1. Annual AML/CFT Risk Assessment & Investigations
Md. Sahadul Hoque
Principal Officer
Islami Bank Bangladesh Limited
Risk Management Wing
2. Agenda of the Session
AML Risk Management Framework
Why & What Risks to be assessed?
How to assess AML/CFT Risk?
Implications of AML Risk Assessment
AML Investigations
3. Let’s Refresh our Concept of Risk
The man intends to commit suicide.
He jumps from the top of the building.
Loss of life is certain.
Is the event a risky one?
Risk is the uncertainty of an expected objective (ISO 31000).
Risks can be seen as a combination of the chance that something may happen and the degree of damage or loss that may result if it does occur.
4. Why Banks are Vulnerable in ML/CFT
Definition: The process of disguising the proceeds of crime in an effort to conceal their illicit origins and legitimize their future use.
Objective: To conceal the true ownership and origin of the proceeds, a desire to maintain control, and a need to change the form of the proceeds.
Money is laundered through: Banks, Financial services, Brokerage firms.
Other examples: Insurance companies, Money remitters, Cash intensive businesses, Brokerage firms, LAWYERS and ACCOUNTANTS.
5. Is Money Laundering a Risk?
Increased headcount
Increased technology budget
Reputational damage
Consultancy fees
Long periods of Regulatory oversight
Attention from other Regulators
Loss of partners, clients
Regulatory Fines/Penalty
6. Risk Management
"Narrated Aisha, Ummul Mu'minin: The Apostle of Allah (peace be upon him) said: Profit follows responsibility of bearing loss."
(Sunan e Ibn Majah Book 23, Number 3501)
7. AML/CFT Risk Management Framework
Risk Identification
Business Risk
Customers
Products & Services
Delivery Methods or Channel
Country or Jurisdiction
Regulatory Risk
Failure to report SARs/STRs
Inappropriate customer verification
Inappropriate record keeping
Lack of AML/CFT Program
Risk Assessment
Size & Importance of Risk
likelihood – chance of the risk happening
impact – the amount of loss or damage if the risk happened
likelihood X impact = level of risk (risk score)
Risk Treatment
Business Risk
Minimize & Manage the Risks
Apply strategy, policy & procedures
Regulatory Risk:
Put in place systems and controls
Carry out risk plan and AML/CFT program
Monitoring & Review
Develop & carry out monitoring process
Keep necessary records
Review risk plan and necessary AML/CFT Program
Do internal audit and assessment
Do AML & CFT Compliance Report
9. Risk Assessment
According to Business Dictionary, Risk Assessment is –
Identification
Evaluation and
Estimation of the levels of Risks
And comparison against standards of an acceptable level of Risk.
10. Is Risk Assessment Obligatory?
FATF Recommendations No. 1
To identify ML & TF Risk
To assess ML & TF Risk
To take action
To mitigate ML & TF Risk
FATF Recommendations No. 15
To assess ML & TF Risk for new products, business techniques and delivery mechanisms
Using technology to assess new and existing products
AML Rule 2013, Rule No. 21
RO-FI shall conduct periodic assessment
Report to BFIU for vetting
Assessment report to be utilized by RO-FI after vetting
EDD for HIGH Risk
BFIU Circular Letter No. 01/2015 dated 08.01.2015: ML & TF Risk Assessment Guideline for Banking Sector
September 2015: Money Laundering and Terrorist Financing Risk Management Guideline. A Risk Register is enclosed.
11. Uses of Risk Assessment
Identify gaps and improve policy & procedures
Develop Risk Based Framework
Make senior management aware of key risks, exits and disposals
Informed decision about Risk Appetite on the basis of Residual Risk
Alignment of compliance with Risk Profile
Risk mitigation strategies and resource allocation
Regulatory reporting for remediation efforts across the FIs
12. Steps of Risk Assessment
Identification of Risk Assessment Categories
Detailed Analysis of the Gathered Data
Evaluation of AML Program
14. Kroll’s Findings on Risk Assessment of IBBL
Risk Assessment is Partial
Risk rating is done on clients’ net-worth, occupation & transaction profile only
Inadequate tools, technology and methodology
Poor data quality
Inadequate actionable information in Risk Assessment Report
Inadequate SoP & SoD
16. Business Risks Arise to and from
Customer
New customer
New customer who wants to conduct a large transaction
Transactions to the same individual or group
Cash intensive business
Identification is difficult to check
Large but small-denominated transactions
Distance between the business and the location of the customer
Non-resident customer
Complex corporate ownership
PEPs & IPs
Unreliable documents
Transactions inconsistent with source of income, etc.
Country/Jurisdiction
any country identified by credible sources as having a significant level of corruption and criminal activity
any country subject to economic or trade sanctions
any country known to be a tax haven, or identified by credible sources as providing funding or support for terrorist activities, or that has designated terrorist organizations operating within the country
any country identified by FATF or FATF-Style Regional Bodies (FSRBs) as not having an adequate AML&CFT system
any country identified as a destination of illicit financial flows
17. Business Risks Arise to and from (Cont’d)
Product & Services
private banking, i.e., prioritized or privileged banking
credit card
anonymous transaction
non face-to-face business relationship or transaction
payment received from unknown or unrelated third parties
any new product & service developed
service to walk-in customers
mobile banking
Delivery Channel
direct to the customer
online/internet
phone
fax
email
third-party agent or broker.
18. Regulatory Risks Arise to and from
Regulatory Risks
customer/beneficial owner identification and verification not done properly
failure to keep records properly
failure to scrutinize staff properly
failure to train staff adequately
not having an AML&CFT program
failure to report suspicious transactions or activities
not submitting required reports to BFIU regularly
not having an AML&CFT Compliance Officer
failure to do Enhanced Due Diligence (EDD) for high-risk customers (i.e., PEPs, IPs)
not complying with any order for freezing or suspension of transactions issued by BFIU or BB
not submitting accurate information or statements requested by BFIU or BB.
19. Other Qualitative Risk Factors
Other Risk Factors
Client base stability
Integration of IT system
Expected account/client growth
Expected revenue growth
Recent AML Compliance Employee turnover
Reliance on 3rd party providers
Recent introduction of new products and services
Recent project and initiatives related to AML Compliance matters
Recent relevant enforcement actions
National risk assessment
22. Risk Assessment Scales
Likelihood Scale (Frequency: Likelihood of an ML/FT Risk)
Very Likely: Probably occurs several times in a year
Likely: High probability that it will happen once in a year
Unlikely: Unlikely, but not impossible
Impact Scale (Consequence: Impact of an ML/FT Risk)
Major: Major damage or effect. Serious terrorist act or large-scale money laundering
Moderate: Moderate level of money laundering or terrorism financing impact
Minor: Minor or negligible consequences or effects
24. Risk Score Table
Rating: Impact of an ML&TF risk, and Response
4 Extreme: Risk almost sure to happen and/or to have very serious consequences. Response: Do not allow transaction to occur or reduce the risk to acceptable level.
3 High: Risk likely to happen and/or to have serious consequences. Response: Do not allow transaction until risk reduced.
2 Medium: Possible this could happen and/or have moderate consequences. Response: May go ahead but preferably reduce risk.
1 Low: Unlikely to happen and/or have minor or negligible consequences. Response: Okay to go ahead.
26. Risk Register
Columns: Risk; Likelihood; Impact; Risk Score; Treatment/Action
Retail Banking Customer
Risk: A new customer
Likelihood: Unlikely; Impact: Minor; Risk Score: 1 (Low)
Treatment/Action: i) CDD shall be applied properly. ii) EDD shall also be applied for high-risk clients and accounts opened without the physical presence of the client.
Risk: Walk-in customer (beneficiary is government/semi-government/autonomous body/bank & NBFI)
Likelihood: Unlikely; Impact: Minor; Risk Score: 1 (Low)
Treatment/Action: Obtaining proper KYC of the remitter.
Risk: Walk-in customer (beneficiary is other than government/semi-government/autonomous body/bank & NBFI)
Likelihood: Likely; Impact: Moderate; Risk Score: 2 (Medium)
Treatment/Action: i) Obtaining proper KYC of the remitter/beneficiary. ii) Reporting STR/SAR if anything suspicious is found.
Risk: Non-Resident customer (Bangladeshi)
Likelihood: Likely; Impact: Major; Risk Score: 3 (High)
Treatment/Action: i) CDD shall be done. ii) Verification of necessary papers/documents including work permit, passport & visa. iii) Transactions shall be allowed with constant monitoring of the account in case of High Risk nature. iv) STR shall be submitted to CCU if any transaction is found suspicious.
Risk: A new customer who wants to carry out a large transaction (i.e. transaction above the CTR threshold or below the threshold)
Likelihood: Likely; Impact: Moderate; Risk Score: 2 (Medium)
Treatment/Action: i) CDD shall be applied properly. ii) Verifying the genuineness of the data/information of the client. iii) Transaction monitoring shall be done. iv) STR shall be submitted to CCU if any transaction is found suspicious.
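The likelihood X impact scoring from the scales (slide 22), the Risk Score Table (slide 24) and the register rows above, worked through as an added example that is not part of the original deck or of IBBL's tooling. The deck fixes only three cells of the 3x3 likelihood/impact grid (the three register rows), so the remaining six cells are an assumed completion, chosen so the score never falls as either axis rises; the register rows are transcribed from slide 26 as sample input.

```python
LIKELIHOOD = ["Unlikely", "Likely", "Very Likely"]  # slide 22 scale, ascending
IMPACT = ["Minor", "Moderate", "Major"]              # slide 22 scale, ascending

# Risk Score Table (slide 24): score -> (rating, response).
RESPONSE = {1: ("Low", "Okay to go ahead."),
            2: ("Medium", "May go ahead but preferably reduce risk."),
            3: ("High", "Do not allow transaction until risk reduced."),
            4: ("Extreme", "Do not allow transaction to occur or reduce the risk to acceptable level.")}

# (likelihood, impact) -> score. Three cells are fixed by register rows on slide 26;
# the six marked ASSUMED complete the grid so the score never falls as an axis rises.
MATRIX = {("Unlikely", "Minor"): 1,        # slide 26: new customer -> 1 Low
          ("Unlikely", "Moderate"): 1,     # ASSUMED
          ("Unlikely", "Major"): 2,        # ASSUMED
          ("Likely", "Minor"): 2,          # ASSUMED
          ("Likely", "Moderate"): 2,       # slide 26: walk-in, other beneficiary -> 2 Medium
          ("Likely", "Major"): 3,          # slide 26: non-resident customer -> 3 High
          ("Very Likely", "Minor"): 2,     # ASSUMED
          ("Very Likely", "Moderate"): 3,  # ASSUMED
          ("Very Likely", "Major"): 4}     # ASSUMED

def score(likelihood, impact):
    """Return the 1..4 risk score; reject values outside the deck's scales."""
    if likelihood not in LIKELIHOOD or impact not in IMPACT:
        raise ValueError(f"unknown scale value: {likelihood!r}/{impact!r}")
    return MATRIX[(likelihood, impact)]

def matrix_is_monotonic():
    """Check that raising likelihood or impact never lowers the score."""
    for i, lk in enumerate(LIKELIHOOD):
        for j, im in enumerate(IMPACT):
            if i and MATRIX[(LIKELIHOOD[i - 1], im)] > MATRIX[(lk, im)]:
                return False
            if j and MATRIX[(lk, IMPACT[j - 1])] > MATRIX[(lk, im)]:
                return False
    return True

def assess(register):
    """Score each (risk, likelihood, impact) row and attach its rating and response."""
    rows = [(risk, score(lk, im)) for risk, lk, im in register]
    return [{"risk": r, "score": s, "rating": RESPONSE[s][0], "response": RESPONSE[s][1]} for r, s in rows]

# Retail-banking rows transcribed from slide 26 (constructed sample input).
REGISTER = [("A new customer", "Unlikely", "Minor"),
            ("Walk-in customer, govt/bank/NBFI beneficiary", "Unlikely", "Minor"),
            ("Walk-in customer, other beneficiary", "Likely", "Moderate"),
            ("Non-resident customer (Bangladeshi)", "Likely", "Major"),
            ("New customer, large transaction", "Likely", "Moderate")]
```

Running `assess(REGISTER)` reproduces the scores and ratings shown on slide 26, and `matrix_is_monotonic()` is the sanity check to re-run whenever the assumed cells are replaced with the bank's own calibration.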
27. Risk Register (Summary)
Columns: Sl.; Risk Aspects; Particulars; # Questions
1. ML & TF Risk Register for Customers: Retail Banking Customer 35; Wholesale Banking Customer 8; Khidmah Card Customer 4; International Trade Customer 10. Sub-total = 57
2. ML & TF Risk Register for Products & Services: Retail Banking Product 15; Retail Privilege Facilities 2; SME Banking Product 7; Wholesale Banking Product 9; Khidmah Card Product 4; International Trade 5. Sub-total = 42
3. Risk Register for Business Practice/Delivery Methods or Channels: Online/BEFTN/BACH 4; Mobile Banking 3; Alternate Delivery Channel 6; International Trade 2. Sub-total = 15
4. Risk Register for Country/Jurisdiction: 15
5. Register for Regulatory Risk: 42
Grand Total = 171
33. Dependents of Risk Assessment Frequency
Methodology
Type & extent of interim validation
Result of the Risk Assessment
Material change to the Risk Environment
Regulatory intervention
Trigger based
The assessment report is usually required to be submitted annually
36. Implications
Improve policy & procedures
Effective Risk Based Framework
Informed decision about Risk Appetite on the basis of Residual Risk
Alignment of compliance with Risk Profile
Risk mitigation strategies and resource allocation
Regulatory reporting for remediation efforts across the FIs
Charging 1.5% of MCR for risk rating below “satisfactory” under SRP
38. Considerations of Investigations
Identification of all areas of business and responsibilities of business units
Effectiveness of systems and internal controls
Inherent risk of existing, new and potential classes of customers, geographies, products, services and systems
Reflection of changed events like expansion, new markets, new products, new core data processing and systems
Whether the bank has crossed the asset size defined for a large bank
Whether the assessment has been done on qualitative and quantitative data
Frequency of risk assessment review
Whether the risk assessment is communicated to the business units and the Board of Directors
Whether regulatory changes have been warranted
39. Major Areas of Investigation
AML Corporate Governance; Management Oversight and Accountability
Policies and Procedures
Know Your Client (“KYC”); Client Due Diligence (“CDD”); Enhanced Due Diligence (“EDD”)
Previous Other Risk Assessments (local and enterprise-wide)
Management Information/Reporting
Record Keeping and Retention
Designated AML Compliance Officer/Unit
Detection and SAR filing
Monitoring and Controls
Training
Independent Testing and Oversight (including recent Internal Audit or Other Material Findings)
Other Controls/Others
40. Report Contents of Internal Control
Key Risk Indicators (KRIs)
High Risk Processes
Compliance Initiatives
AML Program Deficiencies
Volume of SARs, STRs & CTRs filed
Accounts closed due to suspicious activity
Customer Identification Program (CIP) Violations
High Risk Accounts
Completed and outstanding training
Source of alerts reported and investigations completed
41. Technical Considerations
Configuration of the AML Software
Logic behind the alert generation
Alert Management
Change Control Procedure
How data is imported from the CBS
Independent validation of the software
Gap analysis of the AML software
Volume of false positives and false negatives
Risk of failure of the AML software, hardware and data
43. Glory is to You, O Allah, and praise is to You. I bear witness that there is none worthy of worship but You. I seek Your forgiveness and repent to You.
Kaffara-e-Majlish