Chapter 3 Anti-Money Laundering/Countering the Financing of Terrorism Compliance Programs Flashcards
Assessing AML/CFT Risk
An AML/CFT program should be risk-based
A risk-based approach is preferable to a more prescriptive approach in the area of AML/CFT because it is more:
- Flexible: Money laundering and terrorist financing risks vary over time and across jurisdictions, customers, products, and delivery channels.
- Effective: Companies are better equipped than legislators to effectively assess and mitigate the specific money laundering and terrorist financing risks they face.
- Proportionate: A risk-based approach promotes a more practical and intelligent approach to fighting money laundering and terrorist financing
FATF Recommendations on Assessing Risk
- Customer risk factors, such as nonresident customers, cash-intensive businesses, complex ownership structures, and companies with bearer shares
- Country or geographic/jurisdictional risks, such as countries with inadequate AML/CFT systems, sanctioned countries, countries involved in TF, and countries with significant levels of corruption
- Product, service, transaction, and delivery channel risk factors, such as private banking, anonymous transactions, and payments received from unknown third parties
Many organizations find it valuable to develop money laundering/terrorist financing (ML/TF) risk models that assess risk at the enterprise level
Maintaining an AML/CFT Risk Model
A risk-based analysis should include appropriate inherent and residual risks at the country, sectoral, legal entity, and business relationship level, among others
Thorough understanding of the inherent risks in its customer base, products, delivery channels, services offered
This usually requires expert input from the business lines, risk management, compliance, and legal units, together with advice from external experts, when necessary
guidance is regularly published by various bodies
ML/TF risk model is subject to regular review
In some countries, there is a legislative obligation for such reviews to be undertaken on a regular basis
Understanding AML/CFT Risk
- Prohibited: The organization will not tolerate any dealings of any kind
- High risk: The risks are significant, but they are not necessarily prohibited; the organization should apply more stringent controls
- Medium Risk: Medium risks merit additional scrutiny, but they do not rise to the level of high risk
- Low Risk: This represents the baseline risk of money laundering. Typically, low risk indicates normal, expected activity
AML/CFT Risk Scoring
A risk-scoring model uses numeric values to determine the category of risk; the categories are then combined to give a composite score
The model can be made more complex by weighting each of the factors differently, such as putting more emphasis on the type of customer, as opposed to the product or country
when the categories are combined, the customer’s risk profile becomes clearer
The next step is to determine what thresholds to establish for each risk category.
Although there is generally no requirement to update a risk assessment on a continuous or specified periodic basis, risk assessments should be updated before the launch of a new product or other significant changes.
Periodically reassessing risk-rating criteria will reveal if the customers that are scored as higher risk are actually more likely to engage in potentially suspicious activity
Assessing the Dynamic Risk of Customers
Initial assessment of the inherent risk; it is important to consider how a customer’s relationship—and risk—with the organization changes over time
Modify Risk Ratings based on:
- Unusual activity, such as alerts, cases, and SAR filings
- Receipt of law enforcement inquiries, such as subpoenas
- Transactions that violate economic sanctions programs
- Other considerations, such as significant volumes of activity
AML/CFT Risk Identification-Customer type
Supervisory authorities in various countries have identified some types of customers as inherently high risk for money laundering, including:
- Banks
- Casinos
- Offshore corporations and banks located in tax/banking havens
- Embassies
- MSBs, including currency exchange houses, money remitters, and check cashers
- Virtual currency exchanges
- Car, boat, and airplane dealerships
- Used car and truck dealers and machine parts manufacturers
- Professional service providers (e.g., attorneys, accountants, investment brokers, and other third parties who act as financial liaisons for their clients)
- Travel agencies
- Broker-dealers in securities
- Jewel, gem, and precious metals dealers
- Import and export companies
- Cash-intensive businesses (e.g., restaurants, retail stores, parking)
Geographic location/jurisdiction
Sanction lists by the FCA, OFAC, FinCEN, the EU, the World Bank, the United Nations Security Council, and each local jurisdiction’s regulatory and law enforcement agencies
A risk management model should also take into account whether a country is a member of FATF or an FSRB and has AML/CFT requirements equivalent to international best practices
How cash-intensive the country is
How to identify High risk countries:
- The US Department of State issues an annual International Narcotics Control Strategy Report, which rates more than 100 countries on their money laundering controls.
