AN INTEGRATED APPROACH TO COMPLIANCE AND RISK MANAGEMENT IS THE BEST WAY FORWARD BY MARTIN WOODS OCTOBER 2011

Transcription

1 AN INTEGRATED APPROACH TO COMPLIANCE AND RISK MANAGEMENT IS THE BEST WAY FORWARD BY MARTIN WOODS OCTOBER 2011

2 FOREWORD The global financial crisis has led banks, firms, governments and societies to the very edge of disaster, indeed with the potential for a double dip recession, the crisis is far from over. At the same time there have been a series of significant financial sanctions applied against banks and regulated firms for breaches related to serious financial crimes. It is universally acknowledged and accepted that many things went wrong, but this document is not about blame, rather it is an examination of historical compliance and risk management. Having assessed the history we can apply the lessons learned to the compliance and risk management processes of today and tomorrow. The fields of compliance, risk management, financial crime, sanctions and corruption have evolved at an ever increasing rate, concurrently, the demands upon and expectations of the risk and regulatory compliance functions have diversified and increased. This paper, which is focussed upon the management and application of client data and external data, is one in a series that will consider the present moment as an opportunity to redefine the compliance risk landscape, to meet the challenges head-on and in doing so drive effectiveness and efficiencies within amalgamated and integrated compliance risk management programs. 2 AN INTEGRATED APPROACH TO COMPLIANCE AND RISK MANAGEMENT IS THE BEST WAY FORWARD OCTOBER 2011

3 CONTENTS INTRODUCTION... 4 BACKGROUND... 5 THE WAY FORWARD...7 CONCLUSION AN INTEGRATED APPROACH TO COMPLIANCE AND RISK MANAGEMENT IS THE BEST WAY FORWARD OCTOBER 2011

4 INTRODUCTION In his 2010 book McMafia Misha Glenny portrays a global network of organized crime within which some criminal organizations franchise their business. In each chapter the author provides an insight into geographical regions and crime typologies, where the reader learns that crime has no boundaries, physical or cyber, and money has no colour. Significantly, the reader learns of a criminal world of integration, a world where opportunities, vulnerabilities and markets are identified and exploited. Traffickers do not restrict their business to product lines or commodities; on the contrary they diversify and offer their services to all customers including people traffickers, arms traffickers, terrorists, counterfeiters and even corrupt officials in governments. The service is based upon experience and expertise as well as a reputation for delivering the goods. At all times, traffickers and other criminals are vulnerable to a wide range of threats and to mitigate the same they apply a comprehensive integrated risk management program. The objectives of the program are survival and success. The foundations are confidentiality/ secrecy, with cooperation where necessary, and constant surveillance. The program evolves and develops from lessons learned in relation to the specific organisation, the business in which they operate and the actions of their enemies. Organized crime is often successful for a number of reasons but primarily successful criminals are effective at managing and mitigating risk through the acquisition and application of data. They seek to know their clients, victims and enemies. The more they know the better equipped they are to identify risks and ultimately succeed in their criminal objectives. The organized criminal network that is integrated is stronger and is therefore more likely to succeed and survive. Organized criminals react to change out of necessity as they have no third party to petition should things not go their way. Hence when money laundering became a criminal offence they adapted new methods and continued in their activities. Changes to anti-money laundering (AML) laws and regulations, changes in relation to sanctions, corruption and market abuse/ manipulation have all been positive and as such they need to be accepted and indeed promoted within firms and society as a whole. They also demand adjustments and enhancements to compliance risk management programs. Additionally there has been, and continues to be, considerable transformation to the global political landscape. The Arab Spring has maintained momentum and continues to drive regime changes across the Middle East. The impact upon firms is profound. Relationships with parties that were previously accepted and even endorsed are now the subject of new sanctions. Regulated firms need to be nimble and dynamic in reacting to the constantly changing lists of sanctioned parties/designated persons. With so many changes, matched by an equal number of additional demands upon finite compliance risk management resources, it is difficult to know where to start and how to respond. Likewise, this paper does not seek to address all such matters. Consequently, this first paper will focus upon the subject of the management and application of data. 4 AN INTEGRATED APPROACH TO COMPLIANCE AND RISK MANAGEMENT IS THE BEST WAY FORWARD OCTOBER 2011

