Risk Based Approach putting it into practice

Academic year: 2021

(1)

Risk Based Approach – putting it into practice

Collin Lobo

Regional Head of Financial Crime Risk – Middle East, Pakistan and Africa

Disclaimer – This presentation / document has been prepared to help improve general awareness of the Risk Based Approach to AML / Sanctions / Financial Crime in general, and KYC / CDD processes in particular, for the attendees of the Outreach Session by DFSA, and has been created for discussion purposes only. It reflects only the personal views of the author and not of Standard Chartered Bank. Neither the author nor Standard Chartered Bank accepts any responsibility or liability whatsoever with regard to its contents.

(2)

Agenda

• Introduction
• Why do we need RBA – a practitioner’s perspective?
• What does a risk based approach mean to us?
• How do you go about putting a RBA into practice?
  • Policy
  • Risk Assessment – Enterprise – Client – Segment – Product
  • Operating Procedures
  • On-going monitoring
  • Training
• What can go wrong?

(3)

Why do we need RBA?

We need a RBA to help us as an authorised firm to:

• Identify and measure potentially higher risk areas of money laundering, terrorist financing and sanctions;
• Develop strategies to mitigate those risks that have been identified; and
• Help focus resources (human and financial) in areas that are deemed higher risk from a financial crime risk perspective.

Because

• We operate in different geographies
• We offer somewhat different client solutions
• We have different operating models, are different in size and complexity
• We don’t have a ‘blank cheque’! and
• ONE SIZE DOES NOT FIT ALL!!

(4)

What does RBA mean to us?

• Allows us to risk categorize our business, products and clients from an FCR perspective
• Include a documented risk assessment covering financial crime risks (ML, TF, Sanctions, ABC and Fraud)
• Risk assessment for Financial Crime Risk takes into account:
  • Clients and business relationships
  • Products, services and delivery channels
  • Jurisdictions where we draw our client base from
  • Jurisdiction where we operate
• Continuous identification of areas for improvement in the risk assessment and associated policies and procedures

(5)

Overarching RBA philosophy

• Group AML policies and procedures
• Risk Assessment – Global, Geography, Customer – flow through to Businesses (Wholesale, Consumer & Private Banking)
• Customer on-boarding procedures – bespoke written procedures within the boundaries of Group policies by each Business
• On-going monitoring – Transaction surveillance, Sanctions filtering, periodic review, trigger-event reviews and Dynamic Risk Rating
• Training – Bespoke and fit-for-purpose training to staff – Tellers / Branches, Cash Management, Trade, RMs, CDD Advisory and Senior Management
• Assurance – 3 lines of defence – KCSAs (first line), Compliance Monitoring (2nd line), Group and Country Audit (3rd line)

(6)

Building blocks that synergise each other

• Financial Crime policies and procedures
• Client on-boarding – KYC / CDD
• Ongoing monitoring – Transaction screening, Client screening, AML surveillance, CDD Review
• Governance
• Assurance
• Systems, Organization and Resources

(7)

RBA – KYC (client on-boarding)

AML Risk Assessment
• Risk-based approach ensuring more due diligence for situations where there is greater money laundering risk
• Risk factors include geography, industry, products, clients, regulatory requirements

Identification & Verification
• Collection of information that identifies clients and verification of accuracy of information

Client screening
• Screening of names of clients and related parties against watch lists including sanctions lists, politically exposed persons lists, adverse media lists and internal lists

Client due diligence
• Collection of information to understand nature of relationship the client is seeking with the Bank
• Understanding whether client will introduce AML risks to the Bank

Client acceptance
• Ensure that AML risks are acceptable before on-boarding
• Restrict or reject relationships where risks are not acceptable
• Escalation to senior management / governance committees if required

CDD is embedded in the end to end client onboarding process; No new client will be accepted without an authorised CDD record.

(8)

RBA – the nuts and bolts (current)

5 key risk ‘pools’ drive risk assessment – to arrive at SDD (Standard Due Diligence) or EDD (Enhanced Due Diligence):

• Co. type, age, Country
• Risk over-ride
• Sanctions risk
• Compulsory EDD
• Country specific

These feed a final risk rating.

(9)

What does each ‘risk pool’ mean?

Co. type, age, Country
• Combination of multiple, over-riding risk parameter feeds
• Business type, age, country of inc. or operation (higher)

Risk over-ride
• Allows assignment of SDD rating for listed entities, companies subject to statutory licensing, Governments, Ministries, SWEPEs etc. irrespective of Co. type, age, Country rating

Sanctions risk
• Link to any sanctioned country requires assignment of EDD risk rating and obtaining related approvals

Compulsory EDD
• CDD procedures require assignment of compulsory EDD risk rating for specific client types (PEP link, off-shore trusts, gambling / casino businesses, arms, bearer shares, rough diamonds etc.)

Country specific
• Over and above Group CDD policies and procedures, local country regulators may require assignment of specific risk rating to certain types of clients (manual over-ride in eCDD system)

(10)

RBA – the nuts and bolts (enhanced)

Based on global benchmarking and studies, we are moving to a more focused, ‘next-gen’ risk assessment model.

Client AML risk rating is built from: Country of establishment or operation; Industry; Banking products and services; Ownership, regulated status, length of relationship; AML Control.

Client AML risk: Low (L) / Medium (M) / High (H)

Due Diligence Requirement:
• All clients – Standard Due Diligence (SDD)
• Enhanced DD (EDD)
• Defined situation – Specialised Due Diligence (SpecDD)

Frequency of CDD Review: Every 3 years (SDD) / Annually (EDD)

Automated AML surveillance risk weighting: L / M / H

(11)

RBA – the nuts and bolts (enhanced)

• SpecDD – Special Due Diligence based on the driver – PEP, Sanctions, Complex Ownership, FI / Correspondent Banking / MSBs, Adverse media
• Client AML risk rating is now independent of Due Diligence level (SDD / EDD and Spec DD)
• Client AML Risk Rating ‘flows through’ to Transaction Surveillance systems to help build RBA in our Financial Crime Intelligence Operations program
• Due Diligence level drives the periodicity of CDD review (1 or 3 years)
• Client AML risk rating drives the risk-based thresholds in surveillance systems (progressive thresholds set for each Detection Scenario based on risk rating)
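The following is an added worked example, not code from the presentation or from Standard Chartered Bank, modelling the decision logic the preceding slides describe: the five risk pools resolving to a due diligence level, the DD level driving the CDD review period (3 years for SDD, 1 year for EDD), and the client AML risk rating (L/M/H) driving progressive surveillance thresholds independently of the DD level. The precedence between the pools, the baseline thresholds on company age and country rating, the threshold multipliers and every client type string are assumptions made for the example; the slides do not state them.

```python
"""Added example: risk-pool driven due diligence level, review period and
surveillance threshold. Rule precedence, thresholds and type names are assumed."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class DDLevel(str, Enum):
    SDD = "SDD"        # Standard Due Diligence
    EDD = "EDD"        # Enhanced Due Diligence
    SPECDD = "SpecDD"  # Specialised Due Diligence (driver based)


# Client types the slides name as compulsory EDD (labels are assumed spellings)
COMPULSORY_EDD_TYPES = {"pep_link", "offshore_trust", "gambling", "arms",
                        "bearer_shares", "rough_diamonds"}
# Client types the slides name as eligible for the SDD risk over-ride
SDD_OVERRIDE_TYPES = {"listed_entity", "statutory_licensed", "government",
                      "ministry", "swepe"}
# SpecDD drivers named on the enhanced slide
SPECDD_DRIVERS = {"pep", "sanctions", "complex_ownership", "fi_correspondent",
                  "msb", "adverse_media"}


@dataclass
class Client:
    client_type: str
    company_age_years: int
    country_rating: str                 # "low" | "medium" | "high" (assumed scale)
    sanctioned_country_link: bool = False
    specdd_drivers: set = field(default_factory=set)
    local_override: Optional[str] = None  # DD level forced by a local regulator


def due_diligence_level(c: Client) -> DDLevel:
    """Assumed precedence (not stated on the slides):
    local regulator over-ride > SpecDD driver > sanctions link / compulsory EDD
    > SDD over-ride > baseline from company type, age and country."""
    if c.local_override:
        return DDLevel(c.local_override)
    if c.specdd_drivers & SPECDD_DRIVERS:
        return DDLevel.SPECDD
    if c.sanctioned_country_link or c.client_type in COMPULSORY_EDD_TYPES:
        return DDLevel.EDD
    if c.client_type in SDD_OVERRIDE_TYPES:
        return DDLevel.SDD
    # Baseline pool: high-risk country or a very young company pushes to EDD
    # (the 2-year cut-off is an assumed threshold)
    if c.country_rating == "high" or c.company_age_years < 2:
        return DDLevel.EDD
    return DDLevel.SDD


def review_period_years(level: DDLevel) -> Optional[int]:
    """SDD is reviewed every 3 years and EDD annually; SpecDD is a
    'defined situation' on the slides, so no fixed period is returned."""
    return {DDLevel.SDD: 3, DDLevel.EDD: 1, DDLevel.SPECDD: None}[level]


def surveillance_threshold(base_amount: float, aml_risk_rating: str) -> float:
    """The client AML risk rating, independent of the DD level, drives
    progressive detection thresholds. The multipliers are assumed."""
    factor = {"L": 1.0, "M": 0.75, "H": 0.5}[aml_risk_rating]
    return base_amount * factor


def assess(c: Client, aml_risk_rating: str, base_amount: float = 10_000.0) -> dict:
    """Combine the three outputs a CDD record and surveillance system would consume."""
    level = due_diligence_level(c)
    return {
        "dd_level": level.value,
        "review_years": review_period_years(level),
        "threshold": surveillance_threshold(base_amount, aml_risk_rating),
    }


if __name__ == "__main__":
    # Constructed sample clients (not real data)
    samples = [
        ("listed company, high-risk country", Client("listed_entity", 40, "high"), "L"),
        ("casino", Client("gambling", 10, "low"), "M"),
        ("listed company with PEP link", Client("listed_entity", 40, "low",
                                                specdd_drivers={"pep"}), "H"),
    ]
    for name, client, rating in samples:
        print(name, assess(client, rating))
```

The SDD over-ride for listed entities survives a high country rating, as the slide says it should, but is assumed here to lose to a sanctions link, a compulsory-EDD client type or a SpecDD driver; if the firm's procedures order these pools differently, only `due_diligence_level` changes.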

(12)

Multiple levels of review / sign-off

Role                  | SDD                | EDD / Spec DD
Relationship Manager  | Sign off / Approve | Recommend
Compliance / FCR      | ----               | Review / Advise
Sr Management         | ----               | Sign off / Approve
Country Governance    | ----               | Review periodically

For signing off CDD file, RMs consider all the information gathered during the due diligence process, including consideration of any reputational risks identified through media searches. Material reputational risk considerations

(13)

Ongoing monitoring / continuous loopback

Stage – Nature of activity

• Transactions screening – Automated screening of cross-border SWIFT messages to / from against numerous regulatory (e.g. OFAC) and internal watch lists
• Client screening – Comparison of client names against a wider set of watch lists e.g. sanctioned persons, politically exposed persons (PEPs), internal lists
• AML surveillance – Post-transaction review – Detection Scenarios, prompting investigation; performing research and analytics to generate FCR intelligence; and disclosure to authorities as a STR where appropriate
• CDD review – Three key activities – information updates; trigger-based CDD reviews; periodic CDD reviews. Follows similar process as client on-boarding to ensure appropriate challenge

(14)

Assurance – three lines of defence

1st line – Business (Front Office)
• Act as primary “gatekeepers” for client acquisition
• Ensures ongoing compliance with all relevant policies and procedures
• Tools include MI (KRIs, KCIs, KPIs), Key Control Standards, Key Control Self Assessments, Peer Reviews

2nd line – Compliance and other RCOs
• Sets policies and standards for regulatory compliance
• Provides advice to business in relation to policies
• Monitors to ensure ongoing business adherence to policies
• Tools include Compliance Monitoring Reviews, Controls Effectiveness Reviews

3rd line – Group Internal Audit
• Conducts internal audits
• Assesses effectiveness of a process as a whole

(15)

What can go wrong?

• Failure to include all products and systems will cause your risk assessment to be incorrect
• Failure to include all key stakeholders will not allow you to consider operational challenges faced by them
• Failure to interpret / implement local requirements will expose you to local regulatory risk and internal challenges from assurance functions (e.g. Internal Audit)
• Over complicated procedures will cause confusion in the front line
• Failure to train staff appropriately will lead to poor quality of CDD
• Overly rigid procedures may cause operational difficulties
• Failure to have a process of continuous evaluation of risk and associated procedures will expose your organization to ML/TF/Sanctions risk
