Crime Stoppers
International
Assessing the Anti-Money
Laundering (“AML”)
Compliance Program
October 3, 2013
Agenda
Governance
Risk Assessments (AML & Sanctions)
Know Your Customer
Training & Education
Transaction Monitoring & Suspicious Activity Investigations
Third Party Reliance
OFAC/Sanctions Compliance
AML/Sanctions Independent Testing
AML Examinations
Most Common AML Program Weaknesses
1
Copyright © 2013 Deloitte Development LLC. All rights reserved.
Governance
• Has the Board and senior management established a “tone at the top”?
• Does the Board approve the AML program annually, is this formally
documented?
• Is the Board’s and management’s commitment to AML compliance expressly
stated in the bank’s AML Program?
• Do Board and/or Management Committee Minutes evidence discussion of AML
compliance matters?
• Do the Board and/or senior management regularly review the status of the AML
program through periodic reporting of the AML Officer?
• Does the AML Officer present the status of the program to the Board or
Management Committee during regularly scheduled meetings?
• Are there routine and regular reports to the Board and senior management
identifying the main AML risks facing the company and how those risks are
being managed?
Governance
• Is the importance of compliance periodically reinforced through training,
meetings, and employee communications such as bulletins and newsletters?
• Does the bank establish a formal annual AML compliance plan that covers
compliance goals, priorities and activities for the year? Has the plan been
reviewed and approved by the Board and senior management accordingly?
• Is there a written job description that outlines the AML Officer’s responsibilities
and authority? Are there written job descriptions for AML compliance staff?
• Is the AML Officer independent from the business lines, who does he or she
report to?
• Is the AML department sufficiently staffed based on the bank’s products,
services, customers, delivery channels and geographic locations served?
• Are AML support staff solely devoted to AML or compliance roles so that no
conflict of interest exists and that staff is given sufficient times to execute all
duties?
Agenda
Governance
Risk Assessments (AML & Sanctions)
Know Your Customer ( “KYC”)
Training & Education
Transaction Monitoring & Suspicious Activity Investigations
Third Party Reliance
OFAC/Sanctions Compliance
AML/Sanctions Independent Testing
AML Examinations
Most Common AML Program Weaknesses
4
Copyright © 2013 Deloitte Development LLC. All rights reserved.
Risk Assessments (AML & Sanctions)
• Has a formal, risk assessment been conducted that covers all products and
services, types of customers, delivery channels, and geographies the bank
serves?
• Is the risk assessment periodically reviewed and updated (12-18 months given
risk profile of the bank)?
• Is the risk assessment current?
• Are the results current?
• Is there over-reliance on a third party to develop or maintain the risk
assessment?
• Is the risk assessment conducted at the customer or account level?
– Note: that conducting a risk assessment at the account level prevents the bank from
assessing the risks of all the customer’s relationships, rather it focuses only on a
component of the overall customer’s transactions or activity.
Risk Assessments (AML & Sanctions)
• Has the methodology of the risk assessment been documented and not just the
results?
• Is the methodology consistent across business lines and customers?
• Has the bank identified high risk geographies for the purpose of performing risk
assessments and transaction monitoring?
• Does the risk assessment address (a) inherent risk of products, services,
customers and geographies, (b) the strength of current controls, and (c) the
residual AML risk?
• How is the risk assessment used, does it drive strategic changes or the
direction of the overall program? Does it:
–
–
–
–
–
Dictate documentation and verification requirements for new and existing customers?
Determine the nature and frequency of account KYC reviews?
Determine the nature and frequency of transaction monitoring?
Influence the nature, scope, and frequency of AML audits?
Help in establishing other AML program priorities, hiring, training needs and
deployment of resources?
Agenda
Governance
Risk Assessments (AML & Sanctions)
Know Your Customer ( “KYC”)
Training & Education
Transaction Monitoring & Suspicious Activity Investigations
Third Party Reliance
OFAC/Sanctions Compliance
AML/Sanctions Independent Testing
AML Examinations
Most Common AML Program Weaknesses
7
Copyright © 2013 Deloitte Development LLC. All rights reserved.
Know Your Customer
• Has the bank established a KYC program or policy that covers customer
identification and verification, due diligence and enhanced due diligence (to
satisfy that sources of funds are reasonably legitimate)?
• Does the information collected in the customer due diligence process allow the
bank to verify the customer’s identity and determine or assess the customer’s
risk (for example, collecting occupation information)?
• What additional information is required to collect or verify under enhanced due
diligence, is this distinction defined in the KYC program?
• Is expected, baseline activity or other relevant business information captured to
serve as the basis to identify transactions/activity that is unusual, or not normal
and expected from this type of customer?
– Expected activity includes products & services used, frequency, dollar transactional
volume, geographies involved.
• Is KYC updated after the initial account opening process? Especially when the
bank notices increased volume or activity that deviates from historical patterns.
Know Your Customer
• Are accounts reviewed periodically to assess changes in customer profiles?
