Chapter 3 Flashcards
MAINTAINING AN AML/CFT RISK MODEL
Why is it important to continue to update and revisit risk assessments?
Risk is dynamic and needs to be continuously managed. It should also be noted that the environment in which each organization operates is subject to continual change. Externally, the political changes of a jurisdiction or whether economic sanctions are imposed or removed may impact a country-risk rating. Internally, organizations respond to market and customer demands by introducing new products and services and implementing new delivery systems. The combination of these changes makes it critical that the ML/TF risk model is subject to regular review. In some countries, there is a legislative obligation for such reviews to be undertaken on a regular basis — usually annually or when new products, delivery channels or customer types are introduced.
AML/CFT RISK SCORING
What does FATF recommend considering when assessing risk?
When assessing risk, FATF recommends considering:
• Customer risk factors such as non-resident customers, cash-intensive businesses, complex ownership structure of a company, and companies with bearer shares.
• Country or geographic risks such as countries with inadequate AML/CFT systems, countries subject to sanctions or embargos, countries involved with funding or supporting of terrorist activities, or those with significant levels of corruption.
• Product, service, transaction or delivery channel risk factors such as private banking, anonymous transactions, and payments received from unknown third parties.
ASSESSING THE DYNAMIC RISK OF CUSTOMERS
What are some factors an institution should consider when assessing the dynamic risk of its customers?
As every financial institution develops transaction history with customers, it should consider modifying the risk rating of the customer, based on:
• Unusual activity, such as alerts, cases and suspicious transaction report (STR) filings.
• Receipt of law enforcement inquiries, such as subpoenas.
• Transactions that violate economic sanctions programs.
• Other considerations, such as significant volumes of activity where it would not be expected, such as a domestic charity engaging in large international transactions or businesses engaged in large volumes of cash where this would not normally be expected.
AML/CFT RISK IDENTIFICATION—GEOGRAPHIC LOCATION
What are some sources of identifying countries that pose heightened geographic risk?
- The US State Department issues an annual “International Narcotics Control Strategy Report” rating more than 100 countries on their money laundering controls
- Transparency International publishes a yearly “Corruption Perceptions Index,” which rates more than 100 countries on perceived corruption
- FATF identifies jurisdictions with weak AML/CFT regimes and issues country-specific Mutual Evaluation Reports
- In the United States certain domestic jurisdictions are evaluated based on whether they fall within government-identified higher-risk geographic locations such as High Intensity Drug Trafficking Areas (HIDTA) or High Intensity Financial Crime Areas (HIFCA).
SYSTEM OF INTERNAL POLICIES, PROCEDURES AND CONTROLS
What are some examples of internal controls, outside of policies and procedures?
While policies and procedures provide important guidance, the AML/CFT program also relies on a variety of internal controls, including management reports and other built-in safeguards that keep the program working. These internal controls should enable the compliance organization to recognize deviations from standard procedures and safety protocols. A matter as simple as requiring a corporate officer’s approval or two signatures for transactions that exceed a prescribed amount could be a critical internal control element that if ignored seriously weakens an institution’s AML/CFT program and attracts unwanted attention from supervisory authorities.
THE COMPLIANCE FUNCTION
What factors should be considered when determining the sophistication of a compliance function within an institution?
The sophistication of the compliance function should be based upon the institution’s nature, size, complexity, regulatory environment, and the specific risk associated with the products, services, and clientele. No two institutions will have exactly the same compliance structure because the risk facing each institution is going to be different, as identified in their respective risk assessments.
DESIGNATION AND RESPONSIBILITIES OF A COMPLIANCE OFFICER—COMMUNICATION
Why is it critical that the Compliance Officer have good communications skills?
The compliance officer must also have the means to communicate at all levels of the organization — from front-line associates all the way up to the CEO and Board of Directors. It is critical for a compliance officer to be capable of articulating matters of importance to senior and executive management, particularly significant changes that may present risk to the organization, such as a sudden or substantial increase in STRs or currency transaction reports (CTRs). Other items of concern that need to be escalated to management may include changes to laws or regulations that may require immediate action. A compliance officer must have the skills necessary to be able to analyze and interpret these ongoing changes, determine what effect they may have on the institution, and suggest an action plan when appropriate.
DESIGNATION AND RESPONSIBILITIES OF A COMPLIANCE OFFICER—DELEGATION OF AML DUTIES
What controls should a Compliance Officer consider over an AML duty that has been delegated?
The compliance function may establish risk-based quality assurance reviews and monitoring and testing activities to ensure the functions are being performed appropriately. This may include a review of the CDD collected to ensure completeness, monitoring reports of CDD completeness or defects to ensure the systems are working as expected, and performing testing to assess whether the monitoring and the business performance are satisfactorily measuring and ensuring compliance.
AML/CFT TRAINING — WHO TO TRAIN
What are some of the target audiences for training?
- Customer-facing staff
- Operations personnel
- AML/CFT compliance staff
- Senior management and board of directors
- Independent testing staff
AML/CFT TRAINING — HOW TO TRAIN
Why is it important to have a test at the end of a training session?
Tests with a mandatory passing score should be considered as a means to evaluate how well the training is understood.
AML/CFT TRAINING — WHEN TO TRAIN
When should an institution conduct training?
An institution’s training should be ongoing and on a regular schedule. Existing employees should at least attend an annual training session. New employees should receive appropriate training with respect to their job function and within a reasonable period after joining or transferring to a new job. Situations may arise that demand an immediate session. For example, an emergency training session may be necessary right after an examination or audit that uncovers serious money laundering control deficiencies. A news story that names the institution or recent regulatory action, such as a Consent Order, might also prompt quick-response training. Changes in software, systems, procedures or regulations are additional triggers for training sessions.
KNOW YOUR CUSTOMER/CDD
According to FATF, when should an institution conduct CDD?
FATF recommends that financial institutions should be required to undertake CDD measures when:
• Establishing business relationships.
• Carrying out occasional transactions under certain circumstances.
• There is a suspicion of money laundering or terrorist financing.
• The financial institution has doubts about the veracity or adequacy of previously obtained customer identification data.
EDD
According to FATF, when should an institution conduct enhanced due diligence on a customer?
FATF indicates that when there are circumstances where the risk of money laundering or terrorist financing is higher, enhanced CDD measures should be taken.
EDD FOR HIGHER RISK CUSTOMERS
What are some examples of enhanced due diligence for higher risk customers?
A financial institution should consider obtaining additional information from high-risk customers such as:
• Source of funds and wealth.
• Identifying information on individuals with control over the account, such as signatories or guarantors.
• Occupation or type of business.
• Financial statements.
• Banking references.
• Domicile.
• Proximity of the customer’s residence, place of employment, or place of business to the bank.
• Description of the customer’s primary trade area and whether international transactions are expected to be routine.
• Description of the business operations, the anticipated volume of currency and total sales, and a list of major customers and suppliers.
• Explanations for changes in account activity.
ACCOUNT OPENING, CUSTOMER IDENTIFICATION AND VERIFICATION
According to FATF, when should the identity of a customer be verified?
A bank should not establish a banking relationship, or carry out any transactions, until the identity of the customer has been satisfactorily established and verified in accordance with FATF Recommendation 10.