- Transparency International publishes a yearly Corruption Perceptions Index, which rates more than 100 countries on perceived corruption.
- FATF identifies jurisdictions with weak AML/CFT regimes and issues country-specific mutual evaluation reports.
- In the US, certain domestic jurisdictions are evaluated based on whether they fall within government-identified higher risk geographic locations, such as high-intensity drug trafficking areas (HIDTAs) and high-intensity financial crime areas (HIFCAs)
Products and services
The compliance officer should be an active participant in project teams that identify appropriate control frameworks for new products and systems.
This risk rating is calculated using several product-related factors
likelihood that the product requested might be used for money laundering or terrorist financing.
When assessing the AML/CFT risks of products and services, consider whether they:
* Enable significant volumes of transactions to occur rapidly
* Allow the customer to engage in transactions with minimal oversight by the organization
* Afford significant levels of anonymity to the users
* Have an especially high transaction or investment value
* Allow payments to third parties
* Have unusual complexity
* Require government verification of customer eligibility
Products and services-certain banking functions and products
- Private banking
- Offshore international activity
- Deposit-taking facilities
- Wire transfer and cash-management functions
- Transactions in which the primary beneficiary is undisclosed
- Loan guarantee schemes
- Travelers checks
- Official bank checks
- Money orders
- Foreign exchange transactions
- International remittances
- Payment services such as payment processors, prepaid products, automatic clearing house
- Remote deposit capture
- Trade-financing transactions with unusual pricing features
- Payable through accounts
AML/CFT risk identification (Case example: Failure to identify high-risk activity)
September 2020, Westpac Banking Corporation, AUD$1.3 billion for over 23 million breaches of Australia’s AML/CTF Act
AUSTRAC launched legal action against Westpac in November 2019, for failing to detect and report nearly 3,000 transactions related to child trafficking
In 2016, senior managers were alerted to the risk of suspicious payments using its low-value payment service, LitePay. Westpac did not implement controls to detect illicit activity using LitePay for two years
May 2016: Westpac had determined that the child exploitation risks, low-value payments to the Philippines, introduced a detection scenario to one of its payment channels that failed to detect any issues, detection test was replaced by another in June 2018, applied to only one payment channel, LitePay.
Twelve customers were identified. Eleven of them had activity patterns of frequent, low-value transactions that were consistent with child exploitation.
customer had a prior conviction for child sexual exploitation, which should have triggered EDD by the bank
Westpac had also failed to adequately assess high-risk correspondent banking risks, other banks that held nested relationships with respondents, DRC, Iraq, Libya, and Zimbabwe.
AML/CFT risk identification (Case example: Failure to identify high-risk activity)-Key Takeaways
- Westpac did not apply the correct typologies or monitoring tools to detect payments linked to child exploitation, even when the risks had been identified.
- Westpac did not have a consistent and clear understanding of its AML/CFT risk and how it should be managed and mitigated.
- Westpac’s control failures extended to other high-risk areas such as correspondent banking.
The Elements of an AML/CFT Program
Four Pillars:
* A system of internal policies, procedures, and controls (first line of defense)
* A designated compliance function with a compliance officer (second line of defense)
* An ongoing employee training program
* An independent audit function to test the overall effectiveness of the AML program (third line of defense)
FinCEN established a fifth pillar that requires appropriate, risk-based procedures for CDD
These procedures include:
* Understanding the nature and purpose of customer relationships for the purpose of developing a customer risk profile
* Conducting ongoing monitoring to identify and report suspicious transactions
* Maintaining and updating customer information
A System of Internal Policies, Procedures, and Controls
every employee throughout a financial organization, at all levels of the organization, must contribute to the creation, maintenance, and overall success of the AML/CFT program
In large financial organizations, there is a critical need to adopt an enterprise-wide approach
there is also a need to accommodate regional and/or business line-specific requirements
achieved by having a different version of the AML/CFT program or by having country-specific addenda to the global AML/CFT program
Internal AML/CFT policies should be established and approved by executive management and the board of directors
The standard AML/CFT operating procedures should be drafted at the operational level in the financial organization; procedures must be modified and updated, as needed.
