Crime Stoppers International Assessing the Anti-Money Laundering (“AML”) Compliance Program October 3, 2013 Agenda Governance Risk Assessments (AML & Sanctions) Know Your Customer Training & Education Transaction Monitoring & Suspicious Activity Investigations Third Party Reliance OFAC/Sanctions Compliance AML/Sanctions Independent Testing AML Examinations Most Common AML Program Weaknesses 1 Copyright © 2013 Deloitte Development LLC. All rights reserved. Governance • Has the Board and senior management established a “tone at the top”? • Does the Board approve the AML program annually, is this formally documented? • Is the Board’s and management’s commitment to AML compliance expressly stated in the bank’s AML Program? • Do Board and/or Management Committee Minutes evidence discussion of AML compliance matters? • Do the Board and/or senior management regularly review the status of the AML program through periodic reporting of the AML Officer? • Does the AML Officer present the status of the program to the Board or Management Committee during regularly scheduled meetings? • Are there routine and regular reports to the Board and senior management identifying the main AML risks facing the company and how those risks are being managed? Governance • Is the importance of compliance periodically reinforced through training, meetings, and employee communications such as bulletins and newsletters? • Does the bank establish a formal annual AML compliance plan that covers compliance goals, priorities and activities for the year? Has the plan been reviewed and approved by the Board and senior management accordingly? • Is there a written job description that outlines the AML Officer’s responsibilities and authority? Are there written job descriptions for AML compliance staff? • Is the AML Officer independent from the business lines, who does he or she report to? • Is the AML department sufficiently staffed based on the bank’s products, services, customers, delivery channels and geographic locations served? • Are AML support staff solely devoted to AML or compliance roles so that no conflict of interest exists and that staff is given sufficient times to execute all duties? Agenda Governance Risk Assessments (AML & Sanctions) Know Your Customer ( “KYC”) Training & Education Transaction Monitoring & Suspicious Activity Investigations Third Party Reliance OFAC/Sanctions Compliance AML/Sanctions Independent Testing AML Examinations Most Common AML Program Weaknesses 4 Copyright © 2013 Deloitte Development LLC. All rights reserved. Risk Assessments (AML & Sanctions) • Has a formal, risk assessment been conducted that covers all products and services, types of customers, delivery channels, and geographies the bank serves? • Is the risk assessment periodically reviewed and updated (12-18 months given risk profile of the bank)? • Is the risk assessment current? • Are the results current? • Is there over-reliance on a third party to develop or maintain the risk assessment? • Is the risk assessment conducted at the customer or account level? – Note: that conducting a risk assessment at the account level prevents the bank from assessing the risks of all the customer’s relationships, rather it focuses only on a component of the overall customer’s transactions or activity. Risk Assessments (AML & Sanctions) • Has the methodology of the risk assessment been documented and not just the results? • Is the methodology consistent across business lines and customers? • Has the bank identified high risk geographies for the purpose of performing risk assessments and transaction monitoring? • Does the risk assessment address (a) inherent risk of products, services, customers and geographies, (b) the strength of current controls, and (c) the residual AML risk? • How is the risk assessment used, does it drive strategic changes or the direction of the overall program? Does it: – – – – – Dictate documentation and verification requirements for new and existing customers? Determine the nature and frequency of account KYC reviews? Determine the nature and frequency of transaction monitoring? Influence the nature, scope, and frequency of AML audits? Help in establishing other AML program priorities, hiring, training needs and deployment of resources? Agenda Governance Risk Assessments (AML & Sanctions) Know Your Customer ( “KYC”) Training & Education Transaction Monitoring & Suspicious Activity Investigations Third Party Reliance OFAC/Sanctions Compliance AML/Sanctions Independent Testing AML Examinations Most Common AML Program Weaknesses 7 Copyright © 2013 Deloitte Development LLC. All rights reserved. Know Your Customer • Has the bank established a KYC program or policy that covers customer identification and verification, due diligence and enhanced due diligence (to satisfy that sources of funds are reasonably legitimate)? • Does the information collected in the customer due diligence process allow the bank to verify the customer’s identity and determine or assess the customer’s risk (for example, collecting occupation information)? • What additional information is required to collect or verify under enhanced due diligence, is this distinction defined in the KYC program? • Is expected, baseline activity or other relevant business information captured to serve as the basis to identify transactions/activity that is unusual, or not normal and expected from this type of customer? – Expected activity includes products & services used, frequency, dollar transactional volume, geographies involved. • Is KYC updated after the initial account opening process? Especially when the bank notices increased volume or activity that deviates from historical patterns. Know Your Customer • Are accounts reviewed periodically