remains a high profile issue for the senior management of banks globally. In our 2007 survey, 71% of banks reported that their most senior levels of management – including their boards of directors – take an active interest in AML compliance, up from 61% in our 2004 survey. Of the remaining banks, the majority stated that senior management took “some interest” in AML issues. Only 1% of banks reported that senior management took little interest in the subject. Moreover, over 40% of respondents said that their main board of directors Figure 1 formally discussed AML issues at least quarterly, with an additional 25% saying they did so at least monthly. The increased profile of AML as an issue is part of a broader shift in the governance of the world’s major banks, with boards of directors being held more directly accountable by shareholders and regulators for the full range of risks run by their banks. However, anecdotal evidence suggests that it may also reflect the extra-territorial effects of U.S. legislation. The U.S.A. PATRIOT Act 2001 requires due diligence, and in some cases enhanced due diligence, for correspondent banking relationships and international private banking customers. The practical High-profile enforcement action, regulatory emphasis on senior management accountability, legislative change, and increased business with countries with higher AML risk has pushed AML up the senior management agenda Profile of AML at senior management level %ofrespondents (Percentages may not add up to 100% due to rounding) Source: KPMG International, 2007 © 2007 KPMG International. KPMG International provides no client services and is a Swiss cooperative with which the independent member firms of the KPMG network are affiliated. All rights reserved.
  11. 11. 12 Global Anti–Money Laundering Survey 2007 effect of this is to require the international community to provide information sufficient to meet U.S. standards, which in the case of high risk correspondent banking clients may include providing information on the client’s customers. Within the global results, a marked shift has taken place in the Asia Pacific region. This year, 72% of banks reported that senior management took an active interest in AML, up from only 49% in 2004. This appears to be a response to increased regulatory focus in the region, and new legislation introduced or implemented in several countries, including Australia, India and China. Terrorist financing continues to be an area of focus for senior management, regulators, law enforcement and governments, and the issues and challenges arising from this have been closely bound up with AML issues. Responsible and accountable Since our last survey in 2004, AML controls have not only remained a high profile issue for senior management, but have become more so. Many regulatory regimes have for a long time imposed potential personal liability on directors of banks for shortcomings in systems and controls, including AML. However, the responsibility of senior management for AML controls is likely to become more real, and less abstract, as global regulation moves towards more principles-based and risk-based approaches. At the core of the principles-based approach is the obligation for senior management of banks to meet high-level regulatory objectives using their own judgment and evaluation of the risks in their business, rather than by meeting multiple rules. This raises difficult questions about the level of engagement that regulators expect senior management to have in each of the processes underlying this approach, from risk assessment through to design, implementation, monitoring and oversight of controls. As the FATF recommendations, which form the bedrock of global anti-money laundering standards, have moved toward a risk-based agenda, many regulators are moving in the same direction, including those in the EU and Australia. One of the clearest examples of principles-based regulation and strongest endorsements of a risk- based approach has been in the UK, where the Financial Services Authority (FSA) has replaced fifty-seven pages © 2007 KPMG International. KPMG International provides no client services and is a Swiss cooperative with which the independent member firms of the KPMG network are affiliated. All rights reserved.
  12. 12. Global Anti–Money Laundering Survey 2007 13 of detailed AML rules with two pages of principles, backed up by industry guidance. Both the new material from the Financial Services Authority and the industry guidance (the Joint Money Laundering Steering Group guidance notes) place particular emphasis on the responsibility and accountability of senior management for AML systems and controls. In addition, a number of high-profile AML and sanctions enforcement cases in the U.S., and outside the U.S. by U.S. regulators, have concentrated senior management’s attention on the reputational, legal and financial risks of AML violations. In addition to fines, the costs of remediating deficiencies are high, in terms of the direct costs of new systems, training, “look-back” reviews, and in the indirect costs of management distraction. This points to the need for senior management to focus not just on the costs of AML compliance, but the associated risks if they fail to meet regulatory expectations in respect of AML policies, procedures, culture and oversight. KPMG comment Setting the tone from the top to take responsibility for financial involved in each of the processes that Senior management has a critical role crime risk (including AML), and underpin the bank’s AML strategy, in managing an institution’s AML risk, ensuring the audit committee is from risk appetite, through to policy and with increasing focus on sufficiently focused on AML as design, implementation and ongoing reputational risk, senior management an issue. monitoring. have taken on board the need to set the right tone at the top of the bank • They have to align incentives for staff There are additional complications for and push this down throughout the to ensure better direct management internationally active banks in defining organization. A number of steps may be of AML and compliance risks. which layers of senior management necessary for this to happen in practice: need to be involved in the bank’s AML • They also need to foster a culture strategy, with regulatory obligations • Senior management have to be of cooperation between the various attaching to senior management in the visible in the AML process, through functions within the bank, and in local region, but also board communications to staff, in-person particular between the front-office responsibility for the bank’s global AML or video introductions to training and compliance, so that there is approach. In a number of instances, sessions, and ongoing awareness proper dialogue between them, regulators are focusing on AML risk in and sensitivity to AML issues. clear accountability for tasks, and a the branches of the global banks that heightened willingness to cooperate operate in their country, and this raises • They have to articulate an approach and assist one another in combating particular risks where deficiencies in to compliance, including AML money laundering. AML controls have resulted from the compliance, that focuses on absence of a clear articulation of the substance over form – making sure The strong impact senior management responsibilities of local and global that employees follow the spirit as can have on an organization’s culture senior management. well as the letter of policies and means that regulators internationally procedures. are becoming more focused on the Senior management at the global level attitude and approach taken by them should ensure that there is clear • They must put in place the towards risk management, including accountability throughout the appropriate corporate governance compliance risk and AML risk organization for AML compliance, mechanisms to ensure effective management. The challenge for banks and that there is effective oversight management of AML risk. This is how to engage with regulators on and cultural sensitivity to AML at all means training for the board of these issues, in particular identifying levels of the bank. directors, nominating a director what level of management needs to be © 2007 KPMG International. KPMG International provides no client services and is a Swiss cooperative with which the independent member firms of the KPMG network are affiliated. All rights reserved.
  13. 13. %increaseinAMLinvestment 14 Global Anti–Money Laundering Survey 2007 2. The costs of AML compliance Costs are up substantially, far more than participants in the survey anticipated in 2004. As costs continue to increase, there will be pressure to innovate and streamline costs through outsourcing, offshoring and process re-engineering AML costs far exceed expectations With growing regulatory expectations and strong demand for experienced compliance professionals, the costs of AML compliance have increased substantially over the past three years – well ahead of the expectations of the banks that we surveyed in 2004. At that time, banks predicted that their AML costs would rise by 43% over the following three years; our survey this year shows banks reported that their actual costs had increased by 58% over the period. Unsurprisingly, the regions that recorded the highest increase in costs were North America and the Middle East / Africa. This reflects the significant legal Figure 2 and regulatory changes in the U.S., and the wider impact of the extra-territorial provisions of U.S. law around the world. In many regions, the rate of growth is surprisingly consistent in the 2004 and 2007 surveys, implying that AML costs may continue to grow at a similar rate (see figure 3 on page 15). Despite the strong, sustained rate of growth in AML costs, banks internationally continue to predict that costs over the next three years will grow at a slower rate, and are even more optimistic about the anticipated slowdown in costs than they were three years ago (in 2004, banks expected the growth rate to fall by Banks’ estimates of average % increase in AML investment over the past three years and the next three years Source: KPMG International, 2007 © 2007 KPMG International. KPMG International provides no client services and is a Swiss cooperative with which the independent member firms of the KPMG network are affiliated. All rights reserved.
