COMPLIANCE IN BANKING OPERATIONS 1. Changing Profile of Risk 2. Compliance Risk 4. Money Laundering Risk Perception 4.

.1 Money laundering activities expose the Bank to various risks such as: 4.2 Reputation Risk Risk of loss due to severe impact on Banks reputation. This may be of particular concern given the nature of the banks business, which requires the confidence of depositors, creditors and the general market place. 4.3 Compliance Risk Risk of loss due to failure of compliance with key regulations governing the banks Operations. 4.4 Operational Risk Risk of loss resulting from inadequate or failed internal processes, people and Systems or from external events. 4.5 Legal Risk Risk of loss due to any legal action, the bank or its staff may face due to failure to comply with the law.
Legal and Regulatory Compliance Risks Enterprises of any nature operate in environments where they must comply with a wide range of legal risks as well as government-imposed or industry regulations. While compliance rules and risks can be monitored and recognized in many instances, legal risks are sometimes totally unanticipated. In the United States, for example, an aggressive plaintiff legal system can pose a major risk to otherwise well-intentioned enterprises. Asbestos litigation during the 1990s and beyond is an example. A fibrous mineral, asbestos has three extraordinary characteristics: It works as an insulator for heat and electricity; it resists or protects areas from many chemicals; and, when inhaled, it has now been found to cause cancer and other illnesses that can take decades to develop.

A natural insulation material, previously used extensively in building materials and then considered totally benign, it has been subsequently found that too much direct contact with asbestos fibers over time can cause severe lung problems and even death. Miners working underground extracting asbestos have met that fate. Extracted asbestos was used in many other products, such as sealed wrappers to insulate heating pipes or fire protection wall barriers. The risks to persons working or living in a structure with these asbestos-sealed pipes are fairly minimal. Nevertheless, aggressive litigators have brought actions against corporations, claiming that anyone who could have had any contact, no matter how minimal, with a product that used asbestos could be at risk sometime in the future. The result was litigation damage claims against companies that had once manufactured products containing some asbestos, calling for damages for potential human risks in future years. Because of huge damage awards, virtually all major corporations that once used asbestos have gone bankrupt, out of business, or have had to pay huge court-imposed damage losses. This is the type of legal risk that is very difficult to anticipate but that can be disastrous to an enterprise.

COSO ERM recommends that compliance-related risks be considered for each of the risk framework components, whether in the context of the internal environment, objective setting, or risk monitoring, as well as across the enterprise. The COSO ERM guidance material does not offer much additional information on this compliance objective other than to state that IT refers to conformance with applicable laws and regulations. These are important elements of the risk management framework that need to be communicated and understood. Understanding Regulatory Compliance Risks As enterprises become more interconnected on a worldwide basis and as laws frequently become complex sets of administrative rules, all enterprises face a wide range of regulatory compliance requirements. The number and extent of these is very broad, with some impacting virtually all enterprises and others related to only single business units of an enterprise in a specialized industry sector. The nature of those compliance risks needs to be communicated and understood through all levels of an enterprise. This is also an area where an enterprise may accept a certain level of risk in terms of its concerns regarding legal compliance issues. While an enterprise should not deliberately ignore a major law because of a feeling they never will be caught, they should always take a reasoned approach to these risks in conjunction with their overall philosophy and risk appetites. For example, many regulatory rules specify that all expenditures must be supported by a receipt. While there usually are no reasonableness guidelines, one enterprise could decide that all expenditures goes down to employee travel expenses of less than $1, while another might require receipts for anything above $25. The latter enterprise has made a decision that the costs of documenting these small expenditures are greater than any fine it might receive if caught in a regulatory compliance issue. This type of risk-related decision is similar to the new AS5 financial internal control rules for SOx discussed in Chapter 3. When an enterprise establishes such guidelines, they should be communicated to all levels and units. In order to manage and comply with regulatory risk requirements, an enterprise needs to have an understanding of the nature and extent of all of the regulatory risks it faces as well as the enterprises overall position on each. This is an area where information is often lacking within an organizational unit. The board of directors and senior management needs to have information on these key regulatory risk areas and actions taken. A regulatory risks status report, as shown in Exhibit 9.7, provides sample information regarding some of the various legal regulatory risks facing a hypothetical enterprise. This sample exhibit shows just a few of the many enterprise-level risks ranging from major to minor, but it might cover a different set of risks for an enterprise in a different industry