Procedures are more detailed than policies, as they focus on how to achieve the policy goals. Procedures also form a base for the training and compliance monitoring program.
Internal controls, including management reports and other built-in safeguards, four-eyes principle, technology
AML policies, procedures, and controls
An AML/CFT compliance program should be in writing and include policies, procedures, and controls that are designed to prevent, detect, and deter money laundering and terrorist financing, including how the organization will:
- Identify high-risk operations
- Periodically update its risk profile and provide for an AML/CFT compliance program tailored to manage risks
- Inform the board of directors of compliance related actions
- Assign clear accountability to people for performance of duties
- Provide for program continuity, despite org changes
- Meet all regulatory requirements and recommendations
- Provide for periodic review and timely updates
- Implement risk-based CDD policies, procedures, and processes
- Provide for dual controls and segregation of duties.
- Comply with all recordkeeping requirements
- Provide sufficient controls and monitoring systems for detection and reporting of SARs and large transaction reporting
- Establish clear accountability lines and responsibilities
- Establish training requirements and standards
- Clearly explain the importance of reporting suspicious activity
- Incorporate into all job descriptions and performance review processes the requirement to comply at all times with AML policies and procedures
- Develop and implement screening programs during hiring
- Develop and implement quality assurance testing programs
A system of internal policies, procedures, and controls (Case example: Lack of overall policy control and oversight)
In October 2016, the Monetary Authority of Singapore (MAS) revoked the license of the Singapore branch of Falcon Bank Limited
Individual linked to the 1Malaysia Development Berhad (1MDB) scandal and was facilitated by the actions of a former member of senior management
fine of SGD 4.3 million, 14 breaches of AML/CTF regulations, branch manager 28 weeks in jail and personally fined SGD 128,000
first identified AML/CFT failings in 2013, follow-up inspection in 2015, the situation had deteriorated
2012 and mid-2015: approved US$3.8 billion of asset transfers linked to the 1MDB fund despite red flags in these payments, processed via urging of senior management
branch manager, failing to take action on more than SGD 1.3 billion or US$1 billion in payments linked to 1MDB, accused of lying about his links to the alleged mastermind of the 1MDB
A system of internal policies, procedures, and controls (Case example: Lack of overall policy control and oversight)-Key takeaways
- Falcon Bank failed to remedy its AML/CTF control deficiencies, and regulators found the situation got progressively worse.
- Senior management exerted influence to facilitate transactions that were flagged as suspicious and unusually large.
- The sentencing of the Singapore branch manager was intended to be a deterrent to other bankers.
A system of internal policies, procedures, and controls (Case example: PEP risks)
April 2017, Hong Kong Monetary Authority (HKMA), Hong Kong branch of Coutts & Co AG, HKD 7 million.
failed to identify PEPs due to a lack of effective policies and procedures, only partial screening of customers, lack of action on screening alerts, delays in obtaining senior management approvals for customer relationships with PEPs, and undisclosed customer due diligence (CDD) failures
between 2012 and 2015, Coutts failed to establish effective procedures for identifying PEPs
Coutts had subscribed to a commercially available PEP database that generated alerts during screening, but they were not promptly addressed
HKMA found four instances of PEPs who were not identified or classified as high-risk customers, despite publicly available information
failed to establish effective procedures for PEP alerts, did not establish a management information system to oversee the approval process, limited PEP screening to new customers, identified nine PEPs without management approvals, of which five had generated alerts that were not promptly addressed
A system of internal policies, procedures, and controls (Case example: PEP risks)-Key takeaways
- Effective policies and procedures for PEPs require an effective control framework based on local regulations.
- PEP screening should be conducted throughout the customer relationship. PEP policies and procedures need to explicitly and clearly direct when screening takes place. It should not be left open to interpretation.
- Controls for screening alerts and management approvals need to be consistently followed.
- Ineffective screening for PEPs and associated procedures can result in regulatory failings.
The Designation and Responsibilities of a Compliance Officer
the board of directors is responsible for appointing a qualified individual as the organization’s AML/CFT compliance officer
responsible for managing all aspects of the AML/CFT compliance program.
This includes, but is not limited to, designing and implementing the program, making necessary changes and updates, disseminating information about the program’s successes and failures to key staff members, constructing AML/CFT-related content for staff training programs, and managing the organization’s adherence to applicable AML/CFT laws and regulations, including staying current on legal and regulatory developments in the field.
