Strong enterprise compliance risk management enables effective BSA/AML/OFAC compliance
Association of International Bank Audit and Compliance Professionals Inc.
Eric Young, Americas & CUSO-IHC Chief Compliance Officer
March 26, 2019
Agenda
Thank you - Michele Fleming, Anthony D’Anna, AIBACP, and ARC
- Enterprise Compliance Risk Management – What / Why Important?
  - As a foreign banking organization (FBO) in the US?
  - For BSA/AML/OFAC compliance officers?
- Silos, Flows and Circles = People, Process, and Technology
- Effective people, process and technology = acceptable compliance residual risk
  - Within an approved Risk Appetite
  - Including BSA/AML/OFAC, e.g., DFS 504 certifications and equivalents
- Questions and answers
CCO Report | | 05/02/2016 |
Enterprise Compliance Risk Management – What/Why Important? (1/2)
- Firm-wide approach to Compliance
- FBOs are US extensions of their parents and part of the parent’s global network
- Fed’s SR 08-8: “Compliance Risk Management Programs and Oversight at Large Banking Organizations with Complex Compliance Profiles”
  - Issued in 2008; expected to be revised in 2019
  - Sets, at least, four key expectations regarding Compliance Programs:
    - Compliance Independence – universally important (see Basel 2005 Compliance paper)
    - Compliance Monitoring & Testing – how do you know it’s working?
    - Board & Executive Oversight – demands accountability, sets culture
    - 4½: Conduct, Data Integrity, Sustainable – demands accountability, sets culture
E. Young AIBACP Keynote
Enterprise Compliance Risk Management – What/Why Important? (2/2)
- Compliance is a key component of a larger integrated enterprise risk management framework
  - Within the US, but also across the global network
  - Especially with IT dependencies from HQ
Enterprise Risk Management Framework (lines of defense):
- Front Office (1LOD): Conduct (and other 1LOD controls)
- Compliance (2LOD)
- Risk (2LOD)
- Audit (3LOD)
Key Components of Compliance Framework:
A. Legal & Regulatory Inventory, and Change Management
B. Risk Assessments (factoring RCSAs, audits, exams, etc.)
C. Compliance Control Documents (Policies / Procedures) and Training
D. Compliance-Owned Internal Audit & Regulatory Findings
E. Surveillance, Monitoring and Testing
F. Compliance Resourcing & Budgeting
G. Reporting, Analysis, Escalation and Thematic Commentary
H. Annual Compliance Plan
RE-THINKING COMPLIANCE RISK MANAGEMENT CAPABILITY
Silos, Flows and Circles = People, Process and Technology
Governance, Risk Management & Compliance (“GRC”) tools enable effective Compliance Risk Management.
Roles & Responsibility:
- Accountability model
- Organizational structure
Common Compliance Risk Processes:
- Risk & obligation identification
- Analysis & assessment
- Risk mitigation & control design
- Control activities / corporate policies
- Monitoring, testing & assurance
- Remediation actions
- Reporting & communication
Information Flows & Reporting Channels:
- Reporting & analysis
Technology:
- Common taxonomies & processes
- One golden source for Compliance data
- Reporting & visualization capabilities
- Data security & quality management
- Repository / single source of “truth”
- Information to support risk decisions
- Efficiency of Compliance Risk Management processes
Key Objectives of GRC Technology:
1. Timely assess and report on emerging & changing risk information
2. Avoid duplication across multiple assurance activities across the company
3. Obtain quality risk information from the business
4. Have transparency on key risks
5. Keep Risk Appetite / risk profile connected to GRC efforts
6. Avoid manual and inefficient processes
7. Align GRC effort to strategy delivery
8. Cross-functional integration & clarity of accountability
Effective people, process and technology = acceptable compliance residual risk
Boards of Directors (and FBO Risk Committees) rely on:
- High-quality information, to oversee, approve (and certify), especially whether residual risks are within approved Risk Appetites
Key data, metrics and KRIs should be:
- Consolidated enterprise-wide across entities, business lines and functions
- Granular, comprehensive and accurate
- Thematic and risk-based; easily understandable to judge and act on
DATA INTEGRITY IS ESSENTIAL
Key dependencies: information technology, model risk validation, data governance, cyber (see SR 08-8).
CUSO/IHC Board Orientation Materials | | 05/12/2016 |
Effective people, process and technology = effective compliance, including DFS 504 certifications and equivalents
- BSA/AML/Sanctions compliance is a microcosm of an overall Compliance program
- An effective enterprise compliance program enables robust AML/BSA/OFAC compliance
- DFS 504 codifies whether AML/BSA/OFAC compliance:
  - Is robust
  - Is comprehensive
  - Reflects an end-to-end, effective set of people, process and technology, with data integrity, model validation, and controls which can be certified
Hypothetical process map of 504 compliance (figure)
Takeaways
Enterprise Compliance Risk Management IS important for:
- Foreign banking organizations (FBOs) in the US – however small, simple, big or complex
- BSA/AML/OFAC compliance officers
Silos, Flows and Circles = People, Process, and Technology
Effective people, process, and technology = acceptable compliance residual risk within an approved Risk Appetite, including BSA/AML/OFAC, e.g., DFS 504 certifications and equivalents
Questions and answers