
Risk Mitigation

● Introduction of new products or services, new technologies, or delivery processes

● Establishment of new branches and subsidiaries locally and abroad

● Unusually high growth or disproportionately large share of profits from a certain branch or subsidiary

● Mergers and acquisitions of businesses

● Significant growth in high-risk products or services

● New typologies on ML/TF

● Changes in AML/CFT laws, regulations, and guidelines

● High staff turnover in high-risk business lines and compliance

● ML/TF investigations or legal and regulatory action affecting the institution.

RISK MITIGATION

A well-thought-out ML/TF risk assessment provides the foundation for financial institutions to develop an effective and proportionate AML/CFT framework. This framework includes AML/CFT policies, procedures, and controls to mitigate inherent risks as well as institution-wide vulnerabilities. Compliance measures need to be enhanced for higher-risk scenarios, while less rigorous controls can be applied to lower-risk scenarios. Standard controls should apply in the areas or scenarios that are identified as medium risk. Additional factors that are relevant to the adequacy of the AML/CFT framework include the size and complexity of operations, regulatory requirements, the economic environment (for example, level of informality and use of cash in the economy), and the experience and capacity of staff. The following are some of the building blocks for an effective AML/CFT framework.

Role of the Board and Senior Management

An effective risk-based approach to AML/CFT implementation requires a board of directors and senior management that are committed to lead and oversee its development and implementation. The AML/CFT framework should be implemented across the financial institution or group. This commitment requires the following actions:

● Fostering a culture of compliance as a core value of the financial institution that focuses on intrinsic motivation to control ML/TF risks

● Implementing robust AML/CFT policies, procedures, and controls adapted to the financial institution’s ML/TF risk profile and regulatory environment

● Having transparent and effective governance and management information systems that keep the board and senior management informed of ML/TF risks, emerging threats and trends, and compliance issues—such as statistics on unusual and suspicious transactions, regulatory measures, and sanctions—in a timely manner

● Having effective communication systems to inform staff of ML/TF risks and (changes to) the AML/CFT policy and related matters

● Designating a director or board member to be responsible for AML/CFT compliance and ML/TF risks as well as a chief compliance officer at the senior management level

● Having adequate resources for the main control functions of the institution, especially compliance and internal audits, to enable the board to monitor the effective implementation of the AML/CFT framework

● Having sufficient budget and resources for AML/CFT, including staff training, software, and equipment.

Compliance and Internal Audit Functions

Strong compliance and audit functions are important preconditions for an effective governance, risk management, and compliance framework. As required by the FATF standards, financial institutions should appoint a compliance officer at the management level to signal that AML/CFT compliance is an important function for the institution.6 The compliance function is intended to ensure effective implementation and compliance with legal and regulatory requirements and with the institution’s AML/CFT policies and controls. Compliance should therefore have the necessary independence, authority, resources (including information technology tools), and expertise to carry out these functions effectively, as well as unrestricted access to all relevant internal information, including information from (foreign) branches and subsidiaries. The board and senior management should actively promote the compliance officer’s role and responsibility within the organization. The compliance officer should provide practical advice and ensure that staff receive training on ML/TF risks and the implementation of AML/CFT policies, procedures, and controls and regulatory requirements. The compliance officer should also participate in monitoring and assessing risks across the financial institution and group as well as the effectiveness of compliance measures.

Financial institutions must have an independent audit function to test the institution’s AML/CFT system. This function provides a higher level of control for monitoring, among others, the adequacy of and adherence to AML/CFT policies and controls, including the compliance function. The audit function should also review the effectiveness of compliance measures across all business lines, branches, and subsidiaries, both domestically and abroad. Similar to the compliance function, the audit function should have unrestricted access to all information relevant to its task, including confidential information reported via whistleblowing or other internal mechanisms.

Policies, Procedures, and Controls

In addition to high-level controls on governance, compliance, and internal audits, financial institutions should implement risk-based policies, procedures, and controls to mitigate ML/TF risks that they have identified and assessed with respect to their customers, products, services, transactions, geographic locations, and delivery channels. Customer risk, in combination with these other risk factors, requires a comprehensive set of policies, procedures, and controls. For this reason, the standard on customer due diligence is one of the most comprehensive and important preventive measures in the FATF standards.7 In addition, the policies, procedures, and controls should extend to monitoring, managing, and mitigating proliferation financing risks. The BCBS also provides guidance to banks on the management of ML/TF risks, including with respect to a customer acceptance policy, customer and beneficial owner identification, verification and risk profiling, and ongoing monitoring (BCBS 2020). The following are some of the main risk-based policies, procedures, and controls that a financial institution should implement in order to mitigate inherent ML/TF risks with respect to the abovementioned risk factors.

Customer Due Diligence

Financial institutions should develop and implement policies, procedures, and controls to mitigate the customer risks they have identified through their business-wide risk assessment. The customer due diligence processes enable financial institutions to obtain and verify information proportionate to the risks that customers represent to the financial institution and in accordance with regulatory requirements.

Financial institutions should assess the level of risk of new customers at the onboarding stage. Based on the customer due diligence information obtained, financial institutions should establish a customer risk profile that will determine whether normal, simplified, or enhanced measures are to be conducted and the level of monitoring of the business relationship that is required. This process can entail an assessment of risk based on the category of customer (for example, resident vs. nonresident), in combination with the type of product and services to be used (for example, retail vs. private banking), expected volume of business and transactions, and place of business. Thereafter, risk should be monitored through ongoing customer due diligence processes to ensure that the initial risk assessment is still relevant. A customer risk profile can change due to changes in the transaction profile (for example, increase in volume and nature of transactions), products and services used, and business activities or legal form (for example, sole proprietor or partnership), among others. Whatever model is used, an institution should be able to update its risk assessment of customers to ensure that the results are up-to-date and relevant.

Risk profiles can apply at the individual or group customer level, depending on the type of customer and how homogeneous the group is. For instance, certain types of retail customers may be grouped, while corporate and private banking customers may require more tailored customer due diligence and ongoing monitoring. Nevertheless, even with a risk assessment at the group customer level, it is necessary to determine whether certain indicators or red flags require a risk assessment of an individual customer.

Recommendation 10 lists the required due diligence measures that should be applied to customers:

● Identify the customer and verify the customer’s identity using reliable and independent source documents, data, or information

● Identify the beneficial owner and take reasonable measures to verify the identity of the beneficial owner, such that the financial institution is satisfied that it knows who the beneficial owner is. For legal persons and arrangements, understand the ownership and control structure of the customer

● Understand and, as appropriate, obtain information on the purpose and intended nature of the business relationship

● Conduct ongoing due diligence on the business relationship and scrutinize transactions undertaken throughout the course of that relationship to ensure that the transactions being conducted are consistent with the institution’s knowledge of the customer, its business, and its risk profile, including, where necessary, the source of funds.

Where a financial institution is unable to comply with the customer due diligence measures with respect to a customer, the institution should not open the account, commence a business relationship, or perform transactions. If a business relationship already exists, the institution should terminate it. In both cases, the financial institution should consider whether the circumstances require filing a suspicious transaction report (STR) with the FIU in relation to the (prospective) customer.

Financial Inclusion

Financial institutions should be mindful of the fact that applying an overly cautious approach to customer due diligence can have the unintended consequence of excluding legitimate businesses and consumers from the formal financial system. One of the main obstacles to providing financial services or products to unbanked customers is their lack of reliable documentation of identity and data verification. Low-income individuals or displaced persons such as refugees often do not possess the proper identification documentation and therefore are not able to meet certain customer due diligence requirements. FATF guidance on AML/CFT measures and financial inclusion provides examples of customer due diligence measures adapted to the context of financial inclusion (FATF 2013–17). Those examples illustrate how simplified customer due diligence measures or alternative forms of identity verification—for example, the use of e-identity tools—can support financial inclusion, while appropriately mitigating ML/TF risks. To ensure financial inclusion, financial institutions can apply a certain amount of flexibility to the provision of basic, regulated financial products to a larger proportion of the population.

Ongoing Due Diligence

Depending on the risk profile of the customer, financial institutions should apply ongoing due diligence to determine whether transactions or patterns of transactions are consistent with the institution’s knowledge of the customer, its business or activities, and its initial risk profile. Preferably, the risk profile also includes information on the expected transaction behavior of the customer. Such monitoring enables financial institutions to ascertain whether transactions are consistent with the information obtained during the onboarding process or subsequent customer reviews. Transactions and activities of a customer should be monitored continuously, paying special attention to activities or transactions that depart from the known customer profile. Ongoing due diligence also involves updating documentation and data collected through the customer due diligence process. Ongoing customer due diligence is an important part of a financial institution’s overall system for identifying and reporting unusual or suspicious transactions and activities. Depending on the size and complexity of the operations, both manual and automated systems can be used to monitor customer transactions. For customers and business lines with very large volumes of transactions, automated systems may be necessary. In such cases, the automated system should be reviewed periodically and tested for effectiveness to ensure that it is adequate for transaction-monitoring purposes.

Risk-Based Approach to Customer Due Diligence

Financial institutions should apply customer due diligence in all cases, but it should be done in a risk-based manner. The extent of the customer due diligence measures should be consistent with and proportional to the level of assessed ML/TF risks of a customer. In some cases, enhanced or simplified measures will be required or permitted by domestic laws and regulations. In cases where ML/TF risks are higher, enhanced customer due diligence measures should be conducted, which may involve implementing more rigorous information and verification procedures. Alternatively, simplified measures may be permitted where lower risks have been identified and assessed by the financial institution or authorities (for example, in the national risk assessment). Under no circumstances should simplified measures be applied if there is a suspicion of ML/TF.

Record Keeping

Financial institutions should maintain, for at least five years, all of the necessary records on transactions, both domestic and international, to enable them to comply swiftly with information requests from the competent authorities.8 The records must be sufficient to permit the reconstruction of individual transactions (including the amounts and types of currency involved, if any) to provide, if necessary, evidence for prosecuting criminal activity. To comply with the AML/CFT statutory and regulatory requirements for recording information, financial institutions should have a record-keeping policy and systems in place with respect to the minimum retention period (not less than five years after the business relationship has ended or after the date of an occasional transaction) and have security protocols and controls in place (for example, storage, backup, and recovery systems) to guard against cybercrime. The following records should be retained for the legally mandated period:

● All records obtained through customer due diligence measures (for example, copies or records of official identification documents like passports, identity cards, driving licenses, or similar documents)

● Account files and business correspondence, including the results of any analysis undertaken (for example, inquiries to establish the background and purpose of complex, unusually large transactions).

The records should allow for an audit trail and be sufficient for tracing assets and reconstructing accounts for use by competent authorities. The policy should also cover outsourcing arrangements for record keeping.

Ongoing Monitoring and Reporting of Suspicious Transactions and Activities

Financial institutions need to report suspicions of ML/TF promptly, including attempted transactions.9 Reporting of suspicious transactions and activities to the FIU or any other competent authority is one of the main obligations of financial institutions. Their role in reporting useful financial intelligence to combat ML/TF and related predicate offenses is a critical component of the crime-fighting activities of law enforcement and judicial authorities. Customer due diligence and ongoing monitoring of transactions are important processes that enable the institution to identify unusual and suspicious transactions and activities.

The AML/CFT law should protect not only the financial institution but also its directors, officers, and employees from criminal and civil liability for breach of any restriction on the disclosure of information imposed by contract or by any legislative, regulatory, or administrative provision when disclosing information to the competent authorities. The protection from being criminally prosecuted or held liable under civil law for disclosing information on a customer can only be extended if the institution reported its suspicions in good faith to the FIU, even if it did not know precisely what the underlying criminal activity was and regardless of whether the illegal activity occurred.

Additionally, the AML/CFT law should prohibit the financial institution and its directors, officers, and employees from disclosing the fact that an STR or related information is being filed with the FIU. This so-called “tipping-off” prohibition is intended to prevent prejudice to an investigation, including flight of assets; it is not intended to inhibit information sharing within a financial group, including foreign branches and majority-owned subsidiaries.

In order for financial institutions to report STRs to the FIU, the transaction-monitoring process is an essential element in detecting and investigating possible unusual or suspicious transactions. When setting up a transaction-monitoring process and system, the following conditions apply:

● The transaction-monitoring process should reflect the ML/TF risks identified in the business-wide risk assessment.

● The transaction-monitoring policy should be elaborated in the underlying procedures and processes.

● The transaction-monitoring system should vary depending on the nature and size of the organization and its risk profile. Many institutions will adopt an automated solution for monitoring transactions, especially where the volume of transactions would make manual monitoring impossible.

● Where an automated transaction-monitoring system is used, it should incorporate substantiated and adequate business rules (detection rules with scenarios and thresholds). These business rules should be tested periodically for effectiveness. For manual screening, staff undertaking these tasks should have sufficient expertise to identify suspicious activity in line with the business-wide risk assessment.

● A clearly described process is needed for handling alerts. Investigations of alerts must be documented properly, including the decision to close the alert or to report the transaction to the FIU. Information on alerts should inform the ongoing risk assessment of customers. Even when it does not generate new alerts, transaction monitoring can help to identify patterns that can inform new typologies.

● The governance with respect to monitoring transactions and reporting suspicious transactions should be structured so that duties are allocated clearly and segregated.

● Tailored training programs should allow staff, based on their functions, to identify unusual and suspicious transactions and activities.10

The transaction-monitoring systems should be set up so that aggregate customer information can be monitored on a consolidated basis across business lines, branches, and subsidiaries. With respect to operations abroad, the head office should be able to implement the transaction-monitoring system in those jurisdictions and to obtain information on unusual or suspicious transactions and activities detected, subject to local laws and regulations.
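The conditions above (business rules expressed as scenarios with thresholds, documented handling of each alert, and monitoring on a consolidated basis across branches and subsidiaries), together with the ongoing due diligence section's point that monitoring compares activity against the expected transaction behavior recorded in the customer risk profile, can be illustrated with a small rule engine. The Python below is an added example written for this page; it is not code from the original document or from any institution, and every customer, branch code, transaction, rule name and threshold value in it is constructed for illustration. It goes slightly beyond the text by showing why the consolidated view matters: the sample customer C1 stays under the single-transaction threshold at every branch and only trips the volume rule once head-office and subsidiary activity are aggregated.

```python
from collections import defaultdict
from dataclasses import dataclass, replace
from datetime import date


@dataclass(frozen=True)
class Transaction:
    tx_id: str
    customer_id: str
    branch: str        # constructed branch/subsidiary code, e.g. "HQ" or "SUB-A"
    amount: float
    booked: date


@dataclass(frozen=True)
class CustomerProfile:
    customer_id: str
    risk_rating: str                # "low", "medium" or "high" from onboarding/review
    expected_monthly_volume: float  # expected transaction behavior stored in the profile


@dataclass(frozen=True)
class Alert:
    rule: str
    customer_id: str
    tx_ids: tuple
    detail: str
    disposition: str = "open"   # "open", "closed" or "reported"
    rationale: str = ""         # documented investigation outcome


# Business rules as scenario + threshold (values constructed for the example).
# Tighter thresholds apply to higher-risk customers, i.e. risk-based monitoring.
SINGLE_TX_THRESHOLD = {"low": 10_000.0, "medium": 7_500.0, "high": 5_000.0}
VOLUME_DEVIATION_FACTOR = 2.0   # alert when a month's total exceeds 2x expected volume


def rule_large_single_transaction(txs, profiles):
    """Scenario: one transaction at or above the threshold for the customer's rating."""
    alerts = []
    for tx in txs:
        rating = profiles[tx.customer_id].risk_rating
        threshold = SINGLE_TX_THRESHOLD[rating]
        if tx.amount >= threshold:
            alerts.append(Alert("LARGE_TX", tx.customer_id, (tx.tx_id,),
                                f"{tx.amount:.2f} >= {threshold:.2f} ({rating} risk)"))
    return alerts


def rule_consolidated_volume(txs, profiles):
    """Scenario: monthly volume, aggregated across ALL branches, departs from the profile."""
    buckets = defaultdict(list)
    for tx in txs:
        buckets[(tx.customer_id, tx.booked.year, tx.booked.month)].append(tx)
    alerts = []
    for (cid, year, month), group in sorted(buckets.items()):
        total = sum(t.amount for t in group)
        limit = profiles[cid].expected_monthly_volume * VOLUME_DEVIATION_FACTOR
        if total > limit:
            branches = ",".join(sorted({t.branch for t in group}))
            alerts.append(Alert("VOLUME_DEVIATION", cid, tuple(t.tx_id for t in group),
                                f"{year}-{month:02d} total {total:.2f} across [{branches}] > {limit:.2f}"))
    return alerts


RULES = [rule_large_single_transaction, rule_consolidated_volume]


def run_monitoring(txs, profiles):
    """Run every business rule over the consolidated (all-branch) transaction set."""
    alerts = []
    for rule in RULES:
        alerts.extend(rule(txs, profiles))
    return alerts


def dispose_alert(alert, disposition, rationale):
    """Record the alert decision; an undocumented closure or report is rejected."""
    if disposition not in ("closed", "reported"):
        raise ValueError(f"unknown disposition: {disposition}")
    if not rationale.strip():
        raise ValueError("investigation rationale is required to close or report an alert")
    return replace(alert, disposition=disposition, rationale=rationale)


# Constructed sample data: hypothetical customers C1..C3, branches HQ and SUB-A.
PROFILES = {
    "C1": CustomerProfile("C1", "medium", 12_000.0),
    "C2": CustomerProfile("C2", "low", 8_000.0),
    "C3": CustomerProfile("C3", "low", 5_000.0),
}
SAMPLE_TXS = [
    # C1: four transfers below the medium-risk single-transaction threshold, split
    # between head office and a subsidiary; only the consolidated monthly view trips.
    Transaction("t01", "C1", "HQ", 7_000.0, date(2024, 3, 4)),
    Transaction("t02", "C1", "SUB-A", 7_000.0, date(2024, 3, 6)),
    Transaction("t03", "C1", "HQ", 7_000.0, date(2024, 3, 11)),
    Transaction("t04", "C1", "SUB-A", 7_000.0, date(2024, 3, 13)),
    # C2: a single transaction above the low-risk threshold.
    Transaction("t05", "C2", "HQ", 12_000.0, date(2024, 3, 8)),
    # C3: activity consistent with its profile.
    Transaction("t06", "C3", "SUB-A", 2_000.0, date(2024, 3, 16)),
]
```

Running `run_monitoring(SAMPLE_TXS, PROFILES)` yields two alerts: a LARGE_TX alert for C2 and a VOLUME_DEVIATION alert for C1 that lists both branches. Each rule is a separate function so that it can be tested for effectiveness on its own, and `dispose_alert` refuses to close or report an alert without a written rationale, which is the documented-investigation requirement from the list above expressed as a control in code.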
