Beruflich Dokumente
Kultur Dokumente
.1 Money laundering activities expose the Bank to various risks such as: 4.2 Reputation Risk Risk of loss due to severe impact on Banks reputation. This may be of particular concern given the nature of the banks business, which requires the confidence of depositors, creditors and the general market place. 4.3 Compliance Risk Risk of loss due to failure of compliance with key regulations governing the banks Operations. 4.4 Operational Risk Risk of loss resulting from inadequate or failed internal processes, people and Systems or from external events. 4.5 Legal Risk Risk of loss due to any legal action, the bank or its staff may face due to failure to comply with the law.
Legal and Regulatory Compliance Risks Enterprises of any nature operate in environments where they must comply with a wide range of legal risks as well as government-imposed or industry regulations. While compliance rules and risks can be monitored and recognized in many instances, legal risks are sometimes totally unanticipated. In the United States, for example, an aggressive plaintiff legal system can pose a major risk to otherwise well-intentioned enterprises. Asbestos litigation during the 1990s and beyond is an example. A fibrous mineral, asbestos has three extraordinary characteristics: It works as an insulator for heat and electricity; it resists or protects areas from many chemicals; and, when inhaled, it has now been found to cause cancer and other illnesses that can take decades to develop.
A natural insulation material, previously used extensively in building materials and then considered totally benign, it has been subsequently found that too much direct contact with asbestos fibers over time can cause severe lung problems and even death. Miners working underground extracting asbestos have met that fate. Extracted asbestos was used in many other products, such as sealed wrappers to insulate heating pipes or fire protection wall barriers. The risks to persons working or living in a structure with these asbestos-sealed pipes are fairly minimal. Nevertheless, aggressive litigators have brought actions against corporations, claiming that anyone who could have had any contact, no matter how minimal, with a product that used asbestos could be at risk sometime in the future. The result was litigation damage claims against companies that had once manufactured products containing some asbestos, calling for damages for potential human risks in future years. Because of huge damage awards, virtually all major corporations that once used asbestos have gone bankrupt, out of business, or have had to pay huge court-imposed damage losses. This is the type of legal risk that is very difficult to anticipate but that can be disastrous to an enterprise.
COSO ERM recommends that compliance-related risks be considered for each of the risk framework components, whether in the context of the internal environment, objective setting, or risk monitoring, as well as across the enterprise. The COSO ERM guidance material does not offer much additional information on this compliance objective other than to state that IT refers to conformance with applicable laws and regulations. These are important elements of the risk management framework that need to be communicated and understood. Understanding Regulatory Compliance Risks As enterprises become more interconnected on a worldwide basis and as laws frequently become complex sets of administrative rules, all enterprises face a wide range of regulatory compliance requirements. The number and extent of these is very broad, with some impacting virtually all enterprises and others related to only single business units of an enterprise in a specialized industry sector. The nature of those compliance risks needs to be communicated and understood through all levels of an enterprise. This is also an area where an enterprise may accept a certain level of risk in terms of its concerns regarding legal compliance issues. While an enterprise should not deliberately ignore a major law because of a feeling they never will be caught, they should always take a reasoned approach to these risks in conjunction with their overall philosophy and risk appetites. For example, many regulatory rules specify that all expenditures must be supported by a receipt. While there usually are no reasonableness guidelines, one enterprise could decide that all expenditures goes down to employee travel expenses of less than $1, while another might require receipts for anything above $25. The latter enterprise has made a decision that the costs of documenting these small expenditures are greater than any fine it might receive if caught in a regulatory compliance issue. This type of risk-related decision is similar to the new AS5 financial internal control rules for SOx discussed in Chapter 3. When an enterprise establishes such guidelines, they should be communicated to all levels and units. In order to manage and comply with regulatory risk requirements, an enterprise needs to have an understanding of the nature and extent of all of the regulatory risks it faces as well as the enterprises overall position on each. This is an area where information is often lacking within an organizational unit. The board of directors and senior management needs to have information on these key regulatory risk areas and actions taken. A regulatory risks status report, as shown in Exhibit 9.7, provides sample information regarding some of the various legal regulatory risks facing a hypothetical enterprise. This sample exhibit shows just a few of the many enterprise-level risks ranging from major to minor, but it might cover a different set of risks for an enterprise in a different industry