The frequency, scope and extent of this review should be based on the
customer’s risk rating.
• Where the customer is a corporation, are individual owners identified?
– UK and EU require identifying owners or those who control more than 25 % of voting
rights, FinCEN has not articulated a percentage, but prevailing practice in the US is
10 percent.
Agenda
Governance
Risk Assessments (AML & Sanctions)
Know Your Customer ( “KYC”)
Training & Education
Transaction Monitoring & Suspicious Activity Investigations
Third Party Reliance
OFAC/Sanctions Compliance
AML/Sanctions Independent Testing
AML Examinations
Most Common AML Program Weaknesses
10
Copyright © 2013 Deloitte Development LLC. All rights reserved.
Training & Education
• Does the AML training program identify which employees are required to
complete training and the frequency of such training?
• Does the bank conduct economic sanctions training; is this included in AML or
is it a separate training?
• Are Board of Directors and Senior Management required to participate in AML
training?
• Is training specifically tailored to roles and responsibilities of employees in
attendance?
• Are quizzes or tests part of the training to test the training’s effectiveness?
• Is the training medium (face–to- face, computer based, third party) appropriate
given the risk profile and business activities of the bank?
• Are training records maintained?
Training & Education
• Has training been conducted in the last year?
• Are employees with key AML responsibilities required to participate in outside,
externally sponsored training such as seminars and conferences?
• Does the training program and materials cover all required elements of the AML
program, including:
– The importance that the Board of Directors and/or senior management place on
ongoing education, training, and compliance.
– Employee accountability for ensuring AML compliance.
– Specific risks of individual business lines and red flags.
– Coverage of different forms of money laundering and terrorist financing as it relates to
identification and examples of suspicious activity.
– Coverage of policies, procedures, processes, including new rules and regulations, if
applicable and impact on the bank.
– Penalties for noncompliance with internal policies and regulatory requirements.
– Documentation of attendance records and training materials.
Agenda
Governance
Risk Assessments (AML & Sanctions)
Know Your Customer ( “KYC”)
Training & Education
Transaction Monitoring & Suspicious Activity Investigations
Third Party Reliance
OFAC/Sanctions Compliance
AML/Sanctions Independent Testing
AML Examinations
Most Common AML Program Weaknesses
13
Copyright © 2013 Deloitte Development LLC. All rights reserved.
Transaction Monitoring & Suspicious Activity
Investigations
• Are written procedures in place to identify, investigate, escalate and report
suspicious activity?
• Are all transactions monitored?
• At what level are transactions monitored, transaction, account, customer,
household?
• Do policies and procedures adequately describe which transactions are subject
to monitoring and how they are monitored?
• Are suspicious activity red flags provided to employees or listed in AML
program?
• Based on interviews, does compliance staff have the appropriate knowledge,
experience and support needed to perform his/her duties?
• Is there proper segregation of duties related to transaction monitoring?
Transaction Monitoring & Suspicious Activity
Investigations
• Are staffing levels sufficient to review the volume of reports, alerts and
investigate cases?
• Is there an alert / case backlog, if yes does the bank have remedial plans in
place to resolve the backlog, has senior management and the Board been
made aware?
• Who determined the AML rules for transaction monitoring and how were they
determined?
• Are the transaction monitoring rules and thresholds aligned with risks identified
in the bank’s risk assessment?
• Are transactions monitored against historical to current activity (or based on
customer profile information collected during KYC process)?
• Are case investigation files maintained for each investigation? What
documentation is included in the file?
• Is there a case management system utilized to serve as a central repository for
all investigations and manage case workflow and retain case documentation?
Transaction Monitoring & Suspicious Activity
Investigations
• Does the bank incorporate the use of media in investigations (Google, WorldCheck, and Lexis-Nexis); if so what sources of information are used?
• When an account alerts, is a review done of that alert only or is a historical
review conducting on the account or entire relationship (typically 6 months to a
year)?
• How does the bank determine the effectiveness of its transaction monitoring
system, does it periodically evaluate its rules related to SAR filings?
• When was the last time the transaction monitoring rules or parameters were recalibrated, tuned, or modified to improve the identification of potentially
suspicious activity?
• Are SARs accurately completed and filed timely; within thirty (30) (or local
requirement) days after the subject activity was identified as suspicious or
ninety (90) (or local requirement) days for a supplemental SAR?
• Has the transaction monitoring system been subject to an integrity review that
includes validation of data integrity from source or transactional systems (data
sources are properly fed) and validation of programming?
Agenda
Governance
Risk Assessments (AML & Sanctions)
Know Your Customer ( “KYC”)
Training & Education
Transaction Monitoring & Suspicious Activity Investigations
Third Party Reliance
OFAC/Sanctions Compliance
AML/Sanctions Independent Testing
AML Examinations
Most Common AML Program Weaknesses
17
Copyright © 2013 Deloitte Development LLC. All rights reserved.
Third Party Reliance
• Does the company rely on a third party to conduct all or part of its AML
functions?