  14. 14. Global Anti–Money Laundering Survey 2007 15 18 percentage points; this year they expect the growth rate to fall by 24 percentage points). North American banks were particularly optimistic in 2004, and remain so in 2007. In our last survey they reported that, despite a 66% rise in AML costs over the previous three years, they expected the rate of growth for the next three years to slow to 46%. The actual rate of growth according to our 2007 survey was closer to 71%, and these banks, in spite of under-estimating costs in 2004, still expect the growth rate to slow over the next three years to 28%. This points to the need for banks in this region in particular, and banks internationally, to give careful thought to the degree of optimism in their compliance budgets going forward. The difficulty of estimating AML costs is that cost may be spread across many different functions (operations, compliance, risk) or regions, involve direct and indirect costs, and overlap with processes that are embedded in normal business practice (e.g. credit risk or customer relationship management). These factors, together with the unexpectedly sharp increase in AML costs over the past three years, meant that a substantial proportion of respondents felt unable to predict their future AML costs (10% of respondents). Where banks are not aware of the full costs of AML compliance, they may not Figure 3 necessarily be well positioned to consider how they can better apply their resources to focus on the major areas of AML risk. Although there may be difficulties in identifying and quantifying all of the drivers of AML costs, there can be ancillary benefits to doing so. It can, for example, improve a bank’s understanding of the full range of AML processes that exist across its organization and - through this - can highlight enhancements required in processes, unjustified variations in these, or learning points that can be applied elsewhere in the bank. Banks’ estimates of average % increase in AML investment over the past three years, 2004 and 2007 surveys 2004 2007 Estimate of increase Estimate of increase in AML investment in AML investment Increase / decrease over prior three years over prior three years (percentage points) Total 61% 58% -3% Europe 63% 58% -5% North America 66% 71% 5% ASPAC 36% 37% 1% C/S America / Caribbean 73% 59% -14% Russia / CIS 66% 60% -6% Middle East / Africa 68% 70% 2% Source: KPMG International, 2004 and 2007 © 2007 KPMG International. KPMG International provides no client services and is a Swiss cooperative with which the independent member firms of the KPMG network are affiliated. All rights reserved.
  15. 15. 16 Global Anti–Money Laundering Survey 2007 Areas of greatest AML expenditure The AML activities requiring the largest investment over the previous three years have not changed markedly from 2004, with transaction monitoring and training topping the survey. Sanctions compliance was a new activity included in this year’s survey, and it has already been ranked as the third largest area of expenditure over the last three years. The drivers of higher expenditure appear to be greater expenditure on transaction monitoring capabilities and upgrades Figure 4 to existing systems, and the provision of additional tailored training to staff. As in 2004, we asked banks to estimate their absolute costs of AML compliance. Not many respondents felt able to do this, and the few estimates that we did receive seemed to be fairly low, suggesting that perhaps these banks had only included the direct costs of AML compliance. This helps to underscore the difficulties of estimating the wide range of costs associated with AML compliance. Banks’ estimates of greatest additional AML spending over the last and next three years Score out of 5 Source: KPMG International, 2007 © 2007 KPMG International. KPMG International provides no client services and is a Swiss cooperative with which the independent member firms of the KPMG network are affiliated. All rights reserved.
  16. 16. Global Anti–Money Laundering Survey 2007 17 Outsourcing or offshoring of AML functions As banks review their costs, a topical issue is the use of outsourcing or offshoring. Internationally active banks appear to have been reluctant in the past to consider moving AML functions offshore or to a third party. This reluctance appears to stem from legitimate concerns among banks about their accountability for a function they may cease to have day- to-day control or oversight over. Globally, 73% of banks reported they had never considered the outsourcing or offshoring of AML functions. As well as concern over potential loss of control, the low number of banks that have outsourced or offshored AML activities may also reflect the wide range of different functions involved in AML processes. This makes it more difficult to coordinate outsourcing or offshoring projects, and may also mean that no single function has the ability to begin such a project on their own initiative. Within the global result, banks from the North Americas reported a slightly higher willingness to consider or use outsourcing or offshoring as a solution (13% of banks had outsourced or offshored some AML functions, and 20% were considering doing so, or had considered doing so but put their plans on hold). ASPAC and Russia & CIS were the two regions with the least appetite to consider outsourcing or offshoring: 94% and 95% of banks respectively Figure 5 had never considered either or had considered and rejected doing so. This is likely to be because many of the countries in these regions are themselves low cost centers, and therefore the relative attractiveness of outsourcing or offshoring is diminished. Where banks have outsourced or offshored AML functions, our understanding is that functions have mainly moved to low cost centers in Asia, and so far have consisted of ‘vanilla’ AML processes, for example initial KYC gathering or initial screening of transaction monitoring reports to clear ‘false positives’. Consideration of outsourcing or offshoring of any AML functions % of respondents (Percentages may not add up to 100% due to rounding) Source: KPMG International, 2007 © 2007 KPMG International. KPMG International provides no client services and is a Swiss cooperative with which the independent member firms of the KPMG network are affiliated. All rights reserved.
  17. 17. 18 Global Anti–Money Laundering Survey 2007 KPMG comment Understanding AML costs and processes Banks have long been applying Activity Based Costing and Six Sigma techniques across a range of functions to identify the drivers of costs and embed operational effectiveness. However, this does not appear to have happened often in relation to compliance or AML, perhaps because of the complexity of the exercise, or because of the mandatory nature of these functions. In practice, though, banks have discretion over how they direct their resources, and there are steps they can take to improve efficiency and effectiveness. Without this focus on costs, banks risk losing many of the opportunities offered by process improvements made elsewhere in the bank, for example, the benefits of increased automation of payments processing are undermined if AML controls within the process continue to be manual and cause downstream disruption. However, as other functions have been outsourced or offshored, some banks have had success in moving components of the AML process as well, for example alerts management or customer due diligence data Outsourcing / StreamliningofAMLprocesses Offshoring Shared Service Centers Over time, globally active banks may move towards a combination of Shared Service Diverse AML Centers and outsourcing or offshoring. processes spread over multiple locations Most banks are at a stage where diverse AML processes are spread over multiple locations, or some combination of this and Shared Service Centers Time gathering. In general, banks have had more success where they have moved AML functions along with accompanying operational processes, rather than AML functions in isolation. But it is important to recognize that banks retain ultimate responsiblity for AML risk irrespective of where processes are based. Accordingly, in practice, many banks are moving toward a ‘global’ or ‘group’ AML and financial crime function which operates as a ‘center of excellence’ in providing proactive AML risk management. © 2007 KPMG International. KPMG International provides no client services and is a Swiss cooperative with which the independent member firms of the KPMG network are affiliated. All rights reserved.
  18. 18. Global Anti–Money Laundering Survey 2007 19 3. AML policies and procedures Increasing use of global AML policies and procedures As capital flows have become more international and cross-border mergers and acquisitions of banking institutions have driven consolidation in the industry, banks must assess whether to apply a single set of AML policies and procedures across borders. We asked banks which of three approaches they used to set their policies and procedures: a global approach, a local approach, or some combination of the two. Nearly 85% of internationally active banks reported that they had a global AML policy in place, up from 83% in our 2004 survey. Whilst this is a relatively modest increase, it is from a high base, and reflects growing acceptance and adoption of international best practices. Figure 6 In making decisions about which approach to adopt, banks need to balance the simplicity of a single set of global policies and procedures against the potential competitive disadvantage of applying higher standards in local markets around the world. Our survey results, however, suggest that, in general, concerns about the potential reputational damage of inadequate AML policies and procedures has led most banks to adopt global minimum standards. There are, however, regional variances in the results. Notably, banks from North America, Europe and Russia & CIS all have a strong bias towards global policies and procedures, even if in some instances detailed procedures are set at a local or regional level. Growing ‘internationalization’ of banking is pushing institutions towards the use of global AML policies to ensure they manage their AML risk using a consistent and comprehensive approach Statement best describing respondents' AML policies and procedures (excluding respondents only operating in one country) (Percentages may not add up to 100% due to rounding) Source: KPMG International, 2007 © 2007 KPMG International. KPMG International provides no client services and is a Swiss cooperative with which the independent member firms of the KPMG network are affiliated. All rights reserved.