Risk Categories
Each organization will have its own interpretation of risk. And this interpretation will fit the market, culture and mission of the organization in question. To help align the risk management process with the organizations systems and procedures many organizations capture risk in a structured manner, via a set of categories that suit them. We can review some of the well-known published risk guides and consider the prompts they contain on categorization. The King report suggests several general headings as a start to addressing the companys exposure to at least the following: physical and operational risks, human resource risks, business continuity and disaster recovery, credit and market risks and compliance risks. The UK Government Treasurys guide to the management of risk isolates three main categories of risk: External Arising from the external environment, not wholly within the organizations controls, but where action can be taken to mitigate the risk. Comprising political, economic,

socio-cultural, technological, legal/regulatory and environmental risks. Operational Relating to existing operationsboth current delivery and building and maintaining capacity and capability. Comprising delivery, service/product failure, project delivery, capacity and capability, resources, relationships, operations, reputation, risk management performance and capability, governance, scanning, resilience and security. Change Risks created by decisions to pursue new endeavours beyond current capability. Comprising targets, change programmes, new projects and new policies.

COMPLIANCE RISKS Environmental risk Regulatory risk Policy and procedures risk Litigation risk
Compliance risks: _ Financial reporting errors or missed reports _ Compliance reporting failures at any level of local or national operations _ Failure to establish appropriate company-wide ethical and financial reporting compliance standards _ Failure to meet product quality standards

As discussed in earlier chapters of this volume, therefore, an Enterprise Risk Management (ERM) model must address the enterprises objectives with the following categories of control objectives: Planninghigh-level planning, resource allocation, and budgeting Operational riskday-to-day activities Financial reporting riskpresentation of financial results Compliance riskadherence to statutory requirements of all jurisdictions within which the company does business

Consolidated BSA/AML Compliance Risk Assessment

Banks that implement a consolidated or partially consolidated BSA/AML compliance program should assess risk both individually within business lines and across all activities and legal entities. Aggregating BSA/AML risks on a consolidated basis for larger or more complex organizations may enable an organization to better identify risks and risk exposures within and across specific lines of business or product categories. Consolidated information also assists senior management and the board of directors in understanding and appropriately mitigating risks across the organization. To avoid having an outdated understanding of the BSA/AML risk exposures, the banking organization should continually reassess its BSA/AML risks and communicate with business units, functions, and legal entities. The identification of a BSA/AML risk or deficiency in one area of business may indicate concerns elsewhere in the organization, which management should identify and control. Refer to the expanded overview section, BSA/AML Compliance Program Structures, pages 160 to 165, for additional guidance.

3. Banks Updating of the Risk Assessment

An effective BSA/AML compliance program controls risks associated with the banks products, services, customers, entities, and geographic locations; therefore, an effective risk assessment should

be an ongoing process, not a one-time exercise. Management should update its risk assessment to identify changes in the banks risk profile, as necessary (e.g., when new products and services are introduced, existing products and services change, higher-risk customers open and close accounts, or the bank expands through mergers and acquisitions). Even in the absence of such changes, it is a sound practice for banks to periodically reassess their BSA/AML risks at least every 12 to 18 months.