Risk Categories
Each organization will have its own interpretation of risk. And this interpretation will fit the market, culture and mission of the organization in question. To help align the risk management process with the organizations systems and procedures many organizations capture risk in a structured manner, via a set of categories that suit them. We can review some of the well-known published risk guides and consider the prompts they contain on categorization. The King report suggests several general headings as a start to addressing the companys exposure to at least the following: physical and operational risks, human resource risks, business continuity and disaster recovery, credit and market risks and compliance risks. The UK Government Treasurys guide to the management of risk isolates three main categories of risk: External Arising from the external environment, not wholly within the organizations controls, but where action can be taken to mitigate the risk. Comprising political, economic,
socio-cultural, technological, legal/regulatory and environmental risks. Operational Relating to existing operationsboth current delivery and building and maintaining capacity and capability. Comprising delivery, service/product failure, project delivery, capacity and capability, resources, relationships, operations, reputation, risk management performance and capability, governance, scanning, resilience and security. Change Risks created by decisions to pursue new endeavours beyond current capability. Comprising targets, change programmes, new projects and new policies.
COMPLIANCE RISKS Environmental risk Regulatory risk Policy and procedures risk Litigation risk
Compliance risks: _ Financial reporting errors or missed reports _ Compliance reporting failures at any level of local or national operations _ Failure to establish appropriate company-wide ethical and financial reporting compliance standards _ Failure to meet product quality standards
As discussed in earlier chapters of this volume, therefore, an Enterprise Risk Management (ERM) model must address the enterprises objectives with the following categories of control objectives: Planninghigh-level planning, resource allocation, and budgeting Operational riskday-to-day activities Financial reporting riskpresentation of financial results Compliance riskadherence to statutory requirements of all jurisdictions within which the company does business
be an ongoing process, not a one-time exercise. Management should update its risk assessment to identify changes in the banks risk profile, as necessary (e.g., when new products and services are introduced, existing products and services change, higher-risk customers open and close accounts, or the bank expands through mergers and acquisitions). Even in the absence of such changes, it is a sound practice for banks to periodically reassess their BSA/AML risks at least every 12 to 18 months.
Income (Call Report) and Uniform Bank Performance Report (UBPR). Examiners should complete this analysis by reviewing the level and trend of information pertaining to banking activities identified, for example:
onetary instrument sales. Foreign correspondent accounts and PTAs. Branch locations. This information should be evaluated relative to such factors as the banks total as set size, customer base, entities, products, services, and geographic locations. Examiners should exercise caution if comparing information between banks and use their experience and insight when performing this analysis. Specifically, examiners should avoid comparing the number of SARs filed by a bank to those filed by another bank in the same geographic location. Examiners can and should use their knowledge of the risks associated with products, services, customers, entities, and geographic locations to help them determine the banks BSA/AML risk profile. Examiners may refer to Appendix J (Quantity of Risk Matrix) when completing this evaluation. After identifying potential higher-risk operations, examiners should form a preliminary BSA/AML risk profile of the bank. The preliminary risk profile will provide the examiner with the basis for the
initial BSA/AML examination scope and the ability to determine the adequacy of the banks BSA/AML compliance program. Banks may have an appetite for higher-risk activities, but these risks should be appropriately mitigated by an effective BSA/AML compliance program tailored to those specific risks. The examiner should develop an initial examination scoping and planning document commensurate with the preliminary BSA/AML risk profile. As necessary, the examiner should identify additional examination procedures beyond the minimum procedures that must be completed during the examination. While the initial scope may change during the examination, the preliminary risk profile will enable the examiner to establish a reasonable scope for the BSA/AML review.