5 BACKGROUND In many countries, the evolution of AML laws has followed a similar path. Initially they applied solely to drug trafficking crimes; this was later extended to incorporate all fiscal crimes. Post 9/11, the laws and considerable regulatory focus was upon counter terrorist financing (CTF). More recently the priority for law enforcement agencies, regulators and regulated firms has been breaches of, and compliance with, sanctions regimes. This shift of emphasis has called for an adjustment of thinking on the part of the compliance risk professional accompanied by a demand for improved data and enhanced data management technological solutions. The management of data can be broken down into a number of categories which include: The collection of client data The screening of client data The blending of client data The collection of client data Knowledge, information and data remain at the heart of risk management; this is particularly so in relation to the principals of know your client (KYC). It is only when risks are known or identified that they can be properly managed and controlled. Nowadays the KYC requirements are often far more than simple identification and verification of a client s identity, formerly referred to as ID & V. It is now necessary for regulated firms to have in place risk based policies, procedures and processes that mandate collection, retention and periodic maintenance of considerably more client data and information, which may include: The source of a client s wealth The source of the funds used by the client to fund an account or transaction The client s occupation/status/salary/fund ing/expected account activity For clients that are companies, partnerships, trusts, funds or corporate entities it may be necessary to collect, retain and periodically review and update information in relation to: The ultimate beneficial owners The ultimate controllers/directors/partners The finances The status of the client The nature of the client s business The source of the client s revenue The location of the client s business The nature of the client s own clients The screening of client data In addition, it is necessary for firms to screen client names and associated parties, including directors and ultimate beneficial owners, against prescribed lists of sanctioned parties as well as a list of politically exposed person, or PEPs. Importantly, regulated firms are required to maintain evidence which demonstrates such screening has taken place. Thereafter, the same names and information must be re-screened on a risk based periodic basis. In a firm with a significant number of clients this process needs to be automated and this is where the integration of data is becoming an increasing necessity. Currently many firms routinely screen the entire list of client names against up-to-date sanctions lists in order to avoid breaching sanctions legislation. As legal obligations and regulatory expectations increase, this procedure may soon be considered only partially compliant. The blending of data The problem which many firms face is that existing client data systems contain limited information. In the majority of instances the data systems do not contain the names, addresses and dates of birth of the ultimate beneficial owners, controllers or partners of corporate 5 AN INTEGRATED APPROACH TO COMPLIANCE AND RISK MANAGEMENT IS THE BEST WAY FORWARD OCTOBER 2011

