Association of International Bank Auditors (AIBA) - 2nd Annual Compliance Seminar
Current AML Regulatory Environment
June 14, 2012
Disclaimer

Copyright © 2012 Deloitte Development LLC. All rights reserved.

This publication contains general information only and Deloitte Financial Advisory Services LLP is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte Financial Advisory Services LLP shall not be responsible for any loss sustained by any person or entity that relies on this publication.
Current Environment

Stakes are getting higher, and maintaining compliance is becoming harder:
- Increased cross-border issues and activities
  - International Directives
- More and more guidance and standards
- Increased governmental/regulatory activity
  - Enforcement Actions
  - Congressional Reports
  - Government Accountability Office (GAO) Reviews
- Larger, more complex organizations
Current Environment (cont'd)

Communication with/involvement of head office is important. Head Office personnel responsible for oversight of/conducting testing should:
- Understand both the local and head office risk profiles
- Understand the legal and regulatory requirements applicable to the U.S. operations
- Obtain training related to BSA/AML compliance
- Establish strong information sharing practices between Head Office and U.S. offices, and be given sufficient access to information to monitor the activity of the U.S. operations
- Actively oversee the testing program/activities and "sign off" on the program/testing results
- Obtain/review copies of audit reports and any other reports related to AML and internal control evaluations
- Follow up on observations (timeliness and completeness of management responses) and perform re-testing
Current Environment (cont'd)

Pay attention to regulatory and litigation trends and priorities:
- BSA Program Redesign
  - Deeper dive into risk-based analysis; increased focus on firm-wide compliance risk management
  - Emphasis on metrics
- Transaction Monitoring/Filtering
  - Better use of interdiction software
  - Continued enhancements to existing monitoring systems
- Reporting
  - Connecting the dots
  - Escalation and governance
Emerging Trends

- AML examinations are expected to be more frequent and intense
  - Severity of enforcement may reach new heights
  - Increased resources dedicated to BSA regulation and examinations
  - Increased enforcement actions against mid-sized and foreign banks
  - More formal examination of AML "models", e.g. transaction monitoring (TM), risk, etc.
- Personal liability for officers and directors
- Greater DOJ and local law enforcement involvement in BSA-related cases
  - More deferred prosecution agreements
- Emphasis on emerging technologies
  - Stored value
  - Mobile phones
- Compliance integration in the context of M&A deals
- Growing focus on OFAC enforcement
- FATCA compliance
Realign and Enhance the Audit Framework

- Establish an audit scope, plan and methodology that is comprehensive and includes all relevant components of the USA PATRIOT Act, including systems used to support compliance
- Create work papers that clearly document the testing performed, are consistent in methodology and presentation, address all audit plan items and describe the sampling methodology (explain the sample size selected)
- Document the activities performed: formal interviews, walk-throughs, documents assessed, etc.
- Previous audit or regulatory findings should be clearly delineated and addressed early in the audit
Common Internal Audit Errors and/or Regulatory Findings

Audit Scope and Approach
- A lack of/inadequate independent testing, and/or the auditors did not possess sufficient AML knowledge
- A number of enforcement actions address the following: the bank failed to conduct adequate independent testing, failed to adequately document its testing activities, the testing program was inadequate, and the assigned ratings were not in line with testing findings/results
- Regulators are increasingly reviewing auditor resumes, AML training received, etc.
Common Internal Audit Errors and/or Regulatory Findings (cont'd)

Audit Scope and Approach
- Failure to identify and test all of the business lines that require AML coverage
- The audit scope does not include key items, or the testing failed to address all items in the audit plan
- Work papers are not adequate to support key findings in the final report
- Audit ratings are not in line with documented findings
- Not all aspects of the AML program are routinely tested, including automated detection systems (e.g. OFAC screening and transaction monitoring)
- Third-party service providers, which play a pivotal role in leveraging resources, are not subject to annual testing
Common Internal Audit Errors and/or Regulatory Findings (cont'd)

Governance
- The board has not established an appropriate tone at the top of the organization
- Senior management does not receive adequate, periodic reporting on AML compliance from the AML Officer (e.g., metrics, risk trends, new/proposed regulations, results of compliance testing and audits, etc.)
- The Board and/or senior management are not actively involved in the oversight of the AML program
Common Internal Audit Errors and/or Regulatory Findings (cont'd)

Section 352 of the USA PATRIOT Act: AML Officer
- Board/senior management have not appointed an AML Officer who possesses the requisite knowledge/has the necessary stature in the organization
- The AML Office is not sufficiently staffed for the overall risk level and size of the institution
- Proper reporting lines and appropriate escalation protocols have not been established
- Decentralized activities do not report either directly or indirectly to the AML Office
Common Internal Audit Errors and/or Regulatory Findings (cont'd)

Section 352 (cont'd): Policies and Procedures
- Lack of updates to policies and procedures for changes to the business, practices and/or systems within the bank
- Business and/or support units not following documented policies and procedures
- Missing policies and procedures for functions or products that should have documented processes related to AML
- Untimely approval of the AML program
Common Internal Audit Errors and/or Regulatory Findings (cont'd)

Section 352 of the USA PATRIOT Act (cont'd): Training
- Not all existing and new employees receive annual general training
- "Targeted/enhanced" training is not provided to individuals whose job responsibilities require specific AML knowledge (e.g. Compliance)
- Adequate documentation of training is not maintained
- Board/senior management are not trained
Common Internal Audit Errors and/or Regulatory Findings (cont'd)

Section 352 of the USA PATRIOT Act (cont'd): Testing
- Lack of/limited documented audit plan, scope and methodology
- Inadequate risk-based testing of policies, procedures, processes and automated systems
- Inability to report and track deficiencies; corrective actions by the business and/or follow-up assessments by audit are inadequate/not timely
- Audit personnel do not receive training on a regular basis
Common Internal Audit Errors and/or Regulatory Findings (cont'd)

Risk Assessments
- The risk assessments (AML and/or OFAC) are not performed or fail to adequately address the risks faced by the institution
- The risk assessment processes are not updated on a regular basis
- The risk assessments are not incorporated into other facets of the AML program (e.g. audit or transaction monitoring)
Challenges - Where is the risk?

Identifying where AML risk originates and how the factors interrelate can be a complicated task.

[Diagram, not reproduced: a risk factor map showing Customers (Trusts, Corps., PEPs, Individuals); Geographies; Transactions (Frequency, Volume, Value); Operations (Outsourcers, Service Providers, Affiliates); Channels (Internet, Telephone, In person); Products (Credit, Trade Finance, Correspondent Banking, Deposits); Regulation (Head Office, FATF, US)]
An Approach to BSA/AML (OFAC) Risk Assessment

Risk assessment typically follows a three-step approach:

Step 1: Assessment of Inherent Risk
- Objective is to assess the risk of the entity or business units based on their business activities, irrespective of any controls
- For example, a business unit operating in a higher risk jurisdiction and/or offering higher risk products/services would have a higher inherent risk

Step 2: Assessment of Control Environment
- Objective is to assess the control environment in light of the mitigating controls implemented
- Examples of strong internal controls: clear policies and procedures, strong KYC processes, effective systems, training program and independent audit

Step 3: Determine Residual Risk
- Upon completion of Steps 1 and 2, determine residual risk, e.g., utilizing a Residual Risk Rating Matrix, based on the overall inherent and control assessment ratings
- For example, a business unit with a higher inherent risk but strong governance, internal controls and/or systems, etc. may have a lower overall residual risk than a medium risk business unit with weak controls
Step 1: Assessment of Inherent Risk

Inherent risk is typically based on selecting relevant, broad categories of risk:
- Customer Base
- Products and Services
- Transactions
- Delivery Channels
- Geography/Jurisdictions
- Other

These broad risk categories are then sub-divided into inherent risk factors derived from regulatory guidance and industry leading practices. This part of the assessment tends to be more quantitative in nature: greater reliance is placed on quantitative data to reduce subjectivity.

Each inherent risk factor is assigned a weight based on its importance from an institutional, industry and regulatory perspective. The overall inherent risk is then derived from the results of the assessment and the weights assigned to each risk factor.
Step 1: Inherent Risk - Customer Base Risk Factors

As an example, the Customer Base risk category can be sub-divided into the following risk factors:
- Business/Occupation
  - Industry type (i.e., the nature of the business conducted by a customer) is typically considered, given that certain industry types inherently present a higher sanctions risk than other industries
  - NAICS code
- Ownership Type
  - Individual vs. Business
  - Public vs. Private
- Legal Entity Type
  - e.g., Corporation, LLP, LLC, Sole Proprietor, Not-for-Profit
- Length of Relationship
  - Typically, the longer the relationship, the lower the customer's risk, because the institution knows the customer and their expected business activity better
Step 1: Assessment of Inherent Risk - Illustration

Inherent AML risk is assessed across a defined set of main risk areas. Multiple risk factors are evaluated within each main risk area to determine the overall inherent AML risk for each entity/business assessed.

[Illustration, not reproduced: scoring grid whose visible labels include "Mortgages" and "Length of Relationship"]
Step 2: Mitigating Controls & Residual Risk

Mitigating controls are typically assessed across various categories, e.g.:
- Management: Structure, Oversight and Governance
- Policies and Procedures
- Training
- Systems
- Internal Testing, Controls, and Reporting

Controls are assessed using a series of questions relevant to each category. This assessment tends to be more qualitative. Each control category is then assigned a weighting based on the importance that the institution places on the control. The overall control rating is then derived from the results of the assessment and the weights assigned to each control.
Step 2: Mitigating Controls - Illustration

Mitigating controls in the form of AML policies, procedures and processes are assessed for each entity/business assessed.

[Illustration, not reproduced: control assessment grid whose visible label is "AML Officer and Function"]
Step 2: Residual Risk - Illustration

Once the overall inherent risk and the control risk ratings are derived, residual risk can be determined. The matrix below is an example of how residual risk can be determined.

[Residual Risk Rating Matrix, not reproduced]

Upon assessing their residual risk, a FI is better able to execute a more effective, risk-based transaction monitoring program, allocate resources to monitoring higher risk customers, identify training priorities, influence hiring practices, identify system development needs, and align due diligence with the level of risk.
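The three-step approach above (weighted inherent risk factors, weighted control categories, residual risk matrix) carried through end to end, as an added example that is not part of the presentation. Every weight, rating scale, cut-off, the residual risk matrix and the two business units are hypothetical; a real assessment would take them from the institution's own methodology. The example reproduces the deck's claim that a high-inherent-risk unit with strong controls can land at a lower residual risk than a medium-inherent-risk unit with weak controls, and it refuses to score a unit with an unassessed factor, an out-of-range score, or weights that do not sum to one.

```python
"""Worked BSA/AML risk assessment: inherent risk -> control rating -> residual risk.

Added example, not from the presentation. All weights, rating scales, cut-offs,
the residual risk matrix and the two sample business units are hypothetical.
"""
from dataclasses import dataclass
import math

# Step 1: inherent risk factors grouped by the deck's risk categories, each with a
# hypothetical weight. Factor scores run from 1 (lowest risk) to 5 (highest risk).
INHERENT_WEIGHTS = {
    "Customer Base": {"industry_type": 0.15, "ownership_type": 0.05,
                      "legal_entity_type": 0.05, "length_of_relationship": 0.05},
    "Products and Services": {"correspondent_banking": 0.15, "trade_finance": 0.10},
    "Transactions": {"wire_volume": 0.10},
    "Delivery Channels": {"non_face_to_face": 0.10},
    "Geography/Jurisdictions": {"high_risk_jurisdictions": 0.25},
}
# Step 2: control categories with hypothetical weights. Each category is assessed
# with yes/no questions; its effectiveness is the share answered "yes".
CONTROL_WEIGHTS = {
    "Management: Structure, Oversight and Governance": 0.20,
    "Policies and Procedures": 0.20,
    "Training": 0.15,
    "Systems": 0.25,
    "Internal Testing, Controls, and Reporting": 0.20,
}
# Step 3: hypothetical residual risk matrix, (inherent band, control rating) -> residual.
RESIDUAL_MATRIX = {
    ("High", "Strong"): "Medium", ("High", "Adequate"): "High",     ("High", "Weak"): "High",
    ("Medium", "Strong"): "Low",  ("Medium", "Adequate"): "Medium", ("Medium", "Weak"): "High",
    ("Low", "Strong"): "Low",     ("Low", "Adequate"): "Low",       ("Low", "Weak"): "Medium",
}
RISK_ORDER = {"Low": 0, "Medium": 1, "High": 2}


@dataclass
class BusinessUnit:
    name: str
    factor_scores: dict     # inherent risk factor -> score 1..5
    control_answers: dict   # control category -> list of yes/no answers


def _check_weights(weights, what):
    # A weighted average is only meaningful when the weights sum to 1.
    total = sum(weights)
    if not math.isclose(total, 1.0):
        raise ValueError(f"{what} weights sum to {total}, expected 1.0")


def inherent_score(factor_scores):
    """Weighted inherent risk score on the hypothetical 1..5 scale."""
    _check_weights([w for fs in INHERENT_WEIGHTS.values() for w in fs.values()], "inherent")
    total = 0.0
    for factors in INHERENT_WEIGHTS.values():
        for factor, weight in factors.items():
            score = factor_scores[factor]   # KeyError: an unassessed factor is a gap, not a 0
            if not 1 <= score <= 5:
                raise ValueError(f"{factor}: score {score} outside 1..5")
            total += weight * score
    return total


def inherent_band(score):
    # Hypothetical cut-offs for Low / Medium / High inherent risk.
    return "Low" if score < 2.5 else "Medium" if score < 3.75 else "High"


def control_score(control_answers):
    """Weighted control effectiveness in 0..1, from yes/no question results."""
    _check_weights(CONTROL_WEIGHTS.values(), "control")
    total = 0.0
    for category, weight in CONTROL_WEIGHTS.items():
        answers = control_answers[category]
        if not answers:
            raise ValueError(f"{category}: no control questions answered")
        total += weight * (sum(1 for a in answers if a) / len(answers))
    return total


def control_rating(score):
    # Hypothetical cut-offs for Strong / Adequate / Weak controls.
    return "Strong" if score >= 0.8 else "Adequate" if score >= 0.5 else "Weak"


def assess(unit):
    """Run steps 1 to 3 for one business unit and return every intermediate rating."""
    i_score, c_score = inherent_score(unit.factor_scores), control_score(unit.control_answers)
    i_band, c_rating = inherent_band(i_score), control_rating(c_score)
    return {"unit": unit.name, "inherent_score": i_score, "inherent_band": i_band,
            "control_score": c_score, "control_rating": c_rating,
            "residual": RESIDUAL_MATRIX[(i_band, c_rating)]}


def _answers(yes, total=4):
    # Constructed answer sheet: `yes` of `total` control questions answered "yes".
    return [True] * yes + [False] * (total - yes)


# Constructed sample units (hypothetical): a high-inherent-risk desk with strong
# controls, and a medium-inherent-risk branch with weak controls.
UNIT_A = BusinessUnit(
    "Correspondent banking desk",
    {"industry_type": 5, "ownership_type": 3, "legal_entity_type": 4,
     "length_of_relationship": 4, "correspondent_banking": 5, "trade_finance": 4,
     "wire_volume": 5, "non_face_to_face": 3, "high_risk_jurisdictions": 5},
    dict(zip(CONTROL_WEIGHTS, [_answers(n) for n in (4, 4, 3, 4, 4)])),
)
UNIT_B = BusinessUnit(
    "Retail deposits branch",
    {"industry_type": 2, "ownership_type": 2, "legal_entity_type": 2,
     "length_of_relationship": 3, "correspondent_banking": 1, "trade_finance": 1,
     "wire_volume": 3, "non_face_to_face": 4, "high_risk_jurisdictions": 4},
    dict(zip(CONTROL_WEIGHTS, [_answers(n) for n in (2, 1, 2, 1, 2)])),
)

if __name__ == "__main__":
    for unit in (UNIT_A, UNIT_B):
        print(assess(unit))
```

With these hypothetical numbers the desk scores 4.50 inherent (High) against a 0.96 control score (Strong) and lands at Medium residual risk, while the branch scores 2.60 inherent (Medium) against 0.39 (Weak) and lands at High. The intermediate scores are returned alongside the bands so that an auditor can check that the assigned rating is in line with the documented assessment, which is one of the findings listed earlier in the deck.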
Contact Information

Peter Fitzgerald, Principal, Deloitte Financial Advisory Services LLP
212-436-5221
pefitzgerald@deloitte.com
About Deloitte

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries.

Copyright © 2011 Deloitte Development LLC. All rights reserved. Member of Deloitte Touche Tohmatsu Limited