ANTI-MONEY LAUNDERING PROCESS MATURITY NEPAL BANKING INDUSTRY Survey Report 2017 Survey Partner
AML PROCESS MATURITY - NEPAL BANKING INDUSTRY Survey Report 2017 Anti-Money Laundering (AML) and Combating the Financing of Terrorism (CFT) are becoming increasingly complex and dynamic functions. Periodic review and assessment of any country s AML/CFT regime is critical to strengthening the compliance environment and staying a step ahead of the perpetrators of money laundering and terrorism. A detailed AML/CFT survey was conducted in December 2016 for compliance officers at Nepali banks to assess the regulatory environment and benchmark AML processes. A total of 23 compliance officers from commercial and development banks in Nepal participated in the survey. This first of its kind survey for Nepal covers, in detail, the processes related to risk identification and assessment, monitoring and record keeping, Politically Exposed Persons (PEPs), Foreign Account Tax Compliance Act (FATCA), technology and systems, resources, training and other parameters. In addition, opinions of compliance officers on issues such as current challenges, organisational priorities, senior managerial involvement, Financial Information/Intelligence Unit (FIU) and regulatory programmes were also solicited. The National Banking Institute (NBI) facilitated the survey and was the research partner for Fintelekt during this study in Nepal. We are thankful to all the respondents as well as to the NBI for their significant contribution to this study. We are also grateful to Mr. Hari Kumar Nepal, Deputy Director, FIU Nepal for his valuable insights while designing the survey questionnaire. As evidenced from the survey results, the overall AML/CFT regime in Nepal, is as yet developing. Besides, maturity levels vary across banks, with some banks ahead of others on the curve in terms of risk identification and assessment, monitoring, technology and training. We hope that the findings from this survey report will contribute to the AML debate in Nepal and help in building a stronger AML regime. Shirish Pathak Managing Director shirish@fintelekt.com Arpita Bedekar Research Director arpita@fintelekt.com
Table of Contents Executive Summary 1. Organisational Concerns and Challenges 1 2. AML Compliance as an Organisational Priority 3 3. Risk Identification and Assessment 5 4. Monitoring and Reporting 7 5. Politically Exposed Persons 9 6. FATCA Compliance 9 7. Technology 10 8. Training 12 9. Compliance Costs 12 10. FIU & Regulatory Involvement 13
EXECUTIVE SUMMARY Out of the compliance officers from 23 commercial and development banks in Nepal, who participated in the survey, 91% identified the top threat for their organisation as an inadequate understanding of the sources of customers funds. The top challenge for AML compliance in banks emerged as technology inadequacies or gaps, identified by 96% of respondents. While technology was a key organisational challenge, the automation of AML functions was cited as the top priority area for AML compliance officers particularly. Some specific concerns, and therefore areas for improvement for Nepali banks, that emerged from the survey are as follows: Governance Compliance officers in at least three quarters of the banks surveyed send regular AML reports to board members. Additionally, in more than half the banks surveyed, the Designated Director keeps the Board informed about AML compliance matters. Despite relatively defined reporting structures, a large majority of compliance officers (78%) believe that they require more support and involvement from the senior executive management and the Board of Directors in AML compliance related matters. Nearly 40% of the compliance officers also felt that more efforts are required to internally promote the organisational AML policy. The lack of support and involvement from the top management team and the Board of Directors points to low priority being accorded to AML compliance within banks in Nepal. Stronger and well-defined governance frameworks that encourage regular communication and interaction between compliance and management teams will be more conducive to the AML compliance priorities of the organisation.