Compliance Officer-Communication
The ability of the compliance officer to communicate effectively, both in writing and verbally, is vital to the success of an organization’s AML/CFT program
critical for a compliance officer to be capable of articulating matters of importance to senior and executive management
A compliance officer must have the skills necessary to be able to analyze and interpret these ongoing changes, determine what effect they may have on the organization, and recommend an action plan, when appropriate
In many countries, the AML/CFT officer must also have a direct reporting line to the board or equivalent body
Compliance Officer-Delegation of AML duties
Examples of AML/CFT subgroups include:
* Program Management
* Know Your Customer
* Sanctions Screening
* Transaction Monitoring
* Financial Investigations
CDD forms are often completed by account officers and other staff members when a new account is opened
branch personnel participate in periodic reviews of high-risk customers and might be required to provide additional information or explanation to support investigations into potentially suspicious activity
The business and the compliance function might establish risk-based quality assurance reviews and monitoring and testing activities to ensure the functions are being performed appropriately
Compliance officer accountability
responsible for executing the AML/CFT program
various regulators are seeking enforcement actions against not only the organization, its executive management team, and board of directors for AML/CFT violations, but the compliance officer as well.
Compliance officer accountability (Case example: US bank)
March 2020, Financial Crimes Enforcement Network (FinCEN), US$450,000 civil money penalty against Michael LaFontaine
chief operational risk officer (CRO) at US Bank National Association (US Bank)
held senior positions in US Bank’s AML department from 2005 to 2014
He failed to:
* Implement and maintain an adequate AML program
* Adequately staff the compliance program with sufficient resources to execute their regulatory expectations
* File suspicious activity reports (SARs) in a timely manner, including on transactions that potentially laundered the proceeds of crimes
LaFontaine knew US Bank’s inadequate policies, procedures, and controls would result in its failure to investigate and report suspicious and potentially illegal activity
failed to exercise the responsibilities for monitoring and reporting suspicious activity by:
* Imposing upper limits on the number of alerts produced by the institution’s automated transaction monitoring system
* Failing to subject Western Union money transfers to the monitoring system
* Inadequately identifying and monitoring high-risk customers in compliance with the Bank Secrecy Act
LaFontaine was advised of the staffing issues and alert capping through internal memos, staff resources were “stretched dangerously thin.”
Compliance officer accountability (Case example: US bank)-Key takeaways
- Compliance departments should be adequately staffed to meet regulatory requirements.
- Compliance officers should escalate and act upon internal warnings and identified risks.
- Compliance officers are increasingly held personally liable for wrongdoing and may be prosecuted
- Compliance officers should always act with integrity and do what is in the best interest of the organization.
- Compliance officers must understand their legal obligations and act in the spirit and letter of the law
Compliance officer accountability (Case example: Personal liability)
October 2020, FinCEN assessed a $60 million civil penalty against Ohio resident Larry Dean Harmon, founder and primary operator of the convertible virtual currency businesses Helix and Coin Ninja
failed to designate a compliance officer
2014 through 2017, Helix and Coin Ninja operated as unregistered money services businesses (MSBs), offering anonymous convertible currency exchange services for bitcoin holders
FinCEN determined that Harmon failed to register his businesses as MSBs, implement and maintain an effective AML program, and report suspicious activity
customers included narcotics traffickers, counterfeiters, fraudsters, and child exploitation websites
willfully violated Bank Secrecy Act (BSA)
Helix and Coin Ninja provided “mixers” or “tumblers,” allowing customers, for a fee, to send bitcoin to designated recipients in a manner that was designed to conceal the source or owner of the bitcoin
Harmon knowingly obscured the nature and identity of customer transactions by
- Designing Helix to “break the blockchain” by taking bitcoin from the user’s wallet and giving the user new bitcoin from a different pool that could not be traced back to the user
- Failing to collect and verify customers’ names, addresses, or identifiers on over 1.2 million transactions
- Failing to collect CDD info for over US$311 million in transactions
- Deleting customer information after seven days and allowing customers to manually delete their logs
2,400 instances in which Harmon failed to file a SAR on suspicious Helix transactions.
forfeiture of 4,400 bitcoin as part of plea
Compliance officer accountability (Case example: Personal liability)-Key Takeaways
- Providers of convertible virtual currency anonymizing services are considered money transmitters under FinCEN regulations and must register as MSBs
- MSBs are required to develop, implement, and maintain an effective AML program
- FinCEN can investigate and impose civil money penalties on current and former employees of MSBs that participate in willfully violating BSA regulations.