  19. 19. 20 Global Anti–Money Laundering Survey 2007 In the case of the U.S., it is apparent that all internationally active banks have a global component to their policies and procedures, reflecting the need to implement the extra-territorial components of domestic legislation on a global basis, principally the Office of Foreign Assets Control (OFAC) requirements and the requirements of the U.S.A. PATRIOT Act 2001 with respect to, for example, correspondent banking and international private banking relationships. In Europe, there appears to be a greater willingness to apply global policies and procedures on a more consistent basis, with less delegation to local operations. This is likely to reflect the high-level, principles-based nature of AML requirements in this region, which makes it easier to design policies and procedures that are flexible enough to be implemented outside the home country. It may also reflect the fact that a common legislative framework applies in Europe and so many of the European respondents may find it feasible and economic to implement one set of global policies and procedures. In Russia, a very high proportion of banks reported using global policies and procedures. This is likely to reflect regulatory pressure, where AML policies need the approval of the local regulator (the Central Bank of Russia, or CBR) and a number of banks have had, and continue to have, their banking licenses revoked for failure to comply with AML regulations. Whilst there is no requirement to have a global policy, it is a common way for banks in the region to demonstrate that their approach to AML is comprehensive and aligned with regulatory expectations. By contrast, significant numbers of banks in the Middle East and Africa regions have adopted a “local approach” to setting AML policies and procedures. There is a reluctance among banks in the region to suffer competitive disadvantage by voluntarily adopting higher AML standards than is required by law, as well as less focus among the regulatory community in pushing banks towards global policies. In some instances, the standards set by a bank’s home regulator may not be appropriate for ‘export’ to other markets in which the bank operates. This may be because they are not sufficiently demanding for use in other countries, or are too heavily influenced by local factors. KPMG comment Operationalizing a risk-based approach they have followed in setting policies in to the bank’s services in other through global policies their organization so that they can explain countries or regions without meeting Global banks face significant challenges to regulators and internal stakeholders the AML requirements that are in developing and operationalizing their what approach they have taken in each necessary in those parts of the world risk-based approach across multiple country, and why.This is particularly (whether required by local regulations business units and territories.There is important as a line of defense when or by the bank’s global policy). also a real need for banks to fully regulatory expectations change in a articulate their risk-based approach, country or region without any formal Banks also need to focus continually including how the specific risk appetite changes to rules or legislation. Where on the effective implementation of of the bank has driven the design of the banks are able to explain what approach policies and procedures. Regulatory model. Much of the experience gained they have taken, and why, this can form action can equally be taken where by banks in developing their operational the basis for an informed discussion with banks have not applied policies and risk program under the requirements of the regulatory community and an procedures consistently, rather than Basel ll could also be leveraged in enhanced ability to avoid gaps emerging failed to design any in the first place. developing a comprehensive top-down, between regulatory expectations and the In practice, this means focusing on the bottom-up approach to designing and bank’s actual AML practices. realities of implementing the policies operationalizing an effective AML risk- and procedures, such as the clarity based approach. In addition, some banks Documentation of local deviations to of the policies for employees, training may find it useful to assess the extent to global policy is particularly important to and communicating the policies and which the risk of an AML failure has help ensure a common understanding procedures, and the application of been reflected within the operational risk across the organization of the policies these, i.e. how easily and quickly model of the bank. in place in each country or region. employees can follow processes Without this, there is a risk that clients in practice, as well as monitoring Throughout this process, banks need to accepted into a part of the group with effectiveness on a regular basis. document carefully the thought process lower KYC standards can gain access © 2007 KPMG International. KPMG International provides no client services and is a Swiss cooperative with which the independent member firms of the KPMG network are affiliated. All rights reserved.
  20. 20. Global Anti–Money Laundering Survey 2007 21 4. Formal testing and monitoring of AML systems and controls Eighty-three percent of banks in the survey formally test and monitor the effectiveness of their AML systems and controls Greater senior management and regulatory focus on AML has heightened the relevance of formal and independent testing of the effectiveness of AML systems and controls. Our survey reflected this, with the overwhelming majority of banks reporting that they had a formal program of testing and monitoring of their AML systems and controls. The results show an increase in the amount of testing and monitoring undertaken by banks since the 2004 survey (83% of banks versus 75% in 2004). The surprising figure is that only 92% of U.S. banks reported that they undertook formal testing of their AML systems and controls, despite this being a requirement of the U.S.A. PATRIOT Act 2001 (in 2004, the comparable figure was 91%). As with the previous survey, the European figure appears low, with only 70% of banks reporting that they had formal testing or monitoring of their AML controls. However, this masks variations in the different countries within Europe. One hundred percent of respondents in 10 European countries (including France, Ireland, Spain and the U.K.) had formal testing in place, but a number of major European constituents had lower percentages (for example, Germany 38% and Switzerland 50%). Figure 7 The drive among regulators and senior management to challenge banks’ control functions to demonstrate the effectiveness of AML systems and controls has led to an increase in both the amount of testing and monitoring taking place and the range of control functions involved Respondents with a formal program for testing and monitoring the effectiveness of their AML systems and controls %ofrespondents Source: KPMG International, 2007 © 2007 KPMG International. KPMG International provides no client services and is a Swiss cooperative with which the independent member firms of the KPMG network are affiliated. All rights reserved.
  21. 21. 22 Global Anti–Money Laundering Survey 2007 In reading the results, it should be borne in mind that in Germany, local law requires banks’ external auditors to report on their AML systems and controls on an annual basis, and in Switzerland there is also a legal requirement for the external auditors of banks to audit AML compliance and report to the bank and their local regulator annually. This suggests that banks in these regions may have responded to the question purely in terms of internal monitoring rather than by reference to any statutory review work undertaken by their external auditors. If the European figures were adjusted for this, they would be broadly in line with other regions. Our survey also showed that a wider range of functions within banks are now undertaking formal testing and monitoring of AML compliance, recognizing the range of functions involved in AML compliance. Whilst the survey reflects the multiplicity of functions with potentially overlapping responsibilities with respect to AML, it is important to note that these functions have differing roles and responsibilities in relation to AML. There are three “lines of defense” in AML compliance: staff Figure 8 engaged in client on-boarding and ongoing monitoring; control functions that test the effectiveness of controls on an ongoing and regular basis; and fully independent control functions that review and test controls after the event (Figure 9). A significant figure in the 2007 survey is the increase in the amount of AML monitoring carried out by financial crime or fraud prevention units, which – although they may not be more independent than compliance – may nevertheless act as a center of excellence for AML and fraud prevention. The survey results therefore reflect a broader trend Functions with a role in testing and monitoring the effectiveness of AML systems and controls (Options are not mutually exclusive) Source: KPMG International, 2004 and 2007 © 2007 KPMG International. KPMG International provides no client services and is a Swiss cooperative with which the independent member firms of the KPMG network are affiliated. All rights reserved.
