April 17 Risk Management & Internal Controls – KYC for banks Michael J Lesser, Managing Director, Supervision Qatar Financial Centre Regulatory Authority 1st Annual Compliance & AML Seminar – Riyadh 24-25th March 2009 Qatar Financial Centre Regulatory Authority

RISK MANAGEMENT - IDENTIFYING AND DOCUMENTING YOUR AML RISK PROFILE April 17 RISK MANAGEMENT - IDENTIFYING AND DOCUMENTING YOUR AML RISK PROFILE Assess and identify the AML/CFT vulnerabilities posed by your organisations: Products, services and delivery channels Customers Geographic area of operation Establish and implement effective policies, procedures, systems and controls to mitigate the risks identified. Embed the controls into day to day operating procedures. Continue to monitor, review and update AML risk profile. Document the risk profile, the mitigating controls. Obtain senior management approval of the AML Risk Profile. SAMA Rules require firms to adopt a risk based approach in designing their AML / CFT programmes to ensure that measures used to mitigate money laundering and terrorist financing are commensurate to the risks identified in their organisation. Allows resources to be used more efficiently, focus on higher threats and better management of risks. Assessing the AML/CFT vulnerabilities posed by: Products, services and delivery channels Customers Geographic area of operation [we’ll address each of these in more detail in the next slides] Establish and implement effective policies, procedures, systems and controls to mitigate these risks Document the assessment and risk profile and mitigating factors and controls Embed the controls into day to day operating procedures. Continue to monitor and improve. Qatar Financial Centre Regulatory Authority Qatar Financial Centre Regulatory Authority

RISK MANAGEMENT - IDENTIFYING AND DOCUMENTING YOUR AML RISK PROFILE April 17 RISK MANAGEMENT - IDENTIFYING AND DOCUMENTING YOUR AML RISK PROFILE Products, services and delivery channels Document your product range and services against the perceived attraction for them to be used by ML/TF Consider new and developing technologies (m banking etc), be involved in product development Riskier products and services (wire transfers, correspondent banking, e-banking) Qatar Financial Centre Regulatory Authority Qatar Financial Centre Regulatory Authority

RISK MANAGEMENT - IDENTIFYING AND DOCUMENTING YOUR AML RISK PROFILE April 17 RISK MANAGEMENT - IDENTIFYING AND DOCUMENTING YOUR AML RISK PROFILE Customers Consider the risk that different types of customers pose in relation to the threat that they will launder proceeds or crime, fund terrorist activity or be involved in other types of illicit activities. Riskier types of customer could include: PEPS, those will complex legal or trust structures, use of intermediaries, those from particular jurisdictions Qatar Financial Centre Regulatory Authority Qatar Financial Centre Regulatory Authority

RISK MANAGEMENT - IDENTIFYING AND DOCUMENTING YOUR AML RISK PROFILE April 17 RISK MANAGEMENT - IDENTIFYING AND DOCUMENTING YOUR AML RISK PROFILE Geographic area of operation Risks posed by different countries and territories. Consider in relation to where customers are resident or incorporated and where they are trading or doing business. Consider whether the jurisdiction has a stringent or equivalent AML/CFT framework and whether it seen as a jurisdiction of high corruption, terrorist activities, drug trafficking or crime. Qatar Financial Centre Regulatory Authority Qatar Financial Centre Regulatory Authority

RISK MANAGEMENT - IDENTIFYING AND DOCUMENTING YOUR AML RISK PROFILE April 17 RISK MANAGEMENT - IDENTIFYING AND DOCUMENTING YOUR AML RISK PROFILE Mitigating the risks / implementing controls Robust and documented AML policies, produces and controls including: Risk based KYC policies and procedures; Establish customer profiles: Identification and verification of identity and location; allocate AML risk rating; Identify nature of business, source of wealth and funds; ‘transaction profile’ - expected types, levels of business. Risk based monitoring over customer accounts and activity’ Level of due diligence based upon level of risk identified. Increased KYC and monitoring for higher risk customers. Qatar Financial Centre Regulatory Authority Qatar Financial Centre Regulatory Authority

RISK MANAGEMENT - IDENTIFYING AND DOCUMENTING YOUR AML RISK PROFILE April 17 RISK MANAGEMENT - IDENTIFYING AND DOCUMENTING YOUR AML RISK PROFILE Mitigating the risks / implementing controls Effective identification of suspicious activity, analysis and reporting. Regular management reporting on AML matters. Staff training and awareness. Remain vigilant and aware of changes to your organisation: be involved in product development, the firm’s business plan and strategy to identify the AML/CFT risks and update the risk profile and implement appropriate controls. . Qatar Financial Centre Regulatory Authority Qatar Financial Centre Regulatory Authority