- Individual compliance officers can be held criminally accountable for their actions
Components of an effective training program
An effective training program should not only explain the relevant AML/CFT laws and regulations, but also cover the organization’s policies and procedures used to mitigate money laundering risks
ongoing awareness about AML/CFT requirements, such as emails, newsletters, periodic team meetings, intranet sites, and other means of sharing information
Who to train
In some countries, training programs must extend beyond full- or part-time employees to include contractors, consultants, students, apprentice placements, and secondees
- Customer-facing staff: a general course will often be sufficient to address the importance of AML and provide some basics; additional training on specific unit procedures related to the products and services carried out by the business line is often needed
- Operations personnel: cash vault, wire transfer, trade finance, loan underwriters, loan collections, and treasury management personnel are often in positions to recognize illegal, fraudulent, and unusual account activity
- AML/CFT compliance staff: more advanced ongoing training to stay abreast of requirements and emerging trends is important. Often, this requires attending conferences or AML/CFT-specific presentations that are more robust in nature
- Independent testing staff: employees should receive periodic training concerning regulatory requirements, changes in regulation, money laundering methods and enforcement, and their impact on the organization
- Senior management and board of directors: address the importance of AML/CFT regulatory requirements, regulatory changes that impact the organization, penalties for noncompliance, personal liability, and the organization’s unique risks
Training topics
- General background and history pertaining to money laundering controls
- Legal framework on what AML/CFT laws apply to organizations and their employees
- New and changing regulatory requirements that affect the organization
- Penalties for AML/CFT violations
- Internal policies
- Review of the internal AML/CFT and sanctions risk assessments
- Legal recordkeeping requirements
- Suspicious transaction monitoring and reporting requirements
- Currency transaction reporting requirements
- How to react when faced with a suspicious client or transaction
- How to respond to customers who want to circumvent reporting requirements
- Duties and accountability of employees
- How to maintain confidentiality with AML-related matters
- AML trends and emerging issues related to criminal activity, TF
- Real-life money laundering schemes
Training best practices
The FCA published guidance
* Appropriate training tailored to the individual’s specific roles. Roles lacking specific training included the following areas: offshore centers, mortgage lending, areas servicing PEPs and other high-risk clients, investment banks, and trade finance.
* Periodic refresher training—usually annually—is important for existing employees.
* Banks should assess whether third parties and employees working in outsourced functions need to attend specific AML training.
How to train
- Identify the issues that must be communicated and decide how best to disseminate the message
- Identify the audience by functional area and by level of employee/management
- Determine the needs that should be addressed
- Determine who can best develop and present the training program
- Determine if “Train the Trainer” sessions are necessary, when decentralized training is involved
- Create a course abstract or curriculum that addresses course goals, objectives, and the desired results
- To the extent possible, establish a training calendar
- Consider whether to provide handouts
- Tests should be considered as a way to evaluate how well the training is understood, with a mandatory passing score.
- Focus on small, easy-to-digest, and easy-to-categorize issues
- Track employee attendance
When to train
training should be ongoing and on a regular schedule
New employees should receive appropriate training within a reasonable period after joining the organization or transferring to a new position
Situations may arise that demand an immediate session or enhanced training beyond the basic training program
Where to train
Some types of training are more effective when conducted in small groups
Role-playing exercises, which may be used to complement a prepared lecture or panel discussions, are also more effective in small groups
Large groups can be trained using computer-based training courses, which can be designed to automatically record attendance and test attendees, with a required minimum score.
AML/CFT training (Case example)
On February 25, 2016, FinCEN and the Office of the Comptroller of the Currency (OCC), actions against Gibraltar Private Bank & Trust Company in Coral Gables, Florida, for willful AML compliance violations
failure to properly train compliance staff, led to a US$2.5 million civil money penalty assessed by the OCC and a US$4 million civil money penalty assessed by FinCEN
From 2009 to 2014, the bank’s implementation of AML training was inadequate and not tailored to the needs of specific positions
In May 2013, a training assessment was undertaken by management that identified the need for significant training to adequately implement the bank’s AML program, over a year later still not done.