  22. 22. Global Anti–Money Laundering Survey 2007 23 and attributes brought to bear on the task. This means having the right mix of independence, timeliness of review, proximity to the business, and AML experience to ensure that the key issues are identified and tackled, and that learning points are fed back into operational processes. Source: KPMG International, 2007 in the industry towards the setting up of a financial crime function with oversight of both AML and fraud, and in the long-term may come to include market abuse. This is consistent with what is happening in the industry. In Australia, for example, a number of banks are considering whether cost efficiencies and reductions in fraud can be achieved by combining AML and fraud monitoring within one function, using a common system. Whatever the approach adopted, the key to effective AML monitoring is to seek to ensure the bank has a range of complementary skills, experience Figure 9 “Three lines of defense” KPMG comment Taking ownership of AML monitoring With such a broad range of functions involved in AML monitoring, there is a risk within banks that senior management, and compliance, may take false comfort in the view that because the overall quantity of monitoring is high, it will be sufficient to prevent any mishaps.The reality is that some monitoring may be impaired, whether by lack of independence, infrequency of review, inexperience of staff, or lack of coordination between functions with resulting overlaps or gaps in monitoring. In many instances, internal audit is the last line of defense and through their detailed and independent review work, weaknesses in AML controls are often identified which should have been identified by other functions at a far earlier stage. One approach to this problem can be to set up a dedicated quality assurance (QA) team for AML controls, whether this is situated within compliance or another independent risk function (such as a financial crime function). QA teams can be used to carry out spot checks on banks’ end-to-end AML control processes. This means not only focusing on the common areas for monitoring such as KYC and client on- boarding, but also looking at other areas such as staff training, transaction monitoring, and sanctions compliance. Internal audit should be an overlay to this, not a substitute for it, and should be able to leverage off work performed by the QA team in planning and executing their audit work. One of the key challenges is finding suitably skilled and experienced staff. It requires a detailed knowledge of AML typologies, controls, and up-to­ date intelligence to identify the right issues and find areas for enhancement or additional focus. © 2007 KPMG International. KPMG International provides no client services and is a Swiss cooperative with which the independent member firms of the KPMG network are affiliated. All rights reserved.
  23. 23. 24 Global Anti–Money Laundering Survey 2007 5. Risk-based approach to KnowYour Customer activity Enhanced due diligence procedures for high-risk customers is common practice, and it is only in a small minority of countries that it has not gained wide acceptance. As risk approaches have become more sophisticated, however, banks have been forced to re-visit their existing client base and upgrade the quality of KYC information held Most banks around the world apply a risk-based approach at account-opening The requirement to know your customer underpins global efforts to counter money laundering, and it is a legal requirement in most jurisdictions. When a bank takes on a new customer, it provides the customer with an entry point to that bank both locally and internationally. It is therefore fundamental that banks understand their customers’ circumstances and financial situation and know with whom they are dealing. Doing so across a wide customer base is logistically challenging, and the international regulatory focus has been moving towards encouraging banks to apply a risk-based approach to KYC. Figure 10 In our 2007 survey, we asked banks whether they used a risk-based approach to KYC, and – if so – what risk factors they took into account. As in 2004, the majority of banks (86%) employ a risk-based approach, up from 81% in our last survey. These banks are also using a wider range of risk factors than three years ago; the broader acceptance of the wider range of risk factors is encouraging (Figure 11). A key development in this year’s survey is the higher level of consideration given to whether the customer is a Politically Exposed Person (“PEP”) at account-opening stage. This reflects increasing focus on PEPs in the international environment. Respondents that employ a risk-based approach at account-opening stage %ofrespondents Source: KPMG International, 2007 © 2007 KPMG International. KPMG International provides no client services and is a Swiss cooperative with which the independent member firms of the KPMG network are affiliated. All rights reserved.
  24. 24. Global Anti–Money Laundering Survey 2007 25 Figure 11 Factors taken into account by respondents when using a risk-based approach at account-opening stage %ofrespondentswitharisk-basedapproach (Options are not mutually exclusive) Source: KPMG International, 2004 and 2007 © 2007 KPMG International. KPMG International provides no client services and is a Swiss cooperative with which the independent member firms of the KPMG network are affiliated. All rights reserved.
  25. 25. 26 Global Anti–Money Laundering Survey 2007 Banks continue to use remediation programs to ‘backfill’ customer data The basic premise of AML is understanding who you are dealing with and the nature of their business. Risk- based monitoring for unusual or suspicious activity must be based on an understanding of what represents normal activity for that client. Banks have historically not held very much, if any, information on long-standing customers or groups of customers. Banks face a particular challenge in risk assessing existing customers whose relationship with the bank pre-dates the introduction of current KYC and account-opening legislation and guidance. As a result, a significant majority of banks have set up a program of retrospective remediation to fill in gaps in their KYC data. In a number of countries, this has been mandated by the regulatory authorities through a mix of formal rule-making, enforcement action, or informal pressure (for example through the regulatory examination process). The emphasis in the U.S. has, in the past three years, been more focused on transaction “look-backs”, as opposed to remediating KYC information (which has been mainly a European trend). Transaction look-backs generally require a bank to review historic transaction data using scenarios or parameters agreed and negotiated with their regulator, with a view to investigating and filing suspicious activity reports where necessary. These exercises can be expensive and time-consuming, and can also be difficult to perform if gaps in KYC information mean that the institution does not fully understand the context for the transactions their customers have executed. Look-backs can be useful, however, in identifying new typologies of money laundering and/or spotting suspicious behavior spread Figure 12 over a longer historical time-period than would normally be looked at through current transaction monitoring procedures. We asked banks in our survey if they had an active program to remedy gaps in the KYC information they held on existing customers, what approach they had taken, and if they did not have a remediation program, why not. The survey results show a slight but not significant increase in the number of banks engaged in a remediation program, although it remains significant that 77% of banks have a remedial plan in place. In 2004, 74% of respondents had a remedial program in place. This may help to explain in part the unexpected increase in costs of AML compliance that has been cited elsewhere in the survey. Respondents with a program to remediate gaps in KYC information held on existing customers %ofrespondents Source: KPMG International, 2007 © 2007 KPMG International. KPMG International provides no client services and is a Swiss cooperative with which the independent member firms of the KPMG network are affiliated. All rights reserved.
  26. 26. Global Anti–Money Laundering Survey 2007 27 For the banks that did not have a remediation plan, the most commonly cited reason was that they did not have sufficient gaps in their KYC information to warrant remedial action. The second most commonly cited reason was the absence of legal or regulatory pressure to do so (Figure 13). We also asked banks to specify what methodology they had adopted for remedying gaps in their KYC information. This showed a broad range of approaches being used, as in our 2004 survey (Figure 14 on page 28). The main change since our 2004 survey is the shift in approach used by banks from the ‘Central & South America and Caribbean’ region. In 2004, 73% of banks in the region reported that they were performing a remediation program across their Figure 13 entire customer base. This year, the figure rose to 83% of banks performing a remediation program, with 40% carrying this out across their entire customer base. Of the remaining banks with a remediation program 55% of banks now report they use a risk- based approach, and 5% report they only gather more KYC information when a customer opens a new account or transacts new business. We also asked respondents what issues they encountered in gathering KYC information from customers. Over 30% of banks reported difficulties in obtaining information in particular countries or regions. The responses overall did not single out any specific jurisdictions as being uniquely difficult, but this is largely because a significant proportion of respondents only operated in a small number of countries and so had no experience of operating in jurisdictions outside of this. The main countries or regions in which respondents reported the greatest difficulties obtaining KYC information were the Cayman Islands, Russia, and Eastern Europe. In relation to Russia, this is likely to reflect known issues surrounding the wide use of shell companies, and the difficulties of identifying the beneficial owners of these. The U.S., Switzerland and Middle East were also cited by some correspondents as being difficult regions to obtain KYC information, although to a lesser degree, again reflecting difficulties in obtaining beneficial ownership information and/or wider bank secrecy / data protection concerns. Respondents’ reasons for not having a remediation program in place %ofrespondentswithoutaremediationprogram (Options are not mutually exclusive) Source: KPMG International, 2007 Note: One hundred percent of banks in Russia & CIS reported having a remediation plan and so do not appear in the above table. Note also that relatively few banks responded to this question (the majority of banks had a remediation program in place), and so the percentages given are from a low base. Respondents citing another reason or ‘don’t know’ have been excluded. © 2007 KPMG International. KPMG International provides no client services and is a Swiss cooperative with which the independent member firms of the KPMG network are affiliated. All rights reserved.
