Risk Based Approach putting it into practice

Transcription

1 Risk Based Approach putting it into practice Collin Lobo Regional Head of Financial Crime Risk Middle East, Pakistan and Africa Disclaimer This presentation / document has been prepared to assist improve the general awareness about Risk Based Approach to AML / Sanctions / Financial Crime in general and KYC / CDD processes in specific for the attendees of the Outreach Session by DFSA and has been created for discussion purposes only. It reflects only the personal views of the author and not of Standard Chartered Bank. Neither the author nor Standard Chartered Bank accepts any responsibility or liability whatsoever in regards to its contents.

2 Agenda Introduction Why do we need RBA a practitioner s perspective? What does a risk based approach mean to us? How do you go about putting a RBA into practice? Policy Risk Assessment Enterprise Client Segment Product Operating Procedures On-going monitoring Training What can go wrong? Q & A

3 Why do we need RBA? We need a RBA to help us as an authorised firm to: Identify and measure potentially higher risk areas of money laundering, terrorist financing and sanctions; Develop strategies to mitigate those risks that have been identified; and Help focus resources (human and financial) in areas that are deemed higher risk from a financial crime risk perspective. Because We operate in different geographies We offer somewhat different client solutions We have different operating models, are different in size and complexity We don t have a blank cheque! and ONE SIZE DOES NOT FIT ALL!!

4 What does RBA mean to us? Allows us to risk categorize our business, products and clients from an FCR perspective Include a documented risk assessment covering financial crime risks (ML,TF, Sanctions, ABC and Fraud) Risk assessment for Financial Crime Risk takes into account: Clients and business relationships Products, services and delivery channels Jurisdictions where we draw our client base from Jurisdiction where we operate Continuous identification of areas for improvement in the risk assessment and associated policies and procedures Independent assurance that it is working in practice

5 Overarching RBA philosophy Group AML policies and procedures Risk Assessment Global, Geography, Customer flow through to Businesses (Wholesale, Consumer & Private Banking Customer on-boarding procedures bespoke written procedures within the boundaries of Group policies by each Business On-going monitoring Transaction surveillance, Sanctions filtering, periodic review, trigger-event reviews and Dynamic Risk Rating Training Bespoke and fit-for-purpose training to staff Tellers / Branches, Cash Management, Trade, RMs, CDD Advisory and Senior Management Assurance 3 lines of defence KCSAs (first line), Compliance Monitoring (2nd line), Group and Country Audit (3rd line)

6 Building blocks that synergise each other Financial Crime policies and procedures Client on-boarding KYC / CDD Governance Ongoing monitoring Assurance Transaction screening Client screening AML surveillance CDD Review Systems, Organization and Resources Training

7 RBA KYC (client on-boarding) AML Risk Assessment Identification & Verification Client screening Client due diligence Client acceptance Risk-based approach ensuring more due diligence for situations where there is greater money laundering risk Risk factors include geography, industry, products, clients, regulatory requirements Collection of information that identifies clients and verification of accuracy of information Screening of names of clients and related parties against watch lists including sanctions lists, politically exposed persons lists, adverse media lists and internal lists Collection of information to understand nature of relationship the client is seeking with the Bank Understanding whether client will introduce AML risks to the Bank Ensure that AML risks are acceptable before onboarding Restrict or reject relationships where risks are not acceptable Escalation to senior management/ governance committees if required CDD is embedded in the end to end client onboarding process; No new client will be accepted without an authorised CDD record.

