Fortifying Your AML Audit with International Best Practices

Transcription

1 Fortifying Your AML Audit with International Best Practices Hue Dang, CAMS Head of Asia, ACAMS 1 February 2013 Asia Full Day Seminars Asia Pacific Region - 1

2 Agenda Regulatory Framework: BSA/AML Exam Optimizing your audit practices to meet stringent regulatory expectations and regional standards Implementing a risk-based approach to AML audits Leveraging audit findings to improve AML department processes Applying the latest techniques to streamline testing and reporting procedures 2

3 Regulatory Framework: BSA/AML Key Components AML Risk Assessment Step 1: Risk categories: products, services, customers, entities, transactions, and geographic locations Step 2: detailed analysis of the data identified to better assess the risk within these categories AML Compliance Program Written policies, procedures, and processes System of internal controls to ensure ongoing compliance (CIP Program) Independent Testing Designation of Compliance Officer Training 3

4 Regulatory Framework: BSA/AML Key Components (cont d) Suspicious Activity Monitoring & Reporting Systems Review correspondence with primary regulator Check for STR, CTR errors and exemptions Level and Extent of Automated Systems Volume of activity commensurate w/ customer occupation or type of business Number & Volume of high-risk customers Volume of STRs/CTRs in relation to exemption Volume of STRs/CTRs in relation to bank size, asset or deposit growth, and geographic location 4

5 Implementing a risk-based approach to AML audits STARTING POINT 1. What are the Key Elements of a Good AML Program? Statement of Objective AML Organization Structure - Identification of Roles & Responsibilities AML Regulatory Framework Outline of the AML/Compliance/Risk Governance Structure Risk assessment of Clients/Products/Geographies /Transactions On-boarding Procedures - CIP + KYC On-going Monitoring + Periodic Review Escalation - Investigation-Suspicious Activity Reporting Cooperation with Law Enforcement, other financial institutions Sanction Screening MIS Record Retention AML Training Review and Auditing/Testing of the AML Program 5

6 2. Derive the Key AML Risks and Controls from an Effective AML Program 1. Management Oversight 2. AML Policies/Procedures 3. AML Monitoring 4. SAR/STR Reporting, Sanction Screening 5. Testing 6. Training 6

7 Testing AML Controls : Some Common Flaws in AML Risks and Controls Management Oversight Lack of Business Participation/Buy-in (No Culture of Compliance ) Weak AML Governance Structure (i.e. Senior (AML) Management not aware of AML issues and their resolution) AML Policies Fragmented procedures/processes Not robust enough in mitigating certain High Risks Not timely in addressing regulatory changes (Gaps & Remediation)

8 Testing AML Controls : Some Common Flaws in AML Risks and Controls AML Monitoring Parameters/Thresholds not optimized: Noise vs Productive Alerts Inefficient disposition of Alerts: Too many nonproductive Alerts Inexperienced AML Analysts to detect unusual activity Insufficient resources Failure to document the rationale for closing an alert/investigation 8

9 Testing AML Controls : Some Common Flaws in AML Risks and Controls SAR/STR Reporting, Sanction Screening Lack of clarity in the Escalation Process Too much time taken to determine possible suspicious/unusual activity (Delay in reporting) Poor SAR/STR Narratives - Failure to clearly state why the activity is suspicious (or NOT suspicious) Failure to take (or track) action post-sar/str filing Search request and result reporting are not streamlined (resulting in untimely responses/ incomplete coverage) 9

10 Testing AML Controls : Some Common Flaws in AML Risks and Controls Testing No Independent; only Self-testing Lack of Transparency in Testing and Results Poorly defined Corrective Action Plans (Root Causes not identified/addressed) Failure to track Follow-up Actions Corrective Action Plans/Remediation Training Failure to identify correct target-audience(s) within the Firm Failure to track and follow-through on non-completion of mandatory training New Training vs Refresher Training (same modules/contents) Failure to train to regulatory requirement 10

11 11 CASE STUDY: Testing KYC/CDD Controls

12 STARTING POINT: Appreciate the importance of an effective KYC /CDD program Effective KYC/CDD Program Identifies the ML/TF risk that the prospect / client may pose Tailors the Due Diligence required to be performed on the prospect /client Satisfies that the prospect / client does NOT pose a ML/TF risk ML/TF risk to the your FI /Bank Managed 12

13 Key components of an effective KYC/CDD program Record Retention Written Customer Identification Program / Procedures Customer Due Diligence Name Screening OBTAIN Client Identity Information & Documentation VERIFY Client Identity Information & Documentation Due Diligence or Enhanced Due Diligence (EDD) Sanctions Lists Do-not-do Business Lists Object: To enable the bank to form a reasonable belief that it knows the true identity of each customer. Object: To enable the bank to verify facts about the client, including his reputation. Object: To ensure that the bank does not establish a relationship with a sanctioned person, or with someone that the bank ought not to do business (e.g. previously rejected, or terminated clients, known criminals), etc. 13