Technology Know Your Customer (KYC) and Customer Due Diligence (CDD) records are maintained manually by 47% of the banks that participated in the survey. The lack of an automated system that will allow front-line and compliance staff to readily and easily access customer information digitally is likely to compromise monitoring and reporting. Nevertheless, it appears as if banks do recognise that technology inadequacy is a weakness in the AML regime currently. Procuring or enhancing transaction monitoring systems is the top priority for banks AML compliance related spending in the next one to two years. Several banks mentioned during the survey that they are in the process of putting in place or enhancing technology systems. Compliance officers were asked to rate the most important factors that they would consider while evaluating an AML data provider or software vendor. Data privacy or security from the vendor emerged as the top factor, chosen by 90% of the compliance officers, followed by AML knowledge (86%). Credibility of the vendor and conformation to international standards, in addition to price were the three other factors considered important while comparing vendors. Risk Identification and Assessment Of the participating banks, 40% have never renewed or have not renewed the risk profiles in the last three years. Only 47% of the participating banks have updated highrisk customer profiles in the last six months. Risk assessments is another area of concern for banks. 35% have never undertaken an organisation-wide AML/CFT risk assessment. Further, only 41% of the banks that participated in the survey are reviewing money
laundering risks at every transaction. Overall, banks need to invest more in risk identification and assessment, not only to keep up-to-date with current typologies, but also to keep in line with regulatory compliance. Training With low technological usage and less than adequate investments in governance systems and processes, banks rely mostly on employee-generated triggers and alerts for monitoring. Training must take center stage in such a case, so as to ensure that employees are aware of recent threats and ever evolving risks. Most banks provide annual training to their front-line and compliance staff. However, nearly half the banks indicated that they do not provide any training to board of directors or senior managerial team members. Without an understanding of current risks, top management members may not be equipped to take the right decisions relating to AML/CFT compliance. The Way Forward The presence of the concerns highlighted above, calls for corrective action by banks themselves, as well as tighter enforcement by the regulators. Some of these concerns can be addressed by putting in place stronger governance frameworks or by additional investments in critical technology or systems within the banks. Yet others may need strengthening of the regulatory framework so as to ensure that loopholes in the national AML/CFT compliance framework are plugged.
1. ORGANISATIONAL CONCERNS AND CHALLENGES Compliance officers at 91% of the banks participating in the survey regarded understanding the sources of customers funds as the top source of concern for the organisation. Officers from another 83% banks stated that understanding the Ultimate Beneficial Owner (UBO) of corporate clients was a perceived organisational risk. Tradebased money laundering (TBML) activity was in third place as the next important source of concern for banks. Most of these threats reported by compliance officers at Nepali banks are universal in nature, and are concerns for compliance officers globally. Top AML Compliance Challenges for Banks The top AML compliance challenge for the organisation as reported by 96% of the compliance officers was technology inadequacy or gaps, followed by coping with domestic regulations or regulatory expectations reported by 91% of the compliance officers. Although lower down the priority list, the fifth challenge stated by compliance officers was that of less than adequate involvement from the senior management, a concern that we have highlighted later in the report. 1
Top Challenges for Compliance Officers Overall, Nepali banks seemed to be lacking on robust systems and processes that will help them establish greater control over AML monitoring and record keeping. This is borne out by the fact that the top challenge faced by 91% compliance officers currently in their role emerged as automation of AML functions, followed by automation of transactional monitoring and alerts, mentioned by 78% of the respondents. Maintaining PEP and other negative lists and ongoing CDD were other important challenges. Lastly, balancing business and AML compliance priorities was cited as a challenging area for AML compliance officers. 2