  27. 27. 28 Global Anti–Money Laundering Survey 2007 Figure 14 Respondents’ approach to remediation %ofrespondents (Percentages may not add up to 100% due to rounding) Source: KPMG International, 2007 KPMG comment The challenges of applying a risk- disciplines to bear on AML issues, as KYC data, with many banks under- based approach well as focusing on the outputs of their estimating the complexity, time taken Our survey has focused on the AML processes and not just the inputs. and cost of the exercise. It also reflects application of a risk-based approach to In jurisdictions where senior the fact that banks are not only seeking client on-boarding and KYC, but the management are given greater flexibility to fill gaps that have arisen because challenge is to apply this to all of the by the regulator to set their own risk- regulatory requirements have increased components of AML systems and based processes, they will be under since an account was opened; they are controls including training and pressure to create an audit trail for their also having to fill gaps left by poor compliance monitoring. As in the early thought processes, and document the application of the bank’s processes that stages of the development of operational rationale for the approaches that they have been in place since regulatory risk frameworks, it appears that banks in have adopted. requirements changed. This points to the many regions are in a situation where need for banks to plan carefully for any they are not able to articulate the linkage A particular area in which banks have remediation program. There are potential between the institution’s risk appetite used a risk-based approach has been cost savings and operational synergies and the risk-based approach adopted for filling in gaps in their KYC information for those who tackle the task in discrete AML.This may be exacerbated by the through remediation programs. Our stages, prioritized according to the level challenge of balancing absolute AML survey this year showed approximately of risk associated with those client legal requirements with desired best the same proportion of banks had a accounts, as well as anticipating and practices. Banks need to focus more on remediation program in place as in 2004 planning for future AML challenges. these areas, and bring some of the rigor (77% of all banks in our 2007 survey). of operational risk techniques and This reflects the challenges of backfilling © 2007 KPMG International. KPMG International provides no client services and is a Swiss cooperative with which the independent member firms of the KPMG network are affiliated. All rights reserved.
  28. 28. Global Anti–Money Laundering Survey 2007 29 6. Politically Exposed Persons Increasing numbers of banks have specific procedures to identify and monitor Politically Exposed Persons PEPs are individuals who have political roles or associations, such as politicians, diplomats and high ranking members of the military, but there is no uniform definition of a PEP. Differing definitions appear in laws, regulations and guidance notes internationally. Despite this, there is a growing consensus among banks, governments and regulators that PEPs present heightened AML risks. In our 2004 survey, only 55% of banks using a risk-based approach to KYC reported that PEP status was one of their risk factors. In this year’s survey, the figure has increased to 81% of respondents (see section 5 of this survey). Across all banks, irrespective of whether they use a risk-based approach to KYC, 71% reported that they had specific procedures for identifying and monitoring PEPs on an ongoing basis. This is up from approximately 45% in our 2004 survey. In the U.S., nearly all banks have specific processes in place to identify and monitor PEPs, driven by the U.S.A. PATRIOT Act 2001, which requires monitoring of foreign PEPs. The increased focus on PEPs has not been uniform across all regions, with some countries in ASPAC placing far less emphasis on PEPs as a risk factor (for example, Australia, Japan, South Korea, Philippines andTaiwan).This is believed to reflect higher public trust in politicians and senior business executives in some Figure 15 Increased emphasis on reputational risk management, as well as legislative and cultural changes, mean that more banks than ever before have procedures in place to identify and monitor their relationships with Politically Exposed Persons Respondents with specific procedures in place for identifying and monitoring PEPs on an ongoing basis %ofrespondents Source: KPMG International, 2007 © 2007 KPMG International. KPMG International provides no client services and is a Swiss cooperative with which the independent member firms of the KPMG network are affiliated. All rights reserved.
  29. 29. 30 Global Anti–Money Laundering Survey 2007 of these countries and a general lack of requirements to identify and monitor PEPs. This is changing, however, with recent legislative changes in some countries in the ASPAC region now requiring procedures for identifying and monitoring PEPs. The comparatively low figure for Europe is likely to change as a result of the EU Third Money Laundering Directive, which requires banks to screen for PEPs.The Directive is due to be implemented by December 15, 2007 in all countries within the EEA, although it is possible that individual countries may take longer than this. Among the larger countries in Europe, there were significant variations in the extent to which they had specific procedures in place with regard to PEPs. In the five biggest countries by GDP in the EU, the U.K. and Germany Figure 16 were the most likely to have PEP procedures (86% and 62% of respondents respectively).The three remaining countries lagged behind this: France (50%), Spain (29%) and Italy (13%). One surprising result is that some of the smaller banks in our survey were more likely to have specific procedures in place for PEPs than their larger rivals. Out of the respondents who were in the top 250 banks globally (measured by tier 1 capital ), only 64% had PEP procedures. This compares to a figure of 87% for banks who were ranked 751-1000 of the world’s biggest banks. Classification of PEPs With differing definitions of PEPs across regions, and varying regulatory requirements, banks have sought to use centralized lists of PEPs to facilitate easy classification of individuals as PEPs. We asked our respondents what approach they took to create or obtain these lists (Figure 16). Our survey shows that banks in Europe and North America were the most likely to rely entirely on commercial lists they had purchased, whilst respondents in Central / South America and the Caribbean, Russia/CIS, and Middle East / Africa were more likely to use a hybrid approach. We believe this is likely to be the case because of the blurring of politics and business in some countries in these regions, and therefore the necessity of modifying commercial lists to reflect local practices and risk appetite. Banks approach to classifying individuals as PEPs %ofrespondentswithspecificPEPprocedures Source: KPMG International, 2007 © 2007 KPMG International. KPMG International provides no client services and is a Swiss cooperative with which the independent member firms of the KPMG network are affiliated. All rights reserved.