14 KYC/CDD Controls Testing: What are some of the common flaws /problems with a KYC/EDD program? KYC Policy / Procedures No written CIP / CDD / Name Search procedures / Records Retention procedures. Unclear procedures Fragmented procedures/processes (i.e. not consolidated or centrally located) Not robust enough in identifying and/or mitigating certain High Risks Clients PLEASE REFER TO NEXT SLIDE Not timely in addressing regulatory changes (Gaps & Remediation) 14

15 KYC/CDD Program Regulatory Expectation - Enhanced Due Diligence for Higher-Risk Customers The bank should consider obtaining, both at account opening and throughout the relationship, the following information on the customer: Purpose of the account. Source of funds and wealth. Individuals with ownership or control over the account, such as beneficial owners, signatories, or guarantors. Occupation or type of business (of customer or other individuals with ownership or control over the account). Financial statements. Banking references. Domicile (where the business is organized). Proximity of the customer s residence, place of employment, or place of business to the bank. Description of the customer s primary trade area and whether international transactions are expected to be routine. Description of the business operations, the anticipated volume of currency and total sales, and a list of major customers and suppliers. Explanations for changes in account activity. Source: FFIEC BSA/Aml Examination Manual nual_online.htm

16 KYC/CDD Program assessment Common flaws in KYC/CDD Programs SUMMARY (cont d) KYC / CDD Client Profiles Insufficient information on client s Source of Wealth or Source of Funds DD /EDD not performed. Or, results not sufficiently documented for the DD/EDD that was performed No quality control on what client or banker says about the client (i.e. no independent corroboration / verification) The information is stale; as the client s profile has not been periodically reviewed and updated. Too many exceptions / deferrals on client documentation to be obtained. These deferrals may not be tracked to ensure the documents are received Training Business does not appreciate the ML/TF risks Bankers do not know how to complete a KYC Profile. 16

17 Leveraging audit findings to improve AML department processes Review the past finding (s) Review the Corrective Action (s) that were agreed to address the finding. Ask: Has the Corrective Action addressed the ROOT CAUSE? 17

18 Applying the latest techniques to streamline testing and reporting procedures Identify Key AML Risks and their controls Test the Controls Design and Operating Effectiveness Don t just rely on deliverables from the Auditee. Think how else can we test the Controls Independent data requests from Technology? 18

19 AML Audit Cycle: Summary Measure against prior assessments. audits Adequacy of AML Program Record keeping AML Policies, procedures, processes Review of training records Compliance with AML obligations by staff Data testing including monitoring programs 19

20 20 AML Audit Report Flow Scope agreed Phase 2 Perform Audit Report to Board Action plans Phase 4 Validate Phase 1 Phase 3 Phase 5

21 Some Cases Asia Full Day Seminars Asia Pacific Region - 21

22 Hong Kong s Largest ML Case (24 Jan 2013) HK: Jan to Nov 2012: 136 ML cases prosecuted & 147 people convicted 22-yr old high school drop-out working as factory delivery man Chiyu Bank (part of Bank of China (HK)): initial deposit of HK$500 in 2009, within 8 mos, HK$13bil. in transfers by internet (4,800 deposits & 3,500 transfers out) VERDICT: 10 ½ yrs imprisonment KEY QUESTION: What is the consequence to the Bank? 22

23 Living/Salary Standards Test Jurisdiction: Hong Kong Indicators: 600 transactions over 2 years, with HKD1 mil in size Deposited HKD1.1 mil. In Jockey Club account, only HKD2K used for betting Monthly salary of HKD23K Case description: Wilson Ho Hung-yiu, 36, attached to the Traffic Accident Investigation Unit of Kowloon West, used three bank accounts and a Jockey Club account to manipulate the money between 2007 and Defendant claimed transactions were for his business, but Inland Revenue Dept records showed he neither owned a property or ran a business, and had not other sources of income. Verdict: 3 years imprisonment 23

24 Tying it all together: Ponzi Scheme I am not a banker but I know that $100bn going in and out of a bank account is something that should alert you to something, Madoff told the Financial Times from his North Carolina prison. Securities Fraud Investment Adviser Fraud, Mail Fraud Wire Fraud False Statements Perjury False Filings to the SEC Theft from an employee benefit plan AND three counts of money laundering

25 Thank you. Questions? Asia Full Day Seminars 25 Asia Pacific Region - 25