The COSO Control Framework and AML Risk Assessment. FIBA AML Conference Miami

Transcription

1 The COSO Control Framework and AML Risk Assessment FIBA AML Conference Miami Alan Abel Friday February 21, 2014

2 The COSO* Enterprise Risk Management Framework *Committee of the Sponsoring Organizations of the Treadway Commission on Fraudulent Financial Reporting 2012 Crowe Horwath LLP 2

3 The COSO Risk Management Model and AML The Treadway Commission asked the U.S. accounting profession to develop a universal framework of internal control. Subsequently, other governments followed suit with their accounting societies. Today, the AICPA, the International Federation of Accountants (IFAC), and 100+ other national societies have adapted and incorporated into their own professional authoritative and technical guidance. The COSO model is a rosetta stone for understanding AML+ risk management programs of financial institutions and their integration. Globally regulators have mandated that financial institutions have the capability and technology tools to effectively identify and assess their risks and to respond Crowe Horwath LLP 3

4 Universal to all regulatory risk frameworks Basel, U.S., and other national systems around the globe, are a set of quantitative and qualitative risks: Quantitative (e.g.) Liquidity Interest rate Exchange rate Credit AML risks are the Qualitative Legal / compliance Reputational Operational Strategic 2012 Crowe Horwath LLP 4

5 Critical risk criteria Likelihood of occurrence Expected impact 2012 Crowe Horwath LLP 5

6 Risk appetite and risk tolerance Risk Appetite The amount of risk an entity is willing to accept in pursuit of goals and value Risk appetite sets the policy framework, establishes guidelines, is qualitative How much risk is the Board willing to accept? For example -- what does Know Your Customer mean to us? What is our policy, our guidelines? Where do we draw the line in the sand? What is our comfort level? There is nothing inherently wrong with increasing risk customers, third parties, products and services, geographies, distribution channels, and outsourcing processes as long as you can demonstrate that you: Understand the risks that you are assuming, and Are willing to invest in stronger processes and controls to monitor them and manage them Crowe Horwath LLP 6

7 Risk appetite versus risk tolerance... Risk Tolerance The willingness to take risk in order to achieve a pre-defined specific objective Operational -- more granular than risk appetite Interpret policy into definable, measureable, business unit specific policies and procedures. Do this in a manner that readily lends itself to risk assessment, risk response and to monitor compliance with policy. Defining risk tolerance is management s job within the framework of the Board s risk appetite Crowe Horwath LLP 7

8 Risk Assessment in AML in COSO context Enterprise wide AML risk assessment Customer risk assessment 2012 Crowe Horwath LLP 8

9 Appendix: Professional Guidance 2012 Crowe Horwath LLP 9

10 Professional Guidance in the U.S. Authoritative SAS 54 Illegal Acts Technical (for AML) SAS 82 and 99 Consideration of Fraud in a Financial Statement Audit SAS 78 Consideration of Internal Control in a Financial Statement Audit COSO Enterprise Framework General and Industry Audit Risk Alerts Journal of Accountancy International Federation of Accountants and member societies 2012 Crowe Horwath LLP 10

11 Guidance for Managing Third Party Risk* Risk Assessment Due Diligence Contract Structuring and Review Oversight Alignment with strategy Risk/reward analysis Appropriate controls and oversight Financial condition Experience Compliance history Reputation Operations and controls Scope Cost/compensation reports Audit confidentiality and security Customer complaints Business resumption Default and termination Dispute resolution Indemnification Limits on liability Formal roles and responsibilities Quality of service Risk management Financial condition Appropriate controls and reports *Sound and leading practice guidance includes FDIC, OCC, and Federal Reserve bulletins and financial institution letters, FFIEC IT Examination Handbook and numerous private sector sources 2012 Crowe Horwath LLP 11

12 Alan Abel, CPA/CFF, CFE Director and Global AML Practice Leader Regional Leader Regulatory Compliance Risk FATCA Compliance Leader Crowe Horwath LLP Member Crowe Horwath International Fort Lauderdale Miami The Palm Beaches San Juan Phone: Link to subscribe to Crowe Insights: Subscribe to our Risk newsletter: Link to Regulatory Risk page: Link to AML page: Link to Technology Risk page: Link to ABA Endorsement Overview: Link to ABA AML Endorsement: Crowe Horwath LLP 12