Boards of directors. The board of directors is responsible for approving the BSA/AML compliance program and for overseeing the structure and management of the banks BSA/AML compliance function. The board is responsible for setting an appropriate culture of BSA/AML compliance, establishing clear policies regarding the management of key BSA/AML risks, and ensuring that these policies are adhered to in practice. The board should ensure that senior management is fully capable, qualified, and properly motivated to manage the BSA/AML compliance risks arising from the organizations business activities in a manner that is consistent with the boards expectations. The board should ensure that the BSA/AML compliance function has an appropriately prominent status within the organization. Senior management within the BSA/AML compliance function and senior compliance personnel within the individual business lines should have the appropriate authority, independence, and access to personnel and information within the organization, and appropriate resources to conduct their activities effectively. The board should ensure that its views about the importance of BSA/AML compliance are understood and communicated across all levels of the banking organization. The board also should ensure that senior management has established appropriate incentives to integrate BSA/AML compliance objectives into management goals and compensation structure across the organization, and that corrective actions, including disciplinary measures, if appropriate, are taken when serious BSA/AML compliance failures are identified. Senior management. Senior management is responsible for communicating and reinforcing the BSA/AML compliance culture established by the board, and implementing and enforcing the boardapproved BSA/AML compliance program. If the banking organization has a separate BSA/AML compliance function, senior management of the function should establish, support, and oversee the organizations BSA/AML compliance program. BSA/AML compliance staff should report to the board, or a committee thereof, on the effectiveness of the BSA/AML compliance program and significant BSA/AML compliance matters. Senior management of a foreign banking organizations U.S. operations should provide sufficient information relating to the U.S. operations BSA/AML compliance to the governance or control functions in its home country, and should ensure that responsible senior management in the home country has an appropriate understanding of the BSA/AML risk and control environment governing U.S. operations. U.S. management should assess the effectiveness of established BSA/AML control mechanisms for U.S. operations on an ongoing basis and report and escalate areas of concern as needed. As appropriate, corrective action then should be developed and implemented.
152
1. 2. 3. 4. 5. 6. 7. 8.
Compliance Key yo Prudent Operation Definition & Scope Compliance V/S Audit Compliance in the content of Banking Operation Need for Purpose Oriented Compliance Assignment of compliance officer Critical Areas of Compliance Credible Compliance a. The Requirement b. A/C Opening
9.
15.
16.
17.
c. Money Laundering d. Lending Operations e. Overall Risk f. Reporting Compliance in account relationship establishment a. KYC Policy b. Customer Due Diligence c. Enhanced Due diligence d. Identifying Suspicious Transactions (STR) e. Combating Financing for terrorism (CFT) Compliance in continuing Account Relationship Compliance in AML Key SBP Regulations Compliance Officer knowledge Need Compliance in Lending Operations a. Risk Clearance b. Business Charter c. Terms of Sanction d. Financing Limits e. Documentation f. Pre-disbursement Audit g. Business Reciprocity h. Default i. Audit Objections Compliance in Risk Management a. Regulatory Compliance b. Liquidity c. Deposit= mix d. Concentration e. Liquidity Ratios f. Collateral Compliance in Foreign Trade Transactions a. Exchange exposure b. Reconciliation c. System Security d. System integrity e. Record Keeping f. Internal safety and security g. Safeguards against reputational Risk Making Compliance Effective a. Best Practices for compliance Technology b. Selecting a compliance system
Practical Group Based Exercises and AML / Control Break-Down case Studies: DAY ONE: 1. Catch me if you can (GAP ANALYSIS) a. Searching for control breakdowns b. Surfing for legal compliance in banking operations 2. Deliberating with customers (Role Play) a. Investigating STRs b. Analyzing possibilities of Money Laundering throughout banking conduit DAY TWO: 1. Syndicates a. Sharing self-raised Suspicious Transactions by participants 2. Self diagnosis exercise 3. Case Studies a. Pertaining to International FIUs