6 clients. Frequently the details are maintained on an Excel spreadsheet, in some instances they remain on hard copy documents within individual client KYC files. Regulatory expectations have evolved and in doing so they have added considerable burden to firms at a time when the prevailing manual processes are resource intensive and subject to human error. The client data systems were designed to retain information in relation to a client s finances, including account balances, transactions and turnover. The critical data was the client name and account number. There was no requirement for the application of additional data and indeed the posting of such data would potentially increase the risks of fraud, identity theft and account takeover. Technology and automation The simple fact is that risks are now different and the only way to effectively manage and control these risks is to adjust, change and add supplementary data management technology solutions. The forward thinking compliance risk specialist is looking for the best data provider to reduce the number of false positives and in doing so to drive the improved efficiency and effectiveness of the sanctions risk management program. At the same time firms are reviewing the way in which KYC data is collected, recorded, retained and used. It is becoming increasingly important for regulated firms to proactively monitor and screen persons associated with corporate clients, including ultimate beneficial owners, directors, controllers and partners. By not periodically screening the names of these individuals against up-to-date sanctions lists, the regulated firm is running an increased level of risk which may not be acceptable to regulators. There is an absolute crucial requirement for audit trails to be maintained which clearly demonstrates and maked evident a firm s compliance with laws and regulations as they apply to client data. This will include the screening of all relevant names and parties, both at the time of originating a relationship and on an ongoing basis, as well as the subsequent analysis and investigation of the same. The ever increasing burden means assurances, efficiencies and perhaps even peace of mind are becoming more elusive and difficult to acquire. It is a never ending task, similar to applying paint to great bridges, where the completion of painting one side of the bridge is the signal to initiate re-painting the other side. Hence the age old saying for all never ending tasks, It s like painting the Forth Bridge! But behold, there are reports (Financial Times 6th September 2011) of a new paint that protects bridges for a period of 25 years. So what is the relevance and application of this story to the business of compliance and the role of the professionals? It is an enhanced, tried, tested and approved system; it is monumental change in the effective and efficient management of risk. For sure the paint will have an increased cost but it is an improvement to an existing process that will provide significant savings. Compliance risk professionals firms and shareholders can derive enormous benefits, in particular improved risk management and peace of mind, from the purchase and implementation of enhanced, integrated and automated risk management systems. In the long-term such systems have the potential to deliver real cost and resource savings, leading to increased profits and stronger controls. 6 AN INTEGRATED APPROACH TO COMPLIANCE AND RISK MANAGEMENT IS THE BEST WAY FORWARD OCTOBER 2011

7 THE WAY FORWARD The added regulatory requirements that have emerged and continue to emerge from the global financial crisis demand more: more capital (capital adequacy), more data (transaction reporting) and more transparency. The common denominator is information. Now more than ever firms need to collect, distribute and use an increasing volume of data. It is the management of this data collection and distribution processes which needs to be carefully administrated and well documented by the compliance risk professionals. Failure to properly collect, translate, use, distribute or forward relevant data can present serious regulatory jeopardy at the same time as creating a genuine financial crime risk to a firm. When collecting data, firms need to acquire PEP lists, which are regularly updated, and meet with regulatory requirements and expectations. As stated, the rapidly transforming political landscapes in the Middle East has resulted in an increased frequency of additional names being added to sanctions lists. The quality, adequacy, and completeness of data can reduce anxieties and drive efficiencies. Confidence in both a process and the data fed into a process is of paramount importance. The business of sanctions compliance is not minimalist and certainly not one where any form of corner cutting is acceptable. Recent, severe financial penalties bear testimony to an aggressive and robust regulatory regime within which systemic failures will not be tolerated. Ideally the data provided by vendors should also be blended and perhaps even categorised or graded. Data which has been analysed and investigated generates value added intelligence. This is particularly so in relation to PEPs and the management of the potential risks presented by PEPs. It is the additional intelligence, including allegations and negative media reports which present the compliance risk professional with the opportunity to focus risk management resources and determine levels of due diligence and subsequent account activity monitoring. Thus there is real benefit to be derived from intelligence related to a PEP s additional activities, corporate connections and business associates. It is the smart, innovative application of the data which increases efficiencies and engenders confidence of both the compliance risk professional and ultimately the regulators. At the same time such practices will deter criminals, including corrupt PEPs and money launderers. In essence the additional intelligence is an enabler which allows the compliance risk professional to implement an effective, robust, structured program which is graduated and subsequently managed accordingly. It is the presence or absence of additional intelligence which can drive the risk categorisation and the improved allocation of all too often finite risk management resources. The onus is upon the compliance risk professional to make an evaluation and this cannot be undertaken without intelligence. In the event the data provided by a vendor is raw, unchecked, unrefined and/or devoid of analysis, the value is reduced and at the same time the burden and demands upon the compliance risk professionals increase. The challenge facing firms and their compliance risk professionals is how to ensure all of the relevant names and data are captured within a screening process. Is there a system or a process which can efficiently and effectively transform hard copy KYC data into a format which can be screened in an automated environment? Do firms need to review entire client adoption and review processes? Is there a necessity for a new system, a new platform, indeed, a new way of thinking? Necessity is the mother of all invention and it is necessity which will continue to transform the compliance risk programs. It is necessity which will in fact revolutionize the ways in which firms obtain, use and maintain client data. The demands of yet more legislation are on the horizon, for example the Foreign Account Tax Compliance Act (FATCA) will soon become a contract between the US Government and banks. Quite simply, to remain in business the compliance risk professional needs to think ahead and evidence of actual compliance is vital. 7 AN INTEGRATED APPROACH TO COMPLIANCE AND RISK MANAGEMENT IS THE BEST WAY FORWARD OCTOBER 2011