8 RBA the nuts and bolts (current) Risk override Sanctions risk Compulsory EDD Co. type, age, Country Final risk rating Country specific 5 key risk pools drive risk assessment to arrive at SDD (Standard Due Diligence) or EDD (Enhanced Due Diligence)

9 What does each risk pool mean? Co. type, age, Country Risk over-ride Combination of multiple, over-riding risk parameter feeds Business type, age, country of inc. or operation (higher) Allows assignment of SDD rating for listed entities, companies subject to statutory licensing, Governments, Ministries, SWEPEs etc irrespective of Co. type, age, Country rating Sanctions risk Link to any sanctioned country required assignment of EDD risk rating and obtaining related approvals Compulsory EDD CDD procedures require assignment of compulsory EDD risk rating for specific client types (PEP link, off-shore trusts, gambling / casino businesses, arms, bearer shares, rough diamonds etc.) Country specific Over and above Group CDD policies and procedures, local country regulators may require assignment of specific risk rating to certain types of clients (manual over-ride in ecdd system)

10 RBA the nuts and bolts (enhanced) Country of establishment or operation Industry Client AML risk rating Banking products and services Client AML risk L M H Ownership, regulated status, length of relationship AML Control \ Risk Due Dilig ence Requ irem ent All clients Defined situation Frequency of CDD Review Automated AML surveillance risk weighting L M H Low Medium High Standard Due Diligence (SDD) Enhanced DD (EDD) Specialised Due Diligence (SpecDD) Every 3 years Annually Low Medium High Based on global benchmarking and studies, we are moving to a more focused, next-gen risk assessment mode

11 RBA the nuts and bolts (enhanced) SpecDD Special Due Diligence based on the driver PEP, Sanctions, Complex Ownership, FI / Correspondent Banking/ MSBs, Adverse media Client AML risk rating is now independent to Due Diligence level (SDD / EDD and Spec DD) Due Diligence level drives the periodicity of CDD reivew(1 or 3 years) Client AML risk rating drives the risk-based thresholds in surveillance systems (progressive thresholds set for each Detection Scenario based on risk rating) Client AML Risk Rating flows-through to Transaction Surveillance systems to help build RBA in our Financial Crime Intelligence Operations program

12 Multiple levels of review / sign-off Role SDD EDD / Spec DD Relationship Manager Sign off / Approve Recommend Compliance / FCR ---- Review / Advise Sr Management ---- Sign off / Approve Country Governance ---- Review periodically For signing off CDD file, RMs consider all the information gathered during the due diligence process, including consideration of any reputational risks identified through media searches. Material reputational risk considerations are escalated to Senior management for consideration and decision

13 Ongoing monitoring / continuous loopback Stage Transactions screening Nature of activity Automated screening of cross-border SWIFT messages to / from against numerous regulatory (e.g. OFAC) and internal watch lists Client screening Comparison of client names against a wider set of watch lists e.g. sanctioned persons, politically exposed persons (PEPs), internal lists AML surveillance Post-transaction review Detection Scenarios, prompting investigation ; performing research and analytics to generate FCR intelligence ; and disclosure to authorities as a STR where appropriate CDD review Three key activities information updates; trigger-based CDD reviews, periodic CDD reviews. Follows similar process as client on-boarding to ensure appropriate challenge

14 Assurance three lines of defence 1st line Business (Front Office) Act as primary gatekeepers for client acquisition Ensures ongoing compliance with all relevant policies and procedures Tools include MI (KRIs, KCIs, KPIs), Key Control Standards, Key Control Self Assessments, Peer Reviews 2nd line Compliance and other RCOs Sets policies and standards for regulatory compliance Provides advice to business in relation to policies Monitors to ensure ongoing business adherence to policies Tools include Compliance Monitoring Reviews, Controls Effectiveness Reviews 3rd line Group Internal Audit Conducts internal audits Assesses effectiveness of a process as a whole

15 What can go wrong? Failure to include all products and systems will cause your risk assessment to be incorrect Failure to include all key stakeholders will not allow you to consider operational challenges faced by them Failure to interpret/implement local requirements will expose you to local regulatory risk and internal challenges from assurance functions (e.g. Internal Audit) Over complicated procedures will cause confusion in the front line Failure to train staff appropriately will lead to poor quality of CDD Overly rigid procedures may cause operational difficulties Failure to have a process of continuous evaluation of risk and associated procedures will expose your organization to ML/TF/Sanctions risk