Components of a Fit-For-Purpose Risk Assessment. A Fit-For-Purpose Risk Assessment is Key to Effective Risk Management

ABOUT EXIGER

Exiger is a global regulatory and financial crime, risk and compliance company. Exiger arms financial institutions, multinational corporations and governmental agencies with the practical advice and technology solutions they need to prevent compliance breaches, respond to risk, remediate major issues and monitor ongoing business activities. Exiger works with clients worldwide to assist them in effectively managing their critical challenges while developing and implementing the policies, procedures and programs needed to create a sustainable compliance environment. A global authority on regulatory compliance, the company also oversees some of the world's most complex court-appointed and voluntary monitorships in the private and public sectors, including the monitorship of HSBC. Exiger has four principal business units: Exiger Advisory; Exiger Analytics, including DDIQ, the cognitive computing and intelligent search platform; Exiger Diligence; and Exiger Insight 3PM. Exiger operates through offices in New York City, Silver Spring (DC Metro), Miami, Toronto, Vancouver, London, Hong Kong, and Singapore.

The goal of a risk assessment is to enable an organization to understand its risks thoroughly so that it can manage them effectively. Each organization must tailor its risk assessments to fit its industry, business model, customer base, products and services, distribution channels, regulatory environment, and risk appetite. A well-designed risk assessment sits at the intersection of all these elements, covering the specific areas of risk exposure the organization faces while targeting the risk management controls necessary to mitigate those risks. The risk assessment process is not static or immutable; it must be updated periodically to account for changes to the organization's business model, business landscape, and regulatory environment.

Things to Consider When Designing a Fit-For-Purpose Risk Assessment

Designing a fit-for-purpose risk assessment is a cornerstone of effective risk management. The risk assessment process must be aligned to an organization's business model in order to demonstrate that its risk control framework is sufficient to manage its actual risk exposure. Regulators and auditors often include fitness-for-purpose as a core element of their periodic examinations. In the FFIEC BSA/AML (Federal Financial Institutions Examination Council Bank Secrecy Act/Anti-Money Laundering) Examination Manual, for instance, the principal guidance for reviewing a bank's risk assessment states:

"Review the bank's BSA/AML risk assessment. Determine whether the bank has included all risk areas, including any new products, services, or customers, entities, and geographic locations. Determine whether the bank's process for periodically reviewing and updating its BSA/AML risk assessment is adequate."

Using a generic template (as shown in the following charts) to begin constructing a risk assessment will generally yield a generic framework. The data captured from this type of template will not provide the level of granularity and specificity an organization needs to ensure a thorough and effective risk assessment.

Generic Risk Assessment Templates

Risk Category            Risk Weighting      Risk Score
Products
Services
Customers
Geographies
Distribution Channels

Control Category         Control Weighting   Control Score
Onboarding
Monitoring
Training
Program Governance
Systems

Business Scenarios

The following scenarios illustrate the risks and benefits an organization may experience when developing and conducting risk assessments.

Background Information

The following scenarios help to illustrate some of the disadvantages that result from ineffective risk assessment processes versus the benefits gained when a fit-for-purpose risk assessment model is implemented. These examples have been drawn from the highly regulated financial services industry, an industry with significant experience developing effective risk assessments and facing the consequences when failures occur. Although organizations in other industries may face less stringent regulatory requirements and examinations than financial services companies, an effective risk assessment process is still the foundation of proper risk management. An effective risk assessment process enables organizations in all industries to protect their customers, their stakeholders, and themselves from serious regulatory, reputational, and financial harm.

Bank X is a mid-sized U.S. regional retail bank with 28 branches located in six states. It has some commercial clients with international trading relationships, so it maintains representative offices in Canada and Mexico, but these foreign offices do not execute financial transactions; they merely facilitate client business dealings that are ultimately booked in the U.S. Bank X is developing a risk assessment covering its financial crime compliance (FCC) risks and controls, including risks and controls for anti-money laundering (AML), sanctions, and anti-bribery and corruption (ABC).