8 CONCLUSION At a time when profits are down and budgets are being cut the compliance risk professional is faced with ever increasing demands of new legislation and regulation. All the while it is essential that clients, transactions and indeed employees are screened and monitored. There are real resource implications, but now is not the time to gamble with a firm s or a senior manager s reputation when diluting and weakening the compliance risk function. The level of fiscal sanction for regulatory breaches is continuing to increase substantially; simultaneously regulators and law enforcement have targeted individuals, including owners and senior managers to make them accountable and responsible for their actions. This trend and pattern of sanction should be used by the compliance professional to stimulate the thinking of senior managers and provoke greater engagement in the risk management processes. It will be the presence of a well presented, documented, auditable process which will impress the regulators while conversely the absence of such will bring increased scrutiny and challenge. The compliance risk professional needs to use a system and process that they are comfortable with and confident in. The ideal solutions are automated, incorporating technology, the required, preferably blended data, appropriate, adequate screening and an audit functionality upon which all stakeholders can place reliance. It is critical that firms have in place the resources to deal with the output from the screening and a program which reacts quickly and dynamically to changing threats, new challenges, new names on sanctions lists, rogue PEPs and regulatory expectations. False positive matches between client/ transaction data and sanctions data cost time and money. The purchase and application of well managed, properly translated, blended and indexed data will undoubtedly generate regulatory approval and simultaneously, can actually have a positive impact upon resource costs and allocation. The Arab Spring has shown the compliance risk professional that yesterday s handshake means nothing in the transforming world of international politics. It can quickly be replaced with a war crime s indictment and a sanctioned status. Firms need to be reactionary to these developments and indeed anticipate them. It is vital that firms know whether their data provider is capable of monitoring these developments and making the necessary enhancements and adjustments to lists, which will safeguard the firm against potential sanction breaches. Integration demands reliance upon partners, systems, processes and staff. Reputations can take a life time to build, but can be destroyed in an instant. Money is short-term; reputations endure, good and bad. The role of the compliance risk professional is to protect firms, clients, shareholders, senior managers and their own reputation. There is a requirement for individuals to be fit and proper to perform their roles such credentials need to be maintained. It is not possible for any compliance risk professional to be all seeing in all places at all times. For reduced anxiety and ultimately peace of mind, he/she needs to be able to have full confidence in an integrated compliance risk management program that incorporates the requisite data, effective technology and like minded, positive thinking, hard working people with integrity and commitment. 8 AN INTEGRATED APPROACH TO COMPLIANCE AND RISK MANAGEMENT IS THE BEST WAY FORWARD OCTOBER 2011

9 THOMSON REUTERS ACCELUS Thomson Reuters Governance, Risk & Compliance (GRC) business unit provides comprehensive solutions that connect our customers business to the ever-changing regulatory environment. GRC serves audit, compliance, finance, legal, and risk professionals in financial services, law firms, insurance, and other industries impacted by regulatory change. The Accelus suite of products provides powerful tools and information that enable proactive insights, dynamic connections, and informed choices that drive overall business performance. Accelus is the combination of the market-leading solutions provided by the heritage businesses of Complinet, IntegraScreen, Northland Solutions, Oden, Paisley, West s Capitol Watch, Westlaw Business, Westlaw Compliance Advisor and World-Check. For more information, visit accelus.thomsonreuters.com 2011 Thomson Reuters L /01-12