On-site and Off-site Supervision Andrew Milford Financial Sector Supervision Advisor International Monetary Fund

Overview of presentation Off-site supervision Licensing Governance Off-site considerations On-site supervision Planning examinations Work performed Results Relationship between on- and off-site supervision

Off-site supervision

The Purpose of Off-site Monitoring Supervisors should know the institution and understand its business activities. The purpose of off-site monitoring is to determine if the subject institution exhibits a risk profile suggestive of: Non compliance with regulations or directives; Ineffective internal compliance procedures; or Engaging in possible money laundering activities. Risk based supervision.

Off-site Monitoring - Licensing Ensure FIs well supervised and reputable Admission criteria include Financial strength & track record Ownership structure, and whether it has fit-and-proper management Supervision by home supervisor Risk management, asset quality Reputation, etc

Off-site Monitoring – Corporate Governance Powers to approve changes in Ownership Control Senior management of banks Significant changes in ownership / control require Minister’s approval Senior Executives – Supervisor’s approval

Meetings with Management Regular meetings - Discuss bank’s latest efforts on AML/CFT Awareness of latest regulations/circulars Assess staff screening policies

Compliance Function - 1 Regular meetings to review roles and responsibilities relating to AML/CFT Expertise and experience Reporting line to management Prompt dissemination of AML/CFT regulation

Compliance Function - 2 Regular meetings to review roles and responsibilities relating to AML/CFT Ongoing monitoring of compliance with AML/CFT regulations and P&Ps Investigate and escalate STRs Reports to Senior Management

Internal Audit Function Meet with internal audit to assess Competence Reporting line / independence Roles and responsibilities Frequency and scope of AML audits Review work papers Training programmes Processes for follow-up of issues identified

Leveraging on Auditors Review quality, extent and frequency Recent audit Why repeat coverage? Allows modification of examination / review scope

On-site supervision

What is the purpose of the AML/CFT on-site examination? On-site examinations To determine whether the FI has developed, administered and maintained and effective program for compliance with AML/CFT laws and regulations. International obligations on supervisors FATF – recommendation 23 BCP – principle 18 IAIS – principle 28

Core Principles for on-site work – 1 Review the written policy to ensure it contains the requirements as set out in your laws/regulations/guidelines, e.g.: Minimum CDD requirements Compliance program Staff training Independent testing Monitoring of transactions

Core Principles for on-site work – 2 Determine whether the compliance program includes policies and procedures that: Identify high risk operations (products, services, customers and geographic locations) Ensure senior management/board are informed of compliance initiatives, deficiencies, STR reporting Nominates a compliance officer Meets all statutory/regulatory requirements Provides sufficient controls and monitoring systems to identify potential suspicious transactions Trains employees Incorporates compliance into job descriptions and performance evaluations

Core Principles for on-site work – 3 Is the policy subject to independent testing: Do these reviewers have appropriate reporting lines? How often is the testing performed and is it adequate? Does it address key issues such as CDD and record keeping and do practices comply with policy? Is there transaction testing, particularly of high risk clients Is the training regime adequate? Can the bank aggregate transactions? What are the arrangements for STRs, especially in relation to the exercise of discretion not to submit to the FIU. Is management following up deficiencies in a timely manner?

Core Principles for on-site work – 4 The role of the compliance officer: Is there a designated compliance officer? Does the compliance officer have the necessary authority and resources to effectively execute and of his/her responsibilities? Are compliance staff knowledgeable about the FI’s products, customer base, etc to ensure that all AML/CFT issues are adequately addressed in policies and procedures? Are they consulted for new products? Review reports completed by the compliance officer.

Core Principles for on-site work – 5 Adequacy of training and issues such as: The importance the board/senior management place on AML/CFT. Employee accountability. Comprehensiveness Frequency Coverage Does it look at different forms of money laundering/terrorist financing as it relates to identification and examples of suspicious activity New policies/regulations You need to meet with individual staff to ‘test’ training

Core Principles for on-site work – 6 Transaction testing: Select a sample of transactions that includes transactions other than those tested by the internal/external auditor. Sample of newly opened accounts. Wire transfers Recently closed/cancelled policies Suspicious transactions

Planning the inspection Need to focus supervisory efforts What activities is the institution undertaking and who are its clients? Remittance activities Non-resident clients Use of third party introducers Overseas offices Correspondent banks Feedback from the market, the FIU or other supervisory agencies

Assessing the risk - 1 Where are the FI’s clients located? Geographic (OFAC, NCCT, drug trafficking jurisdictions) What is the profile of the FI’s clients? ‘Mums and dads’ Corporate clients Import/export orientated Trade finance Does the institution operate in a largely cash based economy? Is the institution part of larger group supervised by another authority? FATF Recommendation 22 - FIs should ensure that AML/CFT requirements apply to branches and subsidiaries in countries which do not apply the FATF recommendations

Assessing the risk - 2 Is there a compliance officer? Is there a compliance culture? Based on previous dealings and market intelligence Compliance with statutory and regulatory requirements Does the audit program (internal and external) cover AML/CFT policies? Does it have a lot of correspondent banking relationships? Have the rules changed recently?

