Anti-Money-Laundering (AML) & Countering Financing of Terrorism (CFT) Risk Management in Emerging Market Banks. Good Practice Note 1. © International Finance Corporation 2019. All rights reserved. 2121 Pennsylvania Avenue, N.W., Washington, D.C. 20433. Internet: www.ifc.org. The material in this work is copyrighted. Copying and/or transmitting portions or all of this work without permission may be a violation of applicable law. The contents of this document are made available solely for general information purposes pertaining to AML/CFT compliance and risk management by emerging market banks. IFC does not guarantee the accuracy, reliability or completeness of the content included in this work, or of the conclusions or judgments described herein, and accepts no responsibility or liability for any omissions or errors (including, without limitation, typographical errors and technical errors) in the content whatsoever or for reliance thereon. IFC or its affiliates may have an investment in, provide other advice or services to, or otherwise have a financial interest in, certain of the companies and parties that may be named herein. Any reliance you or any other user of this document place on such information is strictly at your own risk. This document may include content provided by third parties, including links and content from third-party websites and publications. IFC is not responsible for the accuracy of the content of any third-party information or any linked content contained in any third-party website. Content contained on such third-party websites or otherwise in such publications is not incorporated by reference into this document. The inclusion of any third-party link or content does not imply any endorsement by IFC nor by any member of the World Bank Group.
All statements and/or opinions expressed in these materials are solely the opinions and the responsibility of the person or entity providing those materials, and do not necessarily reflect the opinion of IFC. This document does not constitute legal, regulatory or investment advice, nor guidance or advice regarding the preparation of policies and procedures relating to AML/CFT compliance and risk management, and we assume no duty of care with respect to this document. The practices and standards described in this document may not be sufficient under applicable law or for another financial institution with which the user seeks to do business. Users of this guide are urged to seek their own advice with respect to AML/CFT standards applicable to them, as well as the practices and procedures that they implement with respect to AML/CFT compliance and risk management. International Finance Corporation is an international organization established by Articles of Agreement among its member countries, and a member of the World Bank Group. All names, logos and trademarks are the property of IFC and you may not use any of such materials for any purpose without the express written consent of IFC. Additionally, “International Finance Corporation” and “IFC” are registered trademarks of IFC and are protected under international law. 
Anti-Money-Laundering (AML) & Countering Financing of Terrorism (CFT) Risk Management in Emerging Market Banks
Good Practice Note

Table of Contents
FOREWORD
ACKNOWLEDGMENTS & ABBREVIATIONS OF COMMON TERMS
CHAPTER 1: INTRODUCTION
CHAPTER 2: ESTABLISHING A SOUND FINANCIAL INSTITUTION RISK MANAGEMENT FRAMEWORK, GOVERNANCE STRUCTURE, AND CULTURE
CHAPTER 3: ESSENTIAL ELEMENTS OF A SOUND AML/CFT PROGRAM
  3.1 Introduction
  3.2 Governance
  3.3 Risk Identification, Assessment, and Mitigation
  3.4 Policies and Procedures
  3.5 Customer Identification and Due Diligence
  3.6 Transaction Monitoring
  3.7 Reporting
  3.8 Communication and Training
  3.9 Continuous Improvement and Testing
  3.10 Internal and External Audit
CHAPTER 4: DEALING WITH YOUR CORRESPONDENT BANK AND OTHER STAKEHOLDERS
CHAPTER 5: AML/CFT PROGRAM MATURITY FRAMEWORK SELF-ASSESSMENT
CHAPTER 6: CONCLUSION
ANNEX 1: INITIATIVES UNDERTAKEN BY INTERNATIONAL INSTITUTIONS AND SYSTEMIC BANKS TO ADDRESS DE-RISKING
ANNEX 2: RECENT DEVELOPMENTS IN CORRESPONDENT BANKING
ANNEX 3: LIST OF MOST RELEVANT FINANCIAL ACTION TASK FORCE RECOMMENDATIONS AND BASEL PUBLICATIONS
ANNEX 4: GENERAL GUIDE TO ACCOUNT OPENING
ANNEX 5: WOLFSBERG GUIDELINES

Foreword

In recent years, simultaneous increases in reserve capital requirements and in Anti-Money Laundering and Countering the Financing of Terrorism (AML/CFT) compliance requirements have created a marked increase in cost and complexity for banks globally. While many of these regulatory changes have increased financial system resilience and helped battle financial crime, they have also put increased pressure on correspondent banking relationships and cross-border financial networks. These networks make trade possible, support remittances, and facilitate foreign currency settlements.
Faced with orders for corrective action, deferred prosecution agreements, and punitive financial fines issued by regulators, correspondent banks have responded by limiting their activities to markets with more acceptable regulatory risk-reward economics. The regulatory challenges and commercial economic factors in many of the emerging markets, particularly the smaller economies, have resulted in a disproportionate increase in costs and implementation challenges, exacerbated by the impact of the withdrawal of correspondent banking relationships. There has been a notable concentration of flows within trade lines and remittance channels, undermining smaller local banks, which can be critical to financial sector stability and the growth and prosperity of emerging market countries. IFC’s study and publication, “De-Risking and Other Challenges in the Emerging Market Financial Sector,”1 highlighted that over 25 percent of 300-plus banks in over 90 emerging markets reported correspondent bank relationship losses. Seventy-two percent of the banks covered by the study reported that they face exogenous challenges, primarily correspondent banking stress and related compliance challenges, that have touched every surveyed market irrespective of size or risk. There is a compelling business case to be made for upgrading a bank’s AML/CFT capabilities. Banks that lead the way in emerging markets are in stronger positions to maintain and/or grow their cross-border correspondent banking networks, putting them in a position to better serve customers and their respective connections to the global economy. This provides unique growth opportunities for their business, strengthening their market presence and stability. It opens doors to deeper data-driven innovation for viewing their markets, customers and product potential, which shifts their own individual growth curve.
As expectations for continuous improvement in AML/CFT compliance pervade the global financial system, it is important that EM financial institutions: (i) understand the business implications of ML/FT along with the implications for security and criminality; (ii) identify additional compliance requirements for participating in the global financial system; and (iii) find their own path to excellence in this area. We recognize that each country and each institution is different; each will need different levels of support or clarity as they work to achieve these goals. However, in many cases, the request is for guidance across several fronts: basic AML/CFT concepts, interpreting and implementing regulatory guidance, correspondent bank reporting and systems alignment, interpreting US/EU regulatory requirements, and technology-based solutions. It is our belief that this publication can provide a measure of guidance, and that it can spur additional solutions opportunities to address the challenges currently faced by cross-border financial networks. It is my hope that, as each financial institution stretches to address this issue, the attention to quality and excellence as well as the opportunity for innovation embedded in the collective effort will provide for an even stronger EM global financial system.

Paulo de Bolle, Senior Director, Global Financial Institutions Group

1 http://documents.worldbank.org/curated/en/895821510730571841/pdf/121275-WP-IFC-2017-Survey-on-Correspondent-Banking-in-EMs-PUBLIC.pdf

Acknowledgments

Under the supervision of Manuela Adl and Cameron Evans, this Good Practice Note was prepared with contributions from Ebrahim Farouk, Annetta Cortez, Yannick Stephant, Susan Starnes, Robert Heffernan, Brian Robert Sokoliuk, Margarete O. Biallas, Mariyam Zhumadil, William C. Hayworth, Matthew Huggins, Sokhareth Kim, Elizabeth Gibbens, Andrew Berghauser, Lauren Kaley Johnson, and Rob Wright.
IFC would like to thank our colleagues and partners who reviewed and provided insightful comments on the document, including Yan Liu, IMF Assistant General Counsel; Emile J. M. Van Der Does De Willebois, World Bank Lead Financial Sector Specialist; John T. Murray, BNY Mellon; Ayo Omoogun, Standard Chartered Bank; William L. Burmeister, Citibank; Lisan Hannah, The Bank of Nova Scotia; Lauren Girard and Jeff Gontero, JP Morgan Chase; Steven Puig, Banco BHD León; and Miriam Ratkovicova, Deloitte Transactions and Business Analytics LLP. Without their input, this publication would not have materialized.

Abbreviations of Common Terms

AML Anti-money laundering
BCBS Basel Committee on Banking Supervision
BIS Bank for International Settlements
CBR Correspondent banking relationship
CDD Customer due diligence
CFT Combating the financing of terrorism
COSO The Committee of Sponsoring Organizations of the Treadway Commission
CPMI The Committee on Payment and Market Infrastructures
EDD Enhanced due diligence
FATF Financial Action Task Force
FIU Financial intelligence unit
FSB Financial Stability Board
FT Financing of terrorism
GPN Good Practice Note
IFC International Finance Corporation
IMF International Monetary Fund
KRI Key risk indicators
KYC Know your customer
KYCC Know your customer’s customer
ML Money laundering
MTO Money transfer operators
PEP Politically exposed person
STR Suspicious-transaction report
WBG World Bank Group

Chapter 1: Introduction

Background

The International Finance Corporation (IFC) is the private sector arm of the World Bank Group (WBG) and one of the leading investors and lenders in emerging markets. IFC’s vision is that people should have the opportunity to escape poverty and improve their lives. IFC’s purpose is to promote open and competitive markets in developing countries, support companies and other private sector partners, generate productive jobs, and deliver basic services.
IFC’s belief is that inclusion of emerging markets in the global economy is critical for building strong global financial systems. Efforts to strengthen the global financial system following the 2007-2008 global financial crisis have contributed to the withdrawal of correspondent banking services, which has a disproportionately negative impact on emerging markets. In the 2017 Correspondent Banking in Emerging Markets Survey2 of over 300 banking clients in 92 countries, more than a quarter of global survey participants claimed reductions in correspondent banking relationships (CBRs). Increasingly, correspondent banks are paying greater attention to their respondents’ Anti-Money Laundering / Combating the Financing of Terrorism (AML/CFT) program effectiveness, Know Your Customer and Customer Due Diligence (KYC/CDD) programs, and their jurisdiction-related obligations to comply with AML/CFT requirements.3 In the Survey, private sector emerging market banks identified assistance with understanding and adapting to new global standards as one solution component that would be most useful. In response, IFC has published this Good Practice Note: AML/CFT Risk Management in Emerging Market Banks (GPN) for banks to advance their knowledge and capabilities in AML/CFT risk management and to facilitate and support the maintenance of CBRs.

2 IFC. 2018. De-Risking and Other Challenges in the Emerging Market Financial Sector.
3 The World Bank Group. 2018. The Decline in Access to Correspondent Banking Services in Emerging Markets: Trends, Impacts, and Solutions.

De-Risking and its Impact on Emerging Markets

For simplicity, this GPN defines correspondent banking as an “arrangement under which one bank (correspondent) holds deposits owned by other banks (respondents) and provides payment and other services to those respondent banks.”4 Correspondent banking facilitates banking services and is critical to international economic infrastructure. Some of the banking services and products affected by reductions in correspondent banking are listed in the table that follows.

Primary Products/Services:
• Clearing and settlement
• International wire transfers
• Cash management services
• Trade finance/credit letters and documentary collections
• Foreign exchange services

Secondary Products/Services:
• Investment services
• Structured finance/foreign investment
• Securities custody services
• Cross-border lending
• Check clearing

Correspondent banking relationships play a key role in linking emerging market banks and their customers to the global financial system. Through these contractual relationships, emerging market banks (often in the role of respondents) gain access to financial services in foreign jurisdictions and provide cross-border payment services to their customers, ultimately promoting inclusion in the global financial system.

In recent years, a decline in correspondent banking relationships known as “de-risking” has become apparent. According to the Financial Action Task Force (FATF), de-risking refers to the “phenomenon of financial institutions terminating or restricting business relationships with clients or categories of clients to avoid, rather than manage, AML/CFT risk in line with the FATF’s risk-based approach.”5 The de-risking trend appears to affect the smallest and poorest countries in emerging markets more severely, although none are immune. A recent publication issued by IFC indicates that Sub-Saharan Africa, North Africa, the Middle East, Latin America and the Caribbean, and Europe and Central Asia are among the regions that most frequently reported a decline in correspondent banking relationships.6

The factors contributing to the termination of correspondent banking relationships are multiple and interrelated. As shown in Box 1, the drivers of de-risking can be grouped into two categories: business related, and regulatory and risk related. The drivers may lead to either a complete withdrawal from markets, banks, and/or client segments, or selective de-risking in the form of a partial withdrawal of correspondent banking services.

Box 1: De-Risking Drivers and De-Risking Approaches
De-Risking Drivers:
• Business related: profitability; strategy; prudential requirements
• Regulatory and risk related: uncertainty; regulatory intent; AML/CFT; KYC; non-compliance fears
De-Risking Approaches:
• Selective de-risking: partial withdrawal of correspondent banking services
• Wholesale de-risking: complete withdrawal from markets and/or client segments
Source: Excerpt from The Bankers Association for Finance and Trade (BAFT), De-Risking: How to address the de-risking dynamics?

4 CPMI. 2015. A glossary of terms used in payments and settlement systems.
5 http://www.fatf-gafi.org/topics/fatfrecommendations/documents/rba-and-de-risking.html
6 IFC. 2017. De-Risking and Other Challenges in the Emerging Market Financial Sector.

The ongoing evolution of higher AML/CFT risk management standards at the regional, national, and sometimes subnational level has created increasing ambiguity as well as inconsistent expectations. This environment has increasingly challenged developed market and emerging market banks in appropriately implementing risk-based controls and determining their reasonable risk appetite. For example, in 2016, to provide additional clarification on customer due diligence for correspondent banking relationships, FATF stated that banks are not required to conduct customer due diligence on the customers of their customers (known as KYCC). Despite these efforts to clarify customer due diligence requirements, some global banks remain concerned about the clarity of regulatory expectations and the liability associated with any failure of their own AML/CFT risk management systems and processes to fully meet regulatory standards. The uncertainty around due diligence on a customer’s customer makes it difficult for correspondent banks to assess the risk associated with respondent banks and motivates them to terminate some of these relationships.7

Increasing compliance costs have also affected the risk-reward calculation for offering and maintaining correspondent banking relationships. Some of these costs, such as operational ones, are easy to quantify. Other costs, such as the reputational impact of potential enforcement actions, are harder to assess. Many banks, recognizing the business need, are instituting global best practices and investing in new processes and systems to more efficiently and effectively manage AML/CFT risk. Some of these investments include detailed KYC databases, systems enabling ongoing monitoring of their customers’ transactions, and investigating, as appropriate, unusual and potentially suspicious transactions.

A decline in correspondent banking relationships has been a concern for emerging market countries for some time given that this trend appears to negatively affect trade, putting at risk the import and export of critical goods and ultimately economic growth.8 In the Caribbean, for example, countries rely heavily on trade and cross-border payments, to the extent that in 2014 Caribbean countries’ external trade accounted for 94 percent of those countries’ collective GDP. Additionally, these countries rely heavily on the import of large portions of their essential food, energy, and medical supplies.

The WBG’s paper that summarizes the main observations of the eight country case studies conducted in 2017 suggests that money transfer operators (MTOs) have been particularly affected. In almost all surveyed countries, a number of respondent banks have been instructed by their correspondent banks to stop servicing MTOs. Cross-border financial services provided by MTOs are used intensively in emerging markets. The flow of funds from migrant workers to their home countries is an important source of income in many emerging economies.9 The decline in CBRs can negatively affect remittances and the ability of families in emerging markets to receive income they depend on.

The IFC’s purpose in publishing this GPN is to provide practical guidance and information to assist emerging market banks in profitably providing cross-border services to their clients, managing their correspondent relationships more effectively, maintaining their existing CBRs to avoid de-risking, and facilitating the opening of new CBRs.

In September 2018, IFC published “Navigating Essential Anti-Money Laundering and Combating the Financing of Terrorism Requirements in Trade Finance: A Guide for Respondent Banks” to increase respondent banks’ awareness of AML/CFT requirements and developments as they relate to trade finance. Similar to the GPN, this guide is intended to assist emerging market banks in securing and retaining CBRs. Both publications are intended to assist emerging market banks in developing and revising their risk management strategies, with the former providing guidance related to a robust enterprise-wide AML/CFT program and the latter mainly focusing on AML/CFT developments related to trade finance.

Other organizations, such as the World Bank, International Monetary Fund (IMF), and Financial Stability Board (FSB), are also monitoring developments and analyzing the impact of the decline in CBRs. The GPN is unique in that it is in response to our clients’ requests and aims to be a practical guide that may help mitigate some of the negative impacts of de-risking while adding to the many initiatives undertaken by the international community to address de-risking.10

7 CPMI. 2016. Correspondent Banking.
8 IFC. 2018. De-Risking and Other Challenges in the Emerging Market Financial Sector.
9 The World Bank Group. 2017. The Decline in Access to Correspondent Banking Services in Emerging Markets: Trends, Impacts, and Solutions.

About This Good Practice Note

This GPN synthesizes current international AML/CFT standards and guiding principles in a practical format to assist banks in emerging markets in effectively implementing the desired good practices that will enhance the maintenance of CBRs.

Why Should a Bank like Yours Invest in the Development of a Robust AML/CFT Program?

A robust AML/CFT program requires a substantial investment because it calls not only for a sufficient number of experienced resources but also for advanced technology that can support the bank’s AML/CFT compliance function to better identify, measure, monitor, control, and report on Money Laundering/Financing of Terrorism (ML/FT) risks. So why should a bank like yours want to make this investment? Having a robust AML/CFT program offers multiple benefits to your bank. Consider that:
• An AML/CFT program can mitigate the risk faced by a correspondent bank in doing business with you if your bank is located in a high-risk jurisdiction, and can bring the overall residual risk to a level acceptable to your correspondent banks.
• Your ability to obtain and retain CBRs will enable your bank to provide the full spectrum of offshore banking services demanded by your high-value banking customers.
• If your correspondent bank is satisfied with your customer due diligence standards, it will likely be receptive to providing the payable-through-account services you may need.
• Having robust systems and technologies will provide your bank with the capabilities required to participate in KYC utilities used by some large correspondent banks. Such KYC utilities have the potential to improve efficiency and lower costs because less documentation is exchanged. Lower costs have the potential to make CBRs more attractive for correspondent banks that have indicated these relationships have become unprofitable. Additionally, new technologies may lower your own compliance costs over the long run.
• Failure to have an effective AML/CFT compliance program can result in enforcement action from the supervisory authorities that generally includes large fines in addition to:
  • Heightened regulatory scrutiny;
  • Pressure on the bank’s funding and liquidity;
  • Costly remediation efforts and high legal costs;
  • Civil and criminal liability of the board of directors/senior management/other employees;
  • Shareholder lawsuits against the board of directors/senior management for lack of oversight and negligence;
  • Reputational damage;
  • Lack of foreign direct investment; and
  • Higher cost of borrowing in the international arena.

10 Refer to Annex 2 for a list of recent work related to correspondent banking conducted by different international bodies.

This Good Practice Note Will:
• Highlight the business case for respondent banks to invest in an improved AML/CFT risk management program.
• Interpret for emerging market bank professionals the AML/CFT guiding principles and standards published by various international bodies, including FATF, the Basel Committee on Banking Supervision (or BCBS), and the Wolfsberg Group.
• Increase emerging market banks’ awareness of the AML/CFT expectations of U.S. and European regulators that oversee many of their correspondent banks.
• Describe what is expected of emerging market banks implementing an AML/CFT risk management program.
• Highlight where new technologies and operating models may be deployed to enhance emerging market banks’ AML/CFT programs.
• Provide real-world examples and case studies that can be used by banks to enhance their AML/CFT programs.
• Outline a process for self-assessment of the maturity level of an emerging market bank’s AML/CFT program.
• Provide insight into the potential impediments to an emerging market bank’s effective AML/CFT program.

This Good Practice Note Will Not:
• Interpret regulatory requirements and expectations imposed by national and/or local regulators in emerging markets.
• Provide a one-size-fits-all solution that can be deployed by any emerging market bank; instead, the best practices discussed in this GPN should be tailored to the bank’s risk profile and overall risk management framework.

This GPN is organized as follows:
Chapter 1 Introduces the GPN, its role and objectives, the de-risking phenomenon, and its impact on correspondent banking services and emerging markets.
Chapter 2 Introduces the foundational concepts and importance of establishing a strong enterprise risk management framework and links the establishment of the AML/CFT program component within this risk framework.
Chapter 3 Establishes the core of the AML/CFT program within a bank and provides details of the key elements of a bank’s AML/CFT internal controls.
Chapter 4 Supports the bank in establishing a dialogue with its correspondent bank and other stakeholders, such as supervisors, to develop a shared view of requirements and capabilities.
Chapter 5 Establishes the foundation for an internal controls assessment tool and introduces a high-level maturity matrix measuring and/or documenting the strength of internal controls.
Chapter 6 Summarizes the critical elements of the GPN and guidance on how best to manage CBRs.

An AML/CFT risk management program is one of many components of an institution’s overall risk management framework, which includes various risk categories, such as credit risk, interest rate risk, operational risk, compliance risk, and reputational risk, to name a few. An effective risk management framework is fundamental to a safe and sound financial institution, to the financial system of its jurisdiction, and ultimately to the integrity of the international financial system. Although this GPN briefly discusses the link between a bank’s overall risk management framework and other financial crime risks (including AML/CFT, fraud, anti-bribery and corruption, market manipulation and tax evasion risks), its main focus is on the development and enhancement of the AML/CFT compliance component.

Chapter 2: Establishing a Sound Financial Institution Risk Management Framework, Governance Structure, and Culture

Introduction

Taking risk is fundamental to the business of banking. Successfully managing those same risks is critical to profitable and sustainable banking. Establishing a strong risk management framework for the range of risks encountered by a bank is essential for its safe and sound operation. A formal risk management program creates the framework for identifying, measuring, monitoring, reporting, and ultimately addressing risks. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) Enterprise Risk Management (ERM) Framework is one example of an internationally accepted framework. It is similar to other international risk management guidance from the Basel Committee on Banking Supervision (BCBS), the International Organization for Standardization (ISO), and others.11

A strong risk management framework sets the foundation for establishing a robust AML/CFT program. Regardless of size and complexity, a bank must have effective risk management programs appropriately designed for the organization’s products, services, customers and overall risk profile. Adequate risk management frameworks can vary considerably in sophistication based on the bank’s business strategy, markets, and risk profile, but are ultimately judged by their effectiveness in managing risk across all of a bank’s operations.

The principles of sound risk management apply to the entire spectrum of risks facing a financial institution, including, but not limited to, business/strategic, market, credit, liquidity, operational, legal, reputational, and compliance risk, each of which is best described as follows:12
• Business/Strategic risk is the risk that affects or is created by an organization’s business strategy and strategic objectives.
• Market risk is the risk to a bank’s financial condition resulting from adverse movements in market rates or prices, such as interest rates (for example, interest rate risk), foreign exchange rates, or equity prices.
• Credit risk arises from the potential that a borrower or counterparty will fail to perform on an obligation.
• Liquidity risk is the potential that an institution will be unable to meet its obligations as they come due because of insufficient funds or an inability to liquidate assets or obtain adequate funding, or that it cannot easily unwind or offset specific exposures without significantly affecting its balance sheet/capital levels, in some cases as a result of lowered market prices because of inadequate market depth or market disruptions.
• Operational risk arises from inadequate or failed internal processes, people, and systems or from external events. Examples include inadequate information systems, operational execution problems, breaches in internal controls, fraud, or unforeseen external catastrophes that result in unexpected losses.
• Legal risk arises from the potential that unenforceable contracts, lawsuits, or adverse judgments can disrupt or otherwise negatively affect the operations or condition of a banking organization.
• Reputational risk is the potential that negative publicity regarding an institution’s business practices, whether true or not, will cause a decline in the customer base, costly litigation, or revenue reductions.
• Compliance risk is the exposure to legal penalties, financial forfeiture and material loss an organization faces when it fails to act in accordance with industry laws and regulations, internal policies or prescribed best practices.

11 “Enterprise Risk Management—Integrating with Strategy and Performance,” June 2017, Committee of Sponsoring Organizations of the Treadway Commission (COSO), https://www.coso.org/Pages/erm.aspx; “Sound management of risks related to money laundering and financing of terrorism,” June 2017, Basel Committee on Banking Supervision (BCBS), https://www.bis.org/bcbs/publ/d405.htm; “Risk Management – Guidelines, ISO 31000:2018,” International Organization for Standardization (ISO), https://www.iso.org/iso-31000-risk-management.html
12 Board of Governors of the Federal Reserve System SR 95-51.

AML/CFT risks are primarily incorporated within the Compliance or Legal risk category. AML/CFT risks can also affect multiple risk categories, including liquidity, strategic, operational, legal/compliance, reputational, and in some instances credit risk. The Board, Chief Risk Officer (CRO), and senior management must monitor the range of AML/CFT risk across the organization to ensure it remains within the defined risk appetite parameters.

From a risk management perspective, before about 2005, AML/CFT compliance shortcomings generally did not trigger substantive civil and criminal enforcement actions against banks. Over the last 10 years there has been an increasing emphasis on AML/CFT compliance, civil enforcement actions, civil penalties, and criminal prosecutions (deferred and not deferred). This change in emphasis and approach to enforcement of relevant regulations was a result of governments viewing AML/CFT compliance as part of the jurisdiction’s national security infrastructure, versus the earlier view of AML/CFT compliance as more of a bank-internal matter. This shift of prominence and approach to risk management expectations has had substantial effects within jurisdictions as well as across the globe’s financial activities, for example increasing compliance costs, new risk/reward calculations for financial relationships, and the resultant phenomenon of de-risking.

This shift has affected several global banks, which have been subject to varying types of civil and criminal sanctions (financial penalties and remedial regulatory actions) and required to substantially enhance their AML/CFT programs. In addition, FATF’s new mutual evaluation standards, implemented in 2014, which include an effectiveness assessment, have increased pressure on emerging market jurisdictions to reassess and enhance portions of their own AML/CFT infrastructure and internal requirements. As a result, governments and financial sector supervisors worldwide have increasingly emphasized the importance of having a strong culture of AML/CFT compliance within their financial sector and its leadership, including the Board of Directors, senior management, middle management, and owners of banks regardless of size, complexity, or region.

This increasing emphasis and attention on compliance and on financial and criminal penalties (including potential individual liability against AML officers and others) has impacted the cost of AML/CFT compliance and banks’ risk appetites. It also had a direct follow-on effect on the provision of correspondent banking services (for example, de-risking).

Figure 1: AML/CFT Risk Relationship Chart (AML/CFT risk at the centre, linked to business/strategic, compliance, credit, reputational, market, legal, liquidity and operational risk)

Compliance Risk Management

Firmwide compliance risk management13 refers to processes used to manage compliance risk across an entire organization, both within and across business lines, support units, legal entities, and jurisdictions. This approach ensures that compliance risk management is conducted in a broader context than would occur solely within individual business lines or legal entities.

A bank’s compliance risk management program should be documented in the form of compliance policies and procedures and compliance risk management standards. As part of a bank’s risk management framework, regulatory and legal compliance is typically considered within either the Legal risk or Compliance risk category. Regardless, as banking organizations have greatly expanded the scope and global nature of their business activities, the compliance requirements associated with these activities have become more complex. As a result, organizations are confronted with risk management and corporate governance challenges, particularly with respect to compliance risks that transcend business lines, legal entities, and jurisdictions. Many banking organizations have enhanced firmwide compliance risk management programs and program governance/oversight. A firm-wide compliance function plays a key role in managing and overseeing compliance risk, including AML/CFT, while promoting a strong culture of compliance across the organization.

Active Board and Senior Management Oversight

Effective risk management is a central element of proper corporate governance. In particular, the requirement for the Board of Directors to approve and oversee the policies for risk, risk appetite, internal controls, and compliance is appropriate for ML/FT risk. The board of directors must establish an infrastructure to fully identify risk, monitor risk exposures, ensure sufficiency of the internal control environment implemented to manage the unique risks of the bank, and actively engage with leadership and bank personnel concerning the organization’s culture. These responsibilities include:
• Developing business strategy and organizational goals that promote and communicate organizational culture (that is, tone at the top). Culture describes what a group does as opposed to what it says it does. The “control environment” is the organization’s culture. It can be inferred from observable behaviors and a description of prevalent relationships.
• Identifying and hiring qualified senior management.
• Establishing risk appetites and a risk framework, including policies and procedures.
• Monitoring operational performance.
• Aligning business strategy as the business environment evolves.

At the best banks, AML/CFT risk management is regarded as an integral part of a bank’s risk and compliance management framework. Information about AML/CFT risk is communicated to the Board in a timely, complete, understandable and accurate manner so that the board is equipped to make informed decisions. Explicit responsibility is allocated by the Board of Directors, establishing the governance structure of the bank, for ensuring that the bank’s policies and procedures are implemented and managed effectively.

Elements of a sound compliance risk management system14 include the following:
• Active Board and senior management oversight (including emphasis on culture to ensure a balance is achieved between profit motive and risk taking, and compliance across all categories15);
• Comprehensive risk measurement, monitoring, and management information systems; and
The Board and senior management • Comprehensive internal controls, including adequate generally appoint an appropriately qualified chief AML/ policies, procedures, and limits. CFT officer having overall responsibility for the AML/CFT function. The chief AML/CFT officer must have the stature and necessary authority within the bank such that she/he has the necessary access to the Board, senior management, and business lines. 13 Board of Governors of the Federal Reserve System SR 08-08/CA 08-11 October 16, 2008. 14 COSO – Enterprise Risk Management Framework. 15 Risk category examples include business/strategic, credit, market, liquidity, operational, compliance, legal, and reputational risk. 9 Although all Boards of Directors are ultimately responsible Some of the key reports necessary for monitoring the for bank strategy and operations, they also are responsible operation of AML/CFT risk management operations for ensuring that management is taking the necessary steps are related to overall bank risk assessment, customer to identify, measure, monitor, and control these risks, retain identification, periodic assessment and reassessment the level of technical knowledge required to operate a bank, of higher-risk customers, performance of suspicious and communicate the proper culture. transaction monitoring and reporting systems, and trainings. Senior management is responsible for implementing strategies in a manner that manage risks associated with each strategy At a minimum, a bank should have a monitoring system in and ensures compliance with laws and regulations on a place that is suitable with respect to its size, activities, and long-term and day-to-day basis. Accordingly, management complexity as well as the risks present in the bank. 
For most should be fully involved in the activities of their institutions banks, especially those that operate across borders, effective and possess sufficient knowledge of all major business monitoring is likely to require automation of the monitoring lines to ensure that appropriate policies, controls, and risk process. monitoring systems are in place and that lines of authority are clearly delineated. Senior management is also responsible An annual internal audit should evaluate the IT system to for establishing and communicating a strong awareness ensure that it is appropriate and used effectively by the first of and need for effective internal controls and high ethical and second lines of defense.16 standards. Meeting these responsibilities requires senior managers of a bank to have a thorough understanding COMPREHENSIVE INTERNAL CONTROLS, of banking and financial market activities and detailed INCLUDING POLICIES, PROCEDURES, AND LIMITS knowledge of the activities their institution conducts, After the Board and senior management have finalized their including the nature of internal controls necessary to limit the business strategy, quantified the risks within the institution, related risks. and determined their risk appetites (including limits), they then direct senior management to work on designing and RISK MEASUREMENT, MONITORING, AND implementing tailored policies, procedures, and controls for MANAGEMENT INFORMATION SYSTEMS the risks that arise from the bank’s activities and customers. Effective risk monitoring requires identifying and measuring Although all banking organizations should have policies all material risk exposures. As such, risk monitoring activities and procedures that address their significant activities and must be supported by information systems that provide the risks, the coverage and level of detail embodied in these CRO, senior management, and the Board with timely reports statements will vary. 
on the financial condition, operating performance, and risk exposure of the consolidated organization. Regular and At a minimum, banks are required to have a thorough sufficiently detailed reports for line managers (for example, understanding of the inherent ML/FT risks present in its first line) engaged in the day-to-day management of the customer base, products, delivery channels, and services organization’s activities and for compliance managers (for offered (including products under development or to example, second line) are also required. be launched) and the jurisdictions within which it or its customers do business. Policies and procedures for customer Risk measurement, monitoring, reporting, and the acceptance, due diligence and ongoing monitoring should technology that supports these processes has evolved over be designed and implemented to adequately manage the the past years. It is now critical that banks leverage data identified inherent risks. and various systems and technologies to support their AML/ CFT compliance risk management program and program oversight. The use of technology will vary based on the Internal Controls size and complexity of the institution. The chief AML/CFT officer, however, should have access to and benefit from the It is well known that an institution’s internal control IT system as far as it is relevant for his/her function, even if structure is critical to the safe and sound functioning of operated or used by other business lines. the banking organization and its risk management system. 16 BCBS. 2017. Guidelines: Sound Management of Risks Related to Money Laundering and Financing of Terrorism. 10 Therefore, establishing and maintaining an effective system Risk Management and Compliance of controls, including the monitoring of official lines of Oversight Structure: Model authority and ensuring the appropriate separation of duties, is one of management’s most important responsibilities. 
Illustration of the Three lines of Defense The relationship between the internal audit, compliance, and The diagram that follows is an illustration of a risk risk management functions has gained greater regulatory management compliance oversight structure model18. The scrutiny since the 2008 financial crises. Regulators worldwide CRO and, for general compliance and AML/CFT controls, have focused their attention on the role of internal audit the Chief Compliance Officer (CCO) are part of the second and how it complements the overall risk management line of defense, with the senior officer typically having framework and how it assesses business line management, operational responsibility for AML/CFT compliance. It risk management, compliance, and other control functions. should also be noted that in some banks, the CCO may be It is the expectation of regulators that a bank should have an the chief AML/CFT officer. effective risk management function, a compliance function, and an internal audit function. Each of these control In the context of overall risk management, the front office functions, along with the bank’s operational management, customer-facing business units are the first line of defense constitutes a line of defense against the risks the entity faces responsible for identifying, assessing, and managing the and are referred to as the three lines of defense.17 risks within their business areas. They should know and carry out the policies and procedures and be allotted The three lines of defense are as follows: sufficient resources to do so effectively. • First line: operational management; The second line of defense are control functions that ensure • Second line: risk management function, compliance policies and procedures are followed (for example, risk function, and other monitoring functions; and management, compliance, human resources, and legal). • Third line: internal audit function. 
The risk management function facilitates and monitors the implementation of effective risk management practices by business-line management and reports exceptions and the status of first-line implementation. Figure 2: Three Lines of Defense Board of Directors or Board Risk Committee Senior Management FIRST LINE SECOND LINE THIRD LINE OF DEFENSE OF DEFENSE OF DEFENSE Supervisory Authorities External Auditors Risk Management/ Compliance (CCO) Internal Controls Internal Auditors Business Units 17 BCBS - The internal audit function in banks, December 2011; Principles for enhancing corporate governance, October 2010; Compliance and the 18 Adapted from the European Confederation of Institutes of Internal Auditors / Federation of European Risk Management Associations Guidance on the 8th EU Company Law Directive, article 41. 11 The third line of defense is commonly referred to as the CFT reporting responsibilities-- the identification of unusual internal audit function. The internal audit function is and suspicious activity. During their day-to-day activities, responsible for assessing the effectiveness of the design and first-line employees may observe unusual or potentially execution of internal control and compliance with laws, suspicious activity and/or behavior exhibited by customers. rules, and regulations. They also assess the work performed First-line employees are required, according to policies and by the second line to ensure that both lines are performing procedures, to be vigilant in their identification, escalation, as intended. Internal audit independently reports and and reporting of potentially suspicious and or unusual provides periodic written assessment of the testing of activities. Management should ensure that all personnel, controls and applicable legal compliance. 
especially employees who directly interact with customers, adhere to the internal processes for identification and For AML/CFT risk management, the front office customer- referral of potentially suspicious activity. Management facing business units continue to be responsible for must also be clear on the bank’s response to suspicious identifying, assessing, and managing the risks within activity beyond the referral including policies regarding their business areas. (Given the evolving nature of AML/ exiting the client, communications with correspondent CFT expectations and requirements, it is common for the banks, and internal review of previous customer activity. second line to support the first line regarding technical A bank must have adequate policies and processes for knowledge and to perform the AML/CFT risk assessment.) screening prospective and existing staff to ensure high In today’s environment, the AML/CFT second line, led by ethical and professional standards are met. AML/CFT the appointment of the AML officer, not only performs compliance is considered to be the responsibility of second-line compliance testing responsibilities, which can everyone within the organization. be leveraged by the third line (internal audit), but also may operate some first line functions, including monitoring Training of staff is critical. The scope and frequency of for suspicious activity, initial and ongoing screening of such training should be tailored to the risk factors to which customer onboarding, and sanctions compliance screening. employees are exposed due to their responsibilities and the The unit should know and carry out the policies and level and nature of risk present in the bank. All banks should procedures and be allotted sufficient resources to do so implement ongoing employee training programs so that bank effectively. 
The AML/CFT third line of defense performs staff are adequately trained to implement the bank’s policies similar functions and has the same responsibilities as the and procedures. The timing and content of training for institutional third line but is also responsible for this highly various sectors of staff will need to be adapted by the bank technical and risk-based compliance area. according to their needs and the bank’s risk profile. FIRST LINE: OPERATIONAL MANAGEMENT Training needs will vary depending on staff functions and job responsibilities. Training course organization and materials Operational management is responsible, and accountable for should be tailored to an employee’s specific responsibility or identifying, assessing, controlling, mitigating, and reporting function to ensure that the employee has sufficient knowledge on risks encountered during a bank’s business activities. and information to effectively implement the bank’s AML/ CFT policies and procedures. For the same reasons, new This “first line” is also the business generator, responsible employees should be required to attend training as soon as for defining risk-taking limits and following those limits, possible. Refresher training should be provided to ensure that following policy guidelines, implementing/using approved staff are reminded of their obligations and their knowledge procedures. First line is also instrumental, at high levels, and expertise are kept up to date. in defining a bank’s risk-taking limits Through a cascading responsibility structure, midlevel managers often design and SECOND LINE: RISK MANAGEMENT FUNCTION, implement detailed procedures that serve as controls and COMPLIANCE FUNCTION, AND OTHER supervise execution of such procedures by their employees. 
MONITORING FUNCTIONS Employees in the first line are integral in AML/ These are control functions that also ensure policies CFT compliance risk management through customer and procedures regarding risk-taking (risk management, interactions, management of customer relationships, and compliance risk, human resources, and legal) are in place execution of approved policies and procedures. The first and enforced. The risk management function facilitates and line is critical for meeting one of the most important AML/ monitors the implementation of effective risk management 12 practices by business-line management. It assists business- THIRD LINE: INTERNAL AUDIT FUNCTION line management in defining risk exposures and risk reporting through the organization. The compliance The internal audit function is responsible for independently function monitors the risk of noncompliance with laws, assessing the effectiveness of the design and operation of regulations, and standards. Other monitoring functions may internal controls and compliance practice with laws, rules, include human resources and the legal department. and regulations. Internal audit employees independently provide, on an annual basis, a written assessment of In most banks as part of the second line of defense, the their testing of controls and applicable legal compliance. chief AML/CFT officer has the responsibility for ongoing External auditors can also play an important role in fulfillment of all AML/CFT duties by the bank. Depending evaluating a bank’s internal controls and procedures on the size and complexity of the bank, the chief AML/ during financial audits, internal control audits, and AML/ CFT officer may also perform the function of the CRO or CFT audits. External auditors can independently confirm the CCO or equivalent. He/she should have direct access a bank’s compliance with applicable local regulations to the board or a board-appointed committee. 
In case of and supervisory practices as well as correspondent bank a separation of duties, the relationship between the chief expectations. officers and their respective roles must be clearly defined and well understood. The internal audit function plays an important role in the governance and oversight framework through The chief AML/CFT officer should also have the independently and objectively evaluating risk management responsibility for reporting suspicious transactions to senior and controls, and by periodically reporting to the board or management, the board, and local Financial Intelligence a board-appointed committee (that is, an audit committee Unit (FIU). The chief AML/CFT officer should be provided or a similar oversight body) evaluations of the effectiveness with sufficient resources to execute all responsibilities of compliance with AML/CFT policies and procedures. effectively and play a central and proactive role in the A bank’s internal audit program should comprehensively bank’s AML/CFT regimen. To do so, he/she must be fully cover conversant with the bank’s AML/CFT regimen, its statutory and regulatory requirements, relevant international 1. the effectiveness of compliance governance and standards, and the ML/FT risks arising from the business. oversight; the adequacy of the bank’s policies and procedures in 2. addressing identified risks (including AML/CFT); There is an inherent tension between the first-line the competence of bank staff in implementing the bank’s 3. and the second-line risk management. For example, controls and risk management; it is the second line’s responsibility to test for the detailed testing of critical internal control functions, 4. compliance or support the quality assurance process for example the suspicious activity monitoring and to ensure that the first line is meeting internal bank investigations processes; and policies, procedures, controls, and risk limits. 
The inherent risk-based nature of AML/CFT requirements the effectiveness of the bank’s training of relevant 5. require judgments be made by both the first line personnel. and the second line. Compliance and risk choices The board should ensure that audit functions have sufficient are not always clear given some unique situations resources and appropriate expertise and are knowledgeable and customer circumstances that create challenges of bank operations to conduct such audits. The board in working through what is the most appropriate should also ensure that the audit scope and methodology decision to meet internal and regulatory requirements. are appropriate for the bank’s risk profile and that the Regardless of a bank’s size or its management frequency of such audits and testing is also based on risk. Lastly, internal auditors should formally track and monitor structure, potential tension between different lines of their findings and recommendations for reporting to the business can occur and need to be resolved; at times, board committees responsible for the internal audit process it may be necessary for issues to be raised to senior and the lines of businesses. management for their view and decision. 13 Summary or its customers do business. This understanding should be based on specific operational and transaction data Sound risk management principles apply to the entire and other internal information collected by the bank as spectrum of risks facing a bank. In conducting a well as external sources of information, such as national comprehensive risk assessment, a bank should consider risk assessments and country reports from international all the relevant inherent and residual risk factors at the organizations. 
Policies and procedures for customer country, sector, bank, and customer relationship levels, to acceptance, due diligence, and ongoing monitoring should determine the institution’s risk profile and appropriate level be designed and implemented to adequately control the of mitigation to be applied. identified inherent risks.19 Similarly, banks are required to have a thorough As a key success factor, banks are expected to identify the understanding of the inherent ML/FT risks present in its applicable risks their correspondent relationships pose customer base, product offerings, delivery channels, and and implement internal controls to mitigate those risks, service offerings (including products under development including having effective KYC/CDD processes. or to be launched) and the jurisdictions within which it 19 BCBS. 2017. Guidelines: Sound Management of Risks Related to Money Laundering and Financing of Terrorism. 14 Chapter 3 Essential Elements of a Sound AML/CFT program 3.1 Introduction how individuals and businesses can have access to useful and affordable financial products and services that meet A sound AML/CFT program should be based on a full their needs delivered in a responsible and sustainable way understanding of the risks faced by the financial institution, (financial inclusion20) and the risk-based approach,21 both relevant regulatory requirements, regulatory guidance, plus of which can be helpful in building an effective AML/CFT the potential impact of noncompliance. An AML/CFT program. The BCBS guidelines further expand on how program must incorporate all national requirements and banks should manage ML/FT risk based on the FATF 40 expectations. A bank should also, as business demands, go Recommendations, which they complement. beyond national requirements to embody global best practices and principles. 
In addition to this guidance note, Respondent banks should also be aware of major OECD the main international AML/CFT standards relevant to private sector-led industry initiatives intended to clarify emerging-market banks that serve as a starting point ML/FT challenges faced by their partnering correspondent include: the FATF International Standards on Combating banks. Examples include the best practices and guiding Money Laundering and the Financing of Terrorism and principles for effective ML/FT risk management developed Proliferation; subsequent interpretive notes issued by FATF by the Wolfsberg Group,22 an association of 13 global (together “the FATF 40+9” Recommendations); and BCBS’s banks. Their recommended practices are consistent with the guidelines on Sound Management of Risks Related to other international standards cited. Money Laundering and Financing of Terrorism. One helpful initiative undertaken by Wolfsberg is the publication of a model Correspondent Banking A robust AML/CFT program can reduce the Due Diligence Questionnaire23 used by many OECD correspondent banks to evaluate a respondent bank’s AML/ higher perceived risk of respondent banks, CFT practices when considering whether to undertake, thereby improving their standing with a maintain, or terminate a CBR. Please note, however that network of large global correspondent banks. the decision to establish or terminate a CBR is based on more that this due diligence questionnaire. Country risk, ongoing compliance costs, and forecasted revenue The FATF 40 Recommendations establish a foundational are some additional considerations that may outweigh framework of measures that individual countries and banks results from a single bank’s AML/CFT due diligence. Still, can build off to effectively manage ML/FT risks. 
FATF respondent banks may wish to familiarize themselves with has supplemented its recommendations with interpretive this questionnaire and the best-practice standards that are notes and additional guidance documents that address implied when developing their own AML/CFT program 20 Anti-Money Laundering and Terrorist Financing Measures and Financial Inclusion (2013) 21 FATF. Guidance for a Risk-Based Approach. The Banking Sector. 2014 22 The Wolfsberg Group mission, timeline, and background can be found at https://www.wolfsberg-principles.com/ 23 The Wolfsburg Group Correspondent Banking Due Diligence Questionnaire can be found at https://www.wolfsberg-principles.com/sites/default/files/wb/pdfs/Wolfsberg%27s_CBD- DQ_220218_v1.2.pdf 15 as this questionnaire is used by many global and large 3. Policies and procedures internationally oriented correspondent banks as part of 4. Customer identification and due diligence their decision-making process. 5. Transaction monitoring Using best AML/CFT risk management practices will enable 6. Reporting respondent banks to meet the expectations of correspondent 7. Communication and training banks that clear and settle offshore transactions in U.S. 8. Continuous improvement and testing dollars and euros. This will improve their ability to retain and as necessary obtain new CBRs and to continue 9. Internal and external audit providing cross-border banking services to their clients. The following sections discuss key elements of an AML/CFT Beyond maintenance of CBRs, a sound AML/CFT program program and global best practices to consider implementing will minimize the bank’s exposure to regulatory sanctions, to ensure establishment of a robust AML/CFT program penalties, and associated reputational risks. 
As institutions to obtain and retain correspondent bank accounts and to develop more robust AML/CFT programs, ongoing provide the offshore banking services demanded by high- investment can potentially become an operational challenge value banking customers. In addition, investing in a strong as resource allocation for AML/CFT compliance typically AML/CFT program allows institutions to efficiently and increases. These additional investments and enhanced AML/ effectively strengthen internal controls, assess risk, and CFT controls need to be viewed in terms of the business easily respond to any requests related to their AML/CFT need to retain, maintain, and obtain a correspondent compliance program. bank relationship for business purposes and the potential reduction in risks— financial and reputational, for covering sanctions or penalties that may be imposed. 3.2 Governance Enhancing AML/CFT programs to ensure continued cross- A sound governance structure is the foundation of an border banking services are available to clients; your bank effective AML/CFT program and will include the board of remains connected to the global financial system; meets directors and senior management setting the tone at the international or other standards; and you ultimately attain top, hiring a qualified chief AML/CFT officer, and properly a strong, sustainable, and mature compliance program may resourcing the three lines of defense. The “tone at the top” take several years and be accomplished in stages. is a public commitment at the highest levels of the bank to complying with AML/CFT requirements as part of its core A sound AML/CFT program should include the following mission and recognition that this is critical to the overall interrelated components designed to address all the critical risk management framework of the bank. aspects of ML/FT risk management:24 The best practices outlined here will strengthen a bank’s 1. Governance AML/CFT governance structure:25,26 2. 
Risk identification, assessment, and mitigation Board of • The board of directors should include people who have a clear understanding of ML/FT risks and who are able directors to make informed decisions related to AML/CFT matters. The board’s awareness of AML/CFT compliance can be increased by training and periodic monitoring of applicable operations. • The board is responsible for approving and overseeing enterprise wide AML/CFT policies and procedures. Depending on the size and complexity of the institution, this responsibility can be carried out by one of the board’s committees (for example, the compliance committee or risk committee). • The board should be informed of main compliance risks and plans to mitigate them, at least annually, and be informed of other AML/CFT matters, such as major compliance failures and corrective actions, in a timely and comprehensive manner. • The board should be responsible for appointing a qualified chief AML/CFT officer. The board should continuously monitor the bank’s resource allocation to ensure the bank has sufficient expertise, technology, and control systems dedicated to AML/CFT compliance. 24 BCBS. 2017. Guidelines: Sound Management of Risks Related to Money Laundering and Financing of Terrorism. 25 BCBS. 2017. Guidelines: Sound Management of Risks Related to Money Laundering and Financing of Terrorism. 26 BCBS. 2015. Guidelines: Corporate Governance Principles for Banks. 
16 Senior • Senior management AML/CFT-related responsibilities should include: management • Assisting the board in identifying, assessing, and hiring a qualified chief AML/CFT officer; • Communicating and reinforcing the AML/CFT compliance culture established by the board, and implementing and enforcing the board-approved AML/CFT compliance program requirements to ensure compliance with local laws and other policy requirements (for example, any international standards adopted); • Approving and monitoring the AML/CFT risk assessment; • Approving all AML/CFT-related policies; • Approving all major compliance-related initiatives and action plans discussed at the board compliance committee(s), or ad hoc proposals made through the AML/CFT officer; • Monitoring and assessing, through the third line of defense, the effectiveness of established AML/CFT control mechanisms for the bank on an ongoing basis and reporting and escalating to the board areas of concern, as needed; • Ensuring accountability within all lines of defense; and • Incorporating AML/CFT compliance into job descriptions and performance evaluations of appropriate personnel. • Senior management should monitor and be informed of critical new AML/CFT compliance risks and weaknesses in the execution of policies, procedures, and risk controls. Corrective action plans should be developed in a timely manner to mitigate issues identified. First line of • Typically, the business units (for example, customer-facing personnel, front office) are the first line of defense defense responsible for identifying, assessing and controlling the risk posed by their particular business line or focus. • The business units’ personnel should understand and carry out AML/CFT policies and procedures and should be provided with sufficient resources and training to accomplish this part of the organizational mission. 
Second line of defense
• The second line of defense includes the AML/CFT compliance function and the chief AML/CFT officer responsible for the execution of specific parts of the AML/CFT compliance (for example, policy and procedure development, operating the suspicious-transaction system, investigation and reporting processes, required currency reporting, and other local law requirements), working closely with the business units to provide training and an understanding of AML/CFT requirements and risk-based concepts.
• They also can perform compliance testing in some areas to ensure that risks in the business units are identified and managed and that policies and procedures are adhered to and in compliance with local laws.

AML/CFT Compliance Function:
• The AML/CFT compliance function should have a formal status within a bank and must be independent (for example, compliance personnel should not be in a position where there is a conflict of interest between their compliance responsibilities and any other first-line responsibilities they may have).
• To employ and retain talent with the required knowledge and skillset, the bank should ensure that the level of compensation is commensurate with the level of expertise and authority.
• The compliance function employees should develop key risk indicators (KRIs) to identify, measure, and monitor AML/CFT risks. Detailed reports of KRIs should be made available to all relevant stakeholders, from the board of directors and senior management to operational management.
• Based on the risk profile of the bank, compliance function employees should design a framework of controls and develop policies and procedures necessary to mitigate the ML/TF risk.
• Compliance function employees should have access to all the information and bank personnel necessary to carry out their responsibilities.
• Compliance function employees should conduct periodic testing to ensure the first-line internal controls are working as intended.
• Compliance activities should be subject to periodic review by independent audit.

AML/CFT Officer:
• The AML/CFT officer should have appropriate qualifications and knowledge of the bank’s regulatory requirements and ML/FT risks arising from various lines of business and bank operations.
• The officer should be responsible for applicable AML/CFT programs across the entire institution and have sufficient authority and seniority within the bank to be able to influence decisions related to AML/CFT risks and ensure effective fulfillment of AML/CFT requirements by the bank.
• If the chief AML/CFT officer reports directly to the chief executive officer (CEO), chief financial officer (CFO), or other senior management, he/she should also report and have direct access to the board.
• The officer should report to the board of directors and senior management on AML/CFT compliance matters, including a risk assessment, any changes in the compliance risk profile based on relevant performance indicators, any identified breaches, and the corrective actions.
• Independence of the AML/CFT officer is paramount, and he/she should have a role that is distinct from business-line responsibilities and other executive functions, such as CFO, chief operating officer, or chief auditor.
• A bank conducting business nationally and internationally should appoint a chief AML/CFT officer for the entire group. The chief AML/CFT officer should oversee implementation of all strategies and make regular on-site visits to ensure adequate compliance.
• The AML/CFT officer should be a point of contact for all AML/CFT-related matters for internal and external parties, including regulators and financial intelligence units (FIUs).
Third line of defense
• The third line of defense is the internal audit function that is responsible for independently assessing the effectiveness of the AML/CFT compliance and risk processes created in the first and second lines of defense.[25] Internal audit employees should have sufficient AML/CFT expertise and auditing experience.
• Their AML/CFT-related responsibilities should include:
  • Conducting periodic assessment of relevant AML/CFT program documentation (for example, KYC/CDD/enhanced due diligence [EDD] policies and procedures and procedures related to identifying, investigating, and reporting suspicious transactions);
  • Conducting testing of AML/CFT controls and processes carried out by both first and second lines of defense, such as KYC/CDD/EDD, training, suspicious-activity reporting, record keeping, and retention, among others;
  • Conducting periodic evaluation of the bank’s AML/CFT risk assessment; and
  • Following up on any remedial actions arising from independent audit or regulatory findings.
• Internal audit function employees should be independent and have sufficient authority within the bank to be able to perform their responsibilities with objectivity.
• Internal audit function employees should report to the audit committee of the board of directors or a similar oversight body.

For effective AML/CFT governance, the board of directors and senior management must demonstrate commitment to their responsibilities in setting the risk and compliance culture at the bank. Effective AML/CFT governance defines and clarifies the responsibilities of all applicable employees and is key to demonstrating the overall effectiveness of the bank’s AML/CFT risk management function.[27]

[27] In some emerging market countries, external audit may perform responsibilities related to assessing the effectiveness of the AML/CFT processes created in the first and second lines of defense.
3.3 Risk Identification, Assessment, and Mitigation

Banks must have a thorough understanding of the specific ML/FT risks they face through a periodic enterprise wide AML/CFT risk assessment. Although there are several approaches within the industry to performing an AML/CFT risk assessment, they all commonly include the following three phases:
1. Identification of inherent ML/FT risks faced by the bank;
2. Assessment of internal controls; and
3. Assessment of the residual risk, which considers the effectiveness/status of the controls against the inherent risks of the bank. The resulting residual risk should be measured and within the bank’s risk appetite.[28, 29]

A robust AML/CFT program can reduce the perceived higher risk of respondent banks, thereby improving their standing with a network of large global correspondent banks.

The AML/CFT risk-assessment methodology illustration that appears here is a high-level illustration. A substantial amount of work, data gathering, analysis, and expertise is involved in developing a comprehensive and mature risk-assessment methodology and process. This example should not be interpreted as a one-size-fits-all approach.

PHASE 1: IDENTIFICATION OF INHERENT ML/FT RISKS FACED BY THE BANK

To assess the inherent ML/FT risks faced across all business lines, the bank should include the following risk categories in its risk assessment process:
• Customer base
• Products and services offered
• Delivery channels
• Jurisdictions
• Other qualitative risk factors
Figure 3: Phases of EWRA

An effective AML/Sanctions Compliance Program starts with an in-depth and enterprise-wide risk assessment (EWRA).

Phase I: Planning & Scoping
• Scope: Define the scope and structure of business areas to assess, including business units, legal entities, divisions, and countries and regions.

Phase II: Implementation
• Assess Inherent Risk: Select risk areas and factors to assess inherent risk based on empirical data analysis and analytical techniques for both ML/FT risks.
• Assess Controls: Assess design and operating effectiveness of mitigating controls based on historical audits, self-evaluation questionnaires, and document evidence of controls.
• Assess Residual Risk: Highlight risk factors without sufficient mitigation and business areas posing the greatest risk, and evaluate results against the institution’s risk appetite statement.

Phase III: Results & Recommendations
• Action Plan and Reporting: Develop an action plan for underperforming controls based on identified gaps, create reporting, and prepare documentation for audit / exam purposes.

Source: Deloitte Risk and Financial Advisory.

[28] Wolfsberg. 2015. The Wolfsberg Frequently Asked Questions on Risk Assessments for Money Laundering, Sanctions and Bribery & Corruption.
[29] The Wolfsberg Frequently Asked Questions on Risk Assessments for Money Laundering, Sanctions and Bribery & Corruption (2015) define inherent risk, controls and residual risk as follows: “Inherent Risk represents the exposure to money laundering, sanctions or bribery and corruption risk in the absence of any control environment being applied.” “Controls are programmes, policies or activities put in place by the FI to protect against the materialisation of a ML risk, or to ensure that potential risks are promptly identified. Controls are also used to maintain compliance with regulations governing an organisation’s activities.” “Residual risk is the risk that remains after controls are applied to the inherent risk. It is determined by balancing the level of inherent risk with the overall strength of the risk management activities/controls. The residual risk rating is used to indicate whether the ML risks within the FI are being adequately managed.”

CUSTOMER BASE

The bank must understand the risks associated with its customers, either individually or as a category. When assessing customer risk, it is essential that the bank establish criteria for identifying high-risk customers. The following factors can be used to differentiate customer risk: customer type, ownership, industry, profession / business, past activities, political / governmental role, product usage, and the customer’s transactional activity. Each customer should be risk rated based on the criteria. This information is used by the bank to determine the makeup of its customer base (for example, at a minimum, the percentage of high-risk, medium-risk, and low-risk populations). Banks should consider that certain categories of customers may pose a perceived higher risk. Examples of such customers include:
• Politically exposed persons (PEPs) (generally have a higher risk of ML/FT when operating in countries characterized by higher levels of bribery and government corruption).
• Money or value transfer services providers (considered higher risk as the business is cash intensive and may have poor AML/CFT controls).
• Correspondent banking customers (generally considered higher risk when the executing bank must rely on a respondent bank’s AML/CFT controls, the strength of which may be unknown).

PRODUCTS AND SERVICES OFFERED

During the risk-assessment process, a bank should take inventory of the products and services it offers and assess the inherent risk of the products. The assessment should include not only the existing products and services offered by the bank but also those under development or to be launched. Including future product offerings in the assessment helps management forecast if current controls will be sufficient to manage the risk or if additional controls are necessary. Typically, the following products and services have higher ML/FT risk as they have historically been used to place, layer, or integrate the proceeds of crime and thus are considered to have a high ML/TF risk:
• Correspondent banking
• Private banking (domestic and international)
• Trade finance
• Payable through accounts
• Stored-value instruments
• Cross-border, bulk-cash delivery
• Domestic bulk-cash delivery
• International cash letter
• Remote-deposit capture
• Virtual/digital currencies
• Low-price securities
• Hold mail
• Cross-border remittances
• Service to walk-in customers (nonaccount holders)
• Sponsoring private automatic teller machines

In addition to the products listed, wire transfers may present a high degree of risk. Banks should monitor wire transfers and related messages to detect those that do not contain all required beneficiary and/or originator information and to take appropriate measures to prevent processing of wire payments associated with designated persons and entities (for example, persons and entities subject to financial restrictions because of human rights abuses, terrorist activity, or other reasons). Complete and accurate records are critical to AML/CFT risk management and to demonstrating compliance because transparency is essential in managing these risks and protecting the bank from possible criminal abuse.

DELIVERY CHANNELS

The risk assessment should also consider delivery channels. Certain delivery channels (for example, business relationships or transactions that are not face to face) may pose a higher ML/FT risk as they increase the challenge of verifying the customer’s identity and activities.

JURISDICTIONS

The risk assessment must consider the risks associated with jurisdictions in which the bank operates as well as the risk associated with jurisdictions in which the bank’s customers conduct business. A bank should conduct the analysis to understand its geographic footprint and determine the number of customers within each country. Determining the number of customers in different jurisdictions can be based on either some or all of the following factors: domicile, nationality, and/or incorporation. When assessing jurisdiction risk, the bank can use an externally purchased country risk methodology/model or develop its own for sub-national jurisdictions that pose higher risk. If a bank undertakes the development of its own methodology, it should consider leveraging country reports from international organizations that identify countries subject to economic sanctions, known to be supporting international terrorism, and those with deficiencies in combatting money laundering and terrorist financing, such as the list of high-risk and other monitored jurisdictions published by FATF[30] or the OECD Country Risk Classification.[31] In addition, the Basel AML Index[32] is an independent annual ranking that assesses the risk of ML/TF around the world.

OTHER QUALITATIVE FACTORS

There are other qualitative factors that can affect the bank’s inherent risk and therefore should be or may be considered during the ML/FT risk assessment. Some of the qualitative factors that should be considered are:
• Expected account and revenue growth;
• Recent AML/CFT compliance personnel turnover;
• Reliance on third-party providers to perform AML/CFT program requirements and responsibilities;
• Recent enforcement actions and/or penalties; and
• Independent audit and regulatory findings.

The figure below provides a summary of the assessment of inherent risks. The listed risk factors and measures are for illustrative purposes only and should not be viewed as exhaustive.

Figure 4: Risk Factors Example

Inherent Risk Factors and Measures (risk factors with illustrative measures):
• Customer Base: legal form/ownership structure; length of relationship; PEP status; industry; Customer Risk Rating (CRR)
• Products/Services: high degree of anonymity or limited transparency; rapid movement of funds; high volume of currency or equivalents; payments to/from third parties
• Delivery Channels: account origination; account servicing
• Jurisdictions: location of business; location of clients; origin or destination of transactions
• Qualitative Factors: growth vs. stability; mergers & acquisition; strategy changes; new regulatory requirements; emerging risks

Source: Deloitte Risk and Financial Advisory.

[30] http://www.fatf-gafi.org/countries/#high-risk
[31] http://www.oecd.org/trade/xcred/crc.htm
[32] https://index.baselgovernance.org/sites/index/documents/Basel_AML_Index_Report_2017.pdf

PHASE 2: ASSESSMENT OF INTERNAL CONTROLS

After a bank identifies its inherent risks, the second phase of the process involves assessing the quality of existing controls to determine how well they manage the identified risks. The bank is to evaluate the overall design and operating effectiveness of existing controls. Control effectiveness can be assessed through a self-assessment and challenges by subject matter experts. Independent audit testing and internal compliance testing results should also be considered in determining the effectiveness of internal controls.

The following illustration shows an AML/CFT controls assessment approach. This methodology is commonly used for the control portion of the risk-assessment process and involves the creation of control questionnaires (see “sample control categories”) to assess and document the status of each of the critical controls. The results of the controls assessments and subsequent calculation of the effectiveness of the controls are then compiled and summarized through various risk levels (see “satisfactory,” “needs improvement,” and “unsatisfactory” ratings). This phase of the risk-assessment process also requires a substantial amount of work, control assessment creation, data gathering, analysis, and expertise to develop a comprehensive and mature control risk-assessment methodology and process.

Figure 5: Risk Control Categories

Sample Control Categories:
• AML/CFT Corporate Governance, Management Oversight and Accountability
• Policies and Procedures
• Customer Due Diligence (CDD), Enhanced Due Diligence (EDD), Simplified Due Diligence (SDD) and Politically Exposed Persons (PEPs)
• Previous Other Risk Assessments
• Management Information System (MIS) / Reporting
• Record Keeping and Retention
• Designated AML/CFT Officer
• Detection and Suspicious Activity Report (SAR) Filing
• Monitoring and Controls
• Training
• Independent Testing and Oversight
• Other Controls

Illustrative Risk Levels:
• 91–100%: Satisfactory: Substantially meeting all control requirements
• 75–90%: Needs Improvement: Meeting between 75% and 90% of control requirements
• <75%: Unsatisfactory: Meeting less than 75% of control requirements

Source: Deloitte Risk and Financial Advisory.

Risk identification and assessment should be based on internal information, such as operational and transactional data produced by the bank, as well as external information, such as country reports from various international organizations and national risk assessments. The risk-assessment methodology should include both quantitative and qualitative elements (for example, volume and value of transactions)[33] and be clearly documented and approved by senior management.

PHASE 3: ASSESSMENT OF RESIDUAL RISK

Once a bank has assessed its inherent risks and the effectiveness of the controls designed to mitigate them, phase three of the risk assessment can be completed. The residual risk is the remaining risk after controls are applied to the inherent risk. It is a process by which the aggregated conclusions are deduced from both the inherent and controls risk assessment and a residual risk determination is made (see the following residual risk approach illustration). The residual risk indicates whether ML/FT risks posed by the bank are being effectively managed. For example, if the bank’s inherent risks are considered “medium” and the controls are rated “unsatisfactory,” based on the three-tier scale,[34] the residual risk rating would be “high.” As illustrated in Figure 6, this “high” residual risk rating is found at the intersection of the “medium” risk rating and the “unsatisfactory” control rating.

Figure 6: Residual Risk

Illustrative Residual Risk Approach:
• Residual risk is determined by balancing the inherent risk with the overall strength of the risk management activities/controls
• The residual risk rating is used to assess whether the ML/FT risks within the business unit as well as for the institution as a whole are being adequately managed
• The residual risks should be calculated across each business unit
• The residual risks should be available in a visual heatmap format

Illustrative Residual Risk Matrix (residual risk determination; control assessment down, inherent risk across):

Control Assessment                 Inherent Risk: Low   Medium   High
Satisfactory (91–100%)             Low                  Low      Medium
Needs Improvement (75–90%)         Low                  Medium   High
Unsatisfactory (<75%)              Medium               High     High

Source: Deloitte Risk and Financial Advisory.

The frequency of the risk assessment varies depending on a number of factors, such as the domestic regulatory requirements, mergers and acquisitions affecting the risk profile of the bank, new products and services, results of the risk assessment, and potentially correspondent bank expectations, as well as others.[35] It is common for banks to perform risk assessments annually. However, banks should update their risk assessment more frequently than annually if they identify new or emerging risks that significantly change the bank’s risk profile (for example, when expanding to new markets or geographies or implementing new delivery channels).

Although banks can rely on external parties or externally purchased technology to conduct risk assessments, they should remember that the responsibility for assessing and managing risk ultimately lies with the bank board and senior management and cannot be “outsourced.” If the bank engages an external party to assess risk, the external party must follow the risk-assessment methodology and relevant policies and procedures established by the bank and local requirements. In case of an externally purchased technology/risk assessment model, the bank should take necessary steps to validate the technology and ensure it addresses the needs of the bank.[36]

The results of the risk assessment, the methodology employed, and any measures taken by the bank to manage the identified risks should be consolidated within a comprehensive report and communicated to the board of directors and senior management in a timely, complete, and accurate manner. This will help not only the board but also senior management, the CRO, and the chief AML officer in making informed decisions and ensuring that the bank’s resources, expertise, and technology are aligned with mitigating its risks.

[33] BCBS. 2015. Guidelines: Corporate Governance Principles for Banks.
[34] This illustration is of a three-tier rating scale. Some institutions use four-tier rating scales, which include the following ratings for “inherent” risk: high, medium-high, medium, and low, and the following ratings for “controls” assessment: strong, satisfactory, needs improvement, and unsatisfactory. Residual risk determination ratings include: high, medium-high, medium, and low.
[35] The Wolfsberg Group’s Correspondent Banking Due Diligence Questionnaire suggests that the frequency of the enterprise wide risk assessment should be 12 months.
[36] BCBS. 2015. Guidelines: Corporate Governance Principles for Banks.

Example: Risk Assessment

Inherent Risk Assessment: The assessment of inherent risk can be conducted by administering questionnaires for qualitative risk factors and by extracting quantitative data from the relevant bank systems. A bank should be prudent about the threshold for the quantitative risk factors based on its risk appetite and provide risk weights to both the qualitative and quantitative factors.
The information gathered should be populated against the ML/TF inherent risk-assessment questionnaire to calculate the bank’s inherent risk. The ML/TF inherent risk-assessment questionnaire should cover critical areas of the bank’s business (for example, customers, geographies, products, services, transactions, and delivery channels) and consider the operational and regulatory risk factors that should be taken into account when assessing the robustness of the AML/CFT program (for example, introduction of new products, expansion into new markets, mergers and acquisitions, new regulatory requirements, recent regulatory actions, and so forth).

Mitigating Controls Assessment: To assess the mitigating controls, the bank should create a register of regulatory requirements or obligations, including known regulatory expectations and applicable industry-leading practices (with respect to known ML red flags and typologies). The bank’s policies and procedures and process controls that have been implemented should be mapped against the register. This exercise should lead to identification of control gaps, if any. The controls that are implemented should be tested for effectiveness. It is strongly recommended that banks consider the following while assessing control effectiveness:
1. Review of the bank’s policies and procedures to identify any gaps between the policies and regulatory requirements;
2. Walkthroughs with the business and operations teams to identify if the policies and procedures are being operationalized effectively (that is, implemented and operating as designed); and
3. Sample testing against key control indicators and control sample testing thresholds.

The controls in place should be periodically reviewed and tested for effectiveness and for whether any change in the inherent risk of the business or residual risk necessitates enhancement of such controls.
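The control-rating bands of Figure 5, the residual-risk matrix of Figure 6 and the weighted inherent-risk scoring described in the example box above, put together as an added worked example in Python; this is not code from IFC, Deloitte or ACIP. The 1-to-3 factor scale, the category weights, the business-unit names and their questionnaire results are constructed assumptions; the reading for medium inherent risk with unsatisfactory controls reproduces the case worked in the text.

```python
"""Residual-risk determination for an AML/CFT enterprise-wide risk assessment.

Added worked example, not code from IFC, Deloitte or ACIP: control effectiveness
is banded with the Figure 5 thresholds, residual risk is read from the Figure 6
matrix, and each business unit's result is checked against the bank's risk
appetite. The 1..3 factor scale, weights and sample units are constructed."""
from collections import namedtuple

RATINGS = ("Low", "Medium", "High")

# Figure 6: residual = RESIDUAL_RISK_MATRIX[control rating][inherent rating].
RESIDUAL_RISK_MATRIX = {
    "Satisfactory":      {"Low": "Low",    "Medium": "Low",    "High": "Medium"},
    "Needs Improvement": {"Low": "Low",    "Medium": "Medium", "High": "High"},
    "Unsatisfactory":    {"Low": "Medium", "Medium": "High",   "High": "High"},
}


def control_rating(pct_met):
    """Figure 5 bands: 91-100% Satisfactory, 75-90% Needs Improvement, below
    75% Unsatisfactory. The figure uses whole percents; a fractional value
    between 90 and 91 is treated as Needs Improvement here (assumption)."""
    if not 0 <= pct_met <= 100:
        raise ValueError(f"percentage out of range: {pct_met}")
    if pct_met >= 91:
        return "Satisfactory"
    return "Needs Improvement" if pct_met >= 75 else "Unsatisfactory"


def inherent_rating(scores, weights):
    """Weighted mean of per-category scores (1 low, 2 medium, 3 high; assumed
    scale) over the Phase 1 risk categories, banded into thirds of 1..3."""
    if set(scores) != set(weights):
        raise ValueError("every risk category needs both a score and a weight")
    if any(s not in (1, 2, 3) for s in scores.values()):
        raise ValueError("factor scores must be 1 (low), 2 (medium) or 3 (high)")
    total_weight = sum(weights.values())
    if total_weight <= 0:
        raise ValueError("weights must sum to a positive value")
    mean = sum(scores[c] * weights[c] for c in weights) / total_weight
    if mean < 1 + 2 / 3:
        return "Low"
    return "Medium" if mean < 1 + 4 / 3 else "High"


def control_effectiveness(results):
    """Percent of requirements met; maps Figure 5 control category -> (met, total)."""
    for category, (met, total) in results.items():
        if not 0 <= met <= total:
            raise ValueError(f"{category}: {met} met of {total} is impossible")
    total = sum(t for _, t in results.values())
    if total == 0:
        raise ValueError("control questionnaire has no requirements")
    return 100.0 * sum(m for m, _ in results.values()) / total


def residual_risk(inherent, control):
    """Read Figure 6; Medium inherent + Unsatisfactory controls gives High."""
    return RESIDUAL_RISK_MATRIX[control][inherent]


# within_appetite: residual rating no higher than the bank's stated appetite.
UnitResult = namedtuple("UnitResult", "unit inherent control_pct control residual within_appetite")


def assess_unit(unit, scores, weights, controls, risk_appetite="Medium"):
    """All three phases for one business unit; `risk_appetite` is the highest
    residual rating the bank accepts without an action plan."""
    inherent = inherent_rating(scores, weights)
    pct = control_effectiveness(controls)
    control = control_rating(pct)
    residual = residual_risk(inherent, control)
    within = RATINGS.index(residual) <= RATINGS.index(risk_appetite)
    return UnitResult(unit, inherent, pct, control, residual, within)


def heatmap(results):
    """Text stand-in for the visual heatmap: one line per business unit, with
    units outside appetite flagged for the action plan."""
    return [f"{r.unit:<22} inherent={r.inherent:<6} controls={r.control_pct:5.1f}% "
            f"({r.control}) residual={r.residual:<6} "
            + ("within appetite" if r.within_appetite else "ACTION PLAN")
            for r in results]


# Constructed sample weights for the Phase 1 risk categories (not from the page).
WEIGHTS = {"Customer base": 0.30, "Products and services": 0.25,
           "Delivery channels": 0.15, "Jurisdictions": 0.20, "Qualitative factors": 0.10}


def assess_sample():
    """Two constructed business units; the first reproduces the text's example
    of medium inherent risk met by unsatisfactory controls."""
    retail = assess_unit(
        "Retail branch network",
        {"Customer base": 2, "Products and services": 2, "Delivery channels": 2,
         "Jurisdictions": 2, "Qualitative factors": 3}, WEIGHTS,
        {"Policies and Procedures": (8, 10), "CDD/EDD/SDD and PEPs": (12, 20),
         "Training": (3, 6), "Detection and SAR Filing": (6, 12)})
    trade = assess_unit(
        "Trade finance",
        {"Customer base": 3, "Products and services": 3, "Delivery channels": 2,
         "Jurisdictions": 3, "Qualitative factors": 2}, WEIGHTS,
        {"Policies and Procedures": (19, 20), "CDD/EDD/SDD and PEPs": (38, 40),
         "Training": (10, 10), "Detection and SAR Filing": (19, 20)})
    return [retail, trade]


if __name__ == "__main__":
    print("\n".join(heatmap(assess_sample())))
```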
Source: Adopted from “Best Practices for Countering Trade Based Money Laundering”, 18 May 2018, published by the AML/CFT Industry Partnership (ACIP), https://abs.org.sg/industry-guidelines/aml-cft-industry-partnership.

3.4 Policies and Procedures

AML/CFT policies, procedures, and internal controls should be designed to mitigate the inherent risks identified by the risk assessment. They should address the unique risks and bank risk profile. AML/CFT policies and procedures should be in writing and serve the purpose of preventing, detecting, and reporting potentially suspicious activity, complying with local laws, and establishing a strong internal control and risk management environment.

When designing and implementing policies, procedures, and internal controls, the bank should use a risk-based approach. This approach implies that higher-risk customers, higher risk products, or other factors may necessitate more stringent controls and ongoing monitoring. The following is an illustrative example of a risk-based approach for policies and procedures and other AML/CFT controls.

Figure 7: Applying a Risk-Based Approach

Activities Driven by Customer Risk Levels – For Illustrative Purposes Only

Due Diligence
• Low/medium risk: Basic due diligence: customer identification program (CIP), CDD
• High risk: EDD: collect and corroborate additional information
• Highest risk: In-depth EDD (for example, additional level of ownership)

Transaction Monitoring
• Low/medium risk: General transaction monitoring rules
• High risk: Supplemental and targeted transaction monitoring rules with tightened parameters
• Highest risk: Supplemental and targeted transaction monitoring rules with tightened parameters and frequency. Additional scrutiny through separate transaction-monitoring analytics teams

Screening
• Low/medium risk: Screening all customers and related parties
• High risk: Screening at a lower level of ownership/control
• Highest risk: Screening customer’s customers

Ongoing Due Diligence
• Low/medium risk: Risk-based reviews (2- to 5-year cycles)
• High risk: Annual review
• Highest risk: Review of customer’s customers, expected versus actual activity

Source: Deloitte Risk and Financial Advisory.

AML/CFT policies and procedures should:[37, 38]
• Be approved by the bank’s board of directors or senior committee.
• Designate a chief AML/CFT officer to coordinate and oversee the AML/CFT program.
• Outline processes regarding the assessment of the AML/CFT program by either an internal audit or independent third party.
• Document the processes regarding AML/CFT training; policy updates; CDD and EDD; due diligence conducted on or by other banks; detecting and reporting potentially suspicious transactions; reporting of currency transactions; responding to law enforcement requests; and sanctions compliance.
• Use a risk-based approach to apply CDD standards to all new accounts, as well as refresh CDD on existing relationships as necessary.
• Outline processes regarding screening for PEPs.
• Document a retention policy in which banks maintain all necessary records; records should be kept for 5 years or the time period complying with local law.
• Be consistent throughout the organization, with adjustments made in accordance with the risk of the business line or geographic location of the operation.
• Be applied to all branches and subsidiaries in the home country, as well as in locations outside of the jurisdiction (if applicable).
• Be updated on a regular basis and disseminated and accessible to all relevant personnel.

AML/CFT policies and procedures should not:[39, 40]
• Allow anonymous accounts or accounts in obviously fictitious names.
• Allow correspondent banking relationships with shell banks.
• Allow transactions with designated persons and entities.
• Be a “cut-and-paste” guide from documentation found on the Internet or another institution’s procedures.
• Be outdated and provide inconsistent information.

[37] BCBS. 2017. Guidelines: Sound Management of Risks Related to Money Laundering and Financing of Terrorism.
[38] The Wolfsberg Group. 2018. Correspondent Banking Due Diligence Questionnaire.
[39] BCBS. 2017. Guidelines: Sound Management of Risks Related to Money Laundering and Financing of Terrorism.
[40] FATF. 2018. International Standards on Combating Money Laundering and the Financing of Terrorism and Proliferation.

AML/CFT in a Groupwide and Cross-Border Context

Financial institutions operating in multiple jurisdictions should consider developing groupwide AML/CFT policies and procedures to ensure that they are accounting for risk across their international operations. Policies and procedures at the branch or subsidiary levels should not only reflect local requirements and considerations of the host jurisdiction but also be consistent with and support groupwide policies and procedures. If legal requirements differ between the home and host countries, the higher standard of the two should be followed. Additionally, if a jurisdiction does not allow for the proper implementation of standards, the chief AML/CFT officer should inform the home supervisors.

Another important consideration for banks with international operations is the extent to which the bank can rely on procedures from other banks when business is being referred. Banks must ensure that they do not allow for policies and procedures that are less strict than their own, meaning that banks must do their own due diligence on the standards used in the jurisdiction of the referring bank. If the introducer is part of the same financial group, a bank could rely more heavily on the introducer’s customer information, so long as the introducer abides by the same standards as the bank and the application of the standards is supervised.
If a bank takes this approach, it should still obtain customer information (KYC and transaction data) from the referring bank in case the referred customer is found to be engaging in suspicious activity. If implementing centralized systems and databases, a bank should have adequate documentation of all local and centralized functions to ensure monitoring of suspicious activity across the entire group.

To ensure that the groupwide ability to obtain and review information regarding the group’s global AML/CFT standards is met, vigorous information sharing among the head office and all branches and subsidiaries (when allowed) must be encouraged. A bank’s groupwide policies and procedures should include a process, to be followed in all jurisdictions, for identifying, monitoring, and investigating potentially suspicious activity; this includes the coordination of information sharing when necessary. Branches and subsidiaries should be able to provide the head office with information relating to high-risk customers and specific activities that are considered relevant to the global standards. All requests made by the head office should be answered in a timely manner.

When designing policies and procedures regarding information sharing requests, the bank should consider:
• Any local laws and regulations related to data protection and privacy of customers.
• How to handle requests from law enforcement, supervisory authorities, or FIUs.
• The type of information that can be shared and requirements for storage, retrieval, distribution, and disposal.
• The potential risks posed by the reported activity, the risk of a given customer or group of customers, and if other branches or subsidiaries also hold accounts for that customer.

Source: Excerpt from BCBS. 2017. Guidelines: Sound Management of Risks Related to Money Laundering and Financing of Terrorism.
3.5 Customer Identification and Due Diligence

To manage ML/FT risks effectively, banks must understand who their customers are. To achieve this, banks must conduct customer identification and due diligence when onboarding a new customer, as well as update CDD throughout the banking relationship with the customer. The following tables outline when banks should be required by regulators to conduct CDD, when partner correspondent banks will be expecting vigorous CDD, and what CDD measures they must be undertaking:

When should banks perform CDD?

Financial institutions should be required to conduct CDD when:
• Establishing a new business relationship.
• Carrying out occasional transactions (i) above the applicable designated threshold (equivalent to $15,000/€15,000) or (ii) that are cross-border and domestic wire transfers.
• There is suspicion of money laundering or terrorist financing.
• The financial institution has doubts about the veracity or adequacy of previously obtained customer identification data.

If the financial institution is unable to comply with these requirements, it should be required to:
• Not open the account, commence business relations, or perform the transaction.
• Terminate the business relationship.
• Consider filing a suspicious-transaction report in relation to the customer.

Source: Excerpt from FATF Recommendation No. 10.

What CDD measures should banks undertake?

Financial institutions should be required to conduct the following CDD measures:
a. Identifying the customer and verifying the customer's identity using reliable, independent source documents, data, or information.
b. Identifying the beneficial owner and taking reasonable measures to verify the identity of the beneficial owner.
c. Understanding and, as appropriate, obtaining information on the purpose and intended nature of the business relationship.
d. Conducting ongoing due diligence on the business relationship and scrutiny of transactions undertaken throughout the course of that relationship to ensure that the transactions being conducted are consistent with the institution's knowledge of the customer and the customer's business and risk profile, including, where necessary, the source of funds.

Source: Excerpt from FATF Recommendation No. 10.

Banks are to apply each of these CDD measures to all customers; however, the depth of these measures, and any additional measures, should be determined by the customer's risk level. When assessing customer risk, a bank should consider relevant factors, such as the customer's background (for example, occupation), country of origin or residence, bank products used, nature and purpose of the account, transactions, and business activities.41

CUSTOMER RISK RATING PROCESS

Customer risk ratings support the bank's decision whether to enter, continue, or terminate the business relationship and determine the level of controls that need to be employed to manage the risk, including the type of ongoing suspicious-activity monitoring. Customer risk ratings and profiles can be developed at either the individual customer level or for groups of customers displaying similar characteristics (for example, a group of retail customers who have a similar income range and conduct similar transactions).42 The following figure is a summary of a CRR process that presents and takes into account various risk measures.

41 BCBS. 2017. Guidelines: Sound Management of Risks Related to Money Laundering and Financing of Terrorism.
42 FATF. 2014. Guidance for a Risk-Based Approach: The Banking Sector.
The bank should also develop clear customer acceptance policies that lay out the circumstances under which a new relationship would not be accepted or a current relationship would be terminated. When implementing a customer acceptance policy, it is important that it not be so restrictive that it results in the denial of customers who are considered financially or socially disadvantaged; a risk-based approach should be taken to understand and mitigate risk as opposed to simply avoiding it.43

Similar to the risk-assessment process, the CRR process requires a substantial amount of work, data gathering, analysis, and expertise to develop a comprehensive CRR methodology and process.

For customers deemed to be of lower risk, simplified due diligence measures may be allowable. If the customer risk is deemed to be higher, enhanced controls and CDD/EDD measures should be taken by the bank to mitigate risk.

Figure 8: Customer Risk Rating (For Illustrative Purposes Only)

EXAMPLES OF RISK MEASURES (the four groups below feed the CRR)

Customer's Demographics
• Employment classification and occupation
• Visa status
• PEPs
• Length of relationship
• Industry
• Entity type/Ownership structure

Products/Services/Channels
• High-risk products/services
• High volume/value of cash/monetary instruments
• High volume/value of wires to/from high-risk countries

Geographies
• Customer location
• Location of customer's operations/assets
• Country of incorporation
• Nationality
• Citizenship
• Country/regulatory risk

Other Factors
• Customer's AML/CFT program
• Negative news/regulatory action
• Previous compliance history (alerts, investigations, suspicious transaction reports, internal watch list)

Source: Deloitte Risk and Financial Advisory.
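The CRR process in Figure 8 combines demographic, product, geographic and other factors into a rating that then drives the depth of due diligence (SDD, CDD or EDD) and the periodic review cycle. The Python example below is added by the editor and is not code from the IFC note or from Deloitte. Every factor weight, threshold, tier cut-off and review interval in it is an assumption, chosen to mirror the note's illustrative Figure 8 and ongoing-monitoring frequencies (12, 18 and 36 months, with trigger-based review only for low-risk retail customers); the jurisdiction codes and sample customers are constructed. It also applies the note's rule that sanctions screening is independent of the risk score: a designated-person hit yields "prohibited" no matter how few points the customer scores, and a PEP is rated high regardless of the other factors (the note's foreign-PEP treatment).

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple

# Assumed reference data (placeholders, not taken from the note).
HIGH_RISK_COUNTRIES = {"XA", "XB"}          # hypothetical jurisdiction codes
HIGH_RISK_INDUSTRIES = {"casino", "money_transfer_operator", "atm_operator",
                        "offshore_trust", "shell_company"}
CASH_THRESHOLD = 250_000.0                  # assumed 12-month cash volume threshold
REVIEW_MONTHS = {"high": 12, "medium": 18, "low": 36}   # mirrors the note's table

@dataclass
class Customer:
    customer_id: str
    entity_type: str                # "individual" or "legal_entity"
    country: str                    # residence or incorporation (code)
    industry: str = ""
    is_pep: bool = False            # customer or beneficial owner is a PEP
    relationship_years: float = 0.0
    cash_volume_12m: float = 0.0
    negative_news: bool = False
    prior_strs: int = 0             # suspicious transaction reports filed
    on_sanctions_list: bool = False # hit from designated-person screening

@dataclass
class RiskRating:
    level: str                      # prohibited | high | medium | low
    score: int
    reasons: List[str] = field(default_factory=list)
    due_diligence: str = "CDD"      # EDD | CDD | SDD | n/a
    next_review: Optional[date] = None  # None = trigger-based review only

def score_factors(c: Customer) -> Tuple[int, List[str]]:
    """Points over the Figure 8 groups; every weight here is an assumption."""
    pts, why = 0, []
    if c.is_pep:                                    # customer demographics
        pts += 40; why.append("PEP (customer or beneficial owner)")
    if c.industry in HIGH_RISK_INDUSTRIES:
        pts += 25; why.append(f"industry: {c.industry}")
    if c.relationship_years < 1:
        pts += 5; why.append("relationship shorter than one year")
    if c.cash_volume_12m > CASH_THRESHOLD:          # products/services/channels
        pts += 20; why.append("high cash volume")
    if c.country in HIGH_RISK_COUNTRIES:            # geographies
        pts += 25; why.append(f"high-risk country: {c.country}")
    if c.negative_news:                             # other factors
        pts += 15; why.append("negative news / regulatory action")
    if c.prior_strs:
        pts += min(30, 15 * c.prior_strs); why.append(f"prior STRs: {c.prior_strs}")
    return pts, why

def add_months(d: date, n: int) -> date:
    m = d.month - 1 + n
    return date(d.year + m // 12, m % 12 + 1, min(d.day, 28))

def rate_customer(c: Customer, today: date = date(2019, 1, 1)) -> RiskRating:
    """Level, due-diligence depth and next periodic review for one customer."""
    # Sanctions screening is independent of the score: a designated person is
    # never onboarded, whatever the points say.
    if c.on_sanctions_list:
        return RiskRating("prohibited", 0, ["designated person/entity"], "n/a")
    pts, why = score_factors(c)
    if c.is_pep or pts >= 50:       # PEPs rated high here (the note's foreign-PEP treatment)
        level, dd = "high", "EDD"
    elif pts >= 25:
        level, dd = "medium", "CDD"
    else:
        level, dd = "low", "SDD"
    # Low-risk retail customers get trigger-based reviews only (note's table).
    if level == "low" and c.entity_type != "legal_entity":
        return RiskRating(level, pts, why, dd, None)
    return RiskRating(level, pts, why, dd, add_months(today, REVIEW_MONTHS[level]))

# Constructed sample customers, for illustration only.
SAMPLES = [
    Customer("R-1001", "individual", "AA", relationship_years=5.0),
    Customer("R-1002", "individual", "AA", relationship_years=6.0, is_pep=True),
    Customer("R-1003", "individual", "AA", relationship_years=4.0, on_sanctions_list=True),
    Customer("C-2001", "legal_entity", "XA", industry="casino", relationship_years=2.0),
    Customer("C-2002", "legal_entity", "AA", industry="retail_trade", relationship_years=0.5,
             negative_news=True, prior_strs=1),
    Customer("C-2003", "legal_entity", "AA", relationship_years=3.0),
]

def rate_samples(today: date = date(2019, 1, 1)) -> Dict[str, Tuple[str, str, Optional[str]]]:
    """Rate every sample: id -> (level, due diligence, next review ISO date or None)."""
    out = {}
    for c in SAMPLES:
        r = rate_customer(c, today)
        out[c.customer_id] = (r.level, r.due_diligence,
                              r.next_review.isoformat() if r.next_review else None)
    return out

if __name__ == "__main__":
    for cid, (level, dd, nxt) in rate_samples().items():
        print(f"{cid}: {level:<10} {dd:<4} next review: {nxt or 'trigger-based'}")
```

The reasons list is kept alongside the score so that an analyst, or an auditor, can see why a customer landed in a tier; a rating that cannot be explained factor by factor is hard to defend when the methodology is challenged. In a real implementation the weights would be calibrated against the bank's own risk assessment and the sanctions flag would come from the automated screening the note recommends for all customers.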
Lower-Risk Customer Examples
• Low transaction volume retail customers
• Remittance customers, but ONLY if transaction amounts and aggregate annual volumes are low
• Publicly held companies traded on a recognized stock exchange and filing quarterly financial reports and annual audited financial statements
• Financial institutions listed on a recognized stock exchange in a compliant country
(Note: depending on other factors, such as transactional activity and geographies, the customers listed above can present higher risk.)

Higher-Risk Customer Examples
• High net worth individuals
• PEPs
• Government entities of a high-risk country
• Money transfer operators (MTOs)
• Automatic teller machine operators
• Casinos
• Foreign private investment corporations
• Trusts and shell companies in offshore jurisdictions

43 FSD Africa. 2017. Anti-Money Laundering, Know Your Customer, and Curbing the Financing of Terrorism.

Examples of Enhanced Due Diligence/Simplified Due Diligence measures

Enhanced Due Diligence (EDD)
• Obtaining additional information on the customer (for example, occupation, volume of assets), and updating the identification data of the customer and beneficial owner more regularly.
• Obtaining additional information on the intended nature of the business relationship.
• Obtaining information on the source of funds or source of wealth of the customer.
• Obtaining information on the reasons for intended or performed transactions.
• Obtaining the approval of senior management to commence or continue the business relationship.
• Conducting enhanced monitoring of the business relationship by increasing the number and timing of controls applied and selecting patterns of transactions that need further examination.

Simplified Due Diligence (SDD)
• Verifying the identity of the customer and the beneficial owner after the establishment of the business relationship (for example, if account transactions rise above a defined monetary threshold).
• Reducing the frequency of customer identification updates.
• Reducing the degree of ongoing monitoring and scrutinizing transactions based on a reasonable monetary threshold.
• Not collecting specific information or carrying out specific measures to understand the purpose and intended nature of the business relationship, but inferring the purpose and nature from the type of transactions or business relationship established.

Source: Excerpt from FATF. 2018. International Standards on Combating Money Laundering and the Financing of Terrorism and Proliferation.

When developing their customer acceptance and customer due diligence policies and procedures, banks should give special consideration to the treatment of PEPs (whether as customer or beneficial owner). In relation to foreign PEPs,44 besides performing normal customer due diligence, banks should:45
• Have appropriate systems to determine whether the customer or the beneficial owner of a legal entity is a PEP;
• Obtain senior management approval for establishing or continuing such relationships;
• Take reasonable measures to establish the source of wealth and source of funds; and
• Conduct enhanced ongoing monitoring of such relationships.

Banks should also take reasonable measures to determine whether a customer or beneficial owner is a domestic PEP or a person who is or has been entrusted with a prominent function by an international organization. In cases in which such PEPs present higher risk, banks should apply the same requirements to them as for foreign PEPs.46

To adequately assess the risks posed by PEPs, banks should consider obtaining and evaluating the following information:

44 The FATF Recommendations define PEPs as follows: "Foreign PEPs are individuals who are or have been entrusted with prominent public functions by a foreign country, for example Heads of State or of government, senior politicians, senior government, judicial or military officials, senior executives of state owned corporations, important political party officials. Domestic PEPs are individuals who are or have been entrusted domestically with prominent public functions, for example Heads of State or of government, senior politicians, senior government, judicial or military officials, senior executives of state owned corporations, important political party officials. Persons who are or have been entrusted with a prominent function by an international organisation refers to members of senior management, i.e. directors, deputy directors and members of the board or equivalent functions. The definition of PEPs is not intended to cover middle ranking or more junior individuals in the foregoing categories."
45 FATF. 2018. International Standards on Combating Money Laundering and the Financing of Terrorism and Proliferation.
46 FATF. 2018. International Standards on Combating Money Laundering and the Financing of Terrorism and Proliferation.
• The position the PEP holds/held;
• Whether this position is/was in a higher-risk country;
• Whether the PEP has the ability to move government funds;
• The nature of the PEP's current business;
• The pattern of related transactions;
• The PEP's source of wealth and source of funds; and
• The PEP's reputation.

Banks' policies and procedures should clearly outline what additional due diligence is required for PEPs. The requirements for PEPs should also apply to family members or close associates of such PEPs.

As noted, when conducting due diligence, the bank should take reasonable measures to identify and verify the identity of beneficial owners (when the customer is a legal entity). This includes knowing and understanding the ownership and control structure of the customer and determining whether the beneficial owner is a PEP (whether foreign or domestic, or a person who holds a prominent position at an international organization), a designated person, or an individual associated with negative news. If requested by law enforcement or other authorities, information on all beneficial owners and controllers should be given in a timely manner.

Banks should be able to demonstrate that they truly know who their customers are. For example, if the bank determines that 20% of a corporate customer is owned by a trust, the bank's due diligence efforts should not stop there. The bank should gather sufficient information about the trust itself and any related parties, such as the settlor, trustee(s), and beneficiaries.

Due diligence should be applied not only to customers and beneficial owners but also to persons acting on behalf of the customer. The bank should ensure that any individuals acting on behalf of the customer are authorized to do so and should verify the identity of such individuals.

To verify the identity of a customer, beneficial owners, or authorized persons, the bank should use reliable, independent source documents, data, and information. If using supplemental sources other than official documents, banks should ensure that the methods and sources are in line with their jurisdictional requirements and expectations and the bank's policies and procedures. These methods may include obtaining financial statements or checking references with other banks and recognized entities such as public utilities.

The nature and extent of the information required for verification will depend on the customer risk rating and risk assessment conducted by the bank on the customer.

For large integrated or cross-border financial groups incorporating numerous financial institutions, there should be shared CDD policies and procedures. However, based on the risks inherent in each sector of business, CDD measures should be tailored for each specific group.

For additional information on the collection of customer information and verification of customer identity, please refer to Annex 5, which covers this subject in detail.

Banks should ensure that the information collected as part of CDD is kept up to date by developing policies and procedures regarding the frequency of confirming and collecting customers' CDD. Reviews of higher-risk customers should be performed more frequently and should require enhanced due diligence. It should be noted that terrorist and sanctions screening should be performed on all customers, irrespective of the customer risk profile. Banks should consider using automated solutions to conduct such screening and should freeze, without delay and without prior notice, the funds/assets of identified designated persons and entities, as required by applicable laws.

The bank should conduct periodic screening of its customer base to identify high-risk customers requiring EDD (for example, PEPs) or any prohibited customers (for example, designated persons and entities).

CDD and the related customer risk ratings should optimally be held in a centralized database or in a system that provides access to the anti-money laundering and sanctions compliance officials responsible for bank compliance. Management information systems (MISs) provide key information about customers and their activities to both business units and compliance personnel. MISs should be able to provide all necessary information about the customer, such as account documentation, transactional history, and any changes in the customer profile; this information should be provided at the enterprise-wide level (across all business lines).

Ongoing Monitoring – For Illustrative Purposes Only

Risk Level | Frequency
High risk | Every 12 months
Medium risk | Every 18–36 months or trigger-based reviews
Low risk | Every 36–60 months (for corporate customers); trigger-based reviews (for retail customers)

Illustrative Steps to be Taken by the Bank: In relation to customers who did not trigger an alert, the bank may consider refreshing required information by sending an automated e-mail asking the customer to confirm baseline information on file. For customers who triggered an alert, a more in-depth assessment, including a manual request for information (RFI) and a review of the customer's activity, may be required.

RELIANCE ON THIRD PARTIES

CDD compliance is ultimately the responsibility of the bank. There may be times, however, when a bank is permitted to rely on third parties to perform certain elements of the CDD procedures. Allowing a third party to conduct CDD must be permissible under local laws. A bank must ensure that it is within legal boundaries to outsource the collection and updating of CDD. Banks should verify that their jurisdiction's privacy laws permit these types of activities. A bank may use a third party for:47
• Identifying and verifying the customer's identity using reliable, independent source documents, data, or information.
• Identifying the beneficial owner and taking reasonable measures to verify the identity of the beneficial owner. For legal persons, this should include understanding the ownership and control structure of the business.
• Understanding and, as appropriate, obtaining information on the purpose and intended nature of the business relationship.

When using a third party, the following minimum criteria must be met:
• The bank must receive the CDD information collected on the customer before onboarding.
• The bank should take adequate steps to ensure that all documentation, including copies of identification data, is received or available to it without delay from the third party.
• The bank should satisfy itself that the third party is regulated, supervised, or monitored appropriately and has measures in place for CDD and record-keeping compliance.

EMERGING TECHNOLOGY SUPPORTING KYC/CDD

There are a number of emerging technology applications that have the potential to improve the efficiency and effectiveness of AML/CFT processes and thereby improve a bank's operations. Several global banks are experimenting with multiple technologies that address some AML/CFT compliance challenges.48 Smaller institutions may also benefit from the new technologies in terms of compliance and cost saving and in terms of obtaining and maintaining CBRs. Some of these innovations are described here.

KYC UTILITIES

KYC utilities may take several forms, as described in the text box below. Focusing on one type, the use of KYC utilities that take the form of a centralized database registry is an innovative way for banks to store collected CDD information. KYC utilities can help a bank's procedures by reducing the amount of data redundantly sent from respondent banks to correspondent banks. Utilities also allow correspondent banks to monitor their respondent banks on an ongoing basis. There are three common challenges correspondent banks and their respondent banks face when it comes to KYC document collection without the use of a utility:
1. Typically, the same, or similar, information needs to be collected by all correspondents making use of the widely popular Wolfsberg Group Correspondent Bank Due Diligence Questionnaire.
2. Some correspondents have differing KYC due diligence requirements.
3. The KYC due diligence collection and ongoing monitoring process is labor intensive and can be complex, costly, and time consuming.

47 FATF. Feb 2018. FATF Recommendations.
48 IFC. 2018. A Guide to Respondent Banks: Essential KYC Considerations to Manage Correspondent Banking Relationships in Trade.

Figure 9 illustrates how KYC utilities can centralize KYC activities and assist with the aforementioned problems.

There are a number of advantages that KYC utilities provide, including:
1. Respondent banks enter applicable KYC due diligence into one database for all correspondent relationships to access and use. This greatly reduces the number of times the respondent needs to collect and send similar information to its various correspondent banks.
2. Correspondent bank transactional costs may be reduced, since KYC due diligence documentation needs to be provided, updated, and exchanged with only one entity, the KYC utility.
3. The use of a single template promotes the standardization of KYC due diligence information collection, which typically covers most of the correspondent banks' KYC obligations.
4. The use of a KYC utility greatly reduces the amount of additional, unique KYC due diligence required by each correspondent bank.
5. The accuracy and consistency of the KYC due diligence information is improved because respondent banks maintain only one set of updated information within the utility.
6. The use of a centralized KYC utility speeds up the availability of KYC due diligence information for correspondent banks when they are considering starting a relationship or opening an account with a respondent bank.49

Figure 9: Centralizing KYC Activities (diagram contrasting the Pre-utility State, in which each respondent exchanges KYC data bilaterally with every correspondent, with the Post-utility State, in which all parties exchange data through the Utility). Source: IFC. May 2018. A Guide to Respondent Banks: Essential KYC Considerations to Manage Correspondent Banking Relationships in Trade.

49 CPMI. 2016. Correspondent Banking.

What is a Know-Your-Customer Utility?

There are three types of KYC utilities operating today: Industry Collaboration Utilities, Jurisdictional Utilities, and Utility Service Providers. Two subcategories of utility service providers are: a) Utility Services, which are primarily data services and identification (ID) information storage; and b) Managed Services, which are basically outsourced utility services plus transaction tracking and CDD. Examples of each type of utility are as follows:

Industry Collaboration Utility: SWIFT

CDD requires records of where customer payments originate and terminate. This explains why one of the first successful KYC utilities was introduced by SWIFT, the Society for Worldwide Interbank Financial Telecommunication.

Essentially, SWIFT deals in electronic messages between banks, and these messages provide a transaction trail, documenting where money originates and terminates. SWIFT does not clear or settle transactions, and holds no accounts, but does pass information about payments through its highly secure messaging system. SWIFT has a successful shared data repository that holds profile data for hundreds of respondent and correspondent banks. The SWIFT KYC utility, available to SWIFT members, is useful for member correspondent/respondent banking relationships, and reduces correspondents' risk when dealing with respondent banks in high-risk or sanctioned jurisdictions because the SWIFT utility validates where the money goes and that the recipient is acceptable. The utility, which is used by major correspondent and respondent banks, is used primarily for the larger payments of larger corporations. There are around 11,000 SWIFT users today, which makes SWIFT a significant player in international corporate payments; however, many smaller banks and FIs in emerging markets are not SWIFT members.

Jurisdictional Utility: Monetary Authority of Singapore KYC Utility

In 2017 the Monetary Authority of Singapore announced the development of a national KYC utility that would cover all individuals with accounts in Singapore. The "MyInfo" service, a personal data platform that contains government-verified personal details for every account holder, is the foundation for this utility. Residents provide their data to the government once, and it then supports all subsequent online transactions. The goal is to link all FIs to this validated database, which will reduce redundancy and improve information quality. Singapore has the advantage of a very good national ID system and database, and the nation is highly digitally enabled. Its utility does not address transaction monitoring or ongoing CDD; that role is retained by the individual FIs. A more ambitious effort by MAS to do the same for corporate banking transactions was put on hold in November 2018 pending a review of implementation costs and anticipated savings.

Utility Service Provider: BAE Systems

BAE Systems is one of the largest defense contractors in the world and offers its "NetReveal" product as a managed service for KYC/CDD solutions. This enterprise-wide approach is intended to satisfy all KYC/CDD requirements for the financial institutions (primarily European banks) that outsource financial functions to BAE. BAE's system includes customer information capture, validation, risk rating, politically exposed person (PEP) checking, investigation, regulatory reporting, continuous monitoring, beneficial ownership validation, risk ratings, changes in management, adverse events, business expansion, new lines of business, initial public offerings (IPOs), acquisitions, divestitures, geographic expansion, social media coverage, credit rating changes, etc. The system also monitors transactions and uses artificial intelligence (AI) and other applications to automate most of these activities (Figure 10).

Figure 10: BAE's KYC Utility Product Offering—The NetReveal risk, fraud, and compliance solution suite (diagram; the suite is shown in three stages, onboarding and data collection, ongoing detection and prevention, and investigate and respond, with components including risk scoring, entity-centric analysis, social network analysis, watch list management, AML transaction monitoring, payments fraud, KYC/CDD, sanctions/PEP screening, EDD/ODD, composite risk score, alert triage and optimisation, alert and case management, command and control dashboards and KPIs, an analytical workbench to configure and tune models and rules, and a financial crime repository fed by bank systems data, customer, employee, application, transaction, online and third-party data). Source: www.baesystems.com

To be ready to use KYC utilities, a bank must have the internal capacity and infrastructure to enter and update all essential data regularly. This may require a significant technology investment on the part of the bank. There are therefore certain internal infrastructure and capacities necessary before adopting a KYC utility. Examples of the essential capacity needed include:50
• Identification systems (whether developed by national authorities or the private sector).
• For primary information that exists in non-English languages, translation services acceptable to correspondent banks.
• Other validation/certification that gives comfort to the correspondent banks of the authenticity of the information submitted.
• Systems and processes for ongoing updates and maintenance of data in the utilities in a timely manner.51

Although such utilities may have the potential to lower costs, they will not replace all procedures at a bank, and banks are still responsible (in the eyes of US regulators) for any breach in compliance or liability arising from reliance on any third-party tools or methods. Additionally, KYC utilities should not displace institution-specific KYC processes and procedures.

There are certain limitations that global correspondent banks need to keep in mind when considering the use of KYC utilities. Some of these limitations include:
• Routine or automated updates by the respondent bank are still needed to ensure information is current and accurate.
• KYC utilities may not collect all necessary CDD information, so other information may need to be collected bilaterally.
• Privacy laws in some jurisdictions may prohibit sharing, storing, or mining of basic information.

Despite these limitations, KYC utilities can be a highly valuable tool for emerging market banks to take advantage of when approaching KYC/CDD sharing with correspondent banks.

50 IFC. 2018. A Guide to Respondent Banks: Essential KYC Considerations to Manage Correspondent Banking Relationships in Trade.
51 IFC. 2018.
A Guide to Respondent Banks: Essential KYC Considerations to Manage Correspondent Banking Relationships in Trade.

KYC Utility Vendors

IFC does not endorse a specific KYC utility, and the sample listing of vendors is provided for information purposes only:
• SWIFT has developed the KYC Registry, to which respondent banks can contribute their data at no cost, whereas correspondent banks pay a fee to access the data.
• Thomson Reuters has also developed its own "KYC as a Service" utility solution, employed by over 55 global financial institution clients.
• IHS Markit has created a KYC Services platform that has over 140,000 entities represented, including over 80,000 with legal entity identifiers.
• Bankers Almanac has developed a suite of solutions for risk and compliance, including counterparty KYC, a due diligence repository, a KYC due diligence data file, regulatory views, and ultimate beneficial ownership data.

Local KYC solutions:
• Thomson Reuters has launched a national KYC service in South Africa, where participating financial institutions have access at no charge via a web-based portal.
• African Export Import Bank (Afreximbank) has created the African Customer Due Diligence Repository Platform, which stores information on African financial institutions and corporations to reduce KYC costs for African clients.

Source: IFC. 2018. A Guide to Respondent Banks: Essential KYC Considerations to Manage Correspondent Banking Relationships in Trade.

LEGAL ENTITY IDENTIFIERS

The international community has recently called for the widespread use of Legal Entity Identifiers (LEIs), which are internationally recognized 20-character alphanumeric codes that identify distinct legal entities engaged in financial transactions. The LEI is a global standard, designed to be a form of non-proprietary data that is freely accessible to all parties.

The first LEIs were issued in December 2012. Currently, the U.S. and European countries require corporations to use the legal entity identifier when reporting the details of transactions in over-the-counter derivatives to financial authorities. As of December 2018, over 1,300,000 legal entities from more than 200 countries had been issued LEIs.

Several international bodies, such as the Committee on Payments and Market Infrastructures (CPMI) and the Wolfsberg Group, point out that wide adoption of LEIs has the potential to significantly reduce false-positive alerts generated by transaction monitoring systems for sanctions and AML/CFT purposes.52,53 Although the LEI may provide certain benefits related to AML/CFT compliance, it was not designed for AML/CFT purposes, and its potential and limitations need to be investigated further. Additionally, because the LEI does not apply to natural persons, a similar solution for individuals would be required.

The importance of an unambiguous legal entity identifier also became apparent after the global financial crisis. Authorities worldwide were unable to identify parties conducting transactions across different markets, regions, and products, which in turn made it difficult for banks to identify trends, evaluate emerging risks, and take corrective action. To combat these difficulties, regulators, in collaboration with the private sector, have developed a framework that allows for the unambiguous identification of entities54 through the issuance of a unique 20-character alphanumeric reference code. Although LEIs were not designed to be used for AML/CFT purposes, they can improve the effectiveness of certain AML/CFT processes, specifically in correspondent banking relationships. The KYC utilities and information sharing described previously require identification of the banks or customers included in the respective databases. Rather than developing a new standard, the LEI is commonly being adopted as the standard for such utilities.

LEIs are issued in various jurisdictions through local operating units (LOUs), which issue LEIs for a fee and validate the reference data upon issuance and after periodic certifications.55 The Global LEI Foundation (GLEIF) coordinates the LEI system on a global basis, and the list of accredited LOUs can be found on the GLEIF website.56 The cost of obtaining an LEI, as well as the jurisdictions served, will vary by LOU. Therefore, banks interested in obtaining LEIs for themselves and in assisting the legal entities they do business with should visit the websites of these LEI issuers to determine which ones meet their needs.

52 CPMI. 2016. Correspondent Banking.
53 The Wolfsberg Group. 2017. Payment Transparency Standards.
54 LEIs are for identification of legal entities (including legal arrangements such as trusts) and are not applicable to natural persons, except for individuals acting in a business capacity.

ADVANCED TECHNOLOGY APPLICATIONS

When implemented appropriately, adequately, and sufficiently, financial and regulatory technologies (fintech and regtech) may offer banks time- and money-saving solutions to KYC/CDD. Some such technology methods include:57

• Big data: Customer data is now collected from a variety of sources, including social media data, enterprise customer data, publicly available data, location data, mobile data, web data, and behavior data. When aggregated, such data can give banks a better idea of who the customer is, especially when deciding a customer's creditworthiness.

• Artificial intelligence: Artificial intelligence is the branch of computer science that aims to create intelligent machines. It has become an essential part of the fintech industry, focused on programming computers for certain traits such as reasoning, problem solving, and perception. Computers can often act and react with "intelligence" if they have large data sets (big data) relating to the problems assigned.
For example, artificial intelligence has the potential to help banks • Cryptology: Data communication and storage in secure become more efficient in the processing of information and usually coded form can be used by banks when by scanning and analyzing legal documents to extract looking to share KYC/CDD information. Additionally, important data points and clauses related to risk. cryptographic proofs of data stored externally (that is, Dropbox) can be kept. • Machine learning: Machine learning is a subcategory e-KYC: The Case of India India has come a long way in lowering the costs for KYC using electronic means. It uses the Aadhaar system for identifying customers as the basis for its KYC efforts. Aadhar is a unique 12-digit identification number issued by the Indian government to every citizen. The idea behind Aadhar is to have a single, unique identification number on a document, the Aadhar card captures all details, including demographic and biometric information, of every individual resident in India. The Aadhar card does not mandate replacement of existing identification documents, but it can be used to serve as the basis for compliance with KYC norms by financial institutions and other businesses that maintain customer profiles. A resident Indian can apply for the Aadhar number and card by submitting the existing proof of identity (passport, driver’s license, and so forth) and proof of address (phone, power bill, bank statements, and so forth) and by undergoing biometric profiling (fingerprints and iris scan) at any Aadhar center. Aadhaar became the foundation of some transformative projects within India. For example, in 2014, India launched the Prime Minister’s People’s Wealth Scheme, which gives low-cost, no-frills bank accounts to the underserved if they can provide details about their identity. 
From 2014 to 2017, the number of simple bank accounts such as these grew tenfold, from 30 million to 300 million, thanks partly to the availability of Aadhaar authentication. For correspondent banks, the knowledge that its respondents use a biometric identification system and have access to reliable and up-to-date information on their customers gives them a degree of comfort regarding KYC by their respondents and thus, all other things being equal, makes this relationship more attractive. Source: Excerpt from The World Bank Group’s “The Decline in Access to Correspondent Banking Services in Emerging Markets: Trends, Impacts, and Solutions,” 2018 and https://www.foreignaffairs.com/articles/asia/2018-08-13/data-people 55 CPMI. 2016. Correspondent Banking. 56 https://www.gleif.org/en/about-lei/how-to-get-an-lei-find-lei-issuing-organizations. 57 European Banking Authority. 2018. EBA Report on the Prudential Risks and Opportunities Arising for Institutions from Fintech. 36 of artificial intelligence. If specific risks are managed place, which means the system must be commensurate with properly, this technology can be used to further the bank’s risk profile, size, complexity, and activities.58 refine processes for detecting patterns of suspicious Although it may be appropriate for some small banks to transactions by “learning” from experience of detecting employ manual scanning of transactions, most banks, true positives. particularly those that conduct international transactions, are expected to have an automated solution in place which • Biometrics: Biometric authentication technologies enable them to identify unusual transactions and patterns in measure a person’s unique and stable biometric features a more efficient and effective manner. and match them with authorized biometric samples of that same person. 
This allows for accurate verification The degree and nature of transaction monitoring should of that person’s identity with external features unique be risk based. With this approach, although higher-risk to them, such as fingerprint, face, iris patterns, or situations may require enhanced monitoring, banks may voice. Although the opportunities from biometric apply reduced monitoring to lower-risk situations (for authentication are great for both banks and customers, example, customers with lower inherent risk, products and there are legal, security, and reputational risks involved services that have strict limits, and lower-risk jurisdictions in such technology. It is imperative that banks address of customers and transactions).59,60 all possible risks and be familiar with local laws to ensure that such technology is appropriate not only for When designing thresholds and risk parameters, the the risk assessment within the AML/CFT program but bank should consider customer risk profiles, information also for the laws and regulations within the institutions’ collected during its CDD process, and if applicable, jurisdiction. any information provided by law enforcement or other The case study provided here discusses how KYC-related authorities to account for any ML/FT schemes identified by innovations are being used in India and the benefits they them.61 Monitoring controls can include alert scenarios or offer to respondent and correspondent banks. setting limits for a particular activity. The system thresholds and parameters are to be assessed by the AML/CFT Although digital options can and should be used as compliance function and independent audit on a regular appropriate, they cannot completely replace AML/CFT basis. processes. The risk and responsibility of adequate policies and procedures, especially in terms of KYC/CDD, falls on The bank’s monitoring system should have a capability to the bank itself. 
All financial technologies should be used in detect transactions with known or suspected terrorists or combination with a risk-based approach and in adherence sanctioned persons or entities. It is strongly recommended with local laws or data privacy regulations that may restrict that messages associated with wire transfers be subject certain activities, such as information sharingz. to ongoing monitoring. In the context of wire transfers, messages MT 103 and MT 202 COV are particularly important as they identify the originator and beneficiary of the wire transfer. 3.6 Transaction Monitoring Transaction monitoring involves manual or electronic At a minimum, a transaction-monitoring system should scanning of transactions based on certain parameters (for have the capability to generate key information for example, customer and beneficiary names, and volume, the board of directors and senior management, such as value, country of origin or destination of transactions) to changes in customer profiles. The system should also have determine if they are consistent with the bank’s knowledge capabilities to provide a centralized view of information of the customer. Transaction monitoring is intended to alert by customer or product or across group entities.62 The the bank to unusual business relationships and activity, ability to provide a centralized or enterprise wide view is enabling the bank to meet its statutory obligations with particularly important when the bank has customers served respect to reporting potentially suspicious transactions. by multiple business units. This functionality enables the Banks should have an adequate monitoring system in bank to account for all the risks posed by such customers. 58 BCBS. 2017. Guidelines: Sound Management of Risks Related to Money Laundering and Financing of Terrorism. 59 FATF. 2017. Anti-Money Laundering and Terrorist Financing Measures and Financial Inclusion. With a Supplement on Customer Due Diligence. 60 FATF. 2014. 
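As an added example (not code from the IFC note or from any screening vendor), the Python script below shows the screening step the wire-transfer paragraph above calls for: it parses the block-4 text of an MT 103, extracts the ordering customer (field 50a) and beneficiary (field 59a), and compares their names against a watchlist. The sample message, the watchlist, the 0.85 similarity threshold and the difflib-based name comparison are all constructed assumptions for illustration; a production engine uses purpose-built matching and the bank's list feeds. The same 50a/59a extraction applies to sequence B of an MT 202 COV, which carries the underlying customer fields.

```python
import re
from decimal import Decimal
from difflib import SequenceMatcher

# Constructed sample: block 4 of an MT 103. Not a real payment; names and
# accounts are invented for this example.
SAMPLE_MT103 = """:20:REF20190115001
:23B:CRED
:32A:190115USD25000,00
:50K:/1234567890
ACME TRADING LTD
12 HARBOUR ROAD
PORT CITY
:59:/9876543210
GLOBAL EXPORTS S.A.
45 RUE DU COMMERCE
:70:INVOICE 4471
:71A:SHA"""

# Constructed watchlist standing in for the bank's sanctions and terrorist list feed.
WATCHLIST = ["GLOBAL EXPORT S.A.", "NORTHERN STAR SHIPPING CO", "ACME PETROLEUM HOLDINGS"]

# A block-4 field starts at the beginning of a line as :NN: or :NNa: (for example :50K:).
TAG_RE = re.compile(r"^:(\d{2}[A-Z]?):", re.MULTILINE)


def parse_block4(text):
    """Split block-4 text into {tag: value}; a value runs until the next tag and may span lines."""
    matches = list(TAG_RE.finditer(text))
    fields = {}
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(text)
        fields[m.group(1)] = text[m.end():end].strip()
    return fields


def parse_32a(value):
    """Field 32A: YYMMDD + currency + amount with a comma decimal mark, e.g. 190115USD25000,00.
    The century is assumed to be 20xx for this example."""
    m = re.fullmatch(r"(\d{6})([A-Z]{3})(\d+(?:,\d*)?)", value)
    if not m:
        raise ValueError("malformed 32A: %r" % value)
    yymmdd, currency, amount = m.groups()
    date = "20%s-%s-%s" % (yymmdd[:2], yymmdd[2:4], yymmdd[4:])
    return date, currency, Decimal(amount.replace(",", "."))


def party(fields, options):
    """Return (tag, account, name) for the first present option of a party field.
    Lines: an optional /account line, then the name (option F prefixes the name with 1/)."""
    for tag in options:
        if tag in fields:
            lines = fields[tag].splitlines()
            account = lines.pop(0)[1:] if lines and lines[0].startswith("/") else None
            name = re.sub(r"^1/", "", lines[0]) if lines else ""
            return tag, account, name
    return None, None, None


def normalize(name):
    """Uppercase and strip punctuation so that 'S.A.' and 'SA' compare equal."""
    return " ".join(re.sub(r"[^A-Z0-9 ]", "", name.upper()).split())


def screen_name(name, watchlist, threshold):
    """Best watchlist match for a name: (entry, score), or (None, best_score) if below threshold."""
    norm = normalize(name)
    best_entry, best_score = None, 0.0
    for entry in watchlist:
        score = SequenceMatcher(None, norm, normalize(entry)).ratio()
        if score > best_score:
            best_entry, best_score = entry, score
    return (best_entry, best_score) if best_score >= threshold else (None, best_score)


def screen_mt103(text, watchlist, threshold=0.85):
    """Screen the originator (50a) and beneficiary (59a) of one MT 103 against the watchlist."""
    fields = parse_block4(text)
    hits = []
    for role, options in (("originator", ("50A", "50F", "50K")),
                          ("beneficiary", ("59A", "59F", "59"))):
        tag, account, name = party(fields, options)
        if tag is None:
            # A transfer without originator or beneficiary information is itself a red flag.
            hits.append({"role": role, "issue": "party field missing"})
            continue
        entry, score = screen_name(name, watchlist, threshold)
        if entry is not None:
            hits.append({"role": role, "tag": tag, "account": account, "name": name,
                         "matched": entry, "score": round(score, 3)})
    return hits


if __name__ == "__main__":
    print(parse_32a(parse_block4(SAMPLE_MT103)["32A"]))
    for hit in screen_mt103(SAMPLE_MT103, WATCHLIST):
        print(hit)
```

On the sample message the beneficiary "GLOBAL EXPORTS S.A." scores about 0.97 against the watchlist entry "GLOBAL EXPORT S.A." and is reported, while the originator produces no hit; a message with a missing party field is reported as an issue rather than silently passed. The threshold is one of the parameters the tuning process described in this section should set and revisit.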
SUSPICIOUS-TRANSACTION REPORTING

Banks are to have procedures and processes for identifying, investigating, and reporting suspicious transactions. These processes should include the necessary automated, semiautomated, or manual monitoring systems to flag unusual or potentially suspicious transaction activity that requires further investigation to determine whether the transactions are suspicious and must be reported to the relevant authorities.

Banks must have access to sufficient expertise and resources to design and implement the necessary monitoring systems. A critical part of the design and implementation of monitoring systems is ensuring they are aligned with the bank's risk assessment results, as well as with the criminal typologies related to the products, services, customers, and geographies addressed within the risk assessment and CRR results. Mature processes also include computer-based case management systems that track and document transaction monitoring system output, investigation activities, and suspicious-transaction report (STR) filing or nonfiling.

Personnel responsible for identifying, investigating, and reporting suspicious transactions should be well trained on internal policies, procedures, and legal requirements (for example, how to prepare STRs) and provided with the necessary resources and guidance on how to recognize suspicious activity based on applicable criminal typologies and schemes.63

Financial institutions and their employees should be protected by law from liability for breach of any restriction on disclosure of information related to filing an STR if the institutions report their suspicions in good faith, and should be prohibited by law from disclosing that an STR is being filed with the FIU.

Financial institutions and their employees should be protected by law from criminal and civil liability for breach of any restriction on disclosure of information related to the filing of a suspicious-transaction report.

When designing the process for identifying, investigating, and reporting suspicious activity, banks should consider coordinated information sharing. Branches and subsidiaries should be able to provide the head office with information relating to high-risk customers and any STRs filed on them as part of the enterprise risk management framework. Due to the confidential nature of STRs, however, a bank should take steps to protect such information, since under some local laws a bank can be liable for direct or indirect disclosure, whether by itself, its controlling company, or its head office, if an STR itself, or even just the fact that an STR was filed, becomes public. Typically the recipient head office, controlling entities, or related parties may not disclose any STR information or the fact that such a report has been filed. Some jurisdictions do allow institutions to disclose, without government approval, the underlying information relating to the STR (that is, information about the transaction[s] or type of activity reported) as long as the information does not explicitly reveal that an STR was filed and is not otherwise subject to disclosure restrictions. For these reasons, the bank, as part of its anti-money-laundering program, should have written confidentiality agreements or arrangements in place specifying that, if STR filings are shared, the head office or controlling company must protect the confidentiality of the STR through appropriate internal controls.

61 BCBS. 2017. Guidelines: Sound Management of Risks Related to Money Laundering and Financing of Terrorism.
62 BCBS. 2017. Guidelines: Sound Management of Risks Related to Money Laundering and Financing of Terrorism.
63 BCBS. 2017. Guidelines: Sound Management of Risks Related to Money Laundering and Financing of Terrorism.

It is imperative that financial institutions and their employees not disclose or "tip off" the fact that a suspicious-transaction report or STR-related information is being filed. Tipping off a customer is a criminal offense in many countries.

As discussed in Section 3.5 Customer Due Diligence, when certain triggering events occur, such as the bank filing an STR on its customer, the bank should reassess the potential risk posed by this customer and reevaluate the risk rating. Also, when multiple STRs are filed on a customer or an STR alleges serious criminal activity, the institution must immediately take appropriate steps to mitigate the risk, for example by (i) requiring approval from an AML/CFT officer or another high-level decision maker within the AML/CFT compliance function to continue the business relationship, (ii) subjecting the customer to enhanced monitoring and setting lower thresholds, or (iii)
restricting the customer's transactions to a limited number [...] bank should consider closing the account.64

Practical Tips for Fine-tuning AML/CFT Transaction Monitoring Systems62

Selection of scenarios/rules
• Perform an ML/FT risk assessment to identify the red flags or the types of unusual/suspicious behavior to be monitored for, given the inherent risks associated with the bank's customers, products, services, and geographies in scope
• Understand the scenario/rule logic (risk mitigated, scenario focal entity, frequency, lookback period, and tunable parameters) and map the red flags to the scenarios/rules offered by the transaction monitoring solution
• To the extent some risks cannot be addressed by the automated transaction monitoring tool, identify an alternative approach to implement mitigating controls (for example, manual monitoring)

Identify customer segmentation to apply to scenarios/rules
• Consider segmenting customers so that more focused and enhanced scenario/rule logic can be applied
• Use KYC information to segment customers into population and peer groups for the purposes of targeted monitoring (for example, net worth of the customer, business/personal, type of business)
• Assess how the CRRs and geography risk ratings used by the institution can be adopted by the monitoring platform rules for further segmentation
• Determine how customer population/pe0er groups will "inform" the transaction monitoring scenarios/rules

Initial threshold setting/preproduction tuning
• Establish clear protocols and procedures for preproduction tuning, including sampling approaches, sample scoring, and risk tolerances (risk tolerance defines the level of risk exposure that is acceptable to the bank in relation to achieving a specific scenario's/rule's objective), in advance of the initial tuning
• In a test environment, perform statistical analyses to identify the distributions and statistical properties for each scenario/rule using de minimis (low value) thresholds and any defined population/peer groups
• Identify initial thresholds for each scenario/rule based on the distribution of alerting activity (for example, the 95th percentile)
• Threshold fine-tuning: perform statistical sampling of test alerts above the line and below the line of the initial threshold and provide the sample of test alerts around the threshold to the financial investigations unit for high-level investigation (the financial investigations unit should be trained on the rules and risk coverage before sampling) and scoring ("false positive," "of interest," "high interest")
• Based on the results of the sample scoring and the bank's risk tolerance, select additional samples slightly higher/lower than the initial threshold and repeat the sampling and investigation of alerts around the new threshold, as required
• Set the final threshold at a level that provides coverage of risk within the bank's risk tolerance (that is, at a level where the number of true-positive or of-interest alerts missed is low)
• Revisit all initial parameters within 6 to 12 months, using production history for tuning

Tuning of production thresholds
• Establish clear protocols and procedures for production tuning
• Perform production tuning in a similar manner to preproduction tuning
• Perform a distribution analysis of historical alerts, cases, and STR filings for each rule
• Depending on the distribution of activity, perform above-the-line and below-the-line sampling and scoring to reduce the occurrence of false-positive alerts or to minimize the risk of not capturing true-positive alerts; repeat sampling, as necessary, at different threshold values
• Based on the sampling results, adjust threshold values as needed

Documentation
• Document the process, methodology, evidence, and outcome of the tuning processes used
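The preproduction tuning steps in the table above, worked through on constructed data: segment by peer group, run the scenario at a de minimis threshold, set the initial threshold at the 95th percentile of the alerting distribution, sample above and below the line, score the samples, move the line while below-the-line sampling shows missed risk, and keep the log as the documentation trail. This is an added example, not code from the IFC note or from any transaction monitoring product. The two peer groups, the amounts, and the "suspicious" labels that stand in for the financial investigations unit's scoring of sampled alerts are all constructed, and the 5-percentile step, sample size of 3, and zero below-the-line tolerance are assumed parameters.

```python
import math
from collections import defaultdict


def build_sample():
    """Constructed transactions for one scenario ('large single transaction').
    'segment' comes from KYC (retail vs SME); 'suspicious' stands in for the
    investigator's scoring of a sampled alert and would not exist in production data."""
    txns = []
    for i in range(95):
        txns.append({"id": "R%03d" % i, "segment": "retail", "amount": 50 + 10 * i, "suspicious": False})
    for j, amt in enumerate([9000, 9500, 9800, 9900, 9950]):
        txns.append({"id": "RS%d" % j, "segment": "retail", "amount": amt, "suspicious": True})
    for i in range(95):
        txns.append({"id": "S%03d" % i, "segment": "sme", "amount": 1000 + 500 * i, "suspicious": False})
    for j, amt in enumerate([47000, 120000, 150000, 180000, 200000]):
        txns.append({"id": "SS%d" % j, "segment": "sme", "amount": amt, "suspicious": True})
    return txns


def percentile(values, p):
    """Nearest-rank percentile: the smallest value with at least p percent of observations at or below it."""
    ordered = sorted(values)
    rank = max(1, math.ceil(p / 100 * len(ordered)))
    return ordered[rank - 1]


def sample_around(txns, threshold, k):
    """Above-the-line: the k alerts nearest above the threshold; below-the-line: the k nearest below."""
    atl = sorted((t for t in txns if t["amount"] >= threshold), key=lambda t: t["amount"])[:k]
    btl = sorted((t for t in txns if t["amount"] < threshold), key=lambda t: -t["amount"])[:k]
    return atl, btl


def of_interest_rate(sample):
    """Share of a scored sample that investigators marked of interest or high interest."""
    return sum(1 for t in sample if t["suspicious"]) / len(sample) if sample else 0.0


def tune_segment(txns, start_pct=95, step=5, k=3, btl_tolerance=0.0, floor_pct=50):
    """Preproduction tuning of one scenario within one peer group.
    Start at the 95th percentile of a de minimis run (every transaction alerts),
    then move the line while below-the-line sampling shows missed risk."""
    amounts = [t["amount"] for t in txns]
    pct, lowered, log = start_pct, False, []
    for _ in range(10):  # bound the loop so an oscillating rule cannot run forever
        threshold = percentile(amounts, pct)
        atl, btl = sample_around(txns, threshold, k)
        btl_rate = of_interest_rate(btl)
        atl_fp = 1.0 - of_interest_rate(atl)
        log.append({"percentile": pct, "threshold": threshold,
                    "btl_of_interest": round(btl_rate, 2), "atl_false_positive": round(atl_fp, 2)})
        if btl_rate > btl_tolerance and pct - step >= floor_pct:
            pct -= step          # risk is slipping under the line: widen coverage
            lowered = True
        elif atl_fp == 1.0 and not lowered and pct + step <= 100:
            pct += step          # nothing but noise just above the line: tighten
        else:
            break
    return threshold, log


def tune_all(txns, **kwargs):
    """Segment by peer group and tune each group separately; the logs are the documentation trail."""
    by_segment = defaultdict(list)
    for t in txns:
        by_segment[t["segment"]].append(t)
    thresholds, logs = {}, {}
    for segment, group in sorted(by_segment.items()):
        thresholds[segment], logs[segment] = tune_segment(group, **kwargs)
    return thresholds, logs


def alerts(txns, thresholds):
    """Apply the tuned per-segment thresholds."""
    return [t for t in txns if t["amount"] >= thresholds[t["segment"]]]


if __name__ == "__main__":
    data = build_sample()
    thresholds, logs = tune_all(data)
    for segment, entries in logs.items():
        for entry in entries:
            print(segment, entry)
    print(thresholds, len(alerts(data, thresholds)), "alerts")
```

On this data the retail line stays at the 95th percentile (990), because the three transactions just below it are clean, while the SME line starts at 47,500, finds one of-interest transaction among the three sampled just below it, drops to the 90th percentile (45,500), and stops once the next below-the-line sample is clean. The log records every threshold tried and the sample outcomes, which is the evidence the Documentation row asks for; the same loop run on production alerts, cases, and STR filings is the production tuning the table describes.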