Implementing AML Compliance Program for Financial Institutions
Dr. LAM Yat-fai (林日辉博士)
Doctor of Business Administration (Finance)
CFA, CAIA, FRM, PRM, MCSE, MCNE
PRMIA Award of Merit 2005
E-mail: quanrisk@gmail.com
Outline
Supervisory framework on AML
Risk-based AML compliance program
IT systems for AML compliance
Sound practices of AML compliance
Supervisory framework
Regulatory guidelines
Circulars
AML profiling
Prudential survey
Offsite review
Onsite examination
Control self-assessment
Tripartite meeting
Regulatory guidelines
Hong Kong Monetary Authority
Guideline on Anti-Money Laundering and Counter-Terrorist Financing (for Authorized Institutions)
Issued in January 2012, 12 chapters, 112 pages
Securities and Futures Commission
Guideline on Anti-Money Laundering and Counter-Terrorist Financing
Issued in April 2012, 10 chapters, 130 pages
Circular
AML profiling
A long questionnaire consisting of 30 to 40 questions
AML compliance officer
Composition of AML compliance committee
IT systems for AML compliance in place
Major MIS reports
No. of PEP customers
Customer AML risk classification system
No. of incidents reported to JFIU during the last three years
Latest audit findings
To capture static information about an FI's AML compliance program
To be completed within two to three months, renewed on an annual basis
Regulators to build a centralized database
Prudential survey
A short questionnaire to collect some ad-hoc information during the year
No. of transactions with Mr. 薄熙來, Ms. 谷開來 or Mr. 薄瓜瓜 during the last three years
No. of large amount out-going fund transfers from Chongqing city during the last three years
No. of customers in North Korea
Driven by contemporary political, economic, regulatory and/or media focus
Issued on an ad-hoc basis
To be completed within two to four weeks
Off-site review
Revised and updated policies and procedures
Independent audit reports on an FI's AML compliance program
Action plans to rectify audit findings
Progress report on rectification actions
Major incident reports
Follow up by meetings
Onsite examination
Comprehensive examination
Two- to three-person team, around two to three months
Covering major topics of an FI's AML compliance program
To assess the quality of an FI's AML compliance program
Thematic examination
Single examiner, around one month
Covering one to three hot AML compliance topics
Aims at identifying sound practices and common issues in contemporary AML topics
Control self-assessment ("CSA")
A comprehensive audit checklist
To be completed by the FI itself
Covering critical policy areas
For each control procedure
Compliance status – fully, partially or not compliant
Explanations of compliance
Mitigation plan and tentative completion date
CSA summary
CSA summary by institution
CSA summary by control procedure
CSA summary by institution and control procedure
Compliance projection
Tripartite meeting
Three-party senior meeting among
Financial institution
Auditor
Regulator
To assess the major and critical areas for improvement and/or development
Challenges facing FIs
External
Regulatory requirements keep on changing and tightening
Internal
AML compliance is a cost centre
Limited budget
Lack of manpower
AML compliance impacts customer relationships
Outline
Supervisory framework on AML
Risk-based AML compliance program
IT systems for AML compliance
Sound practices of AML compliance
Senior management oversight
Senior management is fully responsible for the AML compliance program
A committee comprising senior staff from different business units
Comprehensive terms of reference
Regular meetings – at least quarterly
Meeting minutes with discussion items on AML compliance
Corporate AML policy
Match the regulatory guidelines
Topics and no. of pages
Reviewed and updated
At least annually
Incorporating material changes in business or regulatory requirements during the year
Approved by AML committee
AML procedures
A guide book to carry out a specific AML activity, e.g.
Due diligence procedure
Suspicious transaction management procedure
JFIU reporting procedure
Department and business dependent
From one page to hundreds of pages
Reviewed at least on an annual basis
Approved by department head and/or AML committee
MIS reporting
MIS reports with key risk indicators (“KRIs”)
No. of high/medium/low risk customers
No. of rejected potential customers
No. of suspicious transactions detected
No. of suspicious transactions approved
No. of suspicious transactions under investigation
Trend analysis
Peer analysis among business lines and country offices
Compliance and audit
Compliance
To ensure that AML policies and procedures are followed through
Compliance staff are advised not to be involved in daily operations to maintain independence
Audit
To ensure that compliance staff are doing their jobs
Focuses more on current hot topics
Training and awareness
New staff training within three months
Annual training on regulatory updates
Keep attendance records
Follow up with a simple test
Risk-based approach
To justify that there is no money laundering activity, do more on
Customers with higher risk – CDD
Counterparties with higher risk – sanction filtering
Transactions with higher risk
Customer risk level
Higher customer risk
Customers with political background (PEPs)
Customers in business of casino or weapon
Customers in sanctioned countries
Lower customer risk
High school teachers
Restaurant waiters
Factory workers
Other higher risk customers
Private banking
Correspondent banking
Money changers
Companies registered in tax havens
Client accounts – who is the ultimate owner?
Risk-based approach
Higher risk customers
Detailed background check
Frequent updates
Close monitoring
Lower risk customers
Simple background check
Regular updates
Less monitoring
Counterparty risk
Higher counterparty risk
On the sanction list
Lower counterparty risk
Not on the sanction list
Transaction risk
Likelihood
What is the chance?
Chance of customer + chance of counterparty
Exposure
What is the amount?
Transaction risk
Likelihood x Exposure
Exposure
Static limits
HK$8,000 for wire transfer
HK$120,000 for other transactions
Dynamic limits
Statistical distance = (Amount − Mean) / Standard deviation
Transaction risk
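The Likelihood x Exposure scoring and the static and dynamic (statistical distance) exposure limits from the slides above, worked through in Python as an added example; this is not code from the slides or from the author. The customer and counterparty chance scores, the z-score limit, the expert threshold and the transaction history are assumed or constructed values.

```python
from statistics import mean, pstdev

# Static limits quoted on the slides (HK$)
STATIC_LIMITS = {"wire": 8_000.0, "other": 120_000.0}
# Likelihood inputs: assumed illustrative chance scores, not values from the slides
CUSTOMER_RISK = {"high": 0.6, "medium": 0.3, "low": 0.1}
COUNTERPARTY_RISK = {"on_sanction_list": 1.0, "not_on_sanction_list": 0.1}
# Constructed history of one customer's past transaction amounts (HK$)
HISTORY = [2_000, 2_500, 1_800, 2_200, 2_100]


def statistical_distance(amount, history):
    """Dynamic limit from the slides: (Amount - Mean) / Standard deviation,
    computed over the customer's own past amounts (population std dev)."""
    mu, sd = mean(history), pstdev(history)
    if sd == 0:  # flat history: any deviation from the usual amount is unusual
        return 0.0 if amount == mu else float("inf")
    return (amount - mu) / sd


def exposure_exceeded(amount, kind, history, z_limit=3.0):
    """Return (static_hit, dynamic_hit): amount at or above the static limit
    for its kind, and/or more than z_limit std devs above the customer's mean.
    z_limit is an assumed tuning parameter."""
    static_hit = amount >= STATIC_LIMITS.get(kind, STATIC_LIMITS["other"])
    dynamic_hit = statistical_distance(amount, history) > z_limit
    return static_hit, dynamic_hit


def transaction_risk(amount, kind, customer_level, counterparty_status,
                     history, expert_threshold=50_000.0):
    """Likelihood x Exposure, then route as the slides describe: higher risk to
    a centralised expert, lower risk to front-line staff. Likelihood is the
    customer chance plus the counterparty chance; exposure is the amount.
    expert_threshold is an assumed tuning parameter, not from the slides."""
    likelihood = CUSTOMER_RISK[customer_level] + COUNTERPARTY_RISK[counterparty_status]
    static_hit, dynamic_hit = exposure_exceeded(amount, kind, history)
    score = likelihood * amount
    if score >= expert_threshold or dynamic_hit:
        route = "expert"          # detailed investigation, dedicated officer
    elif static_hit:
        route = "front_line"      # general investigation by front-line staff
    else:
        route = "none"            # below every limit, no case raised
    return {"likelihood": likelihood, "static_hit": static_hit,
            "dynamic_hit": dynamic_hit, "score": score, "route": route}


if __name__ == "__main__":
    print(transaction_risk(9_000, "wire", "low", "not_on_sanction_list", HISTORY))
```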
Outline
Supervisory framework on AML
Risk-based AML compliance program
IT systems for AML compliance
Sound practices of AML compliance
AML IT systems
Customer identification
CDD and KYC
Offline checking against a sanction list
Sanction filtering
Transaction monitoring
Sanction filtering
Know the counterparty of your customer
Fund transfer from counterparty
Fund transfer to counterparty
Match against sanction lists
World-Check
Factiva
Local black list
Conducted before completion of transactions
Sanction filtering
False positive
Customer name similar to entities in sanction list
Urgency
Suspected transactions must be investigated before proceeding
Resources
No. of AML compliance officers
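Name matching against a sanction list, and the false positive from a look-alike name that the slide above describes, as an added example in Python; this is not code from the slides or from any of the list vendors named. The list entries are constructed, and the normalisation rules, the similarity measure (difflib) and the 0.85 hold threshold are assumptions.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed list entries for demonstration; not a real sanction list
SANCTION_LIST = ["Ivan Petrov Sokolov", "Global Trade Holdings Ltd", "Abu Hamza"]
# Legal-form words and titles that carry no identity information (assumed set)
NOISE = {"ltd", "limited", "inc", "co", "company", "mr", "ms", "mrs"}


def normalise(name):
    """Fold accents and case, drop punctuation and noise words, and sort the
    remaining tokens so 'Sokolov, Ivan' and 'Ivan Sokolov' compare equal."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    tokens = re.sub(r"[^a-z0-9 ]", " ", ascii_name.lower()).split()
    return " ".join(sorted(t for t in tokens if t not in NOISE))


def screen(counterparty, sanction_list=SANCTION_LIST, threshold=0.85):
    """Match a counterparty name against the list before the transfer completes.
    Returns (decision, best_entry, score). 'hold' means the transaction must be
    investigated before proceeding; names that merely look alike produce holds
    too, which is the false-positive workload the slides describe."""
    target = normalise(counterparty)
    best_entry, best_score = None, 0.0
    for entry in sanction_list:
        score = SequenceMatcher(None, target, normalise(entry)).ratio()
        if score > best_score:
            best_entry, best_score = entry, score
    decision = "hold" if best_score >= threshold else "clear"
    return decision, best_entry, round(best_score, 3)


if __name__ == "__main__":
    # An exact hit, a look-alike name (false positive to be cleared by an
    # officer), and an unrelated name that passes.
    for name in ("SOKOLOV, Ivan Petrov", "Ivan Petrov Sokolova", "Acme Restaurant"):
        print(name, "->", screen(name))
```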
Risk-based approach
Transaction risk
Likelihood x Exposure
Higher transaction risk
Detailed investigation
Expert
Lower transaction risk
General investigation
Front line staff
Resources dedicated by the bank
Higher risk categories
Centralized expert investigation
Dedicated compliance officer
Lower risk categories
Decentralized general investigation
Front line staff
Sanction filtering IT solutions
Transaction monitoring
Know the transaction of your customer
To detect suspicious transactions
Conducted after the completion of transactions
Implemented with offline IT systems
Customer is not notified (no tipping-off)
Suspected crimes to be reported to the police
IT systems for transaction monitoring
Examine within a period, all
Account balances
Incoming transactions
Outgoing transactions
Criteria set out by experts based on
Historical scenarios
Exceptions to normal situations
Transaction monitoring solutions
Outline
Supervisory framework on AML
Risk-based AML compliance program
IT systems for AML compliance
Sound practices of AML compliance
Role of senior management
To accord AML compliance due priority, senior management may play an active role in the following areas:
Endorsing AML policies.
Appointing senior staff responsible for AML compliance.
Approving or declining high risk customers.
Approving or declining third party payments.
Reviewing suspicious activities/cases identified by the staff.
Supporting compliance investigation of suspicious cases.
Participating in AML/CFT training.
Role of senior management
To reinforce the importance of AML compliance, the board of directors may contribute by
Overseeing the implementation of AML policies as part of their broader governance role.
Reviewing reports of violations of AML procedures and controls.
AML policies and procedures
To help ensure that appropriate and effective AML policies and procedures are in place, firms may implement the following steps:
AML policies are endorsed by senior management and effectively communicated to all staff by means of training and utilizing suitable forms of testing to ensure proper understanding of the policies.
Appoint a person to regularly review changes to applicable AML rules and regulations, and where necessary, make changes or updates to ensure compliance.
Perform periodic audits or compliance checks of AML controls, including clients' identification and verification procedures.
Issue and distribute AML internal audit reports or compliance checking reports to all relevant business and functional departments as well as to senior management.
Customer acceptance and customer due diligence
To undertake customer acceptance and due diligence measures on a risk sensitive basis, firms may
Risk-based assessment
Perform risk-based and extensive know-your-customer assessment in order to ascertain a customer's identity, beneficial owners, nature and background of its business activities and source of funds and apply a risk rating to determine the extent of ongoing monitoring.
Categorise customers into distinct risk categories – high, medium and low risk. High risk customers are managed by focused resources and enhanced due diligence processes.
Customer acceptance and customer due diligence
On-going due diligence
Conduct periodic reviews depending on a customer's risk rating. This risk-based approach allows more detailed and enhanced reviews to be conducted for higher risk customers on a more frequent basis than low/medium risk customers.
Generate reports identifying those accounts showing activity which fulfils predetermined criteria, such as large transaction volume, or increased account usage. The compliance officer would review and decide if the transactions made were consistent with the customer's profile.
Customer acceptance and customer due diligence
Identification of Politically Exposed Persons and related enhanced due diligence
Use Internet or other web-based tools to perform background screening.
Employ external databases to perform background screening, including names of customers, directors, shareholders, authorised signatories and beneficial owners and perform batch screening on all accounts regularly.
Customer acceptance and customer due diligence
Classify PEPs as high risk customers and adopt enhanced due diligence and escalation processes, for example by
Assessing the PEP risk by obtaining information such as the customer's political function, country of origin, type of services and products sought and the source of wealth and funds, etc.
Seeking senior management's approval before opening PEP accounts.
Reviewing transactions of the PEP clients on a periodic basis.
Recognition and reporting of suspicious transactions
To facilitate the identification of suspicious transactions and help ensure that the legal requirements for reporting suspicious transactions to the JFIU and prohibitions against tipping-off are complied with, firms may:
Recognition and reporting of suspicious transactions
Implement automated transaction monitoring system utilising software which is designed to detect patterns of unusual transactions and suspicious transactions.
Arrange to have exception reports automatically escalated to the compliance officer for review, approval and, where necessary, to form the basis for further investigation, reporting, raising the risk rating of a customer for enhanced monitoring.
Recognition and reporting of suspicious transactions
Cash or third-party payments
Require approval of cash or third party payments by Head of Compliance and Head of relevant Business Department.
Perform regular review on activities such as frequent fund transfers or cheque payments involving unverified or difficult to verify third parties or other unusual fund movements and investigate accounts with unusual activities.
Recognition and reporting of suspicious transactions
Review these reports from time to time to ensure that they have been properly updated to incorporate new indicators of suspicious activity.
Incorporate organization specific indicators of potentially suspicious or unusual activities into AML policies and AML training.
Conduct background checks using reliable and independent source documents and database before establishing business relationships in order to identify terrorist suspects at the initial account opening stage and on an ongoing basis thereafter.
Recognition and reporting of suspicious transactions
No tipping-off
Put in place procedures whereby
Account executives and other relevant staff receive AML training and are fully cautioned against tipping off customers and made aware that they are subject to criminal liability for such actions.
Only a limited number of persons, e.g. the compliance officer and senior management, are privy to suspicious transaction reports which are made to the JFIU strictly on a need-to-know basis.
Account executives are not informed when suspicious transaction reports are made to the JFIU to prevent tipping off.
Staff training
To help ensure that appropriate and effective staff training procedures are in place, firms may
Distribute their internal AML policies to new staff members during induction training.
Require newly recruited staff to complete training on AML and thereafter refresh themselves on AML policies and procedures regularly.
Incorporate new or updated changes in AML regulations or policies whenever necessary and inform staff of these changes through different means, e.g. circulation of revised policy, internal circulars or email alerts.
Provide tailored AML training for front office employees.
Utilize suitable forms of testing to ensure proper understanding of the policies, e.g. quizzes.
Your opinions
http://sites.google.com/site/quanrisk