Defining the Scope - 1 What areas are you going to review? Policy document Is it up to date with your jurisdiction's requirements? Is it endorsed by the board/senior management? Newly opened accounts Are CDD procedures being applied? Is the institution checking names against databases? Are copies of documents relied on at the account opening stage kept?

Defining the Scope - 2 What areas are you going to review? Inward and outward transfers Do messages contain the right information? Does the bank seek to verify the nature of the transaction? Account history/transactions Are transactions consistent with the purpose of the account? Is the bank monitoring transactions in the account and questioning transactions which appear unusual? Account monitoring arrangements

Defining the Scope - 3 What areas are you going to review? Staff knowledge of AML/CFT policies Do staff know what the policies are and what is required of them? How are staff made aware of issues and problems? Frequency of training Management reporting What information is reported to management? Do management monitor level of STRs, frequency of staff training?

Prior to the examination - 1 To understand the FI’s risk profile you could: Review prior examination reports, work-papers, management responses, deficiencies and recommendations. Review prior examination work-papers to identify specific procedures/areas reviewed and understand what internal reports exist. Contact the bank to discuss: compliance program; management structure; internal risk assessment; level of STR reporting; extent to which monitoring systems are automated.

Prior to the examination - 2 Write to the FI requesting information to be provided by the FI including: policy documents; copies of internal/external audit reports; staff structure; copies of staff training material. Liaise with the FIU on any concerns it has with the FI, e.g.: reporting errors/issues; penalties imposed on the FI; number of STRs/CTRs submitted. Not a numbers game Need to understand significant changes in volume. Review any internal and external reports on the FI’s AML/CFT policies and compliance issues. Management follow up Status of outstanding issues

Performing the examination Meet with senior management and get them to explain their roles and functions and the nature of activities undertaken. This is not a sign that you do not understand what you are doing. Select a sample of accounts and transactions. Interview staff. Ask to see any information you deem necessary. Management/audit reports

Preparing the report Specific breaches of requirements should be clearly documented. Make reference to examples of breaches or other issues that you identified that have lead you to conclude that there is a weakness in the FIs policies and procedures. Elicit comment from the FI on findings. Recommend solutions. Very important; not good enough to tell them they are doing it wrong but you must also give guidance especially to smaller players.

Communicating the results Meet with key management. Outline key areas of concern and why Examples are very useful Formalize report to the FI taking on board any comments arising from the closing meeting. Report should be passed to the FI in a timely manner. Copy to head office and/or board Deadlines for action should be consistent with the nature of the breach/issue. Outline your potential follow-up actions. Is the supervisor required to report to the FIU? This can arise through the working relationship; or A statutory obligation especially if you find suspicious transactions

Follow up Supervisory actions should be followed up. Deadlines should be monitored and non-compliance addressed. Should be consistent and achievable. Unrealistic deadlines could leave supervisor open to claims that they are vindictive. The supervisor needs to respond to the FI in a timely fashion: Is the response satisfactory? If not, why not. Take action if nothing happens.

Relationship between On- & off-site supervision

Relationship between On-site examination and Off-site monitoring Risk assessment & pre-examination planning Update risk profile & follow-up Off-site monitoring

10 questions that FIs and Supervisors should ask themselves How have AML policies and procedures been updated and disseminated to all customer facing staff? How does the compliance officer satisfy him/herself that customer KYC records are adequate and that the Money Laundering Regulations are being applied effectively across all business units? How does the compliance officer control the content and frequency of training and satisfy him/herself that the records are appropriately detailed? How does the compliance officer ensure that he/she has access to all “know your customer” data when deliberating STRs?

10 questions that FIs and Supervisors should ask themselves What “exception reports” does the company generate to monitor suspicious transactions across all platforms? Which of your products is at the top of your AML risk spectrum? How do you process the sanctions and FATF/FBI/OFAC lists against your customer lists? How do you establish the identity of customers who are introduced to you by 3rd parties? How do you control differing product exemptions cross-group? How do you deal with client funds held in suspense pending receipt of adequate KYC?

Questions