How to Build an Audit Risk Assessment Tool to Combat Money Laundering and Terrorist Financing
EQUIPPING YOUR LAST LINE OF DEFENSE
A white paper by Jonathan Estreich
December 2013

The objective of this white paper is to offer specific considerations and suggestions for how the internal audit department can design a firm-wide AML risk assessment tool that: 1. improves the auditor's ability to identify relevant AML risks; 2. sets the foundation for thoughtful and supported risk determinations; and 3. produces results that can assist in the development of an audit plan that satisfies regulatory expectations for deterring money laundering and terrorist financing.
TABLE OF CONTENTS

EXECUTIVE SUMMARY
INTRODUCTION
  Regulatory expectations are high and the auditor's role is evolving
  The audit plan reflects whether Audit is on track in the eyes of the regulators
  Audit's risk assessment process drives the audit plan
  There is a difference between an Audit AMLRA and other AML risk assessments
  Assumptions
DEVELOPING AN AUDIT AML RISK ASSESSMENT TOOL
  Overview
  A closer look
THE SUPPORT FRAMEWORK: Investing in Audit's risk assessment process
INTERPRETING AND USING RESULTS: The audit plan and beyond
TAKEAWAY: The risk assessment design can better equip Audit
APPENDICES
  A. Overview of considerations
  B. Examples of considerations
  C. References
  D. Helpful resources for rating and scoring
  E. Acronyms and terms used throughout this paper
  F. About the author
The views expressed in this paper are those of the author, and the author alone. The author is not necessarily representing the views or opinions of JPMorgan Chase.
EXECUTIVE SUMMARY

For reference purposes herein, Bank Secrecy Act (BSA), anti-money laundering (AML), Office of Foreign Assets Control (OFAC) and sanctions will be referred to collectively as AML.

The primary objective of this white paper is to offer specific considerations and suggestions for how a financial institution's internal audit department (Audit) can design a firm-wide AML risk assessment (AMLRA) tool that: 1. improves the auditor's ability to identify relevant AML risks; 2. sets the foundation for thoughtful and supported risk determinations; and 3. produces results that can assist in the development of an audit plan that satisfies current regulatory expectations for deterring money laundering and terrorist financing.

Internal audits are critical for proactively identifying deficiencies and for ensuring that financial institutions (FIs) maintain AML functions and programs that are aligned with supervisory requirements and examiner expectations. The selection of these audits, as represented by an audit plan, is the primary roadmap for AML testing activities and is often determined by a risk assessment. A notable challenge relating to the compilation of an audit plan that effectively captures AML risk lies with the initial design of the risk assessment tool [1], which should, at a minimum, produce meaningful results that the audit department can interpret, analyze and use to build an appropriate risk-based plan.

Most FIs that perform a wide range of activities across a number of separate business lines, legal entities and jurisdictions have, or are expected to have, a risk assessment process that can assist with their audit planning. The degree to which this process focuses on AML and complies with regulatory expectations varies from institution to institution.

The content provided herein is intended to offer guidance for enhancing or constructing a risk assessment tool that delivers helpful direction to the audit department in evaluating its FI's AML risks and controls, as well as in documenting decisions. This white paper is not intended to detail the complete process of a risk assessment, but rather to describe how to work within Audit's existing risk assessment framework to ensure that the AML component is developed and represented appropriately. A strong and well-designed tool should equip the auditor to identify risk and to demonstrate and evidence how risk ratings and related conclusions were derived.
INTRODUCTION

Regulatory expectations are high and the auditor's role is evolving

The requirements for AML compliance programs and related internal AML controls have remained, for the most part, consistent with past regulatory statutes and guidance such as the BSA [12 CFR 21.21] and the USA PATRIOT Act [section 352]. However, within the past five years, the financial services industry has experienced noticeable changes in the articulation of regulatory expectations regarding the adequacy and overall view of internal controls. Concurrently, there has been a significant increase in both the frequency and severity of enforcement actions among the world's largest and most reputable financial corporations. Advances in technology and an expansion of sophisticated products and delivery systems may be partially responsible for the changing environment. These developments have not only provided additional banking opportunities but have also resulted in more complex financial relationships and have compelled money launderers to become smarter and more creative. Nonetheless, despite the many possible impetuses for the increased legal force, it is clear that there has been a shift in the accepted standard for sound banking practices.

[1] The term "tool" will be used herein to represent the mechanism (such as a basic template or system) used by the FI to organize, record, assess and rate AML risks. The tool can be a sophisticated system or a simple spreadsheet, as well as any accompanying guidance.
Between the years 2010 and 2013, there have been over twenty-five AML-related consent orders, written agreements and cease and desist orders and more than $900 million in fines [2]. According to a report issued by the U.S. Senate, recent prosecutions and legal actions relating to OFAC violations between 2010 and 2012 have amounted to over $1.4 billion, involving well-known financial institutions [3]. Based on metrics from the U.S. Department of the Treasury, OFAC-related penalties and settlements between January 2, 2013 and October 25, 2013 totaled $12,875,278 [4]. In a recent industry paper, Kenneth Simmons [5] analyzed BSA examination results of 137 financial institutions that were issued reports between September 2009 and March 2013; these results reflected that, as of April 2013, there were more than 202 open Matters Requiring Attention (MRAs) that related to the four pillars of an AML program (audit, internal controls, training and the BSA officer). Of all MRAs reviewed, 83.88% of outstanding MRAs referenced internal control failures.

Based on a review of regulatory orders in 2012 and 2013, frequently cited AML program weaknesses included:
- Inadequate customer due diligence and enhanced due diligence practices.
- Incomplete identification of high-risk customers.
- Insufficient policies, procedures and training.
- Failures in monitoring and identifying suspicious activity.
- Poor reporting and filing practices relating to suspicious activity.
- Ineffective independent testing and audit functions.

The underlying message suggests that the expectation for FIs to be less reactive and more proactive (e.g., by enhancing risk management practices and maintaining an effective regime to audit their AML compliance programs) has become a minimum standard in the eyes of supervisory agencies. This includes further attention to:

As part of this enhanced scrutiny, regulators are emphasizing the importance of independent testing and the evolving role of the AML auditor in helping their FI to manage risk and sustain an operational AML program, such as through additional focus on risk tolerance, the level of assurance, the depth and precision of controls, the nature of substantive testing and the degree of credible challenge. Consequently, Audit has become even more critical in positioning its FI to avoid compliance, legal and reputational risks relating to AML functions.

[2] See http://www.bankersonline.com/security/bsapenaltylist.html.
[3] See the Minority Staff of the Permanent Subcommittee on Investigations report dated July 17, 2012 entitled U.S. Vulnerabilities to Money Laundering, Drugs, and Terrorist Financing: HSBC Case History.
[4] See http://www.treasury.gov/resourcecenter/sanctions/CivPen/Pages/civpenindex2.aspx.
[5] Kenneth Simmons is a Bank Examiner and BSA/Compliance specialist with the Office of the Comptroller of the Currency. See Simmons, Kenneth. (2013, December). Learning from the Mistakes of Others: Matters Requiring Attention.
In addition, Audit's role and its relationship with regulators may be important for another reason. Due to the strong focus on AML and the extent of related challenges within the financial industry, the need for a collaborative approach to combat money laundering and terrorist financing has become more apparent. As such, subject to a reasonable level of comfort that the audit department is effective, competent and dependable, examiners may gradually expand their reliance on the work of AML auditors. This trust would be mutually beneficial for both parties.

The audit department is the last line of defense. Audit is responsible for conducting an objective evaluation of the AML compliance program for soundness, adequacy and sustainability while maintaining independence from compliance and business functions. This includes a review of the FI's risk assessment for reasonableness given the FI's risk profile (e.g., products, services, customers, entities, geographic locations).
The audit plan reflects whether Audit is on track in the eyes of the regulators

In order to meet regulatory expectations and comply with fiduciary responsibilities, Audit is responsible for assembling an audit plan that demonstrates its organization's knowledge of its Business Units [6] and an understanding of the business-associated risks. The audit plan dictates what areas will be tested in order to ensure that the FI is protected by way of controls that are operating effectively. If the plan is lacking, the FI may be exposed to control gap risk or breaches in regulatory compliance. A sufficient plan should, at a minimum, focus on the highest risk areas to ensure that either the FI has a sound control environment or that the assessed risks do not pose a significant threat. The cornerstone of an adequate audit plan is a strong risk assessment tool.

Audit's risk assessment process drives the audit plan

Without a proper risk assessment, it would be particularly difficult for a large, complex, multinational FI to figure out what to audit. An audit plan that includes every possible auditable Business Unit is arguably not a plan and is most likely an unrealistic approach in a world of finite resources. The audit department is expected to select audits using a risk-based approach that provides a reasonable belief that critical risks such as those relating to money laundering and economic sanctions are identified and assigned adequate testing coverage in a timely fashion. As such, a successful risk assessment should result in a detailed risk profile for each Business Unit, which can subsequently drive the level of audit coverage, including both scope (e.g., extent of testing areas/testing steps) and frequency (e.g., annually, biannually). Further, a well-documented and thorough assessment can supply the rationale for including or excluding a specific audit area. The process of building the audit plan should involve consideration of existing or prior audit coverage, unique business risks, pre-existing issues and the severity of AML risk factors.

OVERVIEW OF PRIMARY AUDIT OBJECTIVES
- Determine whether the overall AML/BSA compliance program is suitably designed and operating effectively.
- Identify any material program weaknesses, control deficiencies and corresponding opportunities for program, process and control enhancements, and report them to senior management and the board (usually the audit committee).
- Assist management with identifying money laundering, terrorism financing and other financial crime vulnerabilities.
- Perform and document procedures and results that may be useful to regulators in conducting their supervisory examinations.
- Assess and identify possible gaps and opportunities for management to continually improve its suspicious activity detection, investigation, analysis, escalation, documentation and reporting processes and controls, including due diligence feedback and the enterprise-wide AML risk assessment process.
- Assess management's AML strategic planning process.
- Identify opportunities and methods to help management make program enhancements continuous and sustainable.
- Assess and identify opportunities to enhance management's self-monitoring and self-testing compliance review program.
- Assess how well AML compliance is integrated into the business.
Adapted from: The SAR Activity Review Trends, Tips and Issues (Issue 16), (October, 2009).

[6] For the purposes herein, all auditable business areas, control functions/utilities and lines of businesses (LOBs) will be referred to collectively as Business Units.
There is a difference between an Audit AMLRA and other AML risk assessments

Most risk assessment exercises have the common objective of identifying and assessing risk with the purpose of determining how to prioritize and focus resources based on the areas of most concern. Differences between risk assessment tools do exist, however, and these may be attributed to who the tool is designed for and how the results will ultimately be used. The design sets the stage for what the output will look like, and as such, both the "who" and the "how" are important considerations. Understanding this distinction at the onset will facilitate the development of the risk assessment tool.

An Audit AMLRA, for instance, targets different information from a line of business (LOB) AML risk assessment. LOB AMLRAs are usually approved by the AML officer or other AML department designee, and the predominant objective is to identify and assess AML risk with the purpose of resolving issues, driving institutional activities, allocating resources and informing risk-based business decisions. These decisions could include whether to exit relationships with particular client types, whether to eliminate particular products or services, or whether to expand upon the control environment.

The predominant objective of an Audit AMLRA, usually completed by an auditor or other audit department designee, is to identify and assess potential risk (e.g., control gaps) with the purpose of constructing a standalone AML risk assessment that can pinpoint areas warranting either immediate escalation (such as a blatant difference in how Audit has perceived a risk versus the business line's view) or areas warranting further substantiation and testing. By conducting a more detailed review (an audit) of less apparent areas, the department is able to perform independent evaluation, substantiate concerns and communicate issues to the relevant business area(s) for them to take appropriate action. Audit may also risk-rate control gaps and weaknesses to assist the business with prioritizing and planning its activities. Accordingly, it may be more reasonable to expect the Business Units to derive statistics and pull information from business-specific metrics or reports as part of its LOB AMLRA, while an Audit AMLRA may reflect a combined approach of independently deriving some pieces of information and leveraging other pieces, such as by discussing pre-existing information from prior risk assessments (e.g., country, client, LOB, product) or material from previously identified issues (e.g., audit, regulatory) [7].

Likewise, a firm-wide customer risk assessment process is generally conducted by the business line, compliance or risk departments and focuses on determining which individual customers should be ranked as high risk (HR) based on the firm's approved customer risk rating model. When Audit conducts an assessment of customer risk for audit planning purposes, they are likely interested in assessing the aggregate level of customer risk within a particular business area, and thus it makes sense for an Audit AMLRA to focus on determining the proportion of customers that are categorized as HR as per the existing firm-wide customer risk assessment.

Ideally, an effective Audit AMLRA should assist with audit decisions relating to: a) whether the FI's risk assessment processes are effective; b) what Business Units should be audited; c) what AML components within a Business Unit may warrant testing coverage; d) the frequency for which a Business Unit may need to be tested; e) prioritization and timing of audit coverage across Business Units; and f) potential resourcing demands for conducting the resulting audits.

[7] While the business risk assessments and corresponding data should be tested as part of a comprehensive Audit program, it may not always be feasible to substantiate and independently validate all pieces of information as part of the Audit AMLRA process due to timing constraints, such as annual planning deadlines, and other challenges, including a large volume of assessments requiring completion by Audit. As such, rather than testing all referenced firm-wide risk assessments (country, client, LOB, product, etc.) and independently deriving all information used for the Audit AMLRA, the Audit AMLRA may be conducted more efficiently at the risk assessment stage by allowing for some level of reliance on existing information when drawing conclusions. In these instances, Audit should have a reasonable level of comfort that the leveraged information is accurate and/or reliable (such as through previous validation exercises). Although not encouraged, in situations where Audit may reference or leverage information that has not been previously verified or that relates to known issues or concerns, Audit should document this and flag it for subsequent substantiation and testing. If, for instance, the Audit AMLRA relies on the product risk assessment for support that remote deposit capture is a HR product and then relies on the LOB risk assessment for support that 50% of customers within Retail Banking use remote deposit capture, then Audit may want to consider separate audits for both the product and LOB risk assessments to support its inferences.
The sharing of Audit's AMLRA results with the business line may be a win-win gain. The audit department may want to consider whether it makes sense to establish a vehicle for sharing relevant results with the business and, if so, under what circumstances. Certain findings, such as differences in opinions, potential testing areas, open questions regarding specific data or otherwise helpful information, may on occasion be useful to provide sooner rather than later to assist with clarifying issues, resolving discrepancies and expediting corrective action.
Assumptions

The guidance provided herein is based on the following assumptions:
- The audit department has an existing risk assessment process for its annual audit planning.
- The audit department has an existing scoring model/methodology (e.g., definitions, weightings, numerical criteria) [8].
- For each Business Unit within the FI, there are one or more individuals within the audit department who understand the business and are familiar with the business' unique risks.
- The audit department has one or more AML subject matter experts and/or would be willing to hire additional AML resources.
DEVELOPING AN AUDIT AML RISK ASSESSMENT TOOL

Overview

The development of a robust risk assessment model is largely, if not completely, dependent upon the individual elements that are chosen as the risk and control environment factors to be assessed and evaluated. Based on the Federal Financial Institutions Examination Council (FFIEC) [9] and other leading industry sources, there are certain categories of inherent AML risk that apply broadly across the financial industry and are universally accepted as standard risks that must be addressed. As explained by the Federal Deposit Insurance Corporation (FDIC), "[i]nherent risks are the risks that exist before the application of controls intended to mitigate those risks. Clearly identifying inherent risks is particularly beneficial in making determinations for the scope and frequency of audit and independent reviews, determinations that should be based on a financial institution's assessment of inherent risk without assuming that controls are functioning as intended. Residual risks are those that exist after the application of controls. In this context, risks cannot be completely eliminated, even though layered security may reduce risk to an acceptable level." [10]

Primary inherent AML risks relate broadly to an FI's:

Pursuant to an FI's obligation to maintain an adequate AML compliance program, FIs are expected to establish a control environment that minimizes and, where possible, safeguards against AML risks. From an Audit perspective, when evaluating an individual Business Unit's control environment, the audit department should, at a minimum, assess the current state relating to:
- Know Your Customer Practices.
- Suspicious and/or Unusual Activity.
- OFAC and Sanctions.
- Employee AML Expertise and Coverage.
- Management and Oversight.
- Policies, Procedures and Processes.
- Operations and Technology.

[8] See Appendix D for helpful resources for rating and scoring.
[9] See 2010 FFIEC Bank Secrecy Act/Anti-Money Laundering Examination Manual.
[10] See From the Examiner's Desk: Customer Information Risk Assessments: Moving Toward Enterprise-wide Assessments of Business Risk.
According to the Association of Anti-Money Laundering Specialists (ACAMS) [11], commonly cited risk assessment weaknesses by regulatory authorities include: a) assessments were not performed and/or not evidenced through documentation; b) assessments did not include all lines of business or entities; c) assessments did not consider all major risk categories; d) there was a lack of methodology for assigning risk ratings/levels; and/or e) policies and procedures were not commensurate with the institution's risk profile. The following sections will explore the art and science of forming a well-crafted AML risk assessment.

Auditors and regulators may be considered the primary audience. The two key players who will be using the tool the most are the auditor completing Audit's assessment and the AML examiner evaluating Audit's assessment. This is a helpful consideration when designing the tool.

A closer look

At the very least, an AMLRA tool should be conducive to the identification, quantification, assessment and documentation of the level of risk within a Business Unit. A strong design leads, directs and guides the auditor's focus and helps the auditor to successfully execute these functions while avoiding generalizations. By highlighting key focal points and providing clear descriptions and examples of pertinent risk and control considerations within the design of the tool itself (e.g., the template completed by the auditor or accompanying guidance), the tool can pave the way for a more efficient assessment that reflects stronger quantitative and qualitative analysis.

The following section is a high-level illustration of relevant considerations that can be incorporated into, or addressed as part of, the design to improve the consistency and quality of risk assessment results, including better narratives (e.g., written rationale, executive summaries) and more detailed evaluations of the relevant Business Unit(s). While the following elements do not represent a restrictive list, the framework is intended to broadly capture all facets of an AML program and serve as a comprehensive set of considerations with the flexibility to address additional items that may not be specifically mentioned herein.

COSO notes that a risk assessment allows an entity to consider the extent to which potential events have an impact on the achievement of objectives. Management assesses events from two perspectives, likelihood and impact, and normally uses a combination of qualitative and quantitative methods. The positive and negative impacts of potential events should be examined, individually or by category, across the entity. Risks are assessed on both an inherent and a residual basis. Inherent risk is the risk to an entity in the absence of any actions management might take to alter either the risk's likelihood or impact. Residual risk is the risk that remains after management's response to the risk.

The COSO ERM Framework notes that the risk assessment component is a continuous and iterative interplay of actions that take place throughout the entity. While managers responsible for business unit, function, process, or other activities develop a composite assessment of risk for individual units, entity-level management should consider risk from a portfolio perspective.

Sources: The FDIC's Internal Risk Management Program (November 2007), Report No. EVAL-08-001; Internal Control Integrated Framework (COSO, 1992, 2004).

[11] See Spotlight on Large Institutions: Conducting Enterprise-Wide AML Risk Assessments that Go Beyond the Expectations of Examiners and Senior Management, ACAMS; June 26, 2013.
Inherent Risks

The process of identifying and assessing the degree of inherent risk within a Business Unit will help to quantify the extent of residual risk, which in turn can inform audit planning decisions such as whether to include a Business Unit in the annual plan, and if so, at what testing frequency and scope.

Potential inherent risk areas include, but are not limited to:
Customers

Certain customers [12] may pose a higher risk of money laundering and/or terrorist financing with respect to unique characteristics, such as the nature of their business (for legal entities), their occupation (for individuals), the duration of the relationship with the FI and/or the number of accounts across various business lines. The focus of Audit's assessment should be on identifying the extent to which the Business Unit's customer population reflects high-risk characteristics based on the risk attributes that have been considered.

Potential considerations for assessing the level of risk (i.e., high, medium, low) include:

- HR Customer Types: Most large multinational FIs maintain compliance-approved lists that reflect the FI's agreed-upon categorizations for HR customer types. This commonly includes particular industries/occupations (e.g., small arms manufacturing, used car dealers) or other designated customer categories that may require special due diligence (e.g., non-governmental organizations, bearer share entities, money services businesses and foreign exchange houses, third-party payment processors, politically exposed persons [PEPs]). An appearance on such a list does not necessarily indicate that the customer should be treated as a HR customer; however, it does suggest that the customer has one or more HR characteristics that warrant further consideration. The final decision to assign a HR rating is generally governed by a separate customer risk assessment model that considers a variety of customer-specific factors such as location, products used, ownership attributes, the presence of anti-money laundering systems, extent of regulatory oversight and/or material negative information (e.g., associations with enforcement actions, sanctions, criminal activity, government inquiries, known money laundering). When evaluating a particular Business Unit's customer base, it may be helpful to consider both the FI's assigned risk rating for the customer as well as other individual risk factor components that may influence AML risk.

- Duration of Relationship: The length of a client relationship as indicated by account maturity (i.e., based on the date that the first account was opened with the FI) may be an indicator of how well the FI knows its customer. FIs tend to have a better understanding of their customers' expected activities and behavior when they have had time to observe them and interact with them.

- Closed/Blocked Accounts: Frequent bank-initiated account closures and/or account blocks may be indicative of customer characteristics or transactions that are either unexplained, questionable or undesirable.

- Number and Nature of Accounts: Customers who have accounts or access to services across multiple Business Units, as well as customers with accounts that offer enhanced or flexible features (e.g., higher transaction limits, minimal restrictions), may present increased risk exposure due to their ability to conduct a wider range of activities such as those involving additional products/services, delivery channels, locations or account types. These customers may engage in complex, frequent and/or diverse transactions within the FI and may pose additional monitoring and control challenges. In addition, where customers have a footprint across multiple Business Units, there is a higher potential for confusion over accountability and respective responsibilities.

[12] According to the FFIEC, "[a] customer is a person (an individual, a corporation, partnership, a trust, an estate, or any other entity recognized as a legal person) who opens a new account, an individual who opens a new account for another individual who lacks legal capacity, and an individual who opens a new account for an entity that is not a legal person (e.g., a civic club). A customer does not include a person who does not receive banking services, such as a person whose loan application is denied." As defined in 31 C.F.R. 103.121(a)(1), "[a]ccount means a formal banking relationship established to provide or engage in services, dealings, or other financial transactions including a deposit account, a transaction or asset account, a credit account, or other extension of credit. Account also includes a relationship established to provide a safety deposit box or other safekeeping services, or cash management, custodian and trust services."
Magnitude provides perspective; be sure to consider context when assessing and documenting statistics and other metrics. The use of quantitative information is instrumental in signaling the quality and credibility of a risk assessment; however, numbers without context are just noise. When collecting, reviewing and documenting metrics for assessing risk, it is important to consider both the absolute numbers and changes in those numbers within the context of the Business Unit, including clear demonstration of the relative significance within the assessment. A certain number of HR customers within one Business Unit may have a very different connotation than the same number of HR customers in another area, depending on factors such as the proportion of the overall population represented. Similarly, two Business Units may have the same number of new customer relationships; however, one of these may have rapidly increased the number of new customers within the past year. Material increases or decreases should be evaluated and documented within the assessment.
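The point that a raw HR customer count reads differently depending on the population it sits in and on how it has moved since the prior year can be made concrete in a small rating routine. The Python below is an added example, not code from the white paper or from any institution's tool; the metrics it collects, the thresholds (HR share, material year-over-year change, bank-initiated closure share) and the Low-to-Medium bump on rapid HR growth are illustrative assumptions, not guidance from the paper or a regulator.

```python
"""Customer-risk factor rating for an Audit AMLRA, with written rationale.

Added example. Thresholds and the bump rule are assumptions chosen to show
why counts must be read as a proportion of the population and alongside
their change over time, not as absolute numbers.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CustomerMetrics:
    """Constructed per-Business-Unit figures an auditor might collect."""
    business_unit: str
    total_customers: int
    hr_customers: int              # rated HR under the firm-wide customer model
    hr_customers_prior_year: int   # same figure from the prior assessment
    bank_initiated_closures: int   # closures/blocks initiated by the FI


# Assumed thresholds (illustrative only).
HR_SHARE_HIGH = 0.10        # >= 10% of the population rated HR
HR_SHARE_MEDIUM = 0.03      # >= 3% rated HR
MATERIAL_CHANGE = 0.25      # +/- 25% year-over-year change in HR population
CLOSURE_SHARE_FLAG = 0.02   # >= 2% of customers closed/blocked by the bank


def rate_customer_risk(m: CustomerMetrics) -> dict:
    """Return the rating, the metrics behind it and a rationale sentence
    of the kind the assessment should record for the reviewing examiner."""
    if m.total_customers <= 0:
        raise ValueError("total_customers must be positive")
    hr_share = m.hr_customers / m.total_customers
    if m.hr_customers_prior_year > 0:
        change = (m.hr_customers - m.hr_customers_prior_year) / m.hr_customers_prior_year
    else:
        change = float("inf") if m.hr_customers > 0 else 0.0
    closure_share = m.bank_initiated_closures / m.total_customers

    # Base rating comes from the proportion, not the absolute count.
    if hr_share >= HR_SHARE_HIGH:
        rating = "High"
    elif hr_share >= HR_SHARE_MEDIUM:
        rating = "Medium"
    else:
        rating = "Low"

    flags = []
    if abs(change) >= MATERIAL_CHANGE:
        flags.append(f"material change in HR population ({change:+.0%} year over year)")
        if rating == "Low" and change > 0:
            rating = "Medium"   # assumed rule: rapid HR growth warrants attention
    if closure_share >= CLOSURE_SHARE_FLAG:
        flags.append(f"bank-initiated closures/blocks at {closure_share:.1%} of customers")

    rationale = (f"{m.business_unit}: {m.hr_customers} HR customers of "
                 f"{m.total_customers} ({hr_share:.1%}); rated {rating}.")
    if flags:
        rationale += " Flags: " + "; ".join(flags) + "."
    return {"business_unit": m.business_unit, "rating": rating, "hr_share": hr_share,
            "yoy_change": change, "closure_share": closure_share,
            "flags": flags, "rationale": rationale}


# Constructed sample: both units report the same 500 HR customers.
SAMPLE = [
    CustomerMetrics("Retail Banking", 50_000, 500, 480, 300),
    CustomerMetrics("Private Banking", 2_500, 500, 350, 10),
]

if __name__ == "__main__":
    for unit in SAMPLE:
        print(rate_customer_risk(unit)["rationale"])
```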
ProductsandServicesCertainproducts/servicesposeahigherriskofmoneylaunderingand/orterrorist
financingdependingonthenatureoftheproducts/servicesandthecapacityinwhichtheymaybeused.Particular
products/services,forinstance,maysupportahigherdegreeofanonymity(e.g.,prepaidcards,Internetbanking,
virtualcurrency),allowforthirdpartyengagement(e.g.,remotelycreatedchecks[RCCs],U.S.dollardrafts)or
facilitatethehandlingofhighvolumesofcurrencyorcurrencyequivalentsacrosslessregulatedjurisdictions(e.g.,
crossborderwiretransfers).Products/servicestraditionallyviewedaslowerriskmaywarrantacloserreview
shouldtheypossessmodificationsoraccommodationsthatallowforhigherriskactivity.Likewise,bynatureofthe
products/servicesoffered,aBusinessUnititselfmayposeenhancedsusceptibilitiesduetoitsinherent
relationshipwithacustomer(i.e.,iftheBusinessUnithascloseorpersonalizedinteractionwithwealthy,
influential,orotherwiseimportantcustomers)orifitisanticipatedthatsignificantprofitorbusinessmaybe
generatedbytheBusinessUnitbasedonitscustomertypes,suchaswhatmightbeexpectedfromhighnetworth
individuals.ThefocusofAudit'sassessmentshouldbeonevaluatingthetypesofproducts/servicesoffered
(includingassociatedbusinessstrategiesandrelationships)andtheextenttowhichtheBusinessUnit'scustomers
eitheruse,orhavetheabilitytouse,products/servicesthatpresenthighoruniqueAMLrisk.
Potentialconsiderationsforassessingthelevelofrisk(i.e.,high,medium,low)include:
HRProductsandServicesMostmultinationalFIsmaintaincomplianceapprovedliststhatreflecttheFI's
categorizationsforHRproducts/services.Thiscommonlyincludesparticularproducts/servicesthatare
complexinnatureorthatofferthepotentialforanonymity,speedortransferability(e.g.,remotedeposit
capture[RDC],tradefinance,payablethroughaccounts,prepaidcards,certaintypesofmobiletechnology).
Agreaternumberofcustomersthatuse,orareexpectedtouse,HRproducts/serviceswithinaparticular
businesscouldpresentadditionalchallengesinmonitoring,understandingand/ordetectingAMLrisks.In
addition,considerationshouldbegiventohowproducts/servicesarebeingusedandwhethertheremaybe
uniqueAMLrisksthatarenototherwisecapturedbytheproduct/serviceriskrating.Alowormediumrisk
product/servicemaypresenthigherAMLriskdependingonparticularcharacteristics,modificationsorthe
overallcapacityinwhichtheproduct/servicemaybeused(e.g.automatedclearinghouse[ACH]
transactionsmaynotnecessarilyberatedasHR,butthesetransactionmayoffertheopportunityfor
unidentifiednoncustomerstoaccesstheFIsinternalsystems).Ingeneral,thepotentialfornonHR
products/servicestobeusedasaconduitformoneylaunderingishigherinenvironmentswherecontrolsare
conventionallylooseoraltogetherabsent.
NewProductsandServicesABusinessUnitwithagreaternumberofnewproducts/servicesmay
poseahigherriskthanaBusinessUnitwithmoreestablishedandfamiliarproducts/servicesthathavebeen
previouslyevaluated,monitoredand/orused.Products/serviceswithshortershelflivestendtopresent
ahigherdegreeofuncertaintyastohoweachproduct/servicemaybeusedandthesubsequentpotential
formisuse.
Degree of Business/Sales Generated from HR Products and Services: Although a Business Unit may not offer a significant number of HR products/services (or have a significant number of customers who use HR products/services), this does not necessarily negate the risk of having a relatively high amount of revenue generated from the use of HR products/services. A smaller concentration of customers with enhanced usage or large-dollar-value transaction activity deriving from HR products/services may also be an indicator of AML risk.
Risk Tolerance and Business Strategies: Business Units with a higher tolerance for risk are inherently more risky, regardless of the controls that may be in place. Indicators of a high risk appetite [13] might include: a willingness to accept higher-risk customers or to provide HR products/services, expansion of products/services into riskier jurisdictions, lax commitment to implementing critical AML processes or controls (e.g., through an approval or exception process that allows the Business Unit to deviate from normal protocol) or radical and frequent changes in business strategies.
Transaction Activity

Certain transactional behavior and patterns, such as a high volume of transactions, large aggregate dollar amounts of activity or transactions entering and leaving accounts at high speeds (also known as velocity), may warrant further attention, as money laundering and/or terrorist financing often involves transaction activity characterized by complex flows, higher speeds and sometimes larger dollar amounts so as to obscure audit trails of select transactions and accumulate sufficient funds to support criminal intentions. In addition, a high volume of transactions involving HR jurisdictions, transactions involving indirect customers and/or otherwise unexplained or unreasonable behavior may be indicative of potential money laundering and/or terrorist financing. The focus of Audit's assessment should be on evaluating the transaction profile for the Business Unit and the extent to which the Business Unit reflects transaction activity that may be indicative of enhanced AML risk.
[13] According to the International Organization of Supreme Audit Institutions (INTOSAI), "[r]isk appetite is the amount of risk on a broad level that an entity is willing to accept in seeking to achieve its objectives. It reflects the risk management philosophy and in turn influences the entity's culture and operating style. Risk appetite can be considered quantitatively or qualitatively. It should be considered in strategy setting, where the desired return from a strategy should be aligned with the risk appetite, that is the willingness to accept or tolerate risk... [r]isk tolerances are the acceptable levels of variation relative to the achievement of objectives. They can be measured through performance targets. Often performance targets are best measured in the same units as the related objectives. Operating within risk tolerances provides management greater assurance that the entity remains within its risk appetite and will achieve its objectives." http://www.issai.org/media/13341/intosai_gov_9130_e.pdf
Potential considerations for assessing the level of risk (i.e., high, medium, low) include:
Activity Involving HR Products/Services: A Business Unit with a high overall volume and/or dollar value of activity involving products/services that are considered to be HR by the Business Unit may pose higher risk than a Business Unit that reflects less activity involving HR products/services. In certain circumstances, an increase in the absolute volume and/or dollar value, as well as an increase in the overall velocity of HR and non-HR transactions, may be indicative of enhanced AML risk. Consideration should also be given to the dollar value size of individual transactions involving HR products/services and the total number of accounts (and any identified increases in the number of accounts) within the Business Unit that involve HR activity as described above.
International Activity: A high absolute level (e.g., volume) and/or high absolute amount (e.g., dollar value) of international activity and/or significant increases in either the volume of international transactions or the dollar value of international transactions may present additional money laundering and/or terrorist financing risk, as particular countries may be more vulnerable to money laundering and/or terrorist financing due to lax or nonexistent controls, laws and/or regulations. International activity includes cross-border and intra-country activity involving international jurisdictions.
Transactions Involving Indirect Parties: Transactions involving parties who are not customers of the FI or transactions routed through third parties pose additional challenges in monitoring, understanding and/or detecting AML risks, as there is no direct relationship with the FI. This may occur when customers are correspondent banks that provide access to third-party foreign financial institutions through nested accounts or where the customer is a third-party payment processor (such as PayPal or Amazon) that provides payment processing services to merchants and other business entities that do not have a relationship with the FI. As such, due to the absence of information surrounding these often unidentified persons, it is more difficult to identify, understand and assess their behavior.
Reportable Transaction Activity: Activity reports are effective mechanisms for identifying potentially suspicious, questionable or unreasonable customer behavior. A Business Unit that reflects a significant level of reportable transaction activity may pose a higher risk than a Business Unit that does not exhibit such behavior. Transaction activity reports include suspicious transaction reports (STRs), suspicious activity reports (SARs) and other related reports such as currency transaction reports (CTRs).
Geographic Presence

There are certain jurisdictions that are recognized as being more susceptible to money laundering and/or terrorist financing based on their potential to facilitate the movement, concealment and use of illicit funds. Geographies characterized by weaker regulatory environments, higher levels of corruption, legal uncertainty and political and economic instability, for instance, present difficulties in detecting and deterring illegal operations. An extensive amount of work has been performed by established and internationally recognized organizations (e.g., OFAC, Financial Crimes Enforcement Network [FinCEN], Financial Action Task Force [FATF], Transparency International) to evaluate and risk rate countries based on their capacity to foster money laundering. Available informational sources and lists include the FATF Black List; the Section 311 designated countries list; the Specially Designated Nationals (SDN) and Blocked Persons List; countries subject to OFAC sanctions; offshore financial centers (OFC); high intensity drug trafficking areas (HIDTA); high intensity financial crime areas (HIFCA); as well as other non-U.S. lists. In addition, many FIs with an international presence tend to have a process in place for leveraging and consolidating the available country risk information to develop their own internal country lists that are then tailored for their specific organization. The focus of Audit's assessment should be on evaluating the extent to which the Business Unit is involved with higher-risk jurisdictions as indicated by the FI's preexisting country risk ratings.
Potential considerations for assessing the level of risk (i.e., high, medium, low) include:
Customers in HR Locations: A significant number of customers with a known presence in a HR location may pose increased money laundering and/or terrorist financing risk due to their ability to accumulate and route funds through less secure regions. A presence may be inferred from an operating address, a residential address or any other known address that may be indicated in the customer's profile.
Physical Presence in HR Locations: The extent to which a Business Unit is involved with HR jurisdictions may, to some degree, be reflected by whether the Business Unit has access to a physical operating branch or legal entity within a HR jurisdiction.
Transactional Activity with HR Locations: The extent to which a Business Unit is involved with HR jurisdictions may, to some degree, be reflected by the number of customers who exhibit frequent transactions within HR jurisdictions and/or the number of customers with account features or products that indicate activity with foreign locations (e.g., cross-jurisdictional wire transfers, international ACH transactions).
You might not own customers or products, but look deeper for potential AML risk. Not all AML risks may be identified through the same lens. Each Business Unit has different risks depending on its activities and how business is conducted. AML risk might be more apparent for Business Units that directly own customers, such as an investment banking division; however, for other areas such as technology, proprietary trading desks or Business Units that sell or develop products on behalf of other businesses, it may be less obvious as to how inherent risks should be identified, rated and discussed within the AML RA.

In these instances, it helps to consider transactional activity (e.g., with vendors or counterparties) and to think holistically about the Business Unit's potential (e.g., in the absence of controls) to influence AML risk, such as whether the Business Unit affects risk in other business areas within the FI. A technology function, for instance, may provide AML data to a retail business to assist it in understanding its customer segmentation. If this data is incorrect and subsequently relied upon, it may lead to unintended business decisions, such as onboarding additional HR customers. Likewise, if a Business Unit's KYC system experiences lost or altered customer information as a result of a request for the technology function to implement system updates, customers may wind up with inaccurate risk ratings or improper due diligence. An assessment that is attentive to potential impact and considers risk in isolation of the control environment can help to draw out those less obvious inherent risks.
Control Environment and Risk Mitigants

A well-designed risk assessment tool should demonstrate that a strong control environment is a continuous feedback loop of interconnected areas within the AML program requiring ongoing and enterprise-wide evaluation.
Potential control environment areas include, but are not limited to:
Know Your Customer (KYC)

KYC encompasses all practices relating to the collection, review and verification of customer information. The process of gathering information is an ongoing risk-based cycle that begins with verifying the customer's identity and obtaining a preliminary understanding as to the potential risks associated with the customer. This initial risk profile, which includes customer details such as identifying information (e.g., legal name, address, government identification number) and basic due diligence (e.g., customer type, anticipated activity, name screening results), is often used to risk rate the customer (i.e., high, medium, low) in accordance with the FI's customer risk scoring methodology. The relationship between customer information and perceived risk is bidirectional: customer details inform the level of risk, and the level of risk governs the extent of required customer information.
The essence of KYC is to enable the FI to form a reasonable belief as to the identity of the customer and to obtain an understanding of the customer's expected behavior, including the ability to identify abnormalities. The information accumulated through this process feeds and informs all pillars of the AML program and, as such, policies, procedures and processes should be in place for obtaining, validating and updating customer information in a manner that allows for effective detection, monitoring, investigating and reporting of suspicious activity. KYC requirements and functions, including customer identification programs (CIP), customer due diligence (CDD), enhanced due diligence (EDD) and special circumstances due diligence, should be clearly defined and aligned to customer attributes and risks. Enhanced or specialized customer due diligence practices (e.g., for correspondent or private banking accounts) should be in place for customers who pose increased or unique AML risks. The focus of Audit's assessment should be on evaluating the strength of the Business Unit's KYC practices, its ability to collect and maintain complete and relevant information, and the capacity to use this information to make appropriate decisions regarding the level of customer risk.
Potential considerations for assessing the strength (i.e., strong, adequate, weak) of the control include:
Exceptions or Waivers: Throughout the financial services industry, there has been increased focus on developing internal policies, procedures and/or standards that promulgate a consistent and comprehensive approach to conducting KYC. Although deviations from agreed-upon practices may be reasonable in specific circumstances, a significant number of exceptions or waivers may pose additional challenges in maintaining adequate and consistent information and may weaken the control environment. In addition, the nature of the exception or waiver may play a role in the level of risk. For instance, relevant characteristics such as the duration (temporary versus permanent), the location (high-risk country versus low-risk country) or the scope (one-off or across a particular group) should be considered when assessing the risk. As a best practice, a process should be in place to ensure that exceptions, waivers or deviations are approved, documented and supported. In instances where temporary exceptions or waivers are permitted, formal tracking and follow-up processes (e.g., automated flags or reports) should be in effect.
Reliance: Reliance on other Business Units or third parties to perform KYC processes or to provide customer information is at times appropriate. This might apply to instances where a customer has an account with another Business Unit that maintains KYC, or where a central utility executes KYC functions. Despite the value in leveraging preexisting resources, the opportunity for oversights or deficiencies in maintaining adequate customer information may arise in instances where a Business Unit does not fully own the process or possess proper management controls. Extensive reliance (particularly in instances where governance over the reliance is weak) may diminish the Business Unit's ability to demonstrate that it understands its customer. Instances involving reliance should be documented, approved and monitored to ensure that the Business Unit is effectively managing KYC and is aware of relevant risks. Supplemental measures on the part of the business, such as an oversight program that includes quality control checks or monitoring processes to supervise and report on the activities performed by other Business Units or third parties, can help to maintain sustainability and minimize reliance threats.
Completeness of Customer Information: Customer profiles that lack the required KYC components fail to adequately represent the customer and may result in inaccurate risk ratings. A misalignment between the customer's current risk rating and the available KYC information can hinder the Business Unit's ability to understand the customer and identify risk. Frequent or repetitive occurrences of customer accounts with incomplete or deficient information may indicate systematic weaknesses in the KYC process.
Renewals, Updates and Periodic Reviews: Performing periodic risk-based renewals and maintaining up-to-date customer information are critical components of understanding the customer base. This involves looking for changes in KYC information (e.g., expected account activity, employment or business details, business ownership, etc.) as well as being cognizant of HR activity in low-risk accounts. Customer profiles with outdated information may indicate additional risk exposure, as there may be instances where a customer's risk rating should be elevated and/or additional information collected. Best practices include updating customer information and reassessing customer risk ratings in accordance with established policies and procedures.
Customer Name Screening (see the OFAC and Sanctions control section for details on OFAC screening): An essential aspect of "knowing your customer" lies with performing customer name screening and list comparison searches. This function usually occurs at account opening and renewal stages and includes the identification of PEPs, customers who may appear in section 314(a) search requests, customers who are subjects of adverse information or customers who appear on internal "bad guy" lists (e.g., customers with whom the FI may not want to conduct business). Processes for continual screening of customer names against relevant internal and external databases or lists should be in place. In addition, policies and procedures should, at a minimum, define material versus immaterial matches, articulate the screening process (including escalation or referral points) and clearly indicate expected screening requirements by customer type and related parties (e.g., beneficial owners, authorized signers, powers of attorney, persons with authority to influence the account or respective funds). Where automated screening mechanisms are employed, at a minimum, testing procedures should be documented and followed, and algorithms, such as fuzzy logic, should be supported (e.g., rationale for how threshold levels were selected). As a best practice, internal and external sources (e.g., LexisNexis, World-Check, Internet searches) should be accompanied by instructions for usage, and reviews should be conducted (and documented) periodically to confirm that practices are consistent and that data sources remain effective and reliable. In instances where this function is performed by a central screening unit or equivalent utility, auditors (through discussions with the business) should illustrate an understanding of the control environment and discuss additional considerations, such as the risk impact of a control failure or the degree of communication between the business and the central screening unit.
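The paragraph above asks that fuzzy-logic screening be "supported" with a documented rationale for the threshold and with repeatable tests for misspellings and name derivations. The following is an added illustration, not code from the white paper or from any screening vendor: a minimal name-screening routine on the Python standard library (difflib) plus a constructed, labelled test set that is swept across candidate thresholds so the chosen value can be justified and re-tested at each periodic review. The watch list, names and labels are all constructed sample data.

```python
"""Fuzzy customer-name screening with a documented threshold rationale.

Added example (not from the white paper): a minimal screening routine
built on difflib, plus a labelled test set that shows how a similarity
threshold can be justified and re-tested. All data below is constructed.
"""
import re
from difflib import SequenceMatcher

# Constructed watch list (stand-in for an internal "bad guy" or PEP list).
WATCH_LIST = ["John Smith", "Maria Garcia Lopez"]

# Constructed labelled cases: (name as entered, should_alert).
# The True cases cover what the paper says filters must be tested for:
# punctuation/word-order variants, misspellings and partial derivations.
TEST_CASES = [
    ("Smith, John", True),          # same name, different order/punctuation
    ("JON SMYTH", True),            # misspelling
    ("Lopez, Maria Garcia", True),  # reordered compound name
    ("Maria Garcia", True),         # missing surname component (sits at 0.8)
    ("Jane Doe", False),            # unrelated customer
    ("Peter Jones", False),         # unrelated, shares a few letters
]


def normalize(name: str) -> str:
    """Casefold, drop punctuation and sort tokens so word order is irrelevant."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", name.casefold()).split()
    return " ".join(sorted(tokens))


def similarity(a: str, b: str) -> float:
    """Similarity in [0, 1] between two names after normalization."""
    return SequenceMatcher(None, normalize(a), normalize(b)).ratio()


def screen(name: str, watch_list=WATCH_LIST, threshold: float = 0.8):
    """Return [(list_entry, score)] for every entry scoring at or above threshold."""
    scored = [(entry, similarity(name, entry)) for entry in watch_list]
    hits = [h for h in scored if h[1] >= threshold]
    return sorted(hits, key=lambda h: h[1], reverse=True)


def evaluate_threshold(threshold: float, cases=TEST_CASES, watch_list=WATCH_LIST):
    """Score one threshold against the labelled cases.

    Returns (true_hits, misses, false_positives): the figures an auditor
    would expect to see in the written rationale for the threshold.
    """
    true_hits = misses = false_positives = 0
    for name, should_alert in cases:
        alerted = bool(screen(name, watch_list, threshold))
        if should_alert and alerted:
            true_hits += 1
        elif should_alert:
            misses += 1
        elif alerted:
            false_positives += 1
    return true_hits, misses, false_positives


if __name__ == "__main__":
    # Sweep candidate thresholds: the documented choice is the value that
    # catches every known derivation without alerting on the negatives.
    for t in (0.7, 0.8, 0.9):
        print(f"threshold {t:.1f}: hits/misses/false positives = {evaluate_threshold(t)}")
    print("JON SMYTH ->", screen("JON SMYTH"))
```

Re-running the sweep whenever the watch list, normalization or matching algorithm changes is the "testing procedure" the paragraph calls for; the boundary case that scores exactly at the threshold is the one to record explicitly.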
KYC metrics are instrumental in providing a collective view of risk. In addition to being used to derive individual customer risk profiles, KYC information can be aggregated at various levels (such as by business or location) to compare actual risk to a predetermined risk appetite. If, for instance, a particular Business Unit has a low risk appetite for PEPs, but KYC metrics indicate that 20% of the customer base is comprised of PEPs, the Business Unit may wish to adjust its risk tolerance or reduce the number of PEPs. Collective views of KYC can assist with managing risk and assessing the current state of the customer portfolio (e.g., by customer types, products/services, geographies or transaction activity). As such, reporting processes should be in place and aligned with risk management objectives.
Potentially Suspicious and/or Unusual Activity

FIs are required under the BSA to monitor, detect and report suspicious transactions. As such, FIs are expected to be vigilant and to establish formal methods for effectively evaluating customer activity, managing alerts, conducting investigations and determining whether to file a SAR or an STR (non-U.S. suspicious transactions report). This includes recognizing and escalating activity where appropriate. A robust control environment should include well-defined and effective processes for promptly detecting, monitoring, escalating, investigating, decision-making and filing potentially suspicious and/or unusual activity (referred to collectively as PSUA for the purposes herein). Certain aspects of these functions may apply to the Business Unit and/or separate dedicated areas that specialize in activities such as monitoring, escalation or investigating. Where activities are fragmented or shared among several areas, all parties should maintain an open and continuous dialogue, and the roles and responsibilities among all functions should be clear and established. This allows Business Units to more efficiently share information, reduce redundancies and manage activity that requires attention. In all aspects of the SAR process, controls should be in place to ensure confidentiality and security. The focus of Audit's assessment should be on evaluating the Business Unit's ability to comply with regulations and law enforcement requests, as well as its capability for managing PSUA, with attention given to technology, processes and controls.

"Financial institutions are responsible for apprising federal law enforcement authorities of any known or suspected violation of a federal criminal statute and of any suspicious financial transaction. Suspicious financial transactions can include transactions that the bank suspects involved funds derived from illicit activities, were conducted for the purpose of hiding or disguising funds from illicit activity, otherwise violated the money laundering statutes (18 U.S.C. 1956 and 1957), were potentially designed to evade the reporting or recordkeeping requirements of the Bank Secrecy Act or transactions the bank believes were suspicious for any other reason." (Federal Register, Vol. 60, No. 178)
Potential considerations for assessing the strength (i.e., strong, adequate, weak) of the control include:
Detection and Monitoring: FIs have a number of channels through which to identify PSUA. At a high level, these include: activities conducted as part of normal operations (e.g., manual monitoring, such as activity observed and referred by employees); activities conducted as a result of law enforcement and government requests (e.g., subpoenas, national security letters, section 314(a) and 314(b) information sharing); and information obtained via surveillance monitoring systems. The Business Unit is responsible for ensuring that it has access to transaction reports and system output as necessary to identify relevant PSUA and satisfy reporting obligations. At a minimum, the following reports should be reliable, complete and routinely available: currency activity reports, funds transfer reports, velocity of funds reports, wire transfer records, monetary instrument reports, large item reports, significant balance change reports and non-sufficient funds reports. Automated monitoring mechanisms and related technology (e.g., commercial products such as Fiserv, Oracle or SAS as well as in-house solutions) are often used to capture, monitor and alert on PSUA on a continuous basis. As a best practice for ensuring that these systems are effective, parameters and filters should be designed and subsequently tailored to focus on activity that is relevant to the Business Unit and that reflects an in-depth understanding of the customer base.
A periodic review of parameters and filters, including testing for gaps, applying statistical/correlation analysis to results (e.g., to assess for reasonableness), determining whether monitoring scenarios are comprehensive and performing fine-tuning to account for known risks and red flags (e.g., U-turn transactions, activity with sanctioned countries, wire transfers involving financial secrecy havens, transactions involving casas de cambio, unusual fund transfers between related accounts or transactions that exceed predefined thresholds), should be in place to further enhance the effectiveness of the monitoring tool(s). In addition, this review should evaluate the appropriateness of any existing exceptions to monitoring rules, such as particular transaction types (e.g., intercompany transfers) or customers (e.g., "good guy" lists compiled by the FI) that may have been approved to bypass monitoring channels. To assist with calibrating and benchmarking the effectiveness of filters, existing management information system (MIS) data, such as performance ratios (e.g., alert-to-case metrics), should be reviewed to determine whether the results make sense and appear meaningful. This may involve testing above and below monitoring thresholds to observe the resulting outcomes. Although third-party vendors may have been used (e.g., for system implementation or for establishing rules), testing and fine-tuning activities should be performed either in conjunction with or independent of the third party to avoid over-reliance. Further, by ensuring that testing is conducted in a consistent fashion throughout the FI, as opposed to performing it in isolation, the FI is better positioned to manage risk.
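The two paragraphs above describe the reports a monitoring function rests on (large item, velocity of funds, aggregate activity) and the practice of testing above and below a threshold to observe the outcome. As an added, self-contained illustration that is not code from the white paper or from any of the vendor products it names, the following implements three such scenarios over a constructed transaction sample and includes a boundary test of the kind an auditor would want to see in the parameter review file. Thresholds, accounts, timestamps and amounts are constructed.

```python
"""Transaction-monitoring scenarios with above/below-threshold tests.

Added example (not from the white paper or any vendor product): three
simple scenarios (large item, daily aggregate, velocity of funds) run
over a constructed sample, plus a boundary test that records how the
large item rule behaves just below, at and just above its threshold.
All parameters and sample data are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple


class Txn(NamedTuple):
    txn_id: str
    account: str
    ts: datetime
    direction: str   # "credit" (funds in) or "debit" (funds out)
    amount: float


# Constructed parameters; in practice these are tuned per Business Unit.
LARGE_ITEM = 10_000                  # a single transaction at/above this alerts
DAILY_AGGREGATE = 25_000             # per-account total within one calendar day
VELOCITY_WINDOW = timedelta(hours=24)
VELOCITY_SHARE = 0.9                 # debit >= 90% of a prior credit within the window


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample activity.
SAMPLE = [
    Txn("t1", "ACC-1", _t("2013-12-02T09:00"), "credit", 12_000),
    Txn("t2", "ACC-1", _t("2013-12-02T15:30"), "debit", 11_500),   # out 6.5h later
    Txn("t3", "ACC-2", _t("2013-12-02T10:00"), "credit", 9_000),
    Txn("t4", "ACC-2", _t("2013-12-02T11:00"), "credit", 8_500),
    Txn("t5", "ACC-2", _t("2013-12-02T12:00"), "credit", 8_000),    # day total 25,500
    Txn("t6", "ACC-3", _t("2013-12-02T10:00"), "credit", 5_000),
    Txn("t7", "ACC-3", _t("2013-12-05T10:00"), "debit", 5_000),     # 3 days later
]


def large_item_alerts(txns, threshold=LARGE_ITEM):
    """Large item report: any single transaction at or above the threshold."""
    return [("LARGE_ITEM", t.account, t.txn_id) for t in txns if t.amount >= threshold]


def daily_aggregate_alerts(txns, threshold=DAILY_AGGREGATE):
    """Sum all activity per account per calendar day; alert at or above threshold."""
    totals = defaultdict(float)
    for t in txns:
        totals[(t.account, t.ts.date())] += t.amount
    return [("DAILY_AGGREGATE", acct, day.isoformat())
            for (acct, day), total in sorted(totals.items()) if total >= threshold]


def velocity_alerts(txns, window=VELOCITY_WINDOW, share=VELOCITY_SHARE):
    """Velocity of funds: a credit followed within the window by a debit of
    at least `share` of its amount on the same account."""
    alerts = []
    by_acct = defaultdict(list)
    for t in sorted(txns, key=lambda x: x.ts):
        by_acct[t.account].append(t)
    for acct, items in by_acct.items():
        for i, cred in enumerate(items):
            if cred.direction != "credit":
                continue
            for deb in items[i + 1:]:
                if deb.ts - cred.ts > window:
                    break                      # later items are outside the window
                if deb.direction == "debit" and deb.amount >= share * cred.amount:
                    alerts.append(("VELOCITY", acct, f"{cred.txn_id}->{deb.txn_id}"))
                    break
    return alerts


def run_rules(txns):
    """Run every scenario and return the combined alert list."""
    return large_item_alerts(txns) + daily_aggregate_alerts(txns) + velocity_alerts(txns)


def boundary_test(threshold=LARGE_ITEM):
    """Probe the large item rule just below, at and just above its threshold.
    Returns {amount: alerted} so the inclusive boundary is documented, not assumed."""
    results = {}
    for amount in (threshold - 1, threshold, threshold + 1):
        probe = Txn("probe", "TEST", _t("2013-12-02T00:00"), "credit", amount)
        results[amount] = bool(large_item_alerts([probe], threshold))
    return results


if __name__ == "__main__":
    for alert in run_rules(SAMPLE):
        print(alert)
    print("boundary:", boundary_test())
```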
Source Data and Internal Reports Relating to PSUA: The ability to produce effective and timely reports that assist in identifying PSUA (e.g., manual MIS or surveillance monitoring reports) and that adhere to U.S. and non-U.S. reporting requirements is dependent upon both the quality and completeness of the source data. If the underlying information reviewed for monitoring purposes, whether it be transaction data or KYC, is questionable, or if there are flaws in how the information flows to reporting mechanisms, the results will not be reliable. The Business Unit should possess controls for ensuring that all relevant data (e.g., the complete population of customers, accounts or transactions) are being captured and fed appropriately. The processes associated with pulling (or feeding data to automated reporting solutions) are influenced by the number of data sources involved and whether the processes are well integrated or whether they are manual and disparate. In addition, the cleanliness of the data by way of appropriate segmentation (e.g., customer risk ratings, customer types, transaction types) is an essential component in promoting reporting efficiency. A formal process for confirming that all relevant source data is accurate, complete and timely will improve the usefulness and reliability of resulting reports.
Escalation and Referral of Activity: Policies, procedures and processes should be in place for referring PSUA from all areas of the Business Unit to the personnel or department responsible for evaluating PSUA. This includes establishing and documenting a clear and defined escalation process from the point of initial detection to the completion of the investigation. Additional channels for employees to refer PSUA privately (such as an anonymous call center) should be available and communicated in policies and procedures. If the Business Unit does not perform the investigative function itself, there is an expectation that it should maintain adequate interaction and communication with all parties involved in the process. In addition, procedures and guidance should be regularly reviewed and updated to ensure that relevant and specific examples are used to demonstrate potential escalation points.
Alert Management: Investigative units, or similar distinct groups, are often tasked with managing and researching activity identified as being potentially suspicious and determining whether it warrants further investigation. This is often referred to as the alert management process. As a best practice, this process should ensure that all applicable information (e.g., criminal subpoenas, national security letters, section 314(a) requests) is effectively evaluated. Policies, procedures and processes for the timely review of, and response to, alerts used to identify unusual activities may assist in facilitating the review. To reduce risk exposure, staffing levels should be sufficient to review reports and alerts in a timely manner, and the staff should possess specialized knowledge with adequate experience and research tools.
Investigation: As a best practice, the process of investigating an alert and determining whether a SAR should be filed (often referred to as case management) should include clear decision-making and documentation standards. Designated decision makers (whether a committee or specific individuals) should possess sufficient authority and competence to make final SAR filing decisions. SAR documentation should be thorough and include the reason for filing (or the rationale for not filing), as well as additional considerations, such as whether to close an account as a result of continuous suspicious activity. Although the decision to file a SAR may be subjectively determined, Business Units should establish an effective investigative and SAR decision-making process that appropriately considers all available CDD and EDD information. In instances where investigative processes or SAR decisions lie within the Business Unit, additional external reviews and approvals should exist to ensure independence.
SAR/STR Completion and Filing: Numerous SAR users, such as intelligence agencies, law enforcement, regulatory authorities and FinCEN, all rely on the details provided in SARs. Information provided by FIs is used to execute investigations, gather intelligence about emerging money laundering tactics, identify illegal activities and prosecute criminals. Where a decision is made to file a SAR, the quality of the SAR content is critical to the effectiveness of the suspicious activity reporting system. A well-written and detailed SAR will allow the FI to more effectively manage large volumes of filings and conduct more fruitful examinations of suspect customers or activity. Policies, procedures and processes should reflect standards and guidelines for ensuring that SARs are timely, complete and accurate, and that narratives sufficiently describe the reported activity as well as the basis for filing. This includes retaining SARs and their supporting documentation, reporting SARs to the board of directors (or a committee thereof), informing senior management and sharing SARs with head offices as necessary. By appointing dedicated and qualified individuals to review SARs through a forum that allows for discussing and sharing best practices (e.g., for addressing the essential elements of information: who? what? when? where? and why?), SAR quality may be significantly uplifted. In addition, a control mechanism (such as a SAR log in the form of a simple spreadsheet or a more advanced database) to monitor, track and report on the status of all decisions (e.g., whether to file a SAR or close an account) is typically expected and can help to ensure that decisions are followed through as intended.
OFAC and Sanctions

OFAC regulations and other regional and international mandates (e.g., United Nations sanctions) include requirements to block accounts and other property or to prohibit or reject transactions with specific countries, entities and individuals as appropriate. As stated in the FFIEC manual, "All U.S. persons must comply with OFAC regulations, including all citizens and permanent resident aliens regardless of where they are located, all persons and entities within the United States, all U.S. incorporated entities and their foreign branches. In the case of certain programs, such as those regarding Cuba and North Korea, foreign subsidiaries owned or controlled by U.S. companies also must comply. Certain programs also require foreign persons in possession of U.S. origin goods to comply." [14]

With frequently changing and growing lists, progressively complex sanctions terms, varying guidance for how to interpret requirements and the continual rise of new and clever evasion tactics, compliance with OFAC, sanctions and embargo regulations (referred to collectively as OFAC herein) is an increasingly difficult responsibility that requires significant resources, ongoing attention and specialized knowledge. Even with assistance from sophisticated automated solutions and advanced technology, there is often a need to implement manual processes, such as individualized reviews for double-checking alerts, confirming false positives, managing data or adjusting and testing screening mechanisms. For FIs with a vast number of transactions and a transnational presence, the demands and potential for error are high. Due to these recognized challenges, including the intricacies of determining which requirements apply to what customers under what scenarios, OFAC controls require enhanced scrutiny and evaluation. As a minimum standard for securing a strong control environment, the Business Unit should maintain a formal and written OFAC program with the necessary internal controls (screening; reporting; testing; OFAC-specific risk assessments; OFAC-specific training; dedicated resources with specialized OFAC knowledge; quality control mechanisms for ensuring appropriate actions [e.g., blocking/prohibiting] for accounts and related property). The focus of Audit's assessment should be on the Business Unit's ability to comply with existing laws and regulations by effectively blocking and rejecting accounts and/or payments and screening against OFAC and other government lists.

"Definite expectations exist with regard to the processing of transactions involving countries under sanctions. Banks are required to report all blockings to OFAC within ten days of occurrence. If your bank does not block and report a transfer and another bank does, then your bank is in trouble. A bank in noncompliance may be opening itself to adverse publicity, fines, and even criminal penalties (if violations are other than inadvertent)... [w]hile every financial institution must comply with the same laws and regulations, no one compliance program can be prepackaged for everyone in the open marketplace. Every program must be tailored to meet the needs and structure of individual financial institutions." (Department of the Treasury, OFAC Brochure: OFAC Regulations for the Financial Community)
Potential considerations for assessing the strength (i.e., strong, adequate, weak) of the control include:
OFAC Screening and Processing: OFAC screening controls relate broadly to the functions associated with maintaining OFAC-related lists and identifying accounts or property that may need to be blocked or transactions that may need to be prohibited or rejected, such as those involving Burma, Cuba, Iran, Sudan and/or Syria. At a minimum, formal and documented processes should be established for managing alerts, developing effective screening mechanisms (e.g., real-time screening), updating and reviewing OFAC lists and escalating alerts where appropriate. This includes, but is not limited to: checking accounts against OFAC lists prior to initial account opening (e.g., for non-customer transactions), or shortly thereafter; identifying and investigating potentially relevant transactions; managing blocked funds and accounts (e.g., status, amount, ownership details, interest, etc.); regularly testing filtering criteria for issues (e.g., misspellings and name derivations); developing and adjusting parameters as appropriate to account for known risks (e.g., false positives, truncated payment instructions, incorrectly coded or characterized transactions, cover payments, straight-through processing [15]); and maintaining effective processes for investigating and escalating potential matches.

[14] See 2010 FFIEC BSA/AML Examination Manual, Office of Foreign Assets Control Overview, Page 148.
In addition, as a best practice, the Business Unit may have documented analyses (e.g., formal gap analyses/reports) that reflect potential OFAC risks relating to each product/service (e.g., transactions that involve unknown third parties) and a subsequent plan for screening and monitoring for these risks. These assessments and corresponding screening processes should link to governance and risk management forums that update and educate the Business Unit on OFAC-related matters and developments (such as that of Iran turning to the automotive sector to evade sanctions legislation and attract revenue).
OFAC Policies and Procedures: In order to maintain an effective OFAC compliance program, OFAC-specific policies and procedures should be documented, regularly updated and tailored to the Business Unit's risk profile, customer base, products/services, transaction activity and geographic presence. At a minimum, policies and procedures should address all aspects of OFAC compliance and controls, including customer onboarding, screening and transaction review processes; management of blocked accounts; recordkeeping requirements; maintaining OFAC licenses; independent testing functions; roles and responsibilities for OFAC compliance; open lines of communication; specialized training; and reporting requirements.
OFAC Licenses: Subject to specific provisions and clearly documented conditions, OFAC licenses allow for certain exceptions to OFAC requirements for select transactions that are deemed to be in line with U.S. policy objectives. In addition, OFAC may grant a general license that applies to a group or a category of transactions without requiring one-off approvals from OFAC. The Business Unit should ensure that an effective process is in place for verifying that these transactions comply with all terms and conditions of an OFAC-issued license prior to processing them. In addition, copies of all OFAC licenses should be collected and kept on file as appropriate.
OFAC Reporting and Related Metrics
In accordance with OFAC regulations, the Business Unit is required to report all blocked payments to OFAC within ten days of the occurrence and annually by September 30; once those assets or funds are blocked, they are to be placed in a blocked account. Prohibited transactions that are rejected must also be reported to OFAC within ten days of the occurrence. The Business Unit should establish effective reporting and record-keeping processes, including maintaining complete and accurate records for all rejected transactions for a minimum of five years after the date of the transaction and, for blocked property or transactions, for the entire period during which the property is blocked and for five years after the date the property is unblocked. In addition to the Business Unit's external OFAC reporting obligations, the Business Unit should have access to all internal OFAC-related metrics that exist within the FI. This might include OFAC-specific data that informs customer risk (e.g., customers associated with OFAC countries/entities), product risk (e.g., products/services, such as RDC, prepaid access, e-banking or correspondent accounts that present enhanced OFAC risk) and transactional risk (e.g., transactions with OFAC countries/entities). Further, this information should contain appropriate details, such as volume and dollar values.
15 According to a July 17, 2012 U.S. Senate Report, cover payments are transfers between correspondent banks in non-sanctioned jurisdictions which lack underlying payment details and can be used as a disguise for facilitating transactions with sanctioned countries or persons. Likewise, another tactic known as straight-through processing could be employed to disguise transactions as bank-to-bank transfers and circumvent OFAC filters via automated processing procedures that bypass human intervention or manual review. This was a method that evolved due to the allowance that MT202/203 SWIFT messages (or payment instructions) previously did not require identification of the underlying originator or ultimate beneficiary for bank-to-bank transactions.
Employee AML Expertise and Coverage
Despite significant advances in information technology for managing AML operations and control processes, the accountability and success over the AML program ultimately lies with the people and the respective expertise within the organization. Regulatory bodies, such as the Office of the Comptroller of the Currency (OCC), have highlighted this message by alluding to inadequate staffing as a root cause for compliance failures in several enforcement actions. Today's environment, characterized by increased attention to compliance with AML laws and the advent of sophisticated tools and technology requiring enhanced expertise, may have accentuated the need to focus more narrowly on the people. In order to prevent staff-related issues and minimize the risk of human error, AML functions and responsibilities should, at a minimum, encompass an adequate number of resources, a sufficient level of aggregate AML expertise among the staff and an appropriate allocation of time to AML tasks by seasoned personnel. Staffing coverage and training should be aligned to AML responsibilities. The focus of Audit's assessment should be on evaluating the extent to which the Business Unit's AML functions are staffed appropriately as indicated by factors such as the number of dedicated employees, the level of expertise of assigned personnel and existing staffing plans (e.g., allocation of hours with a consideration for shared resources).

The following are extracted references to staffing and training as reflected in enforcement actions from the year 2013:
"did not ensure appropriate compliance staffing and training, and exercised inadequate oversight for compliance responsibilities." (CMP FinCEN, September 24, 2013)
"A lack of adequate training for both the business and Bank Secrecy Act/Anti-Money Laundering staff contributed to the failure to recognize this suspicious activity." (CMP FinCEN, September 22, 2013)
"Training must be sufficient for staff and officials to perform their responsibilities and ensure compliance..." (C&D NCUA, September 6, 2013)
"The Bank shall ensure that it has sufficient processes, personnel, and control systems and...[t]he BSA/AML Action Plan must specify in detail budget outlays and staffing" (C&D OCC, January 14, 2013)
Potential considerations for assessing the strength (i.e., strong, adequate, weak) of the control include:
AML Staffing Coverage
In accordance with current expectation, AML-related functions should reflect an appropriate level of attention from dedicated resources commensurate with the relative degree of risk. In instances where resources are shared or partially allocated, consideration should be given to the extent of the staff's time and availability as it relates to each AML function to ensure that staffing placement is appropriate. As a best practice, a Business Unit should be able to demonstrate that it has a staffing plan or strategy in place to account for proper AML coverage, particularly in HR areas. This includes, but is not limited to, a focus on: a) total number of available resources; b) AML competency among those resources; and c) distribution of time and effort among the pool of available AML resources.
Employee Knowledge and Capabilities
A strong awareness of the level of competency among the staff is critical in ensuring that staff expertise and experience is appropriately aligned to existing AML functions. Formal methods for evaluating staff competency (including establishing criteria that may be representative of AML proficiency and performing some level of analysis, such as through a survey or leveraging existing employee information) are often essential for accurate quantification. Relevant indicators of expertise include: a) the extent of technical knowledge over the tools/systems that are required for the relevant job function(s); b) the level of specialized knowledge for the relevant AML area (e.g., products/services); c) AML-related certifications and training; and d) the number of years of AML-related job experience. Other useful attributes may be available in existing hiring plans or in previously documented performance expectations for the respective Business Unit.
Training and Awareness
As the expectation for skilled AML resources continues to rise, there is a growing need for training plans and curricula to be tailored, relevant, frequent and mandatory. In addition to basic AML training relating to regulatory, legal and policy requirements, staff should receive training in: a) all critical AML topics; b) Business Unit-specific information (e.g., products/services, customers, risk profiles, policies and procedures, etc.); and c) targeted and more advanced training that is relevant to roles and responsibilities. Money launderers are constantly evolving and refining their strategies. As such, training should explore recent trends, such as through case studies, and also include a focus on detecting potential risk in less apparent areas, such as in conventionally low-risk products, businesses or activity (e.g., intercompany transfers or traveler's checks that may be masking the flow of funds to third parties). The intensity, scope and frequency of training should be commensurate with each employee's job level and respective duties. Some institutions also risk-rank employees to assist with disseminating training. A diverse training and awareness program may employ multiple methods of delivery, such as lunch-and-learns, computer-based platforms, webinars, live sessions or email updates/newsletters, to offer both formalized training and proactive communication of lessons learned. Training should be continually updated and performed as