AML/CFT training (Case example) -Key Takeaways
- It is critical that AML training be role-specific and focused on the duties and financial crime risk exposure of relevant staff.
- Senior officials and board members do not need to be trained in carrying out business functions, but they do need to understand AML requirements, penalties for noncompliance, and how to interpret risk reporting.
- Regulated firms can be heavily penalized for failing to implement adequate AML training, especially when known gaps are not addressed in a timely manner.
Evaluating an AML/CFT program-Part 1
The audit must be independent
should report directly to the board of directors or to a designated board committee composed primarily or completely of outside directors
The independent audit should do the following:
* Assess the overall integrity and effectiveness of the AML/CFT compliance program, including policies, procedures, and processes
* Assess the adequacy of the AML/CFT risk assessment.
* Examine the adequacy of CDD policies, procedures, and processes
* Determine personnel adherence to the organization’s AML/CFT policies, procedures, and processes
* Perform appropriate transaction testing
* Assess training adequacy
* Assess compliance with applicable laws and regulations
* Examine the integrity and accuracy of management information systems used in the AML/CFT compliance program.
* Review all the aspects of any AML/CFT compliance functions that have been outsourced to third parties
Evaluating an AML/CFT program-Part 2
- Evaluate the ability of transaction monitoring software application
o Reviewing policies, procedures, and processes for suspicious activity monitoring
o Reviewing the processes for ensuring the completeness, accuracy, and timeliness of the data supplied by the source transaction processing systems
o Evaluating the methodology for establishing and analyzing expected activity and filtering criteria
o Evaluating the appropriateness of the monitoring reports
o Comparing the transaction monitoring typologies with the AML/CFT risk assessment for reasonableness
- Review case management and SAR systems
- Assess the effectiveness of the organization’s policy for reviewing accounts that generate multiple SAR filings
- Assess the adequacy of recordkeeping and record-retention processes
- Track previously identified deficiencies
* Overall audit coverage and frequency are appropriate to the risk profile of the organization
* Board of directors was responsive to earlier audit findings.
Evaluating an AML/CFT program-Part 3
- Determine the adequacy of the following, as they relate to the training program and materials:
o The importance the board and senior management place on ongoing education, training, and compliance
o Employee accountability for ensuring AML/CFT compliance
o Comprehensiveness of training
o Training of personnel from all applicable areas of the organization
o Frequency of training
o Coverage of internal policies, procedures, processes, and new rules and regulations
o Coverage of different forms of money laundering and terrorist financing as they relate to identifying suspicious activity
o Disciplinary actions taken for noncompliance with internal policies and regulatory requirements
An effective internal audit department develops and maintains an audit risk assessment to determine audit priorities. It also develops and maintains detailed audit testing programs for every area
Independent audit (Case example: Apical Asset Management Pte. Ltd.)
July 2020, Monetary Authority of Singapore (MAS), revoked the Capital Markets Services (CMS) license of Apical Asset Management Pte. Ltd. (AAMPL) for serious breaches of MAS’ AML/CFT requirements
2013 to 2018. Specifically, AAMPL:
* Failed to conduct an enterprise-wide AML/CTF risk assessment
* Failed to properly assess its customers for elevated financial crime risks
* Had deficient ongoing monitoring controls and procedures
* Failed to assess the effectiveness of its AML/CFT controls by conducting independent audits
MAS concluded that AAMPL did not have in place basic AML/CFT policies and procedures to manage their risks.
Independent audit (Case example: Apical Asset Management Pte. Ltd.)-Key takeaways
- A robust, holistic AML/CTF program includes independent oversight and review.
- An enterprise-wide risk assessment is needed to identify vulnerabilities and allow organizations to develop effective controls.
- Entities must assess their customers for elevated financial crime risks.
- AML/CFT policies must be in place to manage risks.
Establishing a Culture of Compliance
the ultimate responsibility for the AML/CFT compliance program rests with the organization’s board of directors
Associates in all business units must clearly understand their commitment to supporting the compliance program by following the rules
FinCEN’s advisory in August 2014 outlined six guidelines