Systematic Integrity Risk Assessment (SIRA) Practical case-study. Amsterdam November 17 th, 2015

Transcription

1 Systematic Integrity Assessment (SIRA) Practical case-study Amsterdam November 17 th, 2015

2 Objectives The key objective is provide insight how to operationalize regulator s expectations with regard to a SIRA 01/ Provide 02/ Share 03/ Share introduction to SIRA a proven approach for conducting a SIRA Lessons learned 2

3 Introduction to SIRA The Dutch Central Bank ( DNB ) has shown increased attention for a documented approach for integrity risk identification owned by the business Besluit prudentiële regels Wft, Article 10: A bank ensures a systematic analysis of integrity risks [translated from Dutch] Position of DNB - SIRA Position of DNB - SIRA Rationale for a systematic integrity risk analysis (SIRA) is to ensure that banks are aware of their inherent integrity risk and take adequate corresponding controls. Points of attention for the DNB: A documented identification and weighing of inherent risks Explicitly define a risk appetite Have available a documented link between inherent risks, the risk appetite and controls Document the acceptance of residual risks and follow-up actions Inherent risk The risk that a client misuses the bank to launder funds Appetite Controls Control 1 Control 2 3

4 SIRA Approach High level approach SIRA should facilitate the business (risk owners) in executing & documenting the decision process re risk identification & mitigation efficiently Defining a SIRA approach - Governance SIRA Process - Determine the scope o Theme s to be addressed by a SIRA o Assessment units (business units, client portfolio segments, countries) o Determine level of detail of assessment - Define risk appetite: qualitative and quantitative - Define risks and underlying risk indicators and quantify (risk profile) - Identify and optimize existing controls and determine residual risks - Align with existing risk management taxonomy and documentation requirements Generic SIRA approach Foundation Process per assessment unit Output Scoping Appetite Inherent risk profile (quantitative) Define & select applicable inherent risks Identify existing controls Complement controls Determine residual risk & remedial actions Consolidation and reporting Embedding in organization 4

5 SIRA Approach Scoping of themes It is best practice to draft a SIRA roadmap describing assessment of relevant theme s as exemplified below in line with the organization s profile and size Area Organization Conduct Related Personal Conduct Related Client Conduct Related Compliance Theme Anti- Corruption Financial Economic Crime Conflict of Interests Market Abuse Privacy Treating Customers Fairly Reputation and integrity of Bank is hampered by conduct of Bank Active Bribery Failure to maintain books & records to required standards Reputation and integrity of Bank is hampered by conduct of Employees Passive Bribery Conflict of interest between staff and clients and/or Rabobank Reputation and integrity of Rabobank is hampered by conduct of Clients Bribes of clients facilitated by Bank systems External Fraud Internal fraud Anti-Money Laundering (incl. KYC/CDD) Sanctions Tax evasion Between interests of Bank and duty of Bank owed to it s clients Between interests of relationships of Bank with two or more clients Insider dealing/trading Improper disclosure of data Market manipulation Collision Employee/client data protection Transparency of product offerings Complaint handling Inducements Personal Account Dealing 5

6 SIRA Approach appetite Defining a Appetite Statement and Limits A first step in defining a Appetite is the definition of a Appetite Statement ( RAS ) in cooperation with business management. The RAS should be aligned with the organizational goals of the bank 1. Current strategic goals 2. Evaluating existing RASstatements 3. Definition of RAS for integrity risk Understand current strategic goals Desk research on relevant existing material Interview with key stakeholder Assessment of current risk tolerance and risk limits Define current position as starting point Statement of Commitment Qualitative statements Quantitative statement governance 6

7 SIRA Approach Exemplary inherent risk profile Per assessment unit an overview of the inherent risk profile based on key characteristics is quantified Inherent risk profile Indicators H H H H H H M M M M M M Client Geography Channel Industry Product Transaction L L L L L L Client risk Maturity client portfolio (%clients< 1 year) Complexity of client structure (%clients > 10 entities in structure) PEP status (% clients with PEP-flag) Assets (% clients assets > 1 mln.) Geographical risk Geographical footprint of transactions (% clients with trans. to high risk countries) Country of incorporation / residence (% clients with residency in high risk countries) Distribution channel risk Relationship model (Y/N) Direct model (Y/N) Industry / Sector risk Client Industry (% clients in high risk industry) Client activity (% clients dealing with high risk industries) Product risk High risk product usage (e.g. Trade Finance) (% clients with high risk products) Transaction risk Cash (%clients with regular cash deposits) Cross-border (%clients with cross-border transactions) 7

8 SIRA Approach Exemplary risk & control register Defining a clear risk culture is a key requirement in realizing a solid quantitative risk analysis as well as serves the basis for a future risk control log s Inherent risk Controls Residual risk Money Laundering 1 The risk of facilitating money laundering due to misuse of products 2 The risk of facilitating money laundering through misuse of new technologies Sanctions 3 The risk of breaking sanctions by providing services to clients in specific countries 4 The risk of unintentionally breaking sanctions due to a customer not disclosing key information Terrorism financing 5 The risk of facilitating terrorism financing by providing services to Clients which could be suspected to be related to terrorism Frequency Impact Frequency Impact 8

9 Frequency SIRA Approach Exemplary heat map Plotting risks on a heat map in relation to the risk appetite helps in visualizing risk prioritization Appetite Impact 9

10 Embedding SIRA should be embedded in the standing organization and business processes as part of a continuous risk management process Sign off on Integrity SIRA trigger (periodic / event) Execute SIRA Collect continuous monitoring results Process results Execute Second Line Monitoring Determine controls Report First Line Monitoring results Determine gaps & remedial actions Implement generic controls 10

11 Lessons learned What did we learn while executing SIRA at our clients? Proper execution SIRA at large FI requires at least 3 months, especially for executing data analytics for inherent risk profile Manage content and timelines SIRA based on FI s own (compliance) risk management strategy and vision (in stead of committed timelines to regulator) Execution of SIRA requires multi disciplinary team with business (1st line) in the lead, supported by Compliance, ORM and IT (data analytics) SIRA should be evolved and improved over time as part of continuous risk management process, especially Appetite and inherent risk profile can be further improved based on our experience 11

12 Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee ( DTTL ), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as Deloitte Global ) does not provide services to clients. Please see for a more detailed description of DTTL and its member firms. Deloitte provides audit, consulting, financial advisory, risk management, tax and related services to public and private clients spanning multiple industries. With a globally connected network of member firms in more than 150 countries and territories, Deloitte brings world-class capabilities and high-quality service to clients, delivering the insights they need to address their most complex business challenges. Deloitte s more than 210,000 professionals are committed to becoming the standard of excellence. This communication contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively, the Deloitte network ) is, by means of this communication, rendering professional advice or services. No entity in the Deloitte network shall be responsible for any loss whatsoever sustained by any person who relies on this communication.