
How to Build an Audit Risk Assessment Tool to Combat Money Laundering and Terrorist Financing

EQUIPPING YOUR LAST LINE OF DEFENSE

A white paper by Jonathan Estreich
December 2013

The objective of this white paper is to offer specific considerations and suggestions for how the internal audit department can design a firm-wide AML risk assessment tool that: 1. improves the auditor's ability to identify relevant AML risks; 2. sets the foundation for thoughtful and supported risk determinations; and 3. produces results that can assist in the development of an audit plan that satisfies regulatory expectations for deterring money laundering and terrorist financing.

TABLE OF CONTENTS

EXECUTIVE SUMMARY ........ 3
INTRODUCTION ........ 3
    Regulatory expectations are high and the auditor's role is evolving ........ 3
    The audit plan reflects whether Audit is on track in the eyes of the regulators ........ 5
    Audit's risk assessment process drives the audit plan ........ 5
    There is a difference between an Audit AMLRA and other AML risk assessments ........ 6
    Assumptions ........ 7
DEVELOPING AN AUDIT AML RISK ASSESSMENT TOOL ........ 7
    Overview ........ 7
    A closer look ........ 8
THE SUPPORT FRAMEWORK: Investing in Audit's risk assessment process ........ 25
INTERPRETING AND USING RESULTS: The audit plan and beyond ........ 27
TAKEAWAY: The risk assessment design can better equip Audit ........ 28
APPENDICES ........ 30
    A  Overview of considerations ........ 30
    B  Examples of considerations ........ 31
    C  References ........ 35
    D  Helpful resources for rating and scoring ........ 37
    E  Acronyms and terms used throughout this paper ........ 37
    F  About the author ........ 39

The views expressed in this paper are those of the author, and the author alone. The author is not necessarily representing the views or opinions of JPMorgan Chase.

2|Page equipping your last line of defense



EXECUTIVE SUMMARY

For reference purposes herein, Bank Secrecy Act (BSA), anti-money laundering (AML), Office of Foreign Assets Control (OFAC) and sanctions will be referred to collectively as "AML".

The primary objective of this white paper is to offer specific considerations and suggestions for how a financial institution's internal audit department ("Audit") can design a firm-wide AML risk assessment ("AMLRA") tool that: 1. improves the auditor's ability to identify relevant AML risks; 2. sets the foundation for thoughtful and supported risk determinations; and 3. produces results that can assist in the development of an audit plan that satisfies current regulatory expectations for deterring money laundering and terrorist financing.

Internal audits are critical for proactively identifying deficiencies and for ensuring that financial institutions (FIs) maintain AML functions and programs that are aligned with supervisory requirements and examiner expectations. The selection of these audits, as represented by an audit plan, is the primary roadmap for AML testing activities and is often determined by a risk assessment. A notable challenge relating to the compilation of an audit plan that effectively captures AML risk lies with the initial design of the risk assessment tool[1], which should, at a minimum, produce meaningful results that the audit department can interpret, analyze and use to build an appropriate risk-based plan.

Most FIs that perform a wide range of activities across a number of separate business lines, legal entities and jurisdictions have, or are expected to have, a risk assessment process that can assist with their audit planning. The degree to which this process focuses on AML and complies with regulatory expectations varies from institution to institution.

The content provided herein is intended to offer guidance for enhancing or constructing a risk assessment tool that delivers helpful direction to the audit department in evaluating its FI's AML risks and controls, as well as in documenting decisions. This white paper is not intended to detail the complete process of a risk assessment, but rather to describe how to work within Audit's existing risk assessment framework to ensure that the AML component is developed and represented appropriately. A strong and well-designed tool should equip the auditor to identify risk and to demonstrate and evidence how risk ratings and related conclusions were derived.


INTRODUCTION

Regulatory expectations are high and the auditor's role is evolving

The requirements for AML compliance programs and related internal AML controls have remained, for the most part, consistent with past regulatory statutes and guidance such as the BSA [12 CFR 21.21] and the USA PATRIOT ACT [section 352]. However, within the past five years, the financial services industry has experienced noticeable changes in the articulation of regulatory expectations regarding the adequacy and overall view of internal controls. Concurrently, there has been a significant increase in both the frequency and severity of enforcement actions among the world's largest and most reputable financial corporations. Advances in technology and an expansion of sophisticated products and delivery systems may be partially responsible for the changing environment. These developments have not only provided additional banking opportunities but have also resulted in more complex financial relationships and have compelled money launderers to become smarter and more creative. Nonetheless, despite the

[1] The term "tool" will be used herein to represent the mechanism (such as a basic template or system) used by the FI to organize, record, assess and rate AML risks. The tool can be a sophisticated system or a simple spreadsheet, as well as any accompanying guidance.


many possible impetuses for the increased legal force, it is clear that there has been a shift in the accepted standard for sound banking practices.

Between the years 2010 and 2013, there have been over twenty-five AML-related consent orders, written agreements and cease and desist orders and more than $900 million in fines[2]. According to a report issued by the U.S. Senate, recent prosecutions and legal actions relating to OFAC violations between 2010 and 2012 have amounted to over $1.4 billion, involving well-known financial institutions[3]. Based on metrics from the U.S. Department of the Treasury, OFAC-related penalties and settlements between January 2, 2013 and October 25, 2013 totaled $12,875,278[4]. In a recent industry paper, Kenneth Simmons[5] analyzed BSA examination results of 137 financial institutions that were issued reports between September 2009 and March 2013; these results reflected that, as of April 2013, there were more than 202 open Matters Requiring Attention (MRAs) that related to the four pillars of an AML program (audit, internal controls, training and the BSA officer). Of all MRAs reviewed, 83.88% of outstanding MRAs referenced internal control failures.

Based on a review of regulatory orders in 2012 and 2013, frequently cited AML program weaknesses included:

- Inadequate customer due diligence and enhanced due diligence practices.
- Incomplete identification of high-risk customers.
- Insufficient policies, procedures and training.
- Failures in monitoring and identifying suspicious activity.
- Poor reporting and filing practices relating to suspicious activity.
- Ineffective independent testing and audit functions.

The underlying message suggests that the expectation for FIs to be less reactive and more proactive (e.g., by enhancing risk management practices and maintaining an effective regime to audit their AML compliance programs) has become a minimum standard in the eyes of supervisory agencies. This includes further attention to:

- A risk-based approach that focuses on higher-risk clients, products, services, geographies and relationships across businesses.
- Timely identification of deviations from policy, laws, rules and regulations within individual business lines and activities.
- Testing the adequacy of internal controls designed to ensure compliance with AML requirements.

As part of this enhanced scrutiny, regulators are emphasizing the importance of independent testing and the evolving role of the AML auditor in helping their FI to manage risk and sustain an operational AML program, such as through additional focus on risk tolerance, the level of assurance, the depth and precision of controls, the nature of substantive testing and the degree of credible challenge. Consequently, Audit has become even more critical in positioning its FI to avoid compliance, legal and reputational risks relating to AML functions.

[2] See http://www.bankersonline.com/security/bsapenaltylist.html.
[3] See the Minority Staff of the Permanent Subcommittee on Investigations report dated July 17, 2012 entitled "U.S. Vulnerabilities to Money Laundering, Drugs, and Terrorist Financing: HSBC Case History".
[4] See http://www.treasury.gov/resourcecenter/sanctions/CivPen/Pages/civpenindex2.aspx.
[5] Kenneth Simmons is a Bank Examiner and BSA/Compliance specialist with the Office of the Comptroller of the Currency. See Simmons, Kenneth. (2013, December). Learning from the Mistakes of Others: Matters Requiring Attention.


In addition, Audit's role and its relationship with regulators may be important for another reason. Due to the strong focus on AML and the extent of related challenges within the financial industry, the need for a collaborative approach to combat money laundering and terrorist financing has become more apparent. As such, subject to a reasonable level of comfort that the audit department is effective, competent and dependable, examiners may gradually expand their reliance on the work of AML auditors. This trust would be mutually beneficial for both parties.

The audit department is the last line of defense. Audit is responsible for conducting an objective evaluation of the AML compliance program for soundness, adequacy and sustainability while maintaining independence from compliance and business functions. This includes a review of the FI's risk assessment for reasonableness given the FI's risk profile (e.g., products, services, customers, entities, geographic locations).

The audit plan reflects whether Audit is on track in the eyes of the regulators

In order to meet regulatory expectations and comply with fiduciary responsibilities, Audit is responsible for assembling an audit plan that demonstrates its organization's knowledge of its Business Units[6] and an understanding of the business' associated risks. The audit plan dictates what areas will be tested in order to ensure that the FI is protected by way of controls that are operating effectively. If the plan is lacking, the FI may be exposed to control gap risk or breaches in regulatory compliance. A sufficient plan should, at a minimum, focus on the highest risk areas to ensure that either the FI has a sound control environment or that the assessed risks do not pose a significant threat. The cornerstone of an adequate audit plan is a strong risk assessment tool.

Audit's risk assessment process drives the audit plan

Without a proper risk assessment, it would be particularly difficult for a large, complex, multinational FI to figure out what to audit. An audit plan that includes every possible auditable Business Unit is arguably not a plan and is most likely an unrealistic approach in a world of finite resources. The audit department is expected to select audits using a risk-based approach that provides a reasonable belief that critical risks, such as those relating to money laundering and economic sanctions, are identified and assigned adequate testing coverage in a timely fashion. As such, a successful risk assessment should result in a detailed risk profile for each Business Unit, which can subsequently drive the level of audit coverage, including both scope (e.g., extent of testing areas/testing steps) and frequency (e.g., annually, biannually). Further, a well documented and thorough assessment can supply the rationale for including or excluding a specific audit area. The process of building the audit plan should involve consideration of existing or prior audit coverage, unique business risks, pre-existing issues and the severity of AML risk factors.

OVERVIEW OF PRIMARY AUDIT OBJECTIVES

- Determine whether the overall AML/BSA compliance program is suitably designed and operating effectively.
- Identify any material program weaknesses, control deficiencies and corresponding opportunities for program, process and control enhancements, and report them to senior management and the board (usually the audit committee).
- Assist management with identifying money laundering, terrorism financing and other financial crime vulnerabilities.
- Perform and document procedures and results that may be useful to regulators in conducting their supervisory examinations.
- Assess and identify possible gaps and opportunities for management to continually improve its suspicious activity detection, investigation, analysis, escalation, documentation and reporting processes and controls, including due diligence feedback and the enterprise-wide AML risk assessment process.
- Assess management's AML strategic planning process.
- Identify opportunities and methods to help management make program enhancements continuous and sustainable.
- Assess and identify opportunities to enhance management's self-monitoring and self-testing compliance review program.
- Assess how well AML compliance is integrated into the business.

Adapted from: The SAR Activity Review Trends, Tips and Issues (Issue 16), (October, 2009).

[6] For the purposes herein, all auditable business areas, control functions/utilities and lines of businesses (LOBs) will be referred to collectively as "Business Units".


There is a difference between an Audit AMLRA and other AML risk assessments

Most risk assessment exercises have the common objective of identifying and assessing risk with the purpose of determining how to prioritize and focus resources based on the areas of most concern. Differences between risk assessment tools do exist, however, and these may be attributed to who the tool is designed for and how the results will ultimately be used. The design sets the stage for what the output will look like, and as such, both the "who" and the "how" are important considerations. Understanding this distinction at the onset will facilitate the development of the risk assessment tool.

An Audit AMLRA, for instance, targets different information from a line of business (LOB) AML risk assessment. LOB AMLRAs are usually approved by the AML officer or other AML department designee and the predominant objective is to identify and assess AML risk with the purpose of resolving issues, driving institutional activities, allocating resources and informing risk-based business decisions. These decisions could include whether to exit relationships with particular client types, whether to eliminate particular products or services, or whether to expand upon the control environment.

The predominant objective of an Audit AMLRA, usually completed by an auditor or other audit department designee, is to identify and assess potential risk (e.g., control gaps) with the purpose of constructing a standalone AML risk assessment that can pinpoint areas warranting either immediate escalation (such as a blatant difference in how Audit has perceived a risk versus the business line's view) or areas warranting further substantiation and testing. By conducting a more detailed review (an audit) of less apparent areas, the department is able to perform independent evaluation, substantiate concerns and communicate issues to the relevant business area(s) for them to take appropriate action. Audit may also risk rate control gaps and weaknesses to assist the business with prioritizing and planning its activities. Accordingly, it may be more reasonable to expect the Business Units to derive statistics and pull information from business-specific metrics or reports as part of its LOB AMLRA, while an Audit AMLRA may reflect a combined approach of independently deriving some pieces of information and leveraging other pieces, such as by discussing pre-existing information from prior risk assessments (e.g., country, client, LOB, product) or material from previously identified issues (e.g., audit, regulatory)[7].

Likewise, a firm-wide customer risk assessment process is generally conducted by the business line, compliance or risk departments and focuses on determining which individual customers should be ranked as high risk (HR) based on the firm's approved customer risk rating model. When Audit conducts an assessment of customer risk for audit planning purposes, they are likely interested in assessing the aggregate level of customer risk within a particular business area, and thus it makes sense for an Audit AMLRA to focus on determining the proportion of customers that are categorized as HR as per the existing firm-wide customer risk assessment.

Ideally, an effective Audit AMLRA should assist with audit decisions relating to: a) whether the FI's risk assessment processes are effective; b) what Business Units should be audited; c) what AML components within a Business Unit may warrant testing coverage; d) the frequency for which a Business Unit may need to be tested; e) prioritization and timing of audit coverage across Business Units; and f) potential resourcing demands for conducting the resulting audits.

[7] While the business risk assessments and corresponding data should be tested as part of a comprehensive Audit program, it may not always be feasible to substantiate and independently validate all pieces of information as part of the Audit AMLRA process due to timing constraints, such as annual planning deadlines, and other challenges, including a large volume of assessments requiring completion by Audit. As such, rather than testing all referenced firm-wide risk assessments (country, client, LOB, product, etc.) and independently deriving all information used for the Audit AMLRA, the Audit AMLRA may be conducted more efficiently at the risk assessment stage by allowing for some level of reliance on existing information when drawing conclusions. In these instances, Audit should have a reasonable level of comfort that the leveraged information is accurate and/or reliable (such as through previous validation exercises). Although not encouraged, in situations where Audit may reference or leverage information that has not been previously verified, or that relates to known issues or concerns, Audit should document this and flag it for subsequent substantiation and testing. If, for instance, the Audit AMLRA relies on the product risk assessment for support that remote deposit capture is a HR product and then relies on the LOB risk assessment for support that 50% of customers within Retail Banking use remote deposit capture, then Audit may want to consider separate audits for both the product and LOB risk assessments to support its inferences.

The sharing of Audit's AMLRA results with the business line may be a win-win gain. The audit department may want to consider whether it makes sense to establish a vehicle for sharing relevant results with the business and, if so, under what circumstances. Certain findings, such as differences in opinions, potential testing areas, open questions regarding specific data or otherwise helpful information, may on occasion be useful to provide sooner rather than later to assist with clarifying issues, resolving discrepancies and expediting corrective action.

Assumptions

The guidance provided herein is based on the following assumptions:

- The audit department has an existing risk assessment process for its annual audit planning.
- The audit department has an existing scoring model/methodology (e.g., definitions, weightings, numerical criteria)[8].
- For each Business Unit within the FI, there are one or more individuals within the audit department who understand the business and are familiar with the business' unique risks.
- The audit department has one or more AML subject matter experts and/or would be willing to hire additional AML resources.

DEVELOPING AN AUDIT AML RISK ASSESSMENT TOOL

Overview

The development of a robust risk assessment model is largely, if not completely, dependent upon the individual elements that are chosen as the risk and control environment factors to be assessed and evaluated. Based on the Federal Financial Institutions Examination Council (FFIEC)[9] and other leading industry sources, there are certain categories of inherent AML risk that apply broadly across the financial industry and are universally accepted as standard risks that must be addressed. As explained by the Federal Deposit Insurance Corporation (FDIC), "[i]nherent risks are the risks that exist before the application of controls intended to mitigate those risks. Clearly identifying inherent risks is particularly beneficial in making determinations for the scope and frequency of audit and independent reviews, determinations that should be based on a financial institution's assessment of inherent risk without assuming that controls are functioning as intended. Residual risks are those that exist after the application of controls. In this context, risks cannot be completely eliminated, even though layered security may reduce risk to an acceptable level."[10]

Primary inherent AML risks relate broadly to an FI's:

1. Customers
2. Products and Services
3. Transaction Activity
4. Geographic Presence

Pursuant to an FI's obligation to maintain an adequate AML compliance program, FIs are expected to establish a control environment that minimizes, and where possible safeguards against, AML risks. From an Audit

[8] See Appendix D for helpful resources for rating and scoring.
[9] See 2010 FFIEC Bank Secrecy Act/Anti-Money Laundering Examination Manual.
[10] See "From the Examiner's Desk: Customer Information Risk Assessments: Moving Toward Enterprise-wide Assessments of Business Risk".


perspective, when evaluating an individual Business Unit's control environment, the audit department should, at a minimum, assess the current state relating to:

- Know Your Customer Practices.
- Suspicious and/or Unusual Activity.
- OFAC and Sanctions.
- Employee AML Expertise and Coverage.
- Management and Oversight.
- Policies, Procedures and Processes.
- Operations and Technology.

According to the Association of Certified Anti-Money Laundering Specialists (ACAMS)[11], commonly cited risk assessment weaknesses by regulatory authorities include: a) assessments were not performed and/or not evidenced through documentation; b) assessments did not include all lines of business or entities; c) assessments did not consider all major risk categories; d) there was a lack of methodology for assigning risk ratings/levels; and/or e) policies and procedures were not commensurate with the institution's risk profile. The following sections will explore the art and science of forming a well-crafted AML risk assessment.

Auditors and regulators may be considered the primary audience. The two key players who will be using the tool the most are the auditor completing Audit's assessment and the AML examiner evaluating Audit's assessment. This is a helpful consideration when designing the tool.

A closer look

At the very least, an AMLRA tool should be conducive to the identification, quantification, assessment and documentation of the level of risk within a Business Unit. A strong design leads, directs and guides the auditor's focus and helps the auditor to successfully execute these functions while avoiding generalizations. By highlighting key focal points and providing clear descriptions and examples of pertinent risk and control considerations within the design of the tool itself (e.g., the template completed by the auditor or accompanying guidance), the tool can pave the way for a more efficient assessment that reflects stronger quantitative and qualitative analysis.

COSO notes that a risk assessment allows an entity to consider the extent to which potential events have an impact on the achievement of objectives. Management assesses events from two perspectives, likelihood and impact, and normally uses a combination of qualitative and quantitative methods. The positive and negative impacts of potential events should be examined, individually or by category, across the entity. Risks are assessed on both an inherent and a residual basis. Inherent risk is the risk to an entity in the absence of any actions management might take to alter either the risk's likelihood or impact. Residual risk is the risk that remains after management's response to the risk.

The COSO ERM Framework notes that the risk assessment component is a continuous and iterative interplay of actions that take place throughout the entity. While managers responsible for business unit, function, process, or other activities develop a composite assessment of risk for individual units, entity-level management should consider risk from a portfolio perspective.

Sources: The FDIC's Internal Risk Management Program (November 2007), Report No. EVAL-08-001; Internal Control - Integrated Framework (COSO, 1992, 2004).

The following section is a high-level illustration of relevant considerations that can be incorporated into, or addressed as part of, the design to improve the consistency and quality of risk assessment results, including better narratives (e.g., written rationale, executive summaries) and more detailed evaluations of the relevant Business Unit(s). While the following elements do not represent a restrictive list, the framework is intended to broadly capture all facets of an AML program and serve as a comprehensive set of considerations with the flexibility to address additional items that may not be specifically mentioned herein.

[11] See "Spotlight on Large Institutions: Conducting Enterprise-Wide AML Risk Assessments that Go Beyond the Expectations of Examiners and Senior Management", ACAMS; June 26, 2013.


Inherent Risks

The process of identifying and assessing the degree of inherent risk within a Business Unit will help to quantify the extent of residual risk, which in turn can inform audit planning decisions such as whether to include a Business Unit in the annual plan, and if so, at what testing frequency and scope.

Potential inherent risk areas include, but are not limited to:

Customers. Certain customers[12] may pose a higher risk of money laundering and/or terrorist financing with respect to unique characteristics, such as the nature of their business (for legal entities), their occupation (for individuals), the duration of the relationship with the FI and/or the number of accounts across various business lines. The focus of Audit's assessment should be on identifying the extent to which the Business Unit's customer population reflects high-risk characteristics based on the risk attributes that have been considered.

Potential considerations for assessing the level of risk (i.e., high, medium, low) include:

HR Customer Types. Most large multinational FIs maintain compliance-approved lists that reflect the FI's agreed-upon categorizations for HR customer types. This commonly includes particular industries/occupations (e.g., small arms manufacturing, used car dealers) or other designated customer categories that may require special due diligence (e.g., non-governmental organizations, bearer share entities, money services businesses and foreign exchange houses, third-party payment processors, politically exposed persons [PEPs]). An appearance on such a list does not necessarily indicate that the customer should be treated as a HR customer; however, it does suggest that the customer has one or more HR characteristics that warrant further consideration. The final decision to assign a HR rating is generally governed by a separate customer risk assessment model that considers a variety of customer-specific factors such as location, products used, ownership attributes, the presence of anti-money laundering systems, extent of regulatory oversight and/or material negative information (e.g., associations with enforcement actions, sanctions, criminal activity, government inquiries, known money laundering). When evaluating a particular Business Unit's customer base, it may be helpful to consider both the FI's assigned risk rating for the customer as well as other individual risk factor components that may influence AML risk.

Duration of Relationship. The length of a client relationship as indicated by account maturity (i.e., based on the date that the first account was opened with the FI) may be an indicator of how well the FI knows its customer. FIs tend to have a better understanding of their customers' expected activities and behavior when they have had time to observe them and interact with them.

Closed/Blocked Accounts. Frequent bank-initiated account closures and/or account blocks may be indicative of customer characteristics or transactions that are either unexplained, questionable or undesirable.

[12] According to the FFIEC, "[a] customer is a person (an individual, a corporation, partnership, a trust, an estate, or any other entity recognized as a legal person) who opens a new account, an individual who opens a new account for another individual who lacks legal capacity, and an individual who opens a new account for an entity that is not a legal person (e.g., a civic club). A customer does not include a person who does not receive banking services, such as a person whose loan application is denied." As defined in 31 C.F.R. 103.121(a)(1), "[a]ccount means a formal banking relationship established to provide or engage in services, dealings, or other financial transactions including a deposit account, a transaction or asset account, a credit account, or other extension of credit. Account also includes a relationship established to provide a safety deposit box or other safekeeping services, or cash management, custodian and trust services."


Number and Nature of Accounts. Customers who have accounts or access to services across multiple Business Units, as well as customers with accounts that offer enhanced or flexible features (e.g., higher transaction limits, minimal restrictions), may present increased risk exposure due to their ability to conduct a wider range of activities such as those involving additional products/services, delivery channels, locations or account types. These customers may engage in complex, frequent and/or diverse transactions within the FI and may pose additional monitoring and control challenges. In addition, where customers have a footprint across multiple Business Units, there is a higher potential for confusion over accountability and respective responsibilities.

Magnitude provides perspective; be sure to consider context when assessing and documenting statistics and other metrics. The use of quantitative information is instrumental in signaling the quality and credibility of a risk assessment; however, numbers without context are just noise. When collecting, reviewing and documenting metrics for assessing risk, it is important to consider both the absolute numbers and changes in those numbers within the context of the Business Unit, including clear demonstration of the relative significance within the assessment. A certain number of HR customers within one Business Unit may have a very different connotation than the same number of HR customers in another area, depending on factors such as the proportion of the overall population represented. Similarly, two Business Units may have the same number of new customer relationships; however, one of these may have rapidly increased the number of new customers within the past year. Material increases or decreases should be evaluated and documented within the assessment.
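The point about magnitude and context, worked through in code as an added example (not from the paper or any firm's tool): two Business Units with the same count of HR customers are put in proportion to their populations, and the year-over-year movement in new relationships is tested for materiality. The thresholds, the unit names and all figures are constructed for illustration.

```python
"""Constructed example: Business Unit customer metrics in context.

Same absolute count, different meaning: the helper below reports the HR
proportion of each unit's population and the change in new relationships,
and flags material movements so the auditor documents them in the assessment.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Assumed thresholds (illustrative, not from the paper or any regulator).
MATERIAL_CHANGE = 0.25      # a 25% year-over-year move in new relationships
HR_PROPORTION_HIGH = 0.10   # 10% or more of the population rated HR


@dataclass(frozen=True)
class UnitSnapshot:
    """Figures an auditor would pull for one Business Unit (constructed)."""
    name: str
    total_customers: int
    hr_customers: int
    new_customers_prior_year: int
    new_customers_current_year: int


@dataclass(frozen=True)
class ContextMetrics:
    name: str
    hr_proportion: float
    new_customer_change: Optional[float]   # None when no prior-year baseline
    material_change: bool
    notes: Tuple[str, ...]


def assess_unit(snap: UnitSnapshot) -> ContextMetrics:
    """Turn raw counts into the contextual statements the paper asks for."""
    if snap.total_customers <= 0:
        raise ValueError(f"{snap.name}: total_customers must be positive")
    if not 0 <= snap.hr_customers <= snap.total_customers:
        raise ValueError(f"{snap.name}: hr_customers out of range")

    # Absolute number expressed as a share of the unit's own population.
    hr_prop = snap.hr_customers / snap.total_customers

    # Change in new relationships; a zero baseline cannot yield a rate.
    prior, current = snap.new_customers_prior_year, snap.new_customers_current_year
    change: Optional[float] = None if prior == 0 else (current - prior) / prior
    material = change is not None and abs(change) >= MATERIAL_CHANGE

    notes = [f"{snap.hr_customers} HR customers = {hr_prop:.1%} of "
             f"{snap.total_customers} customers"]
    if hr_prop >= HR_PROPORTION_HIGH:
        notes.append("HR proportion at or above the assumed high threshold")
    if change is None:
        notes.append(f"{current} new relationships; no prior-year baseline, "
                     "change not computable (document as a new population)")
    elif material:
        direction = "increase" if change > 0 else "decrease"
        notes.append(f"material {direction} in new relationships "
                     f"({prior} -> {current}, {change:+.0%})")
    else:
        notes.append(f"new relationships {prior} -> {current} ({change:+.0%}), "
                     "within the assumed tolerance")
    return ContextMetrics(snap.name, hr_prop, change, material, tuple(notes))


def compare_units(snapshots) -> Dict[str, ContextMetrics]:
    """Assess several units side by side so relative significance is visible."""
    return {s.name: assess_unit(s) for s in snapshots}


# Constructed sample data: both banking units report exactly 1,000 HR customers.
SAMPLE_UNITS = (
    UnitSnapshot("Retail Banking", 200_000, 1_000, 12_000, 12_500),
    UnitSnapshot("Private Banking", 5_000, 1_000, 300, 450),
    UnitSnapshot("New Payments Unit", 800, 40, 0, 800),
)

if __name__ == "__main__":
    for metrics in compare_units(SAMPLE_UNITS).values():
        print(metrics.name)
        for line in metrics.notes:
            print("  -", line)
```

Run as a script it prints one contextual note set per unit; the 1,000 HR customers that are 0.5% of Retail Banking are 20% of Private Banking, and only Private Banking shows a material movement in new relationships.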

Products and Services. Certain products/services pose a higher risk of money laundering and/or terrorist financing depending on the nature of the products/services and the capacity in which they may be used. Particular products/services, for instance, may support a higher degree of anonymity (e.g., prepaid cards, Internet banking, virtual currency), allow for third-party engagement (e.g., remotely created checks [RCCs], U.S. dollar drafts) or facilitate the handling of high volumes of currency or currency equivalents across less regulated jurisdictions (e.g., cross-border wire transfers). Products/services traditionally viewed as lower risk may warrant a closer review should they possess modifications or accommodations that allow for higher-risk activity. Likewise, by nature of the products/services offered, a Business Unit itself may pose enhanced susceptibilities due to its inherent relationship with a customer (i.e., if the Business Unit has close or personalized interaction with wealthy, influential, or otherwise important customers) or if it is anticipated that significant profit or business may be generated by the Business Unit based on its customer types, such as what might be expected from high net worth individuals. The focus of Audit's assessment should be on evaluating the types of products/services offered (including associated business strategies and relationships) and the extent to which the Business Unit's customers either use, or have the ability to use, products/services that present high or unique AML risk.

Potential considerations for assessing the level of risk (i.e., high, medium, low) include:

HR Products and Services: Most multinational FIs maintain compliance approved lists that reflect the FI's categorizations for HR products/services. This commonly includes particular products/services that are complex in nature or that offer the potential for anonymity, speed or transferability (e.g., remote deposit capture [RDC], trade finance, payable through accounts, prepaid cards, certain types of mobile technology). A greater number of customers that use, or are expected to use, HR products/services within a particular business could present additional challenges in monitoring, understanding and/or detecting AML risks. In addition, consideration should be given to how products/services are being used and whether there may be unique AML risks that are not otherwise captured by the product/service risk rating. A low or medium risk product/service may present higher AML risk depending on particular characteristics, modifications or the overall capacity in which the product/service may be used (e.g., automated clearing house [ACH] transactions may not necessarily be rated as HR, but these transactions may offer the opportunity for unidentified non-customers to access the FI's internal systems). In general, the potential for non-HR products/services to be used as a conduit for money laundering is higher in environments where controls are conventionally loose or altogether absent.

10 | P a g e equipping your last line of defense

New Products and Services: A Business Unit with a greater number of new products/services may pose a higher risk than a Business Unit with more established and familiar products/services that have been previously evaluated, monitored and/or used. Products/services with shorter shelf lives tend to present a higher degree of uncertainty as to how each product/service may be used and the subsequent potential for misuse.

Degree of Business/Sales Generated from HR Products and Services: Although a Business Unit may not offer a significant number of HR products/services (or have a significant number of customers who use HR products/services), this does not necessarily negate the risk of having a relatively high amount of revenue generated from the use of HR products/services. A smaller concentration of customers with enhanced usage or large dollar value transaction activity deriving from HR products/services may also be an indicator of AML risk.

Risk Tolerance and Business Strategies: Business Units with a higher tolerance for risk are inherently more risky, regardless of the controls that may be in place. Indicators of a high risk appetite[13] might include: a willingness to accept higher risk customers or to provide HR products/services, expansion of products/services into riskier jurisdictions, lax commitment to implementing critical AML processes or controls (e.g., through an approval or exception process that allows the Business Unit to deviate from normal protocol) or radical and frequent changes in business strategies.

Transaction Activity
Certain transactional behavior and patterns, such as a high volume of transactions, large aggregate dollar amounts of activity or transactions entering and leaving accounts at high speeds (also known as velocity), may warrant further attention, as money laundering and/or terrorist financing often involves transaction activity characterized by complex flows, higher speeds and sometimes larger dollar amounts so as to obscure audit trails of select transactions and accumulate sufficient funds to support criminal intentions. In addition, a high volume of transactions involving HR jurisdictions, transactions involving indirect customers and/or otherwise unexplained or unreasonable behavior may be indicative of potential money laundering and/or terrorist financing. The focus of Audit's assessment should be on evaluating the transaction profile for the Business Unit and the extent to which the Business Unit reflects transaction activity that may be indicative of enhanced AML risk.

[13] According to the International Organization of Supreme Audit Institutions (INTOSAI), "[r]isk appetite is the amount of risk on a broad level that an entity is willing to accept in seeking to achieve its objectives. It reflects the risk management philosophy and in turn influences the entity's culture and operating style. Risk appetite can be considered quantitatively or qualitatively. It should be considered in strategy setting, where the desired return from a strategy should be aligned with the risk appetite, that is the willingness to accept or tolerate risk ... [r]isk tolerances are the acceptable levels of variation relative to the achievement of objectives. They can be measured through performance targets. Often performance targets are best measured in the same units as the related objectives. Operating within risk tolerances provides management greater assurance that the entity remains within its risk appetite and will achieve its objectives." http://www.issai.org/media/13341/intosai_gov_9130_e.pdf


Potential considerations for assessing the level of risk (i.e., high, medium, low) include:

Activity Involving HR Products/Services: A Business Unit with a high overall volume and/or dollar value of activity involving products/services that are considered to be HR by the Business Unit may pose higher risk than a Business Unit that reflects less activity involving HR products/services. In certain circumstances, an increase in the absolute volume and/or dollar value, as well as an increase in the overall velocity of HR and non-HR transactions, may be indicative of enhanced AML risk. Consideration should also be given to the dollar value size of individual transactions involving HR products/services and the total number of accounts (and any identified increases in the number of accounts) within the Business Unit that involve HR activity as described above.

International Activity: A high absolute level (e.g., volume) and/or high absolute amount (e.g., dollar value) of international activity and/or significant increases in either the volume of international transactions or the dollar value of international transactions may present additional money laundering and/or terrorist financing risk, as particular countries may be more vulnerable to money laundering and/or terrorist financing due to lax or nonexistent controls, laws and/or regulations. International activity includes cross border and intra-country activity involving international jurisdictions.

Transactions Involving Indirect Parties: Transactions involving parties who are not customers of the FI or transactions routed through third parties pose additional challenges in monitoring, understanding and/or detecting AML risks, as there is no direct relationship with the FI. This may occur when customers are correspondent banks that provide access to third party foreign financial institutions through nested accounts or where the customer is a third party payment processor (such as PayPal or Amazon) that provides payment processing services to merchants and other business entities that do not have a relationship with the FI. As such, due to the absence of information surrounding these often unidentified persons, it is more difficult to identify, understand and assess their behavior.

Reportable Transaction Activity: Activity reports are effective mechanisms for identifying potentially suspicious, questionable or unreasonable customer behavior. A Business Unit that reflects a significant level of reportable transaction activity may pose a higher risk than a Business Unit that does not exhibit such behavior. Transaction activity reports include suspicious transaction reports (STRs), suspicious activity reports (SARs) and other related reports such as currency transaction reports (CTRs).

Geographic Presence
There are certain jurisdictions that are recognized as being more susceptible to money laundering and/or terrorist financing based on their potential to facilitate the movement, concealment and use of illicit funds. Geographies characterized by weaker regulatory environments, higher levels of corruption, legal uncertainty and political and economic instability, for instance, present difficulties in detecting and deterring illegal operations. An extensive amount of work has been performed by established and internationally recognized organizations (e.g., OFAC, Financial Crimes Enforcement Network [FinCEN], Financial Action Task Force [FATF], Transparency International) to evaluate and risk rate countries based on their capacity to foster money laundering. Available informational sources and lists include the FATF Black List; the Section 311 designated countries list; Specially Designated Nationals (SDN) and Blocked Persons List; countries subject to OFAC sanctions; offshore financial centers (OFC); high intensity drug trafficking areas (HIDTA); high intensity financial crime areas (HIFCA); as well as other non-U.S. lists. In addition, many FIs with an international presence tend to have a process in place for leveraging and consolidating the available country risk information to develop their own internal country lists that are then tailored for their specific organization. The focus of Audit's assessment should be on evaluating the extent to which the Business Unit is involved with higher risk jurisdictions as indicated by the FI's preexisting country risk ratings.

Potential considerations for assessing the level of risk (i.e., high, medium, low) include:

Customers in HR Locations: A significant number of customers with a known presence in a HR location may pose increased money laundering and/or terrorist financing risk due to their ability to accumulate and route funds through less secure regions. A presence may be inferred by an operating address, a residential address or any other known address that may be indicated in the customer's profile.

Physical Presence in HR Locations: The extent to which a Business Unit is involved with HR jurisdictions may, to some degree, be reflected by whether the Business Unit has access to a physical operating branch or legal entity within a HR jurisdiction.

Transactional Activity with HR Locations: The extent to which a Business Unit is involved with HR jurisdictions may, to some degree, be reflected by the number of customers who exhibit frequent transactions within HR jurisdictions and/or the number of customers with account features or products that indicate activity with foreign locations (e.g., cross jurisdictional wire transfers, international ACH transactions).

You might not own customers or products, but look deeper for potential AML risk.
Not all AML risks may be identified through the same lens. Each Business Unit has different risks depending on its activities and how business is conducted. AML risk might be more apparent for Business Units that directly own customers, such as an investment banking division; however, for other areas such as technology, proprietary trading desks or Business Units that sell or develop products on behalf of other businesses, it may be less obvious as to how inherent risks should be identified, rated and discussed within the AML RA.

In these instances, it helps to consider transactional activity (e.g., with vendors or counterparties) and to think holistically about the Business Unit's potential (e.g., in the absence of controls) to influence AML risk, such as whether the Business Unit affects risk in other business areas within the FI. A technology function, for instance, may provide AML data to a retail business to assist it in understanding its customer segmentation. If this data is incorrect and subsequently relied upon, it may lead to unintended business decisions, such as onboarding additional HR customers. Likewise, if a Business Unit's KYC system experiences lost or altered customer information as a result of a request for the technology function to implement system updates, customers may wind up with inaccurate risk ratings or improper due diligence. An assessment that is attentive to potential impact and considers risk in isolation of the control environment can help to draw out those less obvious inherent risks.


Control Environment and Risk Mitigants

A well designed risk assessment tool should demonstrate that a strong control environment is a continuous feedback loop of interconnected areas within the AML program requiring ongoing and enterprise wide evaluation.

Potential control environment areas include, but are not limited to:

Know Your Customer (KYC)
KYC encompasses all practices relating to the collection, review and verification of customer information. The process of gathering information is an ongoing risk based cycle that begins with verifying the customer's identity and obtaining a preliminary understanding as to the potential risks associated with the customer. This initial risk profile, which includes customer details such as identifying information (e.g., legal name, address, government identification number) and basic due diligence (e.g., customer type, anticipated activity, name screening results), is often used to risk rate the customer (i.e., high, medium, low) in accordance with the FI's customer risk scoring methodology. The relationship between customer information and perceived risk is bidirectional: customer details inform the level of risk, and the level of risk governs the extent of required customer information.

The essence of KYC is to enable the FI to form a reasonable belief as to the identity of the customer and to obtain an understanding over the customer's expected behavior, including the ability to identify abnormalities. The information accumulated through this process feeds and informs all pillars of the AML program and, as such, policies, procedures and processes should be in place for obtaining, validating and updating customer information in a manner that allows for effective detection, monitoring, investigating and reporting of suspicious activity. KYC requirements and functions, including customer identification programs (CIP), customer due diligence (CDD), enhanced due diligence (EDD) and special circumstances due diligence, should be clearly defined and aligned to customer attributes and risks. Enhanced or specialized customer due diligence practices (e.g., for correspondent or private banking accounts) should be in place for customers who pose increased or unique AML risks. The focus of Audit's assessment should be on evaluating the strength of the Business Unit's KYC practices, its ability to collect and maintain complete and relevant information, and the capacity to use this information to make appropriate decisions regarding the level of customer risk.

Potential considerations for assessing the strength (i.e., strong, adequate, weak) of the control include:

Exceptions or Waivers: Throughout the financial services industry, there has been increased focus on developing internal policies, procedures and/or standards that promulgate a consistent and comprehensive approach to conducting KYC. Although deviations from agreed upon practices may be reasonable in specific circumstances, a significant number of exceptions or waivers may pose additional challenges in maintaining adequate and consistent information and may weaken the control environment. In addition, the nature of the exception or waiver may play a role in the level of risk. For instance, relevant characteristics such as the duration (temporary versus permanent), the location (high risk country versus low risk country) or the scope (one off or across a particular group) should be considered when assessing the risk. As a best practice, a process should be in place to ensure that exceptions, waivers or deviations are approved, documented and supported. In instances where temporary exceptions or waivers are permitted, formal tracking and follow up processes (e.g., automated flags or reports) should be in effect.


Reliance: Reliance on other Business Units or third parties to perform KYC processes or to provide customer information is at times appropriate. This might apply to instances where a customer has an account with another Business Unit that maintains KYC, or where a central utility executes KYC functions. Despite the value in leveraging preexisting resources, the opportunity for oversight or deficiencies in maintaining adequate customer information may arise in instances where a Business Unit does not fully own the process or possess proper management controls. Extensive reliance (particularly in instances where governance over the reliance is weak) may diminish the Business Unit's ability to demonstrate that it understands its customer. Instances involving reliance should be documented, approved and monitored to ensure that the Business Unit is effectively managing KYC and is aware of relevant risks. Supplemental measures on the part of the business, such as an oversight program that includes quality control checks or monitoring processes to supervise and report on the activities performed by other Business Units or third parties, can help to maintain sustainability and minimize reliance threats.

Completeness of Customer Information: Customer profiles that lack the required KYC components fail to adequately represent the customer and may result in inaccurate risk ratings. A misalignment between the customer's current risk rating and the available KYC information can hinder the Business Unit's ability to understand the customer and identify risk. Frequent or repetitive occurrences of customer accounts with incomplete or deficient information may indicate systematic weaknesses in the KYC process.

Renewals, Updates and Periodic Reviews: Performing periodic risk based renewals and maintaining up to date customer information are critical components of understanding the customer base. This involves looking for changes in KYC information (e.g., expected account activity, employment or business details, business ownership, etc.) as well as being cognizant of HR activity in low risk accounts. Customer profiles with outdated information may indicate additional risk exposure, as there may be instances where a customer's risk rating should be elevated and/or additional information collected. Best practices include updating customer information and reassessing customer risk ratings in accordance with established policies and procedures.

Customer Name Screening (see the OFAC and Sanctions control section for details on OFAC screening): An essential aspect of "knowing your customer" lies with performing customer name screening and list comparison searches. This function usually occurs at account opening and renewal stages and includes the identification of PEPs, customers who may appear in section 314(a) search requests, customers who are subjects of adverse information or customers who appear on internal bad guy lists (e.g., customers with whom the FI may not want to conduct business). Processes for continual screening of customer names against relevant internal and external databases or lists should be in place. In addition, policies and procedures should, at a minimum, define material versus immaterial matches, articulate the screening process (including escalation or referral points) and clearly indicate expected screening requirements by customer type and related parties (e.g., beneficial owners, authorized signers, powers of attorney, persons with authority to influence the account or respective funds). Where automated screening mechanisms are employed, at a minimum, testing procedures should be documented and followed, and algorithms, such as fuzzy logic, should be supported (e.g., rationale for how threshold levels were selected). As a best practice, internal and external sources (e.g., LexisNexis, Worldcheck, Internet searches) should be accompanied by instructions for usage, and reviews should be conducted (and documented) periodically to confirm that practices are consistent and that data sources remain effective and reliable. In instances where this function is performed by a central screening unit or equivalent utility, auditors (through discussions with the business) should illustrate an understanding over the control environment and discuss additional considerations, such as the risk impact of a control failure or the degree of communication between the business and the central screening unit.
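An auditor asking for the "rationale for how threshold levels were selected" is asking for evidence like the output of the following added example, which is not code from the white paper or from any screening vendor. It normalizes names, scores them with a fuzzy comparison and records how many constructed onboarding names alert at several candidate thresholds; the same check covers the later OFAC point about regularly testing filters for misspellings and name derivations. The watchlist entries and customer names are fictitious values constructed for the example, and the 0.85 default threshold is an assumption.

```python
"""Added example (not part of the white paper): a minimal fuzzy name-screening
check with a documented threshold test. The watchlist and customer names are
constructed, fictitious values; production screening would run against the
FI's compliance-approved lists with a validated matching engine."""
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed internal list (fictitious names, not entries from any real list).
WATCHLIST = ["Johann Schmidt", "Maria del Carmen Lopez", "Ahmed Al-Rashid"]

# Constructed onboarding names: a misspelling, a "Last, First" reordering,
# a hyphen variant, an accented variant, a near-miss and an unrelated name.
CUSTOMERS = ["Jon Schmidt", "Lopez, Maria del Carmen", "Ahmed Alrashid",
             "María del Carmen López", "John Smith", "Peter Jones"]


def normalize(name: str) -> str:
    """Strip accents, punctuation and case, and sort tokens so that
    'Last, First' and 'First Last' compare equal."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    tokens = re.sub(r"[^a-z0-9 ]", " ", ascii_name.lower()).split()
    return " ".join(sorted(tokens))


def similarity(a: str, b: str) -> float:
    """Fuzzy score in [0, 1] between two normalized names."""
    return SequenceMatcher(None, normalize(a), normalize(b)).ratio()


def screen(name: str, watchlist=WATCHLIST, threshold: float = 0.85) -> list:
    """Return (list_entry, score) pairs scoring at or above the threshold, best first."""
    scored = [(entry, round(similarity(name, entry), 3)) for entry in watchlist]
    return sorted([s for s in scored if s[1] >= threshold], key=lambda s: -s[1])


def threshold_test(names=CUSTOMERS, watchlist=WATCHLIST,
                   thresholds=(0.75, 0.85, 0.95)) -> dict:
    """Documented test of how many names alert at each candidate threshold;
    the output is the kind of evidence that supports a threshold rationale."""
    return {t: sum(1 for n in names if screen(n, watchlist, t)) for t in thresholds}


if __name__ == "__main__":
    for n in CUSTOMERS:
        print(n, "->", screen(n))
    print(threshold_test())
```

On this constructed data a 0.95 threshold drops the misspelled "Jon Schmidt", while 0.75 additionally alerts the unrelated "John Smith" against "Johann Schmidt"; the middle setting catches the misspelling, the reordering, the hyphen variant and the accented variant without the extra false positive. Recording such a table, re-running it when the lists or the engine change, and keeping it with the procedures is what makes the threshold "supported" in the sense the text describes.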


KYC metrics are instrumental in providing a collective view of risk. In addition to being used to derive individual customer risk profiles, KYC information can be aggregated at various levels (such as by business or location) to compare actual risk to a predetermined risk appetite. If, for instance, a particular Business Unit has a low risk appetite for PEPs, but KYC metrics indicate that 20% of the customer base is comprised of PEPs, the Business Unit may wish to adjust its risk tolerance or reduce the number of PEPs. Collective views of KYC can assist with managing risk and assessing the current state of the customer portfolio (e.g., by customer types, products/services, geographies or transaction activity). As such, reporting processes should be in place and aligned with risk management objectives.

Potentially Suspicious and/or Unusual Activity
FIs are required under the BSA to monitor, detect and report suspicious transactions. As such, FIs are expected to be vigilant and to establish formal methods for effectively evaluating customer activity, managing alerts, conducting investigations and determining whether to file a SAR or an STR (non-U.S. suspicious transactions report). This includes recognizing and escalating activity where appropriate. A robust control environment should include well defined and effective processes for promptly detecting, monitoring, escalating, investigating, decision making and filing potentially suspicious and/or unusual activity (referred to collectively as PSUA for the purposes herein). Certain aspects of these functions may apply to the Business Unit and/or separate dedicated areas that specialize in activities such as monitoring, escalation or investigating. Where activities are fragmented or shared among several areas, all parties should maintain an open and continuous dialogue, and the roles and responsibilities among all functions should be clear and established. This allows Business Units to more efficiently share information, reduce redundancies and manage activity that requires attention. In all aspects of the SAR process, controls should be in place to ensure confidentiality and security. The focus of Audit's assessment should be on evaluating the Business Unit's ability to comply with regulations and law enforcement requests, as well as its capability for managing PSUA, with attention given to technology, processes and controls.

Sidebar quotation: "Financial institutions are responsible for apprising federal law enforcement authorities of any known or suspected violation of a federal criminal statute and of any suspicious financial transaction. Suspicious financial transactions can include transactions that the bank suspects involved funds derived from illicit activities, were conducted for the purpose of hiding or disguising funds from illicit activity, otherwise violated the money laundering statutes (18 U.S.C. 1956 and 1957), were potentially designed to evade the reporting or recordkeeping requirements of the Bank Secrecy Act or transactions the bank believes were suspicious for any other reason." (Federal Register / Vol. 60, No. 178)

Potential considerations for assessing the strength (i.e., strong, adequate, weak) of the control include:

Detection and Monitoring: FIs have a number of channels through which to identify PSUA. At a high level, these include: activities conducted as part of normal operations (e.g., manual monitoring, such as activity observed and referred by employees); activities conducted as a result of law enforcement and government requests (e.g., subpoenas, national security letters, section 314(a) and 314(b) information sharing); and information obtained via surveillance monitoring systems. The Business Unit is responsible for ensuring that it has access to transaction reports and system output as necessary to identify relevant PSUA and satisfy reporting obligations. At a minimum, the following reports should be reliable, complete and routinely available: currency activity reports, funds transfer reports, velocity of funds reports, wire transfer records, monetary instrument reports, large item reports, significant balance change reports and non-sufficient funds reports. Automated monitoring mechanisms and related technology (e.g., commercial products such as Fiserv, Oracle or SAS as well as in-house solutions) are often used to capture, monitor and alert on PSUA on a continuous basis. As a best practice for ensuring that these systems are effective, parameters and filters should be designed and subsequently tailored to focus on activity that is relevant to the Business Unit and that reflects an in-depth understanding of the customer base.

A periodic review of parameters and filters, including testing for gaps, applying statistical/correlation analysis to results (e.g., to assess for reasonableness), determining whether monitoring scenarios are comprehensive and performing fine tuning to account for known risks and red flags (e.g., U-turn transactions, activity with sanctioned countries, wire transfers involving financial secrecy havens, transactions involving casas de cambio, unusual fund transfers between related accounts or transactions that exceed predefined thresholds), should be in place to further enhance the effectiveness of the monitoring tool(s). In addition, this review should evaluate the appropriateness of any existing exceptions to monitoring rules, such as particular transaction types (e.g., intercompany transfers) or customers (e.g., good guy lists compiled by the FI) that may have been approved to bypass monitoring channels. To assist with calibrating and benchmarking the effectiveness of filters, existing management information system (MIS) data, such as performance ratios (e.g., alert to case metrics), should be reviewed to determine whether the results make sense and appear meaningful. This may involve testing above and below monitoring thresholds to observe resulting outcomes. Although third party vendors may have been used (e.g., for system implementation or for establishing rules), testing and fine tuning activities should be performed either in conjunction with or independent of the third party to avoid over-reliance. Further, by ensuring that testing is conducted in a consistent fashion throughout the FI, as opposed to performing it in isolation, the FI is better positioned to manage risk.
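The two review steps named above, testing above and below a monitoring threshold and reading the alert-to-case ratio, can be run together on a small data set. The following is an added example rather than code from the white paper or from any monitoring product: it applies a daily-aggregate rule and a velocity rule to constructed transactions, compares the alerts with constructed analyst dispositions, and tabulates the ratio at three candidate thresholds. The account identifiers, amounts, dates, the 24-hour velocity window and the dispositions are all assumptions built for the illustration.

```python
"""Added example (not from the white paper): calibrating a monitoring threshold
by testing above and below it and reviewing the resulting alert-to-case ratio.
Transactions, the velocity window and the analyst dispositions are constructed
for illustration; real calibration uses the FI's own MIS data."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed transaction records: (account, timestamp, direction, amount in USD).
TRANSACTIONS = [
    ("A1", "2013-11-04 09:10", "in", 9500.0),
    ("A1", "2013-11-04 11:45", "out", 9400.0),   # funds in and out within hours
    ("A2", "2013-11-04 10:00", "in", 2500.0),
    ("A2", "2013-11-06 14:00", "out", 1200.0),
    ("A3", "2013-11-05 08:30", "in", 4800.0),
    ("A3", "2013-11-05 08:50", "in", 4700.0),    # two deposits aggregate to 9500
    ("A3", "2013-11-09 16:20", "out", 9000.0),
    ("A4", "2013-11-05 12:00", "in", 20000.0),   # large, but documented and slow
    ("A4", "2013-11-12 12:00", "out", 500.0),
    ("A5", "2013-11-06 09:00", "in", 6000.0),
    ("A5", "2013-11-08 09:00", "out", 1500.0),
]
# Constructed analyst dispositions: accounts that a prior review escalated to a case.
CASES = {"A1", "A3"}


def parse(rec):
    acct, ts, direction, amt = rec
    return acct, datetime.strptime(ts, "%Y-%m-%d %H:%M"), direction, amt


def alerts(transactions, amount_threshold, velocity_hours=24):
    """Accounts alerted by either rule: daily inbound total at or above the
    threshold, or inbound funds leaving again within the velocity window."""
    by_acct = defaultdict(list)
    for rec in transactions:
        acct, ts, direction, amt = parse(rec)
        by_acct[acct].append((ts, direction, amt))
    alerted = set()
    window = timedelta(hours=velocity_hours)
    for acct, txs in by_acct.items():
        daily_in = defaultdict(float)
        for ts, direction, amt in txs:
            if direction == "in":
                daily_in[ts.date()] += amt
        if any(total >= amount_threshold for total in daily_in.values()):
            alerted.add(acct)
            continue
        ins = [(ts, amt) for ts, d, amt in txs if d == "in"]
        outs = [(ts, amt) for ts, d, amt in txs if d == "out"]
        if any(ts_in <= ts_out <= ts_in + window and amt_out >= 0.9 * amt_in
               for ts_in, amt_in in ins for ts_out, amt_out in outs):
            alerted.add(acct)
    return alerted


def alert_to_case(alerted, cases):
    """Alerts raised per confirmed case, plus the cases the rules would miss."""
    found = alerted & cases
    return {"alerts": len(alerted), "cases_found": len(found),
            "cases_missed": len(cases - alerted),
            "ratio": round(len(alerted) / len(found), 2) if found else None}


def calibrate(thresholds=(5000.0, 9000.0, 15000.0), velocity_hours=24):
    """Run the rules at each candidate threshold and collect the metrics."""
    return {t: alert_to_case(alerts(TRANSACTIONS, t, velocity_hours), CASES)
            for t in thresholds}


def best_threshold(results):
    """Among thresholds that miss no known case, pick the lowest alert-to-case ratio."""
    ok = [(v["ratio"], t) for t, v in results.items()
          if v["cases_missed"] == 0 and v["ratio"] is not None]
    return min(ok)[1] if ok else None


if __name__ == "__main__":
    results = calibrate()
    for t, m in results.items():
        print(t, m)
    print("best:", best_threshold(results))
```

On this data the lowest threshold finds both cases but raises four alerts, the highest misses the aggregated deposits on A3 entirely, and the middle one finds both cases with the fewest alerts. The table of outcomes per threshold is the MIS-style evidence the review can keep, and re-running it after a vendor or rule change is how the fine tuning stays independent of the third party.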

Source Data and Internal Reports Relating to PSUA: The ability to produce effective and timely reports that assist in identifying PSUA (e.g., manual MIS or surveillance monitoring reports) and that adhere to U.S. and non-U.S. reporting requirements is dependent upon both the quality and completeness of the source data. If the underlying information reviewed for monitoring purposes, whether it be transaction data or KYC, is questionable, or if there are flaws in how the information flows to reporting mechanisms, the results will not be reliable. The Business Unit should possess controls for ensuring that all relevant data (e.g., the complete population of customers, accounts or transactions) are being captured and fed appropriately. The processes associated with pulling data (or feeding data to automated reporting solutions) are influenced by the number of data sources involved and whether the processes are well integrated or whether they are manual and disparate. In addition, the cleanliness of the data by way of appropriate segmentation (e.g., customer risk ratings, customer types, transaction types) is an essential component in promoting reporting efficiency. A formal process for confirming that all relevant source data is accurate, complete and timely will improve the usefulness and reliability of resulting reports.

Escalation and Referral of Activity: Policies, procedures and processes should be in place for referring PSUA from all areas of the Business Unit to the personnel or department responsible for evaluating PSUA. This includes establishing and documenting a clear and defined escalation process from the point of initial detection to the completion of the investigation. Additional channels for employees to refer PSUA privately (such as an anonymous call center) should be available and communicated in policies and procedures. If the Business Unit does not perform the investigative function itself, there is an expectation that it should maintain adequate interaction and communication with all parties involved in the process. In addition, procedures and guidance should be regularly reviewed and updated to ensure that relevant and specific examples are used to demonstrate potential escalation points.

Alert Management: Investigative units, or similar distinct groups, are often tasked with managing and researching activity identified as being potentially suspicious and determining whether it warrants further investigation. This is often referred to as the alert management process. As a best practice, this process should ensure that all applicable information (e.g., criminal subpoenas, national security letters, section 314(a) requests) is effectively evaluated. Policies, procedures and processes for the timely review of, and response to, alerts used to identify unusual activities may assist in facilitating the review. To reduce risk exposure, staffing levels should be sufficient to review reports and alerts in a timely manner, and the staff should possess specialized knowledge with adequate experience and research tools.

Investigation: As a best practice, the process of investigating an alert and determining whether a SAR should be filed (often referred to as case management) should include clear decision making and documentation standards. Designated decision makers (whether it be a committee or specific individuals) should possess sufficient authority and competence to make final SAR filing decisions. SAR documentation should be thorough and include the reason for filing (or the rationale for not filing), as well as additional considerations, such as whether to close an account as a result of continuous suspicious activity. Although the decision to file a SAR may be subjectively determined, Business Units should establish an effective investigative and SAR decision making process that appropriately considers all available CDD and EDD information. In instances where investigative processes or SAR decisions lie within the Business Unit, additional external reviews and approvals should exist to ensure independence.

SAR/STR Completion and Filing: Numerous SAR users, such as intelligence agencies, law enforcement, regulatory authorities and FinCEN, all rely on the details provided in SARs. Information provided by FIs is used to execute investigations, gather intelligence about emerging money laundering tactics, identify illegal activities and prosecute criminals. Where a decision is made to file a SAR, the quality of the SAR content is critical to the effectiveness of the suspicious activity reporting system. A well written and detailed SAR will allow the FI to more effectively manage large volumes of filings and conduct more fruitful examinations of suspect customers or activity. Policies, procedures and processes should reflect standards and guidelines for ensuring that SARs are timely, complete and accurate, and that narratives sufficiently describe the reported activity as well as the basis for filing. This includes retaining SARs and their supporting documentation, reporting SARs to the board of directors (or a committee thereof), informing senior management and sharing SARs with head offices as necessary. By appointing dedicated and qualified individuals to review SARs through a forum that allows for discussing and sharing best practices (e.g., for addressing the essential elements of information: who? what? when? where? and why?), SAR quality may be significantly uplifted. In addition, a control mechanism (such as a SAR log in the form of a simple spreadsheet or a more advanced database) to monitor, track and report on the status of all decisions (e.g., whether to file a SAR or close an account) is typically expected and can help to ensure that decisions are followed through as intended.


OFAC and Sanctions
OFAC regulations and other regional and international mandates (e.g., United Nations sanctions) include requirements to block accounts and other property or to prohibit or reject transactions with specific countries, entities and individuals as appropriate. As stated in the FFIEC manual, "All U.S. persons must comply with OFAC regulations, including all citizens and permanent resident aliens regardless of where they are located, all persons and entities within the United States, all U.S. incorporated entities and their foreign branches. In the case of certain programs, such as those regarding Cuba and North Korea, foreign subsidiaries owned or controlled by U.S. companies also must comply. Certain programs also require foreign persons in possession of U.S. origin goods to comply."[14]

With frequently changing and growing lists, progressively complex sanctions terms, varying guidance for how to interpret requirements and the continual rise of new and clever evasion tactics, compliance with OFAC, sanctions and embargo regulations (referred to collectively as OFAC herein) is an increasingly difficult responsibility that requires significant resources, ongoing attention and specialized knowledge. Even with assistance from sophisticated automated solutions and advanced technology, there is often a need to implement manual processes, such as individualized reviews for double checking alerts, confirming false positives, managing data or adjusting and testing screening mechanisms. For FIs with a vast number of transactions and a transnational presence, the demands and potential for error are high. Due to these recognized challenges, including the intricacies of determining which requirements apply to what customers under what scenarios, OFAC controls require enhanced scrutiny and evaluation. As a minimum standard for securing a strong control environment, the Business Unit should maintain a formal and written OFAC program with necessary internal controls (screening; reporting; testing; OFAC specific risk assessments; OFAC specific training; dedicated resources with specialized OFAC knowledge; quality control mechanisms for ensuring appropriate actions [e.g., blocking/prohibiting] for accounts and related property). The focus of Audit's assessment should be on the Business Unit's ability to comply with existing laws and regulations by effectively blocking and rejecting accounts and/or payments and screening against OFAC and other government lists.

Sidebar quotation: "Definite expectations exist with regard to the processing of transactions involving countries under sanctions. Banks are required to report all blockings to OFAC within ten days of occurrence. If your bank does not block and report a transfer and another bank does, then your bank is in trouble. A bank in noncompliance may be opening itself to adverse publicity, fines, and even criminal penalties (if violations are other than inadvertent) ... [w]hile every financial institution must comply with the same laws and regulations, no one compliance program can be prepackaged for everyone in the open marketplace. Every program must be tailored to meet the needs and structure of individual financial institutions." (Department of the Treasury, OFAC Brochure: OFAC Regulations for the Financial Community)

Potential considerations for assessing the strength (i.e., strong, adequate, weak) of the control include:

OFAC Screening and Processing: OFAC screening controls relate broadly to the functions associated with maintaining OFAC related lists and identifying accounts or property that may need to be blocked or transactions that may need to be prohibited or rejected, such as those involving Burma, Cuba, Iran, Sudan and/or Syria. At a minimum, formal and documented processes should be established for managing alerts, developing effective screening mechanisms (e.g., real time screening), updating and reviewing OFAC lists and escalating alerts where appropriate. This includes, but is not limited to: checking accounts against OFAC lists prior to initial account opening (e.g., for non-customer transactions), or shortly thereafter; identifying and investigating potentially relevant transactions; managing blocked funds and accounts (e.g., status, amount, ownership details, interest, etc.); regularly testing filtering criteria for issues (e.g., misspellings and name derivations); developing and adjusting parameters as appropriate to account for known risks (e.g., false positives, truncated payment instructions, incorrectly coded or characterized transactions, cover payments, straight through processing15); and maintaining effective processes for investigating and escalating potential matches.

14 See 2010 FFIEC BSA/AML Examination Manual, Office of Foreign Assets Control Overview, Page 148.

In addition, as a best practice, the Business Unit may have documented analyses (e.g., formal gap analyses/reports) that reflect potential OFAC risks relating to each product/service (e.g., transactions that involve unknown third parties) and a subsequent plan for screening and monitoring for these risks. These assessments and corresponding screening processes should link to governance and risk management forums that update and educate the Business Unit on OFAC related matters and developments (such as that of Iran turning to the automotive sector to evade sanctions legislation and attract revenue).
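As an added example (not from the white paper), the following Python script shows the kind of filter test an auditor could ask the Business Unit to evidence for the "regularly testing filtering criteria" point above: a minimal name-screening function is run against constructed name variants (corporate suffixes, transposed letters, reordered names, accents, dropped particles, word derivations) and the misses and false positives are tallied. The watch list, matching rules and test cases are all constructed for illustration; they are not OFAC data and not a production screening engine.

```python
"""Testing a sanctions-screening filter against name variants.

Added example, not part of the white paper. The watch list, the matching
rules and the test cases are constructed for illustration only; they are
not OFAC data and not a production screening engine.
"""
import re
import unicodedata

# Constructed watch list with fictional names (stand-in for a sanctions list).
WATCH_LIST = ["Ivan Petrov Ltd", "Global Trade Consortium", "Maria de la Cruz"]

# Corporate suffixes ignored when comparing names.
SUFFIXES = {"ltd", "limited", "inc", "llc", "co", "corp", "corporation", "company"}


def normalize(name):
    """Fold accents, case and punctuation; return tokens minus corporate suffixes."""
    folded = unicodedata.normalize("NFKD", name)
    stripped = "".join(ch for ch in folded if not unicodedata.combining(ch))
    tokens = re.sub(r"[^a-z0-9]+", " ", stripped.lower()).split()
    return [t for t in tokens if t not in SUFFIXES]


def osa_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute and
    adjacent transposition each cost 1 (so the typo 'pertov' is 1 from 'petrov')."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def token_matches(listed, observed):
    """A list token matches an observed token exactly, or within one edit
    when it is long enough (4+ characters) for a fuzzy match to be meaningful."""
    if listed == observed:
        return True
    return len(listed) >= 4 and osa_distance(listed, observed) <= 1


def screen(name, watch_list=WATCH_LIST):
    """Return the watch-list entries that the name hits. An entry hits when
    every one of its significant tokens (3+ characters, so particles such as
    'de'/'la' are optional) is matched somewhere in the name, in any order."""
    observed = normalize(name)
    hits = []
    for entry in watch_list:
        required = [t for t in normalize(entry) if len(t) >= 3]
        if required and all(any(token_matches(r, o) for o in observed) for r in required):
            hits.append(entry)
    return hits


# Constructed test cases: (name as it might appear in a payment instruction,
# whether a correct filter should hit, what the case exercises).
FILTER_TEST_CASES = [
    ("Ivan Petrov Limited", True, "corporate suffix variant"),
    ("IVAN PERTOV LTD", True, "transposed letters"),
    ("Petrov, Ivan", True, "surname-first ordering"),
    ("María De La Cruz", True, "accented characters"),
    ("Maria Cruz", True, "dropped name particles"),
    ("Global Trading Consortium", True, "word derivation"),
    ("Ivan Peters Inc", False, "unrelated name sharing a first name"),
    ("Evan Petrov", False, "near-match that is a different person"),
]


def run_filter_tests(cases=FILTER_TEST_CASES, watch_list=WATCH_LIST):
    """Run the cases through screen() and classify each as passed, missed
    (expected hit, got none) or false positive (unexpected hit). The lists
    returned are what an auditor would want to see in the filter test results."""
    results = {"passed": [], "missed": [], "false_positives": []}
    for name, should_hit, label in cases:
        hit = bool(screen(name, watch_list))
        if hit == should_hit:
            results["passed"].append(label)
        elif should_hit:
            results["missed"].append(label)
        else:
            results["false_positives"].append(label)
    return results


if __name__ == "__main__":
    for bucket, labels in run_filter_tests().items():
        print(f"{bucket}: {labels}")
```

With these constructed rules the run reports one miss (the "word derivation" case, since a one-edit rule cannot catch "Trading" for "Trade") and one false positive ("Evan Petrov"), which is exactly the kind of gap and tuning evidence the filtering-criteria test is meant to surface.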

OFAC Policies and Procedures: In order to maintain an effective OFAC compliance program, OFAC specific policies and procedures should be documented, regularly updated and tailored to the Business Unit's risk profile, customer base, products/services, transaction activity and geographic presence. At a minimum, policies and procedures should address all aspects of OFAC compliance and controls, including customer onboarding, screening and transaction review processes; management of blocked accounts; recordkeeping requirements; maintaining OFAC licenses; independent testing functions; roles and responsibilities for OFAC compliance; open lines of communication; specialized training; and reporting requirements.

OFAC Licenses: Subject to specific provisions and clearly documented conditions, OFAC licenses allow for certain exceptions to OFAC requirements for select transactions that are deemed to be in line with U.S. policy objectives. In addition, OFAC may grant a general license that applies to a group or a category of transactions without requiring one-off approvals from OFAC. The Business Unit should ensure that an effective process is in place for verifying that these transactions comply with all terms and conditions of an OFAC issued license prior to processing them. In addition, copies of all OFAC licenses should be collected and kept on file as appropriate.

OFAC Reporting and Related Metrics: In accordance with OFAC regulations, the Business Unit is required to report all blocked payments to OFAC within ten days of the occurrence and annually by September 30; once those assets or funds are blocked, they are to be placed in a blocked account. Prohibited transactions that are rejected must also be reported to OFAC within ten days of the occurrence. The Business Unit should establish effective reporting and recordkeeping processes, including maintaining complete and accurate records for all rejected transactions for a minimum of five years after the date of the transaction and, for blocked property or transactions, for the entire period during which the property is blocked and for five years after the date the property is unblocked. In addition to the Business Unit's external OFAC reporting obligations, the Business Unit should have access to all internal OFAC related metrics that exist within the FI. This might include OFAC specific data that informs customer risk (e.g., customers associated with OFAC countries/entities), product risk (e.g., products/services, such as RDC, prepaid access, e-banking or correspondent accounts that present enhanced OFAC risk) and transactional risk (e.g., transactions with OFAC countries/entities). Further, this information should contain appropriate details, such as volume and dollar values.

15 According to a July 17, 2012 U.S. Senate Report, cover payments are transfers between correspondent banks in non-sanctioned jurisdictions which lack underlying payment details and can be used as a disguise for facilitating transactions with sanctioned countries or persons. Likewise, another tactic known as straight through processing could be employed to disguise transactions as bank-to-bank transfers and circumvent OFAC filters via automated processing procedures that bypass human intervention or manual review. This was a method that evolved due to the allowance that MT202/203 SWIFT messages (or payment instructions) previously did not require identification of the underlying originator or ultimate beneficiary for bank-to-bank transactions.


Employee AML Expertise and Coverage: Despite significant advances in information technology for managing AML operations and control processes, the accountability and success over the AML program ultimately lies with the people and the respective expertise within the organization. Regulatory bodies, such as the Office of the Comptroller of the Currency (OCC), have highlighted this message by alluding to inadequate staffing as a root cause for compliance failures in several enforcement actions. Today's environment, characterized by increased attention to compliance with AML laws and the advent of sophisticated tools and technology requiring enhanced expertise, may have accentuated the need to focus more narrowly on the people. In order to prevent staff related issues and minimize the risk of human error, AML functions and responsibilities should, at a minimum, encompass an adequate number of resources, a sufficient level of aggregate AML expertise among the staff and an appropriate allocation of time to AML tasks by seasoned personnel. Staffing coverage and training should be aligned to AML responsibilities. The focus of Audit's assessment should be on evaluating the extent to which the Business Unit's AML functions are staffed appropriately as indicated by factors such as the number of dedicated employees, the level of expertise of assigned personnel and existing staffing plans (e.g., allocation of hours with a consideration for shared resources).

The following are extracted references to staffing and training as reflected in enforcement actions from the year 2013:

"...did not ensure appropriate compliance staffing and training, and exercised inadequate oversight for compliance responsibilities." (CMP FinCEN, September 24, 2013)

"A lack of adequate training for both the business and Bank Secrecy Act/Anti-Money Laundering staff contributed to the failure to recognize this suspicious activity." (CMP FinCEN, September 22, 2013)

"Training must be sufficient for staff and officials to perform their responsibilities and ensure compliance..." (C&D NCUA, September 6, 2013)

"The Bank shall ensure that it has sufficient processes, personnel, and control systems and... [t]he BSA/AML Action Plan must specify in detail budget outlays and staffing" (C&D OCC, January 14, 2013)

Potential considerations for assessing the strength (i.e., strong, adequate, weak) of the control include:

AML Staffing Coverage: In accordance with current expectation, AML related functions should reflect an appropriate level of attention from dedicated resources commensurate with the relative degree of risk. In instances where resources are shared or partially allocated, consideration should be given to the extent of the staff's time and availability as it relates to each AML function to ensure that staffing placement is appropriate. As a best practice, a Business Unit should be able to demonstrate that it has a staffing plan or strategy in place to account for proper AML coverage, particularly in HR areas. This includes, but is not limited to, a focus on: a) total number of available resources; b) AML competency among those resources; and c) distribution of time and effort among the pool of available AML resources.

Employee Knowledge and Capabilities: A strong awareness of the level of competency among the staff is critical in ensuring that staff expertise and experience is appropriately aligned to existing AML functions. Formal methods for evaluating staff competency (including establishing criteria that may be representative of AML proficiency and performing some level of analysis, such as through a survey or leveraging existing employee information) are often essential for accurate quantification. Relevant indicators of expertise include: a) the extent of technical knowledge over the tools/systems that are required for the relevant job function(s); b) the level of specialized knowledge for the relevant AML area (e.g., products/services); c) AML related certifications and training; and d) the number of years of AML related job experience. Other useful attributes may be available in existing hiring plans or in previously documented performance expectations for the respective Business Unit.


Training and Awareness: As the expectation for skilled AML resources continues to rise, there is a growing need for training plans and curricula to be tailored, relevant, frequent and mandatory. In addition to basic AML training relating to regulatory, legal and policy requirements, staff should receive training in: a) all critical AML topics; b) Business Unit specific information (e.g., products/services, customers, risk profiles, policies and procedures, etc.); and c) targeted and more advanced training that is relevant to roles and responsibilities. Money launderers are constantly evolving and refining their strategies. As such, training should explore recent trends, such as through case studies, and also include a focus on detecting potential risk in less apparent areas, such as in conventionally low risk products, businesses or activity (e.g., intercompany transfers or traveler checks that may be masking the flow of funds to third parties). The intensity, scope and frequency of training should be commensurate with each employee's job level and respective duties. Some institutions also risk rank employees to assist with disseminating training. A diverse training and awareness program may employ multiple methods of delivery, such as lunch and learns, computer based platforms, webinars, live sessions or email updates/newsletters, to offer both formalized training and proactive communication of lessons learned. Training should be continually updated and performed as necessary to incorporate current developments and changes, such as those relating to the regulatory environment or internal systems and processes. In order to ensure that training is adequate, training programs should be documented, approved and tested. Further, as part of an effective program, recordkeeping and tracking mechanisms (including reportable training metrics) can be employed to capture employee attendance and learning history.
Overall AML Infrastructure, Framework and Practices (policies, procedures and processes; management and oversight; technology and operations)

The challenge of managing and overseeing a broad range of AML activities and functions for a large and complex organization requires careful attention to the strength and design of the FI's AML infrastructure, framework and related practices. At a minimum, these are generally influenced by, and comprised of, the following interconnected components: policies, procedures and processes; management and oversight; and technology and operations. Each area is interdependent and contributes to a collective system of checks and balances. The focus of Audit's assessment should be on evaluating the fundamental soundness of the Business Unit's overall AML infrastructure, framework and practices, and whether these factors are conducive to an effective and healthy AML program.

"...[B]anking organizations have greatly expanded the scope, complexity and global nature of their business activities. At the same time, compliance requirements associated with these activities have become more complex. As a result, organizations have confronted significant risk management and corporate governance challenges, particularly with respect to compliance risks that transcend business lines, legal entities and jurisdictions of operation. To address these challenges, many banking organizations have implemented or enhanced firmwide compliance risk management programs and program oversight."
Board of Governors of the Federal Reserve System

Potential considerations for assessing the strength (i.e., strong, adequate, weak) of the control include:

Management and Oversight: The AML program and associated initiatives should be commensurate with the FI's risk profile in order to maintain efficient operations, regulatory compliance and risk management. As such, the Business Unit's approach and tone should be aligned to the overall firmwide governance policy; together, they should promote cooperation between AML compliance functions and the Business Unit. For a more complete picture of the FI's overall framework, an Audit AML RA should evaluate both firmwide and Business Unit specific oversight and governance practices for managing and identifying AML risk. This includes a review of: business strategy; operating controls; reporting and escalation; roles and responsibilities; resource management; responsiveness to issues; and the Business Unit's organizational structure (including coordination with an executive and management committee or a corporate compliance function).


A formal reporting process is critical for measuring and monitoring AML risk and the effectiveness of related controls, and should be continual and comprehensive. Report data and metrics should speak to all critical areas of an AML program with appropriate detail (e.g., ongoing OFAC investigations, customer name screening matches, past due employee training, quantity of aging alerts, monthly account closures, case management escalations, weekly SAR filings, open enforcement requests, etc.) and be reviewed with the business lines, operations department, compliance department and senior executives as appropriate. An effective reporting vehicle will allow the Business Unit to identify and measure risk as well as subsequent risk trends (e.g., whether risk is increasing or decreasing). Roles and responsibilities should be documented, transparent and defined. This includes indicating accountability (and possibly linking to performance evaluation) as well as designating specific individuals to coordinate and manage day-to-day oversight over the AML program and the Business Unit's AML activities; where this is performed by an independent compliance function, such as a governance committee, there should be a formal and open line of communication between the business and compliance. In all cases, the Business Unit should possess awareness of relevant AML issues, such as through formal representation at important firmwide AML meetings and forums.

Personnel in management and oversight roles should stay abreast of external AML related events and topics and have access to necessary resources (e.g., employees, information, tools) and the ability to escalate issues promptly. In addition, self-assessment and compliance testing functions should be ongoing and allow for timely identification and monitoring of issues and any corrective actions that ensue, including a formalized process for documenting, communicating and responding to results. Compliance testing in particular should reflect independence from the business, sufficient transaction testing, tailored testing procedures and workpapers that demonstrate a connection between the compliance department's risk assessment results and respective action plans.

Policies, Procedures and Processes: As part of developing a comprehensive AML program, FIs are expected to develop policies, procedures and processes to monitor and mitigate AML risks relative to regulatory expectations, compliance requirements and business specific considerations. Where appropriate, policies, procedures and processes should address the unique attributes of the Business Unit, including size, structure, customer base and product usage. Although the sophistication of the internal control environment may vary to align with risk, each Business Unit should, at a minimum, have written policies and procedures, quality management functions and risk assessment processes.

Policies (the "what") and procedures (the "how") should be documented, approved (e.g., by board of directors, senior management, AML governance committees), comprehensive, consistent with best practices and regularly updated to address and remain current with critical AML areas (e.g., KYC, suspicious/unusual activity, OFAC and sanctions, training). Exception processes (such as for deviating from global AML policies) should be clearly documented with necessary details (e.g., the approvals that need to be obtained). In general, policy and procedural documents that apply on a global and firmwide basis (and that describe processes in a thorough manner that can be easily understood) are more likely to promote consistency and quality. This might involve the inclusion of examples, illustrations, a strong flow, references and links to helpful resources and contact details for additional information. If policies and procedures do not provide the appropriate level of granularity, there should be accompanying guidance to address how they should be applied.

A risk assessment process should be in place to evaluate the Business Unit's inherent risks (e.g., clients, products, transactions, geography) and control environment factors (e.g., KYC, screening, training, reporting, monitoring, etc.) at least every twelve to eighteen months (preferably annually with interim assessment exercises as appropriate, such as for the introduction of new products/services or business changes). The results of the Business Unit's risk assessment should be consistent with its risk appetite and its respective business practices (e.g., transaction monitoring scenarios should be aligned to HR areas and unique risks noted in the assessment). As a complementary measure, the Business Unit may want to formalize a process for documenting, evaluating and adjusting its risk appetite. Quality management functions for ensuring quality, consistency and adherence to the Business Unit's policies, procedures and processes should be documented, approved and embedded in day-to-day operations where appropriate. In addition, specific limitations may be appropriate for particular customer or account types (e.g., minimum asset sizes for third party payment processors to open accounts; restrictions for MSBs to offer no more than one product line, such as check cashing; funds transfer limits for payable through accounts; yearly limits on the number of international wires that can be initiated from corporate checking accounts). In instances where outside providers (e.g., vendors or consultants) are used to assist with policies, procedures or processes, the FI maintains accountability and, as such, is responsible for demonstrating tight oversight, such as through due diligence, reporting lines, sample testing, review and approval of its work and stringent documentation requirements.

Operations and Technology: The nature of a Business Unit's operations and its associated technological capacity are strong indicators of whether a Business Unit is capable of sustaining an effective and well balanced AML program that can defend against everyday AML risks and adhere to applicable regulations and responsibilities. FIs are responsible for ensuring that AML functions are well connected, that events (e.g., results from FI systems or processes) are viewed holistically, and that proper feedback loops are in place across the AML program (e.g., that KYC information informs the nature of transaction monitoring and that transaction monitoring results feed back into the KYC processes to inform the level and type of information needed). In addition to reinforcing the flow between control environment components, the FI and Business Unit should ensure that operational processes and automated solutions are effective and working as intended for all relevant risk areas. Routine and standard AML operations and functions (e.g., currency transaction reporting, recordkeeping activities, data management, monetary logs, Section 314(b) information sharing, compliance with OFAC and sanctions reporting) should address regulatory requirements and align to the FI's global AML policy. Documented procedures, adequate staffing and periodic testing functions with formalized results may be additional signs of a strong operating environment. Technology driven mechanisms should have the flexibility to adapt to changes and the capacity to support all required business activities and controls, such as those relating to reporting, data mining, record retention, business recovery, information security and monitoring. Data management and analytics practices relating to AML information should be consistent across the business and allow for appropriate accessibility, interpretation and storage.

A large number of technology platforms or systems that are disconnected from each other may lead to operational challenges and inconsistencies (e.g., discrepant retrieval and analysis of customer information). A portion of this burden may be minimized through a process that looks at whether the same reference codes for customer, product and transaction types are being applied (e.g., consistent labeling of PEPs) or reconciled (e.g., different codes are identified and assigned a common identifier) or whether the same source data is being referenced for similar activities or reports (e.g., onboarding of PEPs across the Business Unit). Further, the presence of numerous or large scale projects (e.g., lookbacks, KYC remediations, procedural updates) or changes (e.g., moving to a new monitoring system, merging of business lines) may present vulnerabilities in the control environment due to resource exhaustion or risks associated with employing change, such as learning new systems, managing data or errors that go undetected.


Central units may own particular controls, but the respective business area owns the risk. As part of a comprehensive risk assessment, each Business Unit should possess an understanding of the risks and controls that affect its business independent of whether these controls are either partially or fully owned by a separate Business Unit. In instances where an AML service is provided centrally (e.g., customer onboarding, screening, training, monitoring, investigating), it is important for Audit to: 1. evaluate the Business Unit's understanding over the central unit's processes, control effectiveness and potential risk impact of a control failure; and 2. determine whether the Business Unit has supplemental controls in place to either manage the risk on its own or to minimize reliance on the central function.

The impact of a control failure within a central function may vary depending on: a) a Business Unit's underlying susceptibility to the risk being mitigated (i.e., a Business Unit with a low risk customer base may be less impacted by a KYC control failure than a Business Unit with a high risk customer base); or b) whether the Business Unit owns additional controls (i.e., a Business Unit that maintains Quality Assurance [QA] processes over a central unit's activities and performs periodic sample testing may be less susceptible than a Business Unit that is fully reliant and detached from the control processes).

THE SUPPORT FRAMEWORK: Investing in Audit's risk assessment process

In addition to providing auditors with guidance by defining and describing risk and control environment factors and supplying helpful considerations, a strong support framework involves adequate resourcing and education; identifying and addressing common challenges; and promoting healthy practices. This investment in Audit's risk assessment process can provide valuable dividends in the form of execution efficiencies, better quality results and potentially reduced exposure to adverse regulatory feedback. A few critical elements in this area include:

Subject Matter Expertise and Keeping Assessments Current

The identification and analysis of AML risk can be complex. An accurate assessment of AML risk oftentimes requires specialized knowledge in AML as well as a strong understanding over the Business Unit (e.g., activities, products/services, customers, geographical presence) and any region specific considerations (e.g., laws, regulations, country risk) that may be applicable. In a perfect world, the auditor completing the assessment would be knowledgeable in all three areas; however, this may not always be feasible. By establishing a network of AML subject matter experts and designated individuals or groups to represent each region and business area, the auditor has access to a valuable pool of information and is better positioned to identify and assess unique AML risks. At the very least, each risk assessment should involve input and oversight from individuals with the requisite AML credentials, experience, training and subject matter expertise prior to completion.

Keep in mind that: Assessing and documenting potential risks is an ongoing process that requires a continuous flow of information between those with visibility and accountability over AML matters and those who are responsible for Audit's risk assessments. As such, risk assessments should be revisited as necessary or periodically (e.g., quarterly or semiannually) to reflect relevant current events, such as internal developments (e.g., mergers, acquisitions, divestitures, technology/systems enhancements, new products/services, emerging risks/issues and other changes in business activities) or external developments (e.g., regulations, industry expectations). One method to assist with this includes establishing a culture of communication and outreach, such as a forum for sharing information and discussing recent events among business representatives, regional representatives, AML subject matter experts and Audit members.


Continual Training and Guidance Specific to Risk Assessments

The development and distribution of formal training, policies/procedures and equivalent guidance promotes consistency and enhances the audit department's ability to assess AML risk. At a minimum, documented and approved materials should describe the risk assessment process, the risk scoring/rating methodology, documentation standards, roles and responsibilities and the identification and analysis of AML risk. For best results, materials should be easily accessible and reviewed for clarity, relevance and completeness.

Keep in mind that: For additional support, a separate function or role can be tasked with providing continual feedback and guidance, such as through the use of case studies, live examples and/or periodic group discussions. This role may supplement, or include, a formal quality control ("QC") process for reviewing Audit's completed risk assessments and providing helpful feedback. By gathering and reviewing current assessments through QC processes, pilot testing, sampling methods or equivalent mechanisms, the audit department can compile and compare results, which can then be used to create training tools, such as "lessons learned." Relevant and carefully crafted guidance materials (as well as the delivery channels) can be instrumental in addressing frequently asked questions, maintaining consistency, instilling best practices and educating those responsible for completing risk assessments.

Supporting Data

To facilitate the task of obtaining supporting data and information for completing the risk assessment, a formal firmwide process can be developed prior to the launch of the risk assessment. This might include developing a strategy for collecting information, understanding where the data resides, ascertaining the quality of the data, assigning one or more project managers/coordinators to oversee the process, identifying common data that can be shared across Business Units, establishing a relationship with personnel that can provide information and designating a central location for storing and accessing materials. Due to the extensive labor involved with this exercise, it is helpful to view and manage this process as a standalone project.

As part of establishing critical relationships and maintaining a strong support network, the audit department should engage the business leadership from each line of business as well as the technology department to assist with accessing and procuring data. The use of a tool (e.g., a document list) that indicates potentially helpful sources as well as the likelihood of obtaining them and the particular areas where they are most useful may further minimize the collection burden. This should be accompanied by a tracking mechanism for capturing and reporting on requested information through the process. Although particular metrics and reports may be specific to a Business Unit, there may be common sources of information that are easier to obtain and that serve useful across multiple Business Units. (Examples include regulatory examination feedback, audit findings, compliance testing results, self-assessments performed by the business, prior risk assessments, meeting minutes/agendas, management reports, process flowcharts, job aids and related manuals, firmwide policies and procedures, etc.) For best results, individuals with working knowledge over the FI's source data and internal systems should be leveraged as much as possible.

Keep in mind that: The use of supporting data is influential (and increasingly expected) in demonstrating how risk decisions and conclusions were derived. Quantitative information (such as transaction volumes and types and customer population demographics by risk category and location) should be used and documented as much as possible when making inferences. However, careful consideration should be applied when determining how and when supporting information should be leveraged and what a deficit of such information may suggest for the risk rating. A business's inability to provide key data may be reflective of a control failure, particularly if the information is necessary for day-to-day operations or is expected by firm policy.


Direction for Crafting a Strong Narrative

A clear, concise and consistent narrative is critical for evidencing rating decisions and articulating potential risks. Although the ability to effectively communicate and describe one's findings through a written analysis may seem more like an art form than an exact science, there are particular strategies that can be leveraged to enhance the overall assessment. These include, but are not limited to: starting with an introductory description of the Business Unit (e.g., general overview of what the Business Unit does and the AML related functions or services that it provides or supports either directly or indirectly); linking to, and referencing, supporting sources of information where possible (e.g., particular documents, data, reports, contacts); representing quantitative support in the context of the Business Unit (e.g., explaining what the numbers mean and the respective impact); avoiding information overload (e.g., using comments that are relevant to the assessment and focusing on the single most important factors that substantiate the ratings); managing the flow and organization of responses (e.g., bundling comments in a manner that clearly aligns to, and addresses, each risk and control factor); indicating directional risk trends; and including a brief conclusion that summarizes the rationale for the final Business Unit risk rating.

Keep in mind that: Third parties and those who are unfamiliar with the Business Unit should be able to read through the narrative and reach the same conclusions as the auditor that conducted the assessment. For this reason, the assessment should be crafted as a self-sufficient evaluation of the Business Unit with adequate detail.

INTERPRETING AND USING RESULTS: The audit plan and beyond

(Figure: example for illustration purposes only)


Subsequent to completing Audit's risk assessment process, the audit department has access to a high quality toolbox with which to corroborate results, assemble a comprehensive risk based plan and illustrate a bird's eye view of AML risk within the enterprise. Prior to preparing the audit plan, the resulting ratings and scores for each Business Unit (which may be developed in conjunction with the firm's existing risk scoring and rating model) can be used to drive a targeted review of select risk assessments based on factors such as whether ratings appear reasonable, whether inconsistencies are present or whether there are outright conflicts with current audit findings and/or perception. After evaluating AML RA results and obtaining a reasonable level of comfort as to the data quality, Audit will possess a valuable set of data points that can be used to compile an audit plan that evaluates risk from a variety of angles, such as overall risk, changes in risks, business area, geography, central functions/process or prior coverage.

With proper analysis, AML RA data can be dissected and stratified to assist in ranking and prioritizing potential audits in relation to each other. If, for instance, two Business Units in a similar area appear to present similar risk, the decision to include one Business Unit in the plan over the other may be based on whether one of the Business Units has recent audit coverage, or whether another audit in the plan covers the same region as one of the two.


AMLRA output can also be used to identify relevant trends or themes that may warrant further review. If multiple Business Units have cited a common weakness or risk within their AMLRA (e.g., a specific process, function, product or customer type), this may call for an audit that looks horizontally across the organization at this particular element.

In addition to assisting with audit planning, the results of the AMLRA enable top-down views within the organization and provide periodic snapshots of AML risk, which allow for meaningful year-over-year comparisons. Audit can use these views to identify whether AMLRA results deviate from current expectation. Where variances exist, the available data set can then be further examined for reasonable explanations. If, for instance, an identified pattern indicates that risk relating to OFAC screening has decreased since the prior period across five Business Units, all of which have shifted to using a specialized screening hub that was recently launched, this might suggest that the hub is effective. Alternatively, if a variance cannot be explained, this might warrant escalation to the business and further exploration.
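The three uses of AMLRA output described above (ranking units with the coverage and region tie-breaks, spotting a weakness cited horizontally across units, and testing whether a period-over-period variance has a shared explanation) can be run as one analysis over the assessment data. The following is an added example in Python and is not code from the white paper or from any firm's tool: the 1-to-5 rating scales, the residual-risk formula (inherent risk times the weakest control rating), the `ofac_screening` attribute and the six Business Units are constructed assumptions used only to illustrate the mechanics.

```python
"""Stratifying Audit AML risk assessment (AMLRA) output to support the audit plan.

Added example, not from the white paper: rating scales, residual-risk formula,
attribute names and the sample Business Units are all constructed assumptions.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass, field


@dataclass
class BusinessUnitResult:
    name: str
    region: str
    inherent: int                 # assumed scale: 1 (low) to 5 (high)
    controls: dict                # consideration -> rating, 1 (strong) to 5 (weak)
    prior_controls: dict          # same considerations, prior period
    months_since_audit: int
    attributes: dict = field(default_factory=dict)  # e.g. which screening platform


def residual_score(bu):
    """Assumed scheme: inherent risk scaled by the weakest control consideration."""
    return bu.inherent * max(bu.controls.values())


def prioritize(results, regions_in_plan):
    """Rank units by residual risk. Ties go first to the unit with the staler
    audit coverage, then to the unit whose region no other planned audit covers."""
    return sorted(
        results,
        key=lambda b: (-residual_score(b), -b.months_since_audit,
                       b.region in regions_in_plan, b.name),
    )


def horizontal_themes(results, weak_at=4, min_units=3):
    """Control considerations rated weak by at least min_units units: candidates
    for a horizontal audit that looks at one element across the organization."""
    counts = Counter(c for b in results for c, r in b.controls.items() if r >= weak_at)
    return {c: n for c, n in counts.items() if n >= min_units}


def period_variances(results, min_change=2):
    """Considerations whose rating moved by >= min_change since the prior period.
    If every mover shares an attribute value that no non-mover has, report it as
    a candidate explanation; otherwise mark the variance for escalation."""
    movers_by = defaultdict(dict)
    for b in results:
        for c, r in b.controls.items():
            delta = r - b.prior_controls.get(c, r)
            if abs(delta) >= min_change:
                movers_by[c][b.name] = delta
    report = {}
    for c, deltas in movers_by.items():
        movers = [b for b in results if b.name in deltas]
        others = [b for b in results if b.name not in deltas]
        explanation = None
        for key in set().union(*(b.attributes for b in movers)):
            vals = {b.attributes.get(key) for b in movers}
            if len(vals) == 1 and None not in vals and vals.isdisjoint(
                    {o.attributes.get(key) for o in others}):
                explanation = (key, vals.pop())
        report[c] = {"deltas": deltas, "candidate_explanation": explanation,
                     "escalate": explanation is None}
    return report


OFAC, ALERT, KYC = ("OFAC Screening and Processing", "Alert Management",
                    "Completeness of Customer Information")


def _unit(name, region, inherent, ofac, alert, kyc,
          prior_ofac, prior_alert, prior_kyc, months, screening):
    return BusinessUnitResult(name, region, inherent,
                              {OFAC: ofac, ALERT: alert, KYC: kyc},
                              {OFAC: prior_ofac, ALERT: prior_alert, KYC: prior_kyc},
                              months, {"ofac_screening": screening})


# Constructed sample: five units moved OFAC screening to a new central hub and
# their screening rating improved; one unit stayed on its legacy process.
SAMPLE = [
    _unit("Retail Banking", "US", 2, 2, 2, 4, 4, 2, 4, 30, "hub"),
    _unit("Wealth Management", "US", 4, 2, 3, 4, 4, 3, 3, 18, "hub"),
    _unit("Correspondent Banking", "US", 5, 2, 4, 2, 4, 2, 2, 14, "hub"),
    _unit("Trade Finance", "EMEA", 5, 2, 2, 4, 4, 2, 4, 14, "hub"),
    _unit("Card Services", "APAC", 2, 2, 2, 2, 4, 2, 2, 36, "hub"),
    _unit("Private Banking", "EMEA", 5, 4, 2, 3, 4, 2, 3, 20, "legacy"),
]

if __name__ == "__main__":
    for b in prioritize(SAMPLE, regions_in_plan={"EMEA"}):
        print(f"{residual_score(b):>3}  {b.months_since_audit:>2} mo  {b.name}")
    print("horizontal themes:", horizontal_themes(SAMPLE))
    for c, v in period_variances(SAMPLE).items():
        print(c, "->", v)
```

On the sample, three units tie at the top residual score; Private Banking ranks first on staler coverage, and Correspondent Banking edges Trade Finance because the plan already carries an EMEA audit. The KYC completeness weakness surfaces as a horizontal theme, and the OFAC variance is attributed to the shared move to the hub, whereas the Alert Management deterioration in Correspondent Banking has no distinguishing attribute and is marked for escalation. The attribute check is only a first screen: a shared attribute is a candidate explanation that Audit still has to corroborate with the business, not a conclusion.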

TAKEAWAY: The risk assessment design can better equip Audit

Through its role as the eyes and ears of the enterprise, the audit department is uniquely positioned to independently identify AML risks and trends, to inspect the control environment, to test the sustainability of the AML program, to assist the business functions in maintaining effective risk management behaviors and to intervene as necessary to ensure that potentially material issues are recognized, understood and addressed. As such, Audit is a vital player and an essential line of defense in protecting the FI and ensuring compliance with regulatory matters and safe business practices. In accordance with this responsibility, Audit's risk assessment process is an integral component in evaluating the nature and extent of AML risk and supporting Audit's planning decisions. Although there is currently no specific model, method or format for framing the risk assessment, the design of an AMLRA tool, including the supporting framework, has a significant impact on the resulting output that will be used to drive Audit's testing activities.

Regardless of whether the tool is web-based or designed in MS Word, MS Excel or through a proprietary vendor, the development of the AMLRA tool should encompass core AML principles and criteria that can be used as a benchmark for guiding the assessment process without endorsing a checklist-style approach. This can be achieved through a structure that points auditors towards relevant considerations, yet facilitates thoughtful analysis and supported decision-making within the assessment. A multifaceted design that is comprehensive, dynamic and sustainable in nature is a valuable control that helps with producing meaningful results that can be used to direct Audit and its testing focus. This includes dedicating sufficient resources to the risk assessment process and promoting an emphasis on detailed commentary, documenting whether risk is increasing/decreasing in particular areas, demonstrating the rationale behind rating decisions and evidencing conclusions via supporting data.


Although the act of enhancing the design of an Audit risk assessment tool may sound like a small step, the effect may be substantial if it leads to a more accurate, substantive and reliable audit planning and testing program. As of now, the relationship between regulator and auditor may lean more toward that of examiner and examinee; however, by instilling the proper confidence, this relationship may shift to a partnership, one which, between the regulator's wealth of aggregate industry knowledge and the auditor's inside operational and technical knowledge, is a much more powerful force for combating money laundering and terrorist financing.

*************************************************************************************


APPENDICES

A - Overview of considerations

INHERENT RISK CONSIDERATIONS

Customers
- HR Customer Types
- Duration of Relationship
- Closed/Blocked Accounts
- Number and Nature of Accounts

Products and Services
- HR Products and Services
- New Products and Services
- Business/Sales from HR Products and Services
- Risk Tolerance and Business Strategies

Transaction Activity
- Activity Involving HR Products/Services
- International Activity
- Transactions Involving Indirect Parties
- Reportable Transaction Activity

Geographic Presence
- Customers in HR Locations
- Physical Presence in HR Locations
- Transactional Activity with HR Locations

CONTROL ENVIRONMENT CONSIDERATIONS

KYC
- Exceptions or Waivers
- Reliance
- Completeness of Customer Information
- Renewals, Updates and Periodic Reviews
- Customer Name Screening

Suspicious and/or Unusual Activity
- Detection and Monitoring
- Source Data and Internal Reports Relating to PSUA
- Escalation and Referral of Activity
- Alert Management
- Investigation
- SAR/STR Completion and Filing

OFAC and Sanctions
- OFAC Screening and Processing
- OFAC Policies and Procedures
- OFAC Licenses
- OFAC Reporting and Related Metrics

Employee AML Expertise and Coverage
- AML Staffing Coverage
- Employee Knowledge and Capabilities
- Training and Awareness

Overall AML Infrastructure, Framework and Practices
- Management and Oversight
- Policies, Procedures and Processes
- Operations and Technology


B - Examples of considerations

Inherent Risks: Examples of Higher Risks

Customers

HR Customer Types
The Business Unit reflects a significant number of account holders categorized as HR per the FI's pre-existing customer risk rating model.

Duration of Relationship
The Business Unit reflects a significant number of accounts (those representative of establishing a new customer relationship) that have been opened within the past twelve months.

Closed/Blocked Accounts
The Business Unit reflects a significant number of customer accounts or relationships that have been closed or blocked at the direction of the FI.

Number and Nature of Accounts
The Business Unit reflects a significant number of customers with open (e.g., active and/or dormant) accounts in, or having access to, other Business Units within the FI.

Products and Services

HR Products and Services
The Business Unit offers a significant number of HR products/services or reflects a significant number of customers that use HR products/services.

New Products and Services
The Business Unit offers a significant number of recently introduced products/services or reflects a significant number of customers that use these products/services.

Degree of Business/Sales Generated from HR Products and Services
The Business Unit's total business portfolio reflects a significant dollar amount of revenue that is attributed to the sale of HR products/services.

Risk Tolerance and Business Strategies
The Business Unit has self-evaluated (or has indicated elsewhere) a high risk tolerance, or the Business Unit has requested to forgo firm-wide AML requirements or processes despite known risks.

Transaction Activity

Activity Involving HR Products/Services
The Business Unit reflects a significantly high volume or dollar amount of activity involving high-risk products/services.

International Activity
The Business Unit reflects a significantly high volume or dollar value of international activity.


Transactions Involving Indirect Parties
The Business Unit reflects a significantly high number of customers and/or accounts with the capability to conduct transactions with (or on behalf of) non-FI customers through the FI.

Reportable Transaction Activity
The Business Unit reflects a significantly high number of customers whose transactions are subject to regulatory transaction reporting (e.g., CTRs).

Geographic Presence

Customers in HR Locations
The Business Unit reflects a significant number of customers with known addresses in HR locations.

Physical Presence in HR Locations
The Business Unit has an operating branch in a significant number of HR locations.

Transactional Activity with HR Locations
The Business Unit reflects a significant number of customers with accounts that exhibit transactions with HR locations.

Control Environment and Risk Mitigants: Examples of Control Weaknesses

KYC

Exceptions or Waivers
The Business Unit reflects a significant number of exceptions or waivers to internal KYC policies, procedures or standards.

Reliance
The Business Unit reflects reliance on other parties for KYC functions and does not receive metrics/status reporting, does not own controls for monitoring or managing the reliance, does not reflect accountability or does not demonstrate an understanding of the process and potential risk impact.

Completeness of Customer Information
The Business Unit reflects a significant number of active accounts with missing or incomplete KYC information.

Renewals, Updates and Periodic Reviews
The Business Unit reflects a significant number of accounts that have not been renewed or updated in accordance with its renewal cycle.

Customer Name Screening
The Business Unit reflects deficiencies in identifying name matches; there are inconsistencies in screening practices; or there is poor interaction between the Business Unit and the central function.

Potentially Suspicious and/or Unusual Activity

Detection and Monitoring
The Business Unit is not appropriately equipped to identify and monitor PSUA (e.g., lack of training, procedures or access to reports), or the Business Unit reflects frequently identified system deficiencies and issues, such as parameters that are not working as intended or failures to effectively detect deviations between expected and actual activity.


Source Data and Internal Reports Relating to PSUA
The Business Unit does not have an approval process to ensure that data is accurate, complete and timely, or the reports being produced contain errors and/or related deficiencies.

Escalation and Referral of Activity
The Business Unit cannot produce evidence of a documented and defined escalation and referral process.

Alert Management
The Business Unit reflects a large or increasing number of open alerts, or decisions on whether to further investigate alerts are not clearly documented or approved.

Investigation
The Business Unit does not have procedures that detail documentation standards or describe the process for closing accounts due to continuous suspicious activity.

SAR/STR Completion and Filing
The Business Unit has a significant number of SARs that have been corrected, reversed or identified as being incomplete, weak or outstanding.

OFAC and Sanctions

OFAC Screening and Processing
The Business Unit contains a significant number of alerts that have not yet been reviewed; there are a significant number of manual or interim processes in place; or transactions flagged as requiring specific actions (e.g., blocking) are not handled in compliance with the appropriate measures.

OFAC Policies and Procedures
The Business Unit does not adequately update policies and procedures to account for continual OFAC-related developments; does not maintain written, comprehensive and approved policies and procedures for all critical OFAC program areas; or does not exhibit OFAC practices that are consistent with those documented in and required by internal OFAC policies and procedures.

OFAC Licenses
The Business Unit exhibits ineffective processes or procedures for verifying OFAC-issued licenses or does not adequately retain copies of licenses where appropriate.

OFAC Reporting and Related Metrics
The Business Unit does not report all blocked and/or prohibited transactions to OFAC on a timely basis; records are not full and accurate where applicable; or OFAC management reports reflect deficiencies in content, distribution or frequency.


Employee AML Expertise and Coverage

AML Staffing Coverage
The Business Unit does not reflect a sufficient level of competent staff among critical AML functions or does not conduct AML-specific capacity planning or equivalent staffing analyses.

Employee Knowledge and Capabilities
The Business Unit reflects a low level of staff with advanced or adequate AML competencies relative to the required AML function.

Training and Awareness
The Business Unit's training content is not accurate, relevant or complete; employees are not completing required trainings; attendance is not being tracked; or training frequency is inadequate.

Overall AML Infrastructure, Framework and Practices

Management and Oversight
The Business Unit has inconsistent management reports, reflects inaccuracies in metrics, does not report on critical AML matters (e.g., number of open accounts associated with PEPs) or has testing functions that are infrequent and ineffective in identifying issues, including those known to Audit.

Policies, Procedures and Processes
The Business Unit's risk rating methodologies for its risk assessments are undefined and rating decisions do not reflect adequate support; or quality management processes are inconsistent, undocumented or deficient for critical areas, such as SAR filing or customer onboarding.

Operations and Technology
The Business Unit reflects deficiencies in executing day-to-day operations, such as maintaining adequate monetary logs or reporting on currency transactions; the technological environment is incapable of monitoring the volume and complexity of customer transactions; there is a lack of management over third-party processing; or methods for interpreting and defining data are inconsistent.


C - References (hyperlinks are subject to change)

1. Comptroller of the Currency, Administrator of National Banks. (2012). Large Bank Supervision, OCC Booklet: Comptroller's Handbook (EP).
   http://www.occ.gov/publications/publications-by-type/comptrollers-handbook/lbs.pdf
2. Office of the Comptroller of the Currency. (2002). Money Laundering: A Banker's Guide to Avoiding Problems. Washington, DC.
   http://occ.gov/topics/bank-operations/financial-crime/money-laundering/money-laundering-2002.pdf
3. The Wolfsberg Group. (2006). Wolfsberg Statement: Guidance on a Risk-Based Approach for Managing Money Laundering Risks.
   http://www.wolfsberg-principles.com/risk-based-approach.html
4. Bank for International Settlements. (2012). Basel Committee on Banking Supervision: Core Principles for Effective Banking Supervision.
   http://www.bis.org/publ/bcbs230.htm
5. Board of Governors of the Federal Reserve System. (2008). FRB Supervisory Letter SR 08-8 / CA 08-11: Compliance Risk Management Programs and Oversight at Large Banking Organizations with Complex Compliance Profiles. Washington, DC.
   http://www.federalreserve.gov/boarddocs/srletters/2008/SR0808.htm
6. The International Bank for Reconstruction and Development / The World Bank / The International Monetary Fund. (2006). Reference Guide to Anti-Money Laundering and Combating the Financing of Terrorism (Second Edition and Supplement on Special Recommendation IX). Washington, DC: Paul Allan Schott.
   http://siteresources.worldbank.org/EXTAML/Resources/396511-1146581427871/Reference_Guide_AMLCFT_2ndSupplement.pdf
7. Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT Act) Act of 2001. Public Law 107-56, 115 Stat. 272, Oct. 26, 2001.
   http://www.gpo.gov/fdsys/pkg/PLAW-107publ56/pdf/PLAW-107publ56.pdf
8. Gladstone, Rick. (2013, June). U.S. Adds to Its List of Sanctions Against Iran. The New York Times.
   http://www.nytimes.com/2013/06/04/world/middleeast/us-adds-to-its-list-of-sanctions-against-iran.html?_r=0
9. Financial Crimes Enforcement Network. (2013). The SAR Activity Review: Trends, Tips & Issues (Issue 23).
   http://www.fincen.gov/news_room/rp/files/sar_tti_23.pdf
10. Financial Crimes Enforcement Network. (2009). The SAR Activity Review: Trends, Tips & Issues (Issue 16).
    http://www.fincen.gov/news_room/rp/files/sar_tti_16.pdf
11. Financial Crimes Enforcement Network. (2003). The SAR Activity Review: Trends, Tips & Issues (Issue 6).
    http://www.fincen.gov/news_room/rp/files/sar_tti_06.pdf
12. Congressional Research Service. (2013). CRS Report for Congress: Iran Sanctions (RS20871). Kenneth Katzman.
    http://www.fas.org/sgp/crs/mideast/RS20871.pdf
13. Federal Register, Vol. 60, No. 178, Thursday, September 14, 1995, Proposed Rules, p. 47719: Suspicious Activity Reporting.
    http://www.gpo.gov/fdsys/pkg/FR-1995-09-14/pdf/95-22750.pdf
14. Minority Staff of the Permanent Subcommittee on Investigations, report dated July 17, 2012. U.S. Vulnerabilities to Money Laundering, Drugs and Terrorist Financing: HSBC Case History.
    http://www.hsgac.senate.gov/subcommittees/investigations/hearings/us-vulnerabilities-to-money-laundering-drugs-and-terrorist-financing-hsbc-case-history
15. Federal Financial Institutions Examination Council. (2010). Bank Secrecy Act/Anti-Money Laundering Examination Manual.


    http://www.ffiec.gov/bsa_aml_infobase/documents/BSA_AML_Man_2010.pdf
16. AML Essentials: Examining the Key Components of an Effective AML Risk Assessment Model, Part III. ACAMS; May 1, 2013.
    www2.acams.org/webinars
17. Federal Deposit Insurance Corporation. (2007). The FDIC's Internal Risk Management Program. Report No. EVAL-08-001.
    http://www.fdicoig.gov/reports08/eval08001508.shtml
18. COSO. (1992, 2004). Internal Control: Integrated Framework.
    http://www.coso.org/ic.htm
19. The International Standards of Supreme Audit Institutions. Guidelines for Internal Control Standards for the Public Sector: Further Information on Entity Risk Management (INTOSAI GOV 9130).
    http://www.issai.org/media/13341/intosai_gov_9130_e.pdf
20. Spotlight on Large Institutions: Conducting Enterprise-Wide AML Risk Assessments that Go Beyond the Expectations of Examiners and Senior Management. ACAMS; June 26, 2013.
    www2.acams.org/webinars
21. Department of the Treasury. (2012, January). OFAC Brochure: OFAC Regulations for the Financial Community.
    http://www.treasury.gov/resource-center/sanctions/Documents/facbk.pdf
22. Federal Deposit Insurance Corporation. (2007). From the Examiner's Desk: Customer Information Risk Assessments: Moving Toward Enterprise-Wide Assessments of Business Risk.
    http://www.fdic.gov/regulations/examinations/supervisory/insights/siwin09/From_Examiners_Desk.html
23. Simmons, Kenneth. (2013, December). Learning from the Mistakes of Others: Matters Requiring Attention.
    http://www.acamsglobal.org/assets/materials/0924/9.24_3.15PM_Audit_Audit_Thought_Leadership_Forum_Final_Combined.pdf

Enforcement Actions

1. United States of America, Department of the Treasury, Comptroller of the Currency. Consent Order #2013-002, AA-EC-13-04.
   www.occ.gov/news-issuances/news-releases/2013/nr-occ-2013-8a.pdf
2. United States of America, Department of the Treasury, Comptroller of the Currency. Consent Order #2012-232, AA-EC-12-114.
   www.occ.gov/static/enforcement-actions/ea2012-232.pdf
3. United States of America, before the Board of Governors of the Federal Reserve System. Consent Order #13-004-B-HC.
   http://www.federalreserve.gov/newsevents/press/enforcement/enf20130326a1.pdf
4. United States of America, Department of the Treasury, Comptroller of the Currency. Consent Order #2012-262, AA-EC-12-112.
   http://www.occ.gov/news-issuances/news-releases/2012/nr-occ-2012-173b.pdf
5. United States of America, Department of the Treasury, Comptroller of the Currency. Consent Order #2013-003, AA-EC-2012-155.
   http://www.occ.gov/news-issuances/news-releases/2013/nr-occ-2013-18a.pdf
6. United States of America, Department of the Treasury, Financial Crimes Enforcement Network. Assessment of Civil Money Penalty #2013-1.
   http://www.fincen.gov/pdf/TD_ASSESSMENT_09222013.pdf
7. United States of America, Department of the Treasury, Comptroller of the Currency. Consent Order #2013-142, AA-EC-2013-67.
   http://www.occ.gov/static/enforcement-actions/ea2013-142.pdf


D - Helpful resources for rating and scoring

ERM: Risk Assessment in Practice (COSO, October 2012)
http://www.coso.org/documents/COSOAnncsOnlineSurvy2GainInpt4Updt2IntrnlCntrlIntgratdFrmwrk%20-%20for%20merge_files/COSO-ERM%20Risk%20Assessment%20inPractice%20Thought%20Paper%20OCtober%202012.pdf

Rating the Adequacy of Risk Management Processes and Internal Controls at State Member Banks and Bank Holding Companies, SR 95-51 (SUP), November 14, 1995
http://www.federalreserve.gov/boarddocs/srletters/1995/sr9551.htm

Federal Reserve System Framework for Risk-Focused Supervision of Large Complex Institutions
http://www.federalreserve.gov/boarddocs/SRletters/1997/sr9724a1.pdf

E - Acronyms and terms used throughout this paper

ACAMS: Association of Certified Anti-Money Laundering Specialists.

Account (term): A formal banking relationship established to provide or engage in services, dealings or other financial transactions, including a deposit account, a transaction or asset account, a credit account or other extension of credit. Account also includes a relationship established to provide a safety deposit box or other safekeeping services, or cash management, custodian and trust services.

ACH: automated clearing house.

AML: anti-money laundering.

AML (term): Encompasses the Bank Secrecy Act, anti-money laundering, Office of Foreign Assets Control and sanctions.

AMLRA: AML risk assessment.

Audit (term): The internal audit department.

BSA: Bank Secrecy Act.

Business Unit (term): An auditable business area, control function/utility and/or line of business.

CDD: customer due diligence.

CIP: customer identification program.

COSO: Committee of Sponsoring Organizations of the Treadway Commission.

CTR: currency transaction report.

Customer (term): A "person" (an individual, a corporation, partnership, a trust, an estate or any other entity recognized as a legal person) who opens a new account, an individual who opens a new account for another individual who lacks legal capacity, and an individual who opens a new account for an entity that is not a legal person (e.g., a civic club). A customer does not include a person who does not receive banking services, such as a person whose loan application is denied.

EDD: enhanced due diligence.

FATF: Financial Action Task Force.


FDIC: Federal Deposit Insurance Corporation.

FFIEC: Federal Financial Institutions Examination Council.

FI: financial institution.

FinCEN: Financial Crimes Enforcement Network.

HIDTA: high-intensity drug trafficking area.

HIFCA: high-intensity financial crime area.

HR: high risk.

INTOSAI: International Organization of Supreme Audit Institutions.

KYC: Know Your Customer.

LOB: line(s) of business.

MIS: management information system.

MRA: matter requiring attention.

OCC: Office of the Comptroller of the Currency.

OFAC: Office of Foreign Assets Control.

OFC: offshore financial center.

PEPs: politically exposed persons.

PSUA: potentially suspicious and/or unusual activity.

QA: quality assurance.

QC: quality control.

RCCs: remotely created checks.

RDC: remote deposit capture.

Risk Appetite (term): The amount of risk, on a broad level, that an entity is willing to accept in seeking to achieve its objectives.

SAR: suspicious activity report.

SDN: specially designated national.

STR: suspicious transaction report.

Tool (term): The mechanism (such as a basic template or system) used to organize, record, assess and rate AML risks. A tool can be a sophisticated system or a simple spreadsheet, as well as any accompanying guidance.


F - About the author

Jonathan Estreich is currently a vice president within the internal audit department at JPMorgan Chase. With over eight years of experience working with financial services firms such as Deloitte Financial Advisory Services LLP and UBS Investment Bank, Mr. Estreich specializes in providing anti-money laundering and counter-terrorist financing services with a focus on AML policies, procedures and internal controls, including those relating to transaction monitoring, Know Your Customer initiatives, customer due diligence and risk assessments. By servicing many different financial institutions within the banking sector in multiple capacities, he has accumulated a broad range of industry knowledge and expertise in diverse areas such as global AML compliance and Office of Foreign Assets Control, as well as in working with complex product and customer types. He has had considerable involvement in leading, managing and advising on BSA/AML-related matters, including authoring several works with Thomson Reuters Complinet, ACAMS Today, Inside Counsel and Corporate Compliance Insights.

Professional credentials include:

Certified Fraud Examiner (CFE)
Certified Anti-Money Laundering Specialist (CAMS)
Advanced Anti-Money Laundering Audit designation (CAMS-Audit)
Certified Associate in Project Management (CAPM)

Related works by the author

1. Enhanced due diligence program for correspondent banking: Minimizing the risk of money laundering and drug trafficking. Thomson Reuters Complinet (August 2011).
2. Understanding recent developments in prepaid access: Considerations for deterring money laundering. ACAMS Today (March 2012).
3. "Knowing" your Latin American customer: Enhanced due diligence practices to mitigate the risks of money laundering and terrorist financing. Inside Counsel (March 2012).
4. CISADA Section 104(e): A glance into the final rule's counter-terrorist financing requirements and challenges for U.S. financial institutions. Corporate Compliance Insights (October 2012).