  30. 30. Global Anti–Money Laundering Survey 2007 31 Defining PEPs There are a variety of definitions of PEPs available in domestic legislation, regulations, supranational bodies and industry guidance (three of these are provided below). Whilst these may at a high-level have common features, there are many differences in the detail. This includes subtle differences in terms of the level of seniority necessary for politicians, judicial figures, or other officials to be classified as PEPs. There are also differences in the definition of who constitutes a ‘family member’ or ‘close business associate’ of a PEP. However, these difficulties of definition can be overcome by adopting a broad definition of a PEP, and applying a risk- based approach. The real difficulties are the practical application of the requirements, including: • Identification of family members or close associates of PEPs where this is not readily apparent from their name, situation, or information disclosed to the bank or available publicly. • Identification of situations where existing customers may have become a PEP because of a change in their status, or the status of a family member or business associate of theirs. • Application of PEP standards in countries with uncertain, unstable or non-transparent political structures. Wolfsberg Group “Individuals who have or have had positions of public trust, such as government officials, senior executives of government corporations, politicians, important political party officials, etc., as well as their families and close associates”. Source: The Wolfsberg Group AML Principles on Private Banking, revised version, May 2002 The Financial ActionTask Force “Individuals who are or have been entrusted with prominent public functions in a foreign country, for example Heads of State or of government, senior politicians, senior government, judicial or military officials, senior executives of state owned corporations, important political party officials”. Source: FATF Forty Recommendations, as amended October 2004. EU Third Money Laundering Directive “Natural persons who are or have been entrusted with prominent public functions and immediate family members, or persons known to be close associates, of such persons”. Source: Article 3(8) of the EU Third Money Laundering Directive, October 2005. © 2007 KPMG International. KPMG International provides no client services and is a Swiss cooperative with which the independent member firms of the KPMG network are affiliated. All rights reserved.
  31. 31. 32 Global Anti–Money Laundering Survey 2007 KPMG comment The operational complexity However, banks may need to bring Intelligence) providers to find out who of dealing with PEPs in relation these lists together into a single source their customers really are, and what to AML requirements which can be accessed from across reputation they have in local markets in With the heightened risks associated the bank. order to support their enhanced due with PEPs, banks may need to think diligence. A number of banks are also carefully about the end-to-end control As with sanctions screening, ‘PEP lists’ setting up their own internal Financial processes they have in place to identify are not static, and banks need a process Intelligence Units to coordinate PEPs, accept them as customers, and to source updates to lists against which intelligence gathering, and take a monitor their account activity. all new customers should be screened, proactive approach to identifying and an accompanying process to try to emerging risks in relation to new Identifying PEPs ensure that the changes to the list are products, customers or markets. With a wide range of definitions of a screened against the bank’s entire client Enhanced due diligence and the use PEP from regulators, industry bodies base, so that any existing account holders of Corporate Intelligence is equally and governments, banks need to give who become a PEP are identified. applicable in respect of other high risk careful thought to what definition would customers such as high net worth be appropriate for their business, and Accepting customers individuals from high-risk jurisdictions. how they can apply this consistently Doing business with PEPs raises unique across all of their operations. While the reputational issues that require Activity monitoring individuals who meet this definition will judgment and experience to evaluate. Banks must have processes in place to vary from country to country, a global For many banks, it is not possible to monitor the account activity of PEPs, approach helps to create a greater codify the range of risks, or the bank’s applying critical judgment in determining degree of consistency. risk appetite, for dealing with PEPs, and whether this activity is in line with therefore it is important that senior expectations. Transaction monitoring Whilst the use of external providers of management is involved in the decision should be based on good quality due ‘PEP lists’ is common, banks need to to accept a new client who is a PEP, or diligence undertaken at account-opening think about centralizing their use of these agree to continue servicing a client who and updated on a regular basis. This lists in order to ensure consistency has become a PEP. These decisions should address the expected source of in the identification of PEPs. This does should be based on good quality funds in the account, and the expected not necessarily mean adopting a single information and intelligence, which is transaction activity in the account, provider for PEP lists; it may be not always readily available, and banks including any underlying business and appropriate to use a number of different are increasingly using respected beneficial ownership (if it is a corporate providers to obtain global coverage. Integrity Due Diligence (or Corporate account). © 2007 KPMG International. KPMG International provides no client services and is a Swiss cooperative with which the independent member firms of the KPMG network are affiliated. All rights reserved.
  32. 32. Global Anti–Money Laundering Survey 2007 33 7. Transaction monitoring People are still the first line of defense in the fight against money laundering Transaction monitoring has long been an area of focus for regulators and banks. It is the area of AML compliance that has incurred the greatest expenditure in both our 2004 and 2007 surveys, and is expected to remain a key driver of AML costs over the next three years. The legal framework and AML requirements in most jurisdictions are based on a regime for reporting suspicious activity to law enforcement, in addition to currency transaction reporting in a number of countries. Accordingly, most banks have developed systems and controls to monitor transactions and escalate unusual or suspicious items. In our survey, we asked banks what methods they used to monitor transactions. This showed little change since the 2004 survey. Figure 17 Vigilant staff continue to be the main defense that a bank has against money laundering, and whilst transaction monitoring may be the key to the future, much work remains to be done to improve the effectiveness of systems Methods used by respondents to monitor transactions %ofrespondents (Options are not mutually exclusive) Source: KPMG International, 2007 © 2007 KPMG International. KPMG International provides no client services and is a Swiss cooperative with which the independent member firms of the KPMG network are affiliated. All rights reserved.
  33. 33. Scoreoutof5 Mean score out of 5: 1= very unsatisfactory 5= very satisfactory Source: KPMG International, 2007 34 Global Anti–Money Laundering Survey 2007 Within the regions, it is clear that there is comparatively less transaction monitoring in ASPAC with lower than average scores for nearly all of the monitoring approaches under review. This reflects a general lack of any requirements to conduct transaction monitoring, other than threshold monitoring, in many countries in this region. However, increasing emphasis is being placed on transaction monitoring as legislative requirements are updated around the region. The lower amount of transaction monitoring in the ASPAC region is also reflected in respondents’ satisfaction with their transaction monitoring systems (Figure 18). “People who design these systems should use them. Although I've said systems are not sophisticated, they are sometimes too much so for our own good” Switzerland respondent “I would like to have a system that can track both behavioral and statistical transactions ­ based on a transaction pattern (e.g. volume, country, business)” Hong Kong respondent Bearing in mind that a score of 3 is ‘neutral’ and a score of 4 is ‘fairly satisfactory’, the responses indicate banks are generally satisfied with their transaction monitoring, but only just. The scores in ASPAC are noticeably lower than other regions. We also asked banks what recommendations they would make to improve their IT monitoring systems. Of the responses, 31% were focused on aspects of enhancing software or systems, such as increasing system capacity, or better integration of multiple systems across the bank. An additional 17% of banks wanted systems with improved functionality or broader coverage. Figure 18 Increased number of Suspicious Activity Reports Greater investment in AML transaction monitoring systems and efforts appears to have resulted in higher volumes of suspicious activity reports (SARs) being filed with law enforcement authorities (Figure 19). Our survey shows that 72% of respondents reported some level of increase in the number of SARs over the past three years, up from 67% in 2004. This trend is particularly clear in the North American region, with 95% of respondents reporting some level of increase. The two biggest reasons for the increase in SARs were reported to be improved electronic / automated transaction monitoring systems and better staff training. Respondents’ satisfaction with transaction monitoring systems © 2007 KPMG International. KPMG International provides no client services and is a Swiss cooperative with which the independent member firms of the KPMG network are affiliated. All rights reserved.
  34. 34. Global Anti–Money Laundering Survey 2007 35 “We need more intelligence-based transaction monitoring with the capability to detect transactions not noted by human scrutiny” Russia respondent “We should focus Figure 19 Change in number of suspicious activity reports compared with three years ago on updating the enterprise-wide system, rather than different ones in different areas of the bank” Taiwan respondent Source: KPMG International, 2007 Figure 20 Factors that have caused the increase in SARs %ofrespondents Mean score out of 5: 1= no impact 5= very strong impact Score out of 5 Source: KPMG International, 2007 © 2007 KPMG International. KPMG International provides no client services and is a Swiss cooperative with which the independent member firms of the KPMG network are affiliated. All rights reserved.