Examiner Development of a BSA/AML Risk Assessment

In some situations, banks may not have performed or completed an adequate BSA/AML risk assessment and examiners must complete one based on available information. When doing so, examiners do not have to use any particular format. In such instances, documented workpapers should include the banks risk assessment, the deficiencies noted in the banks risk assessment, and the examiner-prepared risk assessment. Examiners should ensure that they have a general understanding of the banks BSA/AML risks and, at a minimum, document these risks within the examination scoping process. This section provides some general guidance that examiners can use when they are required to complete a BSA/AML risk assessment. In addition, examiners may share this information with bankers to develop or improve their own BSA/AML risk assessment. The risk assessment developed by examiners generally will not be as comprehensive as one developed by a bank. However, similar to what is expected in a banks risk assessment, examiners should obtain information on the banks products, services, customers, entities, and geographic locations to determine the volume and trend for potentially higher-risk areas. This process can begin with an analysis of: -reporting database information (Web Currency and Banking Retrieval System (Web CBRS)).

Income (Call Report) and Uniform Bank Performance Report (UBPR). Examiners should complete this analysis by reviewing the level and trend of information pertaining to banking activities identified, for example:

onetary instrument sales. Foreign correspondent accounts and PTAs. Branch locations. This information should be evaluated relative to such factors as the banks total as set size, customer base, entities, products, services, and geographic locations. Examiners should exercise caution if comparing information between banks and use their experience and insight when performing this analysis. Specifically, examiners should avoid comparing the number of SARs filed by a bank to those filed by another bank in the same geographic location. Examiners can and should use their knowledge of the risks associated with products, services, customers, entities, and geographic locations to help them determine the banks BSA/AML risk profile. Examiners may refer to Appendix J (Quantity of Risk Matrix) when completing this evaluation. After identifying potential higher-risk operations, examiners should form a preliminary BSA/AML risk profile of the bank. The preliminary risk profile will provide the examiner with the basis for the

initial BSA/AML examination scope and the ability to determine the adequacy of the banks BSA/AML compliance program. Banks may have an appetite for higher-risk activities, but these risks should be appropriately mitigated by an effective BSA/AML compliance program tailored to those specific risks. The examiner should develop an initial examination scoping and planning document commensurate with the preliminary BSA/AML risk profile. As necessary, the examiner should identify additional examination procedures beyond the minimum procedures that must be completed during the examination. While the initial scope may change during the examination, the preliminary risk profile will enable the examiner to establish a reasonable scope for the BSA/AML review.

Examiner Determination of the Banks BSA/AML Aggregate Risk Profile

The examiner, during the Developing Conclusions and Finalizing the Examination phase of the BSA/AML examination, should assess whether the controls of the banks BSA/AML compliance program are appropriate to manage and mitigate its BSA/AML risks. Through this process the examiner should determine an aggregate risk profile for the bank. This aggregate risk profile should take into consideration the risk assessment developed either by the bank or by the examiner and should factor in the adequacy of the BSA/AML compliance program. Examiners should determine whether the banks BSA/AML compliance program is adequate to appropriately mitigate the BSA/AML risks, based on the risk assessment. The existence of BSA/AML risk within the aggregate risk profile should not be criticized as long as the banks BSA/AML compliance program adequately identifies, measures, monitors, and controls this risk as part of a deliberate risk strategy. When the risks are not appropriately controlled, examiners must communicate to management and the board of directors the need to mitigate BSA/AML risk. Examiners should document deficiencies as directed in the core examination procedures, Developing Conclusions and Finalizing the Examination, pages 48 to 51. A consolidated BSA/AML compliance program typically includes a central point where BSA/AML risks throughout the organization are aggregated. Refer to Consolidated BSA/AML Compliance Risk Assessment, page 28. Under a consolidated approach, risk should be assessed both within an d across all business lines, legal entities, and jurisdictions of operation. Programs for global organizations should incorporate the AML laws and requirements of the various jurisdictions in which they operate. Internal audit should assess the level of compliance with the consolidated BSA/AML compliance program.

Management and Oversight of the BSA/AML Compliance Program

The board of directors and senior management of a bank have different responsibilities and roles in overseeing, and managing BSA/AML compliance risk. The board of directors has primary responsibility for ensuring that the bank has a comprehensive and effective BSA/AML compliance program and oversight framework that is reasonably designed to ensure compliance with BSA/AML regulation. Senior management is responsible for implementing the board-approved BSA/AML compliance program.