April 17 A CASE STUDY - ABN AMRO The ABN AMRO case study illustrates an example of how actions taken in one jurisdiction can create problems in another. Relevant to any financial institution, even those that only operate in a single jurisdiction, Need to understand the requirements of your correspondents in other jurisdictions The implication here is NOT that rules in one jurisdiction are applicable in another, but that financial institutions must take care, if they are operating in multiple jurisdictions, to avoid situations where their actions in one jurisdiction violate the rules in another. They must take care NOT to have their acts in one country purposely or inadvertently violate the rules in another jurisdiction. Acts taken by a bank to purposely violate a countries laws or rules, will be treated more harshly—as was the case here. Even if you only operate here in Saudi or in another single jurisdiction, you need to be aware of the requirements in the jurisdictions of your correspondents. For example if you expect to clear any US dollar transactions, you need to understand the OFAC rules, since ultimately the transaction must flow through a US clearer, who will need to assure that it does not violate the OFAC rules. If your item lacks sufficient information on source and beneficiary, it may be refused, or if this is a chronic problem, you may find that your US correspondent closes the relationship. Qatar Financial Centre Regulatory Authority Qatar Financial Centre Regulatory Authority

ABN AMRO Case Study: Overview In December 2005 ABN AMRO agreed to a Cease and Desist Order covering a variety of Anti-Money Laundering weaknesses and violations of OFAC sanctions. The use of “special procedures” to obfuscate source and/or beneficiary information on payment instructions and thereby facilitate payments relating to Iran and Libya through the NY branch’s US dollar clearing was the most serious matter ABN AMRO paid an $80 million penalty The order involved an unprecedented level of cooperation between US federal, state and international bank supervisors, as well as numerous US law enforcement agencies

Chronology Previous Supervisory Action at another bank in NY relating to US dollar clearing, led to Examiners following the money trail of US dollar transactions for some of the same names Examiners noted that similar transactions were being cleared through the ABN AMRO NY branch Exams conducted in 2003 and 2004 at ABN AMRO NY branch included transaction reviews of the US dollar clearing activity of these and similar accounts, noting suspicious patterns of activity .

Chronology (cont’d) In July 2004 a Written Agreement (“WA”) was entered into with ABN AMRO covering “deficiencies relating to compliance … relating to anti-money laundering policies and procedures … (and) … the suspicious activity reporting requirements” Among other requirements, the bank had to “engage an qualified independent firm” to do a two year look-back of account and transaction activity to determine whether suspicious activity was being “properly identified and reported” .

Chronology (cont’d) As a result of the “look-back” “requirements “ABN AMRO discovered … a pattern of previously undisclosed unsafe and unsound practices warranting further enforcement action” ABN AMRO had implemented “special procedures” designed to “circumvent the (US) Branches’ compliance with “ OFAC regulations Failed to follow-up on negative audit findings and provide them to US supervisors Failed to follow-up on inquires on US law from non-US offices .

Chronology (cont’d) Misrepresented the extent of due-diligence efforts undertaken by non-US branches In December 2005 ABN AMRO agreed to an “Order to Cease and Desist” Penalties in the amount of $80 million were paid by the bank to the US federal and state governments The cost of legal fees and investigation expenses relating to the two actions was much more The C&D Order was lifted in September 2008 .

Agencies Involved: 2004 Written Agreement Parties to the Written Agreement: New York State Banking Department Federal Reserve Bank of New York Federal Reserve Bank of Chicago State of Illinois Department of Financial and Professional Regulation Other parties involved: FinCEN The US Department of Justice Manhattan District Attorney’s Office .

Agencies Involved: 2005 Cease and Desist Parties to the Order: De Nederlandsche Bank NV New York State Banking Department Federal Reserve Board, also on behalf of: Federal Reserve Bank of New York Federal Reserve Bank of Chicago State of Illinois Department of Financial and Professional Regulation Additional parties to Order of Assessment of Penalty: OFAC FinCEN Other parties involved, but not on the Orders The US Department of Justice

A CASE STUDY - ABN AMRO July 2004 Written Agreement April 17 A CASE STUDY - ABN AMRO July 2004 Written Agreement http://www.banking.state.ny.us/ea040726.pdf December 2005 Order to Cease and Desist http://www.banking.state.ny.us/ea051219b.pdf December 2005 Order of Assessment of a Civil Money http://www.treas.gov/offices/enforcement/ofac/civpen/penalties/amrocmp.pdf Qatar Financial Centre Regulatory Authority Qatar Financial Centre Regulatory Authority