  35. 35. 36 Global Anti–Money Laundering Survey 2007 Costs of transaction monitoring Where respondents attributed the increase in SARs to improved transaction monitoring, we asked about the impact of this on the ongoing human and financial resources needed to operate these systems. A clear consensus emerged, with 92% of banks reporting that improved monitoring systems meant more resources were required.The most commonly cited reasons for the required increase in resources were ongoing maintenance costs, the need to review ‘false positives’, and the complexity of fully implementing the systems. Our survey also looked at the potential commercial benefits flowing from implementation of automated transaction monitoring systems. Of the banks that identified commercial benefits, 37% cited improved marketing opportunities and customer relationship management, 30% referred to improved reputational risk management, and 20% mentioned fraud reduction. In relation to fraud reduction, a number of banks now appear to be moving towards incorporating additional modules into their automated AML transaction monitoring platforms to identify potential fraud, as well as moving towards consideration of wider financial crime risks. Feedback from government sources In both this year’s survey and 2004’s, a number of banks emphasized the importance of better feedback from government sources such as financial intelligence units (FIUs). Around one third of banks could name a FIU that they regarded as particularly good at providing feedback, although typically they named the FIU operating in their home state. This may reflect the fact that many respondents had not had personal experience of dealing with FIUs outside of their jurisdiction. There was broad support for better and more frequent interaction with FIUs, although with recognition that this could lead to resourcing pressure within those organizations if the volume of SARs continued to increase and processing backlogs built up. In this context, the generally positive views expressed by U.S. banks about their domestic FIUs and law enforcement agencies is impressive given the strong growth in the volume of SARs in that region. Over 30% of U.S. banks said that their domestic authorities were good at providing feedback, with particular credit going to the Financial Crimes Enforcement Network (FinCEN). FinCEN cross-border transaction It is estimated that it will take three and A significant challenge for FinCEN database a half years to set up the system and is how to use the information they The Intelligence Reform and Terrorism bring it into operation. It is also estimated receive as effectively as possible, and Prevention Act of 2004 required the that 300-500 million transactions would to analyze it in a way that produces Secretary of the U.S. Treasury to fall under the reporting requirements (as valuable insight and intelligence for law investigate the feasibility of requiring they have been defined to date), and that enforcement agencies. They also need U.S. financial institutions to report the system will need to hold a three year to consider how they will interact with certain cross-border transactions to history of transactions, with a further financial institutions so as to help them FinCEN. The feasibility study has now seven years of data maintained in an enhance their AML detection been completed, and it concluded that archive, in order to perform meaningful capabilities (i.e. the type and quantity it would be appropriate for financial and relevant analysis. of feedback they provide to industry). institutions which deal directly with foreign financial institutions to disclose The specific requirements of which The requirements and FinCEN database information on all cross-border transactions will need to be reported will clearly have an impact on all U.S. payments over US$3,000. have not yet been determined. In financial institutions handling cross- addressing these requirements, FinCEN border payments, generating additional As a result, a program of work will now has stated they will take a number of reporting requirements for the industry. be undertaken to set up a central factors into consideration, including the database into which these transactions impact on financial institutions, the can be reported by institutions, and privacy concerns of individuals (both U.S. logged for subsequent analysis by FinCEN and non-U.S.), and the wider impact on Source: ‘Feasibility of a Cross-Border Electronic Funds and other law enforcement agencies. the use of the dollar as the basis for Transfer Reporting System Under the Banking Secrecy Act’, October 2006, published by U.S. Department of international financial transactions. Treasury Financial Crimes Enforcement Network. © 2007 KPMG International. KPMG International provides no client services and is a Swiss cooperative with which the independent member firms of the KPMG network are affiliated. All rights reserved.
  36. 36. Global Anti–Money Laundering Survey 2007 37 Joined-up monitoring One of the challenges for internationally active banks in carrying out transaction monitoring is the ability to monitor a single customer’s transactions and account status across multiple countries. Our survey shows that a significant proportion of banks could not carry out this type of monitoring. Within the global results, it was clear that North American banks were ahead of their peer group, with 42% of internationally active banks in the region able to carry out monitoring of customer transactions across multiple countries. Interestingly, there was no Figure 21 evidence that the larger banks in our survey were any more capable in this area than smaller banks. This may reflect privacy laws in some countries that prevent the sharing of information around the group. A number of banks are reported to be looking at introducing single customer identification numbers to use across all of their operations globally, which would significantly enhance their ability to carry out joined-up monitoring. Banks capable of monitoring a single customer's transactions and account status across multiple countries %ofrespondents (Percentages may not add up to 100% due to rounding) Source: KPMG International, 2007 © 2007 KPMG International. KPMG International provides no client services and is a Swiss cooperative with which the independent member firms of the KPMG network are affiliated. All rights reserved.
  37. 37. 38 Global Anti–Money Laundering Survey 2007 KPMG comment Taking transaction monitoring Despite the difficulties encountered, identified or prevented, and using forward many banks are now at a stage where this to reinforce staff awareness. With the significant steps forward in they are moving from putting an the processing capacity of IT, the move electronic monitoring system in place, • Intelligence is critical to designing towards electronic banking and services, to a point where the core platform typologies to screen for money and a steady decline in the cost of IT exists, and they can focus more on laundering, and banks need to equipment, new possibilities have refining the typologies they screen network effectively to pick up on opened up in the monitoring of customer for and the escalation criteria used. current trends in money laundering. transactions. Banks worldwide have In some countries, such as the U.K., taken steps forward in the automated Whilst there is a growing trend towards regulators and FIUs have set up fora monitoring of transactions, with implementing AML transaction for banks to share views, and learn significant investment in new IT monitoring systems, there are a number from FIUs about the trends they are platforms and development of advanced of industry best practice points that seeing in the market. Banks should data analytical software. However, banks’ banks can use: seek to ensure that they participate experience of new systems have not in the discussions they are entitled • Whilst monitoring systems offer always met their expectations.They have to, and take steps to ensure the the potential to screen high found that significant resources need information they receive is – where volumes of transactions and spot to be deployed in the continual updating possible – disseminated widely patterns of behavior that may be of monitoring software, data feeds within the organization so that it can spread over time or spread over for transactions, and review of the be used by front-line staff and multiple transactions, they are no exceptions and potentially suspicious operations as well as the AML team. substitute for staff vigilance on the transactions identified by the systems. front-line. A significant proportion of Banks have also found it difficult to Good quality intelligence is particularly SARs are raised by vigilant staff design the right typologies for identifying important in the context of monitoring rather than complex systems, and money laundering, and calibrate the transactions for terrorist financing, banks should ensure that in building escalation thresholds to a level they are and a number of banks in our survey up systems they do not lose focus comfortable with.The challenge remains expressed the view that they would on staff training and awareness- that many of these systems contain like to see more and better quality building. Banks can enhance and complex mathematical algorithms that information sharing with FIUs; this develop staff potential by singling make it difficult to understand intuitively will be critical in ensuring a joined-up out occasions when money the inter-relationships between inputs approach. laundering has been successfully to the system and the outputs. © 2007 KPMG International. KPMG International provides no client services and is a Swiss cooperative with which the independent member firms of the KPMG network are affiliated. All rights reserved.