to assess changes in customer profiles? The frequency, scope and extent of this review should be based on the customer’s risk rating. • Where the customer is a corporation, are individual owners identified? – UK and EU require identifying owners or those who control more than 25 % of voting rights, FinCEN has not articulated a percentage, but prevailing practice in the US is 10 percent. Agenda Governance Risk Assessments (AML & Sanctions) Know Your Customer ( “KYC”) Training & Education Transaction Monitoring & Suspicious Activity Investigations Third Party Reliance OFAC/Sanctions Compliance AML/Sanctions Independent Testing AML Examinations Most Common AML Program Weaknesses 10 Copyright © 2013 Deloitte Development LLC. All rights reserved. Training & Education • Does the AML training program identify which employees are required to complete training and the frequency of such training? • Does the bank conduct economic sanctions training; is this included in AML or is it a separate training? • Are Board of Directors and Senior Management required to participate in AML training? • Is training specifically tailored to roles and responsibilities of employees in attendance? • Are quizzes or tests part of the training to test the training’s effectiveness? • Is the training medium (face–to- face, computer based, third party) appropriate given the risk profile and business activities of the bank? • Are training records maintained? Training & Education • Has training been conducted in the last year? • Are employees with key AML responsibilities required to participate in outside, externally sponsored training such as seminars and conferences? • Does the training program and materials cover all required elements of the AML program, including: – The importance that the Board of Directors and/or senior management place on ongoing education, training, and compliance. – Employee accountability for ensuring AML compliance. – Specific risks of individual business lines and red flags. – Coverage of different forms of money laundering and terrorist financing as it relates to identification and examples of suspicious activity. – Coverage of policies, procedures, processes, including new rules and regulations, if applicable and impact on the bank. – Penalties for noncompliance with internal policies and regulatory requirements. – Documentation of attendance records and training materials. Agenda Governance Risk Assessments (AML & Sanctions) Know Your Customer ( “KYC”) Training & Education Transaction Monitoring & Suspicious Activity Investigations Third Party Reliance OFAC/Sanctions Compliance AML/Sanctions Independent Testing AML Examinations Most Common AML Program Weaknesses 13 Copyright © 2013 Deloitte Development LLC. All rights reserved. Transaction Monitoring & Suspicious Activity Investigations • Are written procedures in place to identify, investigate, escalate and report suspicious activity? • Are all transactions monitored? • At what level are transactions monitored, transaction, account, customer, household? • Do policies and procedures adequately describe which transactions are subject to monitoring and how they are monitored? • Are suspicious activity red flags provided to employees or listed in AML program? • Based on interviews, does compliance staff have the appropriate knowledge, experience and support needed to perform his/her duties? • Is there proper segregation of duties related to transaction monitoring? Transaction Monitoring & Suspicious Activity Investigations • Are staffing levels sufficient to review the volume of reports, alerts and investigate cases? • Is there an alert / case backlog, if yes does the bank have remedial plans in place to resolve the backlog, has senior management and the Board been made aware? • Who determined the AML rules for transaction monitoring and how were they determined? • Are the transaction monitoring rules and thresholds aligned with risks identified in the bank’s risk assessment? • Are transactions monitored against historical to current activity (or based on customer profile information collected during KYC process)? • Are case investigation files maintained for each investigation? What documentation is included in the file? • Is there a case management system utilized to serve as a central repository for all investigations and manage case workflow and retain case documentation? Transaction Monitoring & Suspicious Activity Investigations • Does the bank incorporate the use of media in investigations (Google, WorldCheck, and Lexis-Nexis); if so what sources of information are used? • When an account alerts, is a review done of that alert only or is a historical review conducting on the account or entire relationship (typically 6 months to a year)? • How does the bank determine the effectiveness of its transaction monitoring system, does it periodically evaluate its rules related to SAR filings? • When was the last time the transaction monitoring rules or parameters were recalibrated, tuned, or modified to improve the identification of potentially suspicious activity? • Are SARs accurately completed and filed timely; within thirty (30) (or local requirement) days after the subject activity was identified as suspicious or ninety (90) (or local requirement) days for a supplemental SAR? • Has the transaction monitoring system been subject to an integrity review that includes validation of data integrity from source or transactional systems (data sources are properly fed) and validation of programming? Agenda Governance Risk Assessments (AML & Sanctions) Know Your Customer ( “KYC”) Training & Education Transaction Monitoring & Suspicious Activity Investigations Third Party Reliance OFAC/Sanctions Compliance AML/Sanctions Independent