A Risk Assessment that is Too Generic

Bank X constructs a generic risk assessment framework that lacks granularity. As a result, it is not able to identify the specific aspects of its business that expose it to the most significant risk, and these are the business areas that typically need stronger controls. For example, when Bank X considers the FCC risks associated with its products and services, it selects only generic banking categories to include in its risk assessment questionnaires:

Deposit products
Commercial lending products
Consumer credit products
Consumer lending products

These broad categories do not represent a targeted understanding of the inherent risks these products can pose. For instance, when an assessment unit selects the generic category "deposit products", Bank X is unable to differentiate between the risk posed to that unit by an individual customer's deposit activity and that of cash-intensive businesses, which represent a much higher risk for money laundering activity.

A Risk Assessment that is Too Myopic

Bank X decides to be especially rigorous and granular in its assessment of FCC risk. It creates a model that assigns a risk score to every customer transaction processed during the past year, using a combination of risk ratings associated with the product, customer, geography and amount. The model calculates the percentage of transactions that fall into the highest risk bracket and compares this percentage to the same figure for the prior year's transactions to determine whether Bank X is increasing its risk exposure. This model's extreme focus on single transactions precludes the possibility of assessing risks posed by product categories, customer types or geographies. It also does not afford Bank X the opportunity to measure larger risk trends associated with changes in business model, product offerings, customer populations or geographical scope.

A Risk Assessment with an Incorrect Business Focus

Bank X constructs a risk assessment framework that excludes its domestic business operations. This leads the risk assessment to focus exclusively on representative office operations in Canada and Mexico. The assessment therefore determines an inherently low, and inaccurate, level of risk, since those offices execute no transactions and sit in highly regulated jurisdictions. This focus on its foreign operations means that the resulting risk assessment does not cover the risks associated with its domestic operations, which represent 100% of its commercial activity. Since the risks of violating AML, sanctions and ABC regulations reside almost entirely with the bank's domestic customers and their financial activity, this focus on the two representative offices results in an inaccurate assessment of Bank X's risk exposure.

A Risk Assessment that is Fit-For-Purpose (For Now)

Bank X develops a risk assessment model that includes all of its major business lines, product offerings, customer types, transactions executed, distribution channels, and geographical exposure. The control framework used to mitigate risks caused by business activity is broad enough that trends can be established. It is also sufficiently granular to help identify the root cause of control deficiencies and remedy them effectively.

In this case, Bank X has passed the first test of developing an effective risk assessment process, which is to design a risk assessment framework that allows the organization to account for all of its business activities and areas of risk exposure. Bank X also needs to develop a governance mechanism for its risk assessment process so that the assessment undergoes a periodic evaluation covering all areas of the bank's operations. As the organization's business model and dynamics shift, the risk assessment framework should be adjusted to account for changes or additions to its business operations, product offerings, customer base, industry standards, or regulatory expectations.

A fit-for-purpose risk assessment is a critical component of effective risk management. Organizations should be wary of the business risks that result from risk frameworks that are too generic, too myopic, or focused on the wrong part of the business. When an organization develops a risk assessment process that aligns with all of its business activities and areas of risk exposure, and recognizes that the process is not static, it is much better positioned to identify, address, and minimize its regulatory and reputational risk.

How Risk 360 Can Help

Exiger Risk 360 is a web-based, content-agnostic assessment platform that enables centralized administration of enterprise-wide and targeted risk assessments. The tool is flexible and user-friendly, and it offers transparent methodologies that provide clear audit trail documentation. When the Risk 360 platform is used in conjunction with risk assessment subject matter experts, corporations can optimize their risk assessment model and processes in a way that enhances resource efficiency while minimizing regulatory and reputational risk to their organization. Risk 360 is part of Exiger, a global regulatory and financial crime, risk and compliance company.

For more information, contact:

John W. Melican, Managing Director, Americas Regional Chair, Head of Financial Crime Practice, jmelican@exiger.com
Chris Andre, Managing Director, Americas Deputy Head of Financial Crime Compliance, candre@exiger.com
Patrick Pizzichetta, Managing Consultant, Financial Crime Compliance Advisory, ppizzichetta@exiger.com

Offices: New York City, Silver Spring (DC Metro), Miami, Toronto, Vancouver, London, Hong Kong, Singapore
www.exiger.com