• Is the reliance reasonable?
• Is the party or other financial institution being relied upon regulated by a federal
functional regulator?
• Is the other financial institution subject to general AML compliance program
requirement?
• Does the other financial institution share the customer with the bank?
• Have the two institutions entered into a reliance contract that delineates their
responsibilities?
• Does the bank monitor the third party’s performance under the agreement on a
continuing basis?
Third Party Reliance
• Does the third party annually certify that it is complying with the requirements of
the contract?
• Has the bank conducted any due diligence on the third party’s AML program?
• Does the third party annually certify that it has implemented an effective AML
program?
• Is the bank’s reliance on a third party subject to the independent testing to
ensure that the third party is meeting its obligations on a continual basis?
Agenda
Governance
Risk Assessments (AML & Sanctions)
Know Your Customer ( “KYC”)
Training & Education
Transaction Monitoring & Suspicious Activity Investigations
Third Party Reliance
OFAC/Sanctions Compliance
AML/Sanctions Independent Testing
AML Examinations
Most Common AML Program Weaknesses
20
Copyright © 2013 Deloitte Development LLC. All rights reserved.
Sanctions Compliance
• Has the bank designated an employee responsible for Sanctions Compliance?
Is this documented?
• Has the bank developed written policies and procedures that address:
–
–
–
–
–
–
–
–
–
Sanctions requirements
Conducting screening/filtering on account holders and all transaction types
Transaction monitoring and filtering
Employee training and education
Blocking/rejecting funds and transaction reporting
Updating the Sanctions list
Match investigation and escalation
Licensing, if applicable
Annual reporting.
• Has the bank performed a sanctions risk assessment identifying high risk
areas?
– Inherent risks of products services, customer types, geographic origin and destination
of transactions and strength of controls to mitigate those risks.
Sanctions Compliance
• Is the methodology documented, not just the results?
• Has the bank provided Sanctions Training for appropriate personnel?
• What is the time frame for updating the Sanctions list, who is responsible for
updating the list and how is the bank notified of updates?
• Does the bank perform “back testing” when the list is updated to ensure that
the updates are contained within its systems, as well as deletions?
• Are there any blocked transactions, have these been reported to local authority
and are they in a segregated interest bearing account?
• When are new customer transactions screened?
• Are there any pending Sanctions investigations or inquiries?
Sanctions Compliance
• What account types, transaction types, and individuals or entities are subject to
screening
– Non-account holders that should be screened include, beneficial owners, authorized
signors (POA), beneficiaries, principals, directors, employees, vendors, other third
party relationships, agents.
Agenda
Governance
Risk Assessments (AML & Sanctions)
Know Your Customer ( “KYC”)
Training & Education
Transaction Monitoring & Suspicious Activity Investigations
Third Party Reliance
OFAC/Sanctions Compliance
AML/Sanctions Independent Testing
AML Examinations
Most Common AML Program Weaknesses
24
Copyright © 2013 Deloitte Development LLC. All rights reserved.
AML/Sanctions Independent Testing
• What is the scope of independent testing?
– Note: scope of testing should include all of the program areas above.
• What is the frequency of independent testing?
• Who performs the independent testing?
• How does the testing program link back to risk assessments?
• How are issues tracked?
• Are there any unresolved issues identified in the last audit report?
Agenda
Governance
Risk Assessments (AML & Sanctions)
Know Your Customer ( “KYC”)
Training & Education
Transaction Monitoring & Suspicious Activity Investigations
Third Party Reliance
OFAC/Sanctions Compliance
AML/Sanctions Independent Testing
AML Examinations
Most Common AML Program Weaknesses
26
Copyright © 2013 Deloitte Development LLC. All rights reserved.
AML Examinations
• Has the bank been subject to any examination?
• Were any AML issues noted, what were they?
• Did the exam report include any issues requiring management’s attention or
management’s immediate attention?
Most Common AML/Sanctions Program Weaknesses:
• Insufficient resources dedicated to compliance.
• Inadequate KYC procedures.
• Employees, Board and management have not received relevant and targeted
AML compliance training.
• Inexperienced compliance staff.
• Inadequate program status reporting to the Board and management.
• Failure to identify and periodically monitor high risk accounts or activity.
• Suspicious activity investigations not properly documented.
• AML systems and supporting technology not stress tested.
• Poor record keeping.
• Failure to file timely and accurate required regulatory reports.
Deloitte Financial Advisory Services LLP
Frederick E. Curry III
Principal
555 12th Street, Suite 500
Washington, DC 20004-1207
+1 202 378-5171
fcurry@deloitte.com
This publication contains general information only and Deloitte Financial Advisory Services LLP is not, by means of this publication, rendering
accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional
advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any
action that may affect your business, you should consult a qualified professional advisor.
Deloitte Financial Advisory Services LLP shall not be responsible for any loss sustained by any person who relies on this publication.
29
Copyright © 2013 Deloitte Development LLC. All rights reserved.