2. AML COMPLIANCE AS AN ORGANISATIONAL PRIORITY AML/CFT is considered as a specialised function and an integral part of the organisation by all the compliance officers who participated in the risk assessment survey. AML Policy Review All the banks that participated in the survey have an AML policy in place. 45% of the banks review their AML policy once a year while another 27% review it once in two years. The rest of the banks review the policy on a need basis and issue directives as and when regulations are changed or updated. Team Size The size of the dedicated AML compliance team was found to be small, with 70% banks operating with a team strength of five or less dedicated AML compliance professionals. 21% have a 6 to 10- member team. Only 2 banks reported a team strength of between 21 to 50 professionals. Most banks, in addition to dedicated AML compliance staff in the head-office, also have branch level officers assigned to the compliance function. Branch Visits Around 40% of the compliance officers visit their branches every quarter, while another 30% visit every year, which allows the AML compliance officer to ensure adherence to policies at a branch level. A few banks manage compliance solely through the branch level officers, visiting only on a need basis. About 17% compliance officers indicated that they do not visit the branch due to resource constraints. AML Compliance Budgets Out of the participating banks, 68% compliance officers considered the AML budget allocated to their department as nominal, but 75% of those who considered the budget as nominal opined that budgets are on an increasing trend. Only 3 banks reported receiving a higher share of budget compared to other functions in the organisation. This points to a likely difficulty in getting budgetary approvals for key improvements in the AML compliance regime, across technology and systems, people and processes. 3
Decision Making Nearly half the banks indicated that the authority of the Compliance officer to make decisions regarding AML compliance would vary depending on the specific issue. 26% compliance officers indicated that they were the sole decision making authority, while in the rest of the cases, the compliance officer would be a co-decision maker or advisor on the issue. Governance and Reporting Compliance officers in 75% of the banks send quarterly reports to board members. Others send annually or do not send regularly. Additionally, in more than half the banks surveyed, the Designated Director keeps the Board informed about AML compliance matters. In some of the other banks, the Board members are kept informed through the Risk Management Committee, or ask for specific information from compliance officers on a need basis. Senior Managerial Involvement Out of the respondents, 61% believe that their organisation s policy of internally publicising the AML compliance programme is adequate, while the rest held that more is needed to be done in order to sensitise employees and the senior management to the importance of AML/CFT within the organisation. Although the board members and senior management are kept regularly informed in a majority of the banks, 78% compliance officers indicated that they would welcome more support and involvement from the senior executive management and the Board of Directors in AML compliance related matters. Given the complexity and importance of AML/CFT compliance, senior management and board of directors need to be equally aware and supportive of the AML compliance regime within the organisation, and a lack of involvement from the top would signal a potential gap in AML compliance. 4
3. RISK IDENTIFICATION AND ASSESSMENT More than half, or about 55% of the banks do not allocate a risk score to each individual customer, but most banks categorise customers into high, medium or low risk categories. 75% of the banks surveyed periodically review and update customer profiles as per the risk category. Almost all the banks conduct an Enhanced Due Diligence (EDD) for high-risk customers. Updating Customer Risk Profiles Banks are more regular in updating customer profiles of high-risk customers than those categorised as lower risk, with 47% of the banks updating highrisk customer profiles once in 6 months, while another 37% updating once every year. For medium-risk customers, an equal proportion of 37% update the risk profiles every year or every two years. For low-risk customers, at least 40% of the banks have either never renewed the risk profiles or have not done so within the last three years. Audit and Assessment 50% banks have undertaken an AML/CFT risk assessment in the last one year 15% banks have undertaken an AML/CFT risk assessment in one to three years 35% banks have never undertaken an AML/CFT risk assessment An organisation-wide AML/CFT risk assessment was undertaken by 55% of the banks in the last year, while 15% banks have conducted a risk assessment within the last one to three years. 35% have never undertaken such an assessment. Risk assessments are being primarily conducted internally. 5
61% banks conduct an annual AML Audit. 21% conduct a quarterly audit. 17% do not have regular audits scheduled. 72% of the banks undertake periodic review of suspicious transactions as a potential risk management tool. However, given the low numbers of suspicious transactions reported, this may not necessarily be effective. A similar number - 73% of banks assess money laundering risks before launching a new product, service or channel. Only 41% of the banks that participated in the survey are reviewing money laundering risks at every transaction. 45% of the banks do not review money laundering risks at a transactional level unless some specific concerns are raised about the customer or the transaction. The rest of them (14%) review the risk only when a customer initiatives a new type of transaction. It appears that Nepali banks are not investing enough in risk identification and assessment. Banks that do not update risk profiles or do not do so regularly, face the risk of working with outdated typologies as well as of regulatory non-compliance. Further, regular risk assessment and review of risks before launching a new product of service should ideally be an integral part of processes to safeguard the bank's position from money laundering and terrorist financing risks. 6