Testing AML Examinations Most Common AML Program Weaknesses 17 Copyright © 2013 Deloitte Development LLC. All rights reserved. Third Party Reliance • Does the company rely on a third party to conduct all or part of its AML functions? • Is the reliance reasonable? • Is the party or other financial institution being relied upon regulated by a federal functional regulator? • Is the other financial institution subject to general AML compliance program requirement? • Does the other financial institution share the customer with the bank? • Have the two institutions entered into a reliance contract that delineates their responsibilities? • Does the bank monitor the third party’s performance under the agreement on a continuing basis? Third Party Reliance • Does the third party annually certify that it is complying with the requirements of the contract? • Has the bank conducted any due diligence on the third party’s AML program? • Does the third party annually certify that it has implemented an effective AML program? • Is the bank’s reliance on a third party subject to the independent testing to ensure that the third party is meeting its obligations on a continual basis? Agenda Governance Risk Assessments (AML & Sanctions) Know Your Customer ( “KYC”) Training & Education Transaction Monitoring & Suspicious Activity Investigations Third Party Reliance OFAC/Sanctions Compliance AML/Sanctions Independent Testing AML Examinations Most Common AML Program Weaknesses 20 Copyright © 2013 Deloitte Development LLC. All rights reserved. Sanctions Compliance • Has the bank designated an employee responsible for Sanctions Compliance? Is this documented? • Has the bank developed written policies and procedures that address: – – – – – – – – – Sanctions requirements Conducting screening/filtering on account holders and all transaction types Transaction monitoring and filtering Employee training and education Blocking/rejecting funds and transaction reporting Updating the Sanctions list Match investigation and escalation Licensing, if applicable Annual reporting. • Has the bank performed a sanctions risk assessment identifying high risk areas? – Inherent risks of products services, customer types, geographic origin and destination of transactions and strength of controls to mitigate those risks. Sanctions Compliance • Is the methodology documented, not just the results? • Has the bank provided Sanctions Training for appropriate personnel? • What is the time frame for updating the Sanctions list, who is responsible for updating the list and how is the bank notified of updates? • Does the bank perform “back testing” when the list is updated to ensure that the updates are contained within its systems, as well as deletions? • Are there any blocked transactions, have these been reported to local authority and are they in a segregated interest bearing account? • When are new customer transactions screened? • Are there any pending Sanctions investigations or inquiries? Sanctions Compliance • What account types, transaction types, and individuals or entities are subject to screening – Non-account holders that should be screened include, beneficial owners, authorized signors (POA), beneficiaries, principals, directors, employees, vendors, other third party relationships, agents. Agenda Governance Risk Assessments (AML & Sanctions) Know Your Customer ( “KYC”) Training & Education Transaction Monitoring & Suspicious Activity Investigations Third Party Reliance OFAC/Sanctions Compliance AML/Sanctions Independent Testing AML Examinations Most Common AML Program Weaknesses 24 Copyright © 2013 Deloitte Development LLC. All rights reserved. AML/Sanctions Independent Testing • What is the scope of independent testing? – Note: scope of testing should include all of the program areas above. • What is the frequency of independent testing? • Who performs the independent testing? • How does the testing program link back to risk assessments? • How are issues tracked? • Are there any unresolved issues identified in the last audit report? Agenda Governance Risk Assessments (AML & Sanctions) Know Your Customer ( “KYC”) Training & Education Transaction Monitoring & Suspicious Activity Investigations Third Party Reliance OFAC/Sanctions Compliance AML/Sanctions Independent Testing AML Examinations Most Common AML Program Weaknesses 26 Copyright © 2013 Deloitte Development LLC. All rights reserved. AML Examinations • Has the bank been subject to any examination? • Were any AML issues noted, what were they? • Did the exam report include any issues requiring management’s attention or management’s immediate attention? Most Common AML/Sanctions Program Weaknesses: • Insufficient resources dedicated to compliance. • Inadequate KYC procedures. • Employees, Board and management have not received relevant and targeted AML compliance training. • Inexperienced compliance staff. • Inadequate program status reporting to the Board and management. • Failure to identify and periodically monitor high risk accounts or activity. • Suspicious activity investigations not properly documented. • AML systems and supporting technology not stress tested. • Poor record keeping. • Failure to file timely and accurate required regulatory reports. Deloitte Financial Advisory Services LLP Frederick E. Curry III Principal 555 12th Street, Suite 500 Washington, DC 20004-1207 +1 202 378-5171 fcurry@deloitte.com This publication contains general information only and Deloitte Financial Advisory Services LLP is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte Financial Advisory Services LLP shall not be responsible for any loss sustained by any person who relies on this publication. 29 Copyright © 2013 Deloitte Development LLC. All rights reserved.