  38. 38. %ofrespondentsthatprovidesomeformofAMLtraining Global Anti–Money Laundering Survey 2007 39 8. Training There is a growing commitment to train staff to combat money laundering AML training and awareness is key to a bank’s ability to combat money laundering effectively, with 97% of banks saying they are dependent on the vigilance of staff to monitor transactions and identify suspicious activity. Reflecting this, 97% of banks say they provide some level of AML training to their staff. (Interestingly, out of the six banks in our survey with no AML training program, five nevertheless said they relied on the vigilance of staff to identify suspicious transactions). The overall amount of training given by banks has not changed markedly since our 2004 survey, and continues to show Figure 22 significant variation in the percentage of staff that banks deliver AML training to. Within Europe, the figures for 2004 and 2007 show banks moving towards the center of the distribution (the 61-80% category), with fewer banks in the 81­ 100% category and in the under 60% categories, than was the case in our 2004 survey. These shifts may reflect a more risk- based approach to training, with banks focusing training more directly on staff with a real need for it, and the amount and content of training adjusted to reflect the AML risks inherent in employees’ roles. Whatever the cause of it, however, the training patterns seem to be reflected in the costs of AML compliance, with Banks continue to invest heavily in training programs, with institutions in many regions under pressure to demonstrate the effectiveness of their training, and are looking to make it more relevant to front-line staff through case studies and practical examples Estimate by respondents of percentage of staff who received AML training in the past two years (Percentages may not add up to 100% due to rounding) Source: KPMG International, 2007 © 2007 KPMG International. KPMG International provides no client services and is a Swiss cooperative with which the independent member firms of the KPMG network are affiliated. All rights reserved.
  39. 39. 40 Global Anti–Money Laundering Survey 2007 European banks reporting that training is relatively less expensive than it appears to be in other regions.Training was the fourth largest area of AML spending in the past three years for European banks, but - on average - was ranked second across all regions globally. The results for the U.S. show particularly rapid change, and is likely to reflect the impact of the U.S.A. PATRIOT Act 2001, which requires AML training for all relevant employees of a bank, as well as some high profile enforcement actions (Figure 23). Methods of training As in 2004, face-to-face training continues to be the most common method used by all banks; this method is also regarded as being the most effective (Figure 24). Despite there being no apparent shift in views of the effectiveness of computer- based training (CBT), usage of this method has increased significantly from 2004 (up from 61% to 79% of all respondents).This may reflect a need by banks in some countries to ensure complete coverage of their employee base, and the comfort they can derive from electronic tracking of which employees have taken the training and passed the test, also important as employees change roles and move around the bank. The use of CBT also makes it easier for banks to demonstrate compliance with any training requirements set by their regulator. The survey results pointed towards a particular growth in confidence in CBT in emerging markets and corresponding higher usage thereof. In more developed markets, usage of CBT has also increased despite a slight dip in overall Figure 23 confidence in the effectiveness of that method of delivery. Improvements to training We asked respondent banks about measures that could be employed to improve the quality of AML training (Figure 25). The main theme among respondents was the wish to use more case studies for staff, both to raise awareness that AML exists in the real world, and to give staff the practical skills and knowledge to apply the AML training in their role. Despite greater pressure on banks to examine the effectiveness of their AML controls, including training, the percentage of banks considering testing of staff appears low, and whilst testing is a common feature in many CBT packages, this can often be a fairly basic assessment test. Estimate by North American respondents of percentage of staff who received AML training in the past two years, 2004 and 2007 surveys (Percentages may not add up to 100% due to rounding) Source: KPMG International, 2004 and 2007 © 2007 KPMG International. KPMG International provides no client services and is a Swiss cooperative with which the independent member firms of the KPMG network are affiliated. All rights reserved.
  40. 40. Global Anti–Money Laundering Survey 2007 41 “We need to use more examples or real case studies to give the staff the awareness that money laundering is a real existing issue” Austria respondent “We need more face- to-face training – small groups role-playing to give people the chance to work together and practice what they are looking for” U.S.A. respondent “We need to identify instances across all the institutions where things have gone wrong with KYC. We need to identify the reasons and train people to know how best to avoid them” India respondent %ofrespondents%ofrespondents Figure 24 Training methods used by respondents compared with assessment of effectiveness (Options for training delivered are not mutually exclusive) Source: KPMG International, 2007 Figure 25 Measures that could be employed to improve the quality of AML training (Options are not mutually exclusive) Source: KPMG International, 2007 © 2007 KPMG International. KPMG International provides no client services and is a Swiss cooperative with which the independent member firms of the KPMG network are affiliated. All rights reserved.
  41. 41. 42 Global Anti–Money Laundering Survey 2007 KPMG comment Enhancing the effectiveness Whilst CBT modules can include a have comparatively low SAR of training degree of testing of comprehension, reporting and why this is the case With a significant proportion of this can often be at a fairly basic level • whether a suspicious transaction Suspicious Activity Reports (SARs) and there is a need to include more identified by electronic monitoring raised by staff on the front-line, training case studies dealing with actual money systems should have been spotted is a key control that banks need to have laundering examples. In some respects, by staff first in place. In many jurisdictions, it is also face-to-face training offers more mandatory under local regulations, or opportunities for staff to raise questions • the interaction that takes place with important as a line of defense should or demonstrate their understanding of staff during training sessions. any employee of the bank commit an AML requirements, and for those offence under AML regulations. providing training to assess their Monitoring of AML controls by understanding. Accordingly, banks need compliance or internal audit can also In a number of countries, regulatory to focus more on the processes, formal include brief interviews with staff to attention is now shifting towards giving and informal, that they have in place to assess their current understanding of banks greater flexibility in who they train monitor the effectiveness of their AML systems and controls, and this, and what level of training they provide, training. This includes CBT test results, coupled with the results of monitoring reflecting the risk-based approach. but also making judgments based on a and testing, can be an effective way Whilst this offers the opportunity to range of other indicators: of assessing staff’s understanding. focus resources on the staff with the greatest need for AML awareness, and • the quality of KYC compliance during All of this information needs to be used to design training courses that are customer on-boarding to enhance the AML training program tailored to an employee’s specific • the detail and level of understanding and wider AML systems and controls. needs, regulators are also beginning to reflected in SARs escalated by staff ask more pressing questions about how banks assess the effectiveness of their • which branches or divisions of the training. bank have not raised any SARs or © 2007 KPMG International. KPMG International provides no client services and is a Swiss cooperative with which the independent member firms of the KPMG network are affiliated. All rights reserved.
  42. 42. Global Anti–Money Laundering Survey 2007 43 9. Attitudes towards regulation %ofrespondents Source: KPMG International, 2007 Global support for regulatory AML frameworks Our 2007 survey continues to reflect broad-based support for AML regulation internationally, with 93% of respondents saying the burden of AML regulation was acceptable, or even should be increased. However, this includes 51% of respondents who said that AML requirements needed to be better focused to combat money laundering more effectively. Respondents in the North Americas region displayed divided views on their regulatory regime. Whilst a significant majority regarded the regulatory Figure 26 burden as acceptable (83% of respondents), this left a large minority who regarded their regime as excessively onerous (17% of respondents). No respondents in the U.S. regarded it as necessary for their AML requirements to be increased, probably reflecting the increased activity and high profile enforcement cases in recent years. Eight percent of banks globally believed that AML requirements in their jurisdiction should be increased, however some stronger views were expressed, notably in the UAE, Nigeria and Kazakhstan (Figure 27). Statement most closely reflecting respondents’ view on AML requirements Broad-based support for AML efforts by the public sector, but prevailing view that more needs to be done to combat money laundering effectively Figure 27 % of respondents in that country expressing the view that AML requirements should be increased United Arab Emirates 83% Nigeria 50% Kazakhstan 67% Source: KPMG International, 2007 © 2007 KPMG International. KPMG International provides no client services and is a Swiss cooperative with which the independent member firms of the KPMG network are affiliated. All rights reserved.

×