4. MONITORING AND REPORTING Currently, 70% of the banks do not have a system that generates a pop-up or alert for an unusual activity or transaction. At least 4 banks indicated that they are in various stages of implementing software or systems that will allow such alerts. All the banks that have the capability to generate alerts indicated that they investigate all of these alerts. Only two banks have more than 100 triggers in place to conduct transactions or activity monitoring. Most other banks currently work with less than 50 triggers in place to conduct transactions or activity monitoring. Due Diligence Processes While most of the banks conduct monitoring based on CDD information, 15% of the banks conduct monitoring based on CDD information only upon request or a regulatory order. Except for one bank, all others indicated that a customer risk profile is revised or updated based on triggers generated by sources set up for scrutiny. Monitoring Methods At 55% banks, manual processes are being used to identify suspicious money laundering or trade financing activities which include reporting by front-line staff, manual reviews or tip offs from intelligence agencies. 40% are using a semi-automated method that includes a mix of software systems, manual monitoring and excel-based monitoring. Only 39% banks have an automated system or software solution that allows automated monitoring of suspicious ML or TF activities. 35% banks have systems that allow them to view KYC and other customer details 7
concurrently with transactions. For others, these details can be manually obtained whenever required. Suspicious Transactions The ratio of suspicious transaction reports filed by banks in comparison with the number of customer accounts held by them is mostly less than 0.1%. Banks filed between 1 and 600 STRs in the last one year depending on their size, and type of customers serviced, with an average of 90 STRs being filed per bank that participated in the survey. The proportion of unusual activities being converted into suspicious transaction reports is less than 20% cent for a majority of the banks (59%). Another 32% of the banks reported that almost all the unusual activities detected get converted into STRs, suggesting lack of due diligence or investigation conducted on the unusual activities. To decide whether a transaction is indeed suspicious based on a risk alert, 38% banks take about a day, while 29% take between 1 and 3 days. Corporate Governance Just about 32% banks reported that their AML/CFT policy is integrated with their corporate governance practices, while another 46% banks reported that it is somewhat linked. 32% banks do not have Know Your Employee (KYE) guidelines in place. Some of these banks do have employee monitoring and screening policies in their bye-laws, however these are not linked to the AML/CFT policy within the organisation. The survey results indicate a disparity in maturity levels within the banks surveyed in terms of governance and processes. Most banks rely on manual processes and the vigilance of front-line staff to detect suspicious activities. Although for the size of banks in Nepal, investments in technology and automation could be relatively hard to justify, relying on staff would necessitate investments in training and governance frameworks to reduce the risk of exposure to ML/FT threats. 8
5. POLITICALLY EXPOSED PERSONS Of the participating banks, 91% recognise PEPs, identify them and apply enhanced due diligence against them at the time of on-boarding. The definition of a PEP varies across banks, but includes in 90% of the cases, a Nepali Politician and official of a certain level and relatives and close associates of Nepali politicians. In some other cases, Nepali government officials posted overseas, foreign politicians and officials of International Organisations with certain ranking and their relatives or close associates are also included in the definition. PEPs are flagged off on the basis of media reports, or disclosures by customers and employees. Banks also use commercial PEP/Sanctions screening tools or internal databases for identifying PEPs. 90% of the participating banks maintain at least a partial database of domestic and foreign PEPs. 6. FATCA COMPLIANCE FATCA compliance is part of the enterprise-wide AML programme for 80% of the banks. Of these, only two banks reported that they are not on target to meet FATCA compliance deadlines. However, 42% banks indicated that they are still learning about FATCA requirements, while 37% are implementing solutions to address FATCA requirements. 21% banks feel that they have adequate knowledge and are fully in control in terms of implementing FATCA requirements. The main challenges for banks in implementing FATCA deadlines are reviewing existing individual customer data for US Indicia to identify account holders that are required to comply, and implementing the right software or technology for FATCA compliance. 9