Boards of directors. The board of directors is responsible for approving the BSA/AML compliance program and for overseeing the structure and management of the banks BSA/AML compliance function. The board is responsible for setting an appropriate culture of BSA/AML compliance, establishing clear policies regarding the management of key BSA/AML risks, and ensuring that these policies are adhered to in practice. The board should ensure that senior management is fully capable, qualified, and properly motivated to manage the BSA/AML compliance risks arising from the organizations business activities in a manner that is consistent with the boards expectations. The board should ensure that the BSA/AML compliance function has an appropriately prominent status within the organization. Senior management within the BSA/AML compliance function and senior compliance personnel within the individual business lines should have the appropriate authority, independence, and access to personnel and information within the organization, and appropriate resources to conduct their activities effectively. The board should ensure that its views about the importance of BSA/AML compliance are understood and communicated across all levels of the banking organization. The board also should ensure that senior management has established appropriate incentives to integrate BSA/AML compliance objectives into management goals and compensation structure across the organization, and that corrective actions, including disciplinary measures, if appropriate, are taken when serious BSA/AML compliance failures are identified. Senior management. Senior management is responsible for communicating and reinforcing the BSA/AML compliance culture established by the board, and implementing and enforcing the boardapproved BSA/AML compliance program. If the banking organization has a separate BSA/AML compliance function, senior management of the function should establish, support, and oversee the organizations BSA/AML compliance program. BSA/AML compliance staff should report to the board, or a committee thereof, on the effectiveness of the BSA/AML compliance program and significant BSA/AML compliance matters. Senior management of a foreign banking organizations U.S. operations should provide sufficient information relating to the U.S. operations BSA/AML compliance to the governance or control functions in its home country, and should ensure that responsible senior management in the home country has an appropriate understanding of the BSA/AML risk and control environment governing U.S. operations. U.S. management should assess the effectiveness of established BSA/AML control mechanisms for U.S. operations on an ongoing basis and report and escalate areas of concern as needed. As appropriate, corrective action then should be developed and implemented.

152

1. 2. 3. 4. 5. 6. 7. 8.

Compliance Key yo Prudent Operation Definition & Scope Compliance V/S Audit Compliance in the content of Banking Operation Need for Purpose Oriented Compliance Assignment of compliance officer Critical Areas of Compliance Credible Compliance a. The Requirement b. A/C Opening

9.

10. 11. 12. 13. 14.

15.

16.

17.

c. Money Laundering d. Lending Operations e. Overall Risk f. Reporting Compliance in account relationship establishment a. KYC Policy b. Customer Due Diligence c. Enhanced Due diligence d. Identifying Suspicious Transactions (STR) e. Combating Financing for terrorism (CFT) Compliance in continuing Account Relationship Compliance in AML Key SBP Regulations Compliance Officer knowledge Need Compliance in Lending Operations a. Risk Clearance b. Business Charter c. Terms of Sanction d. Financing Limits e. Documentation f. Pre-disbursement Audit g. Business Reciprocity h. Default i. Audit Objections Compliance in Risk Management a. Regulatory Compliance b. Liquidity c. Deposit= mix d. Concentration e. Liquidity Ratios f. Collateral Compliance in Foreign Trade Transactions a. Exchange exposure b. Reconciliation c. System Security d. System integrity e. Record Keeping f. Internal safety and security g. Safeguards against reputational Risk Making Compliance Effective a. Best Practices for compliance Technology b. Selecting a compliance system

Practical Group Based Exercises and AML / Control Break-Down case Studies: DAY ONE: 1. Catch me if you can (GAP ANALYSIS) a. Searching for control breakdowns b. Surfing for legal compliance in banking operations 2. Deliberating with customers (Role Play) a. Investigating STRs b. Analyzing possibilities of Money Laundering throughout banking conduit DAY TWO: 1. Syndicates a. Sharing self-raised Suspicious Transactions by participants 2. Self diagnosis exercise 3. Case Studies a. Pertaining to International FIUs