7. TECHNOLOGY Procuring or enhancing transaction monitoring systems is the top priority for banks AML compliance related spending in the next one to two years. At second place is KYC reviews, updates and maintenance while at third place is training. Clearly, banks understand the importance of all of these areas in strengthening AML/CFT monitoring within their organisations. Record Keeping Of the banks that participated in the survey, 47% maintain KYC/CDD records manually. Another 47% have an off-the-shelf software or an automated system in place for KYC/CDD record keeping. The lack of digitised customer records points to a major hindrance at more than half the banks that participated in the survey, as customer information would not be readily and easily accessible to front-life and compliance staff. Transaction Monitoring Currently, 27% of the banks are using an AML Solution or application for transaction monitoring. At least four other banks are planning to, or are in the process of setting up a software solution for transaction monitoring, as reported by compliance officers during the survey. Client Screening Of the banks that participated in the survey, 74% have a client screening solution in place, the most commonly used solutions being the Office of Foreign Assets Control (OFAC) List, United Nations (UN) List and the Ministry of Home Affairs Banned Organisation List. Companies are also using commercially available lists such as Accuity, Worldcheck, HMT and Swift for client screening. 10
Evaluating AML Data Providers / Software Vendors Several banks mentioned in the survey that they are in the process of putting in place or enhancing technology systems and software solutions for improving AML compliance related functions. This also emerged as a priority area for banks in the next one to two years. Accordingly, compliance officers were asked to rate the most important factors that they would consider while evaluating an AML data provider or software vendor. Data privacy or security from the vendor emerged as the top factor, picked by 90% of the compliance officers, followed by AML knowledge by 86%. Credibility of the vendor and conformation to international standards, in addition to price were the three other factors considered important while comparing vendors. 11
8. TRAINING Training is provided at least once a year to the front-line and compliance staff in most banks. Only one bank reported that they provide no training for their frontline staff. For senior management and board members, frequency of training is less than that for front-line and compliance staff. About half the banks indicated that their board of directors have never undergone training on AML compliance. 40% banks conduct common training programmes for all staff, regardless of their role with the rest providing specific training to their employees based on their role. A mix of classroom based, faculty-driven, web-based and written-material based training method were reported among the banks surveyed. About 75% banks said that they test the knowledge of staff on AML/CFT policy. While training for front-line and compliance staff is conducted more regularly, senior management executives and board members at several banks do not undergo regular training on AML/CFT. Moreover, training is often common for all roles, regardless of the profile of the employee. 9. COMPLIANCE COSTS Most participating banks, with an exception of 22%, reported an increase in their AML compliance staff size over the previous year, suggesting an increase in resource costs for the organisation. All the banks that participated in the survey indicated that they plan to increase their staff strength, again pointing to a further increase in compliance costs for the bank. Only one bank indicated that budgetary constraint may be a problem in terms of their plan to increase staff strength. Very few compliance officers were able to provide an estimate for average costs incurred for AML compliance per customer in the bank. The common response was that AML compliance costs are not considered per customer, but mostly viewed in aggregate terms for the bank as a whole. Most compliance officers were, however, able to confirm that this cost has increased over the last year. 12
10. FIU AND REGULATORY INVOLVEMENT All banks have participated in training programmes and workshops or seminars organised by the FIU Nepal at some point of time during the last year. Most banks, with the exception of three banks, reported using the FIU s help desk facility to clarify doubts or for other help. Those banks who used the facility reported satisfaction with the response that they received. 61% of the banks agreed that regulatory scrutiny has become more stringent now compared to that in the past. Banks reported satisfaction with the feedback made on disclosures by the bank to the FIU. 87% of the compliance officers felt that the feedback on these disclosures will contribute to better spotting of suspicious transactions in future. Areas of support from the FIU and regulatory programmes were listed as increased guidance (by 91% respondents), sectoral training (78%), and robust supervision (61%), among others. 61% compliance officers indicated that they were looking for a change in the style of regulatory visits or assessments conducted by the FIU and the Regulator. Wider publication of typologies and thematic reviews was also an expectation from regulated entities. More training programmes via more experienced practitioners was mentioned as an expected area of improvement for the FIU by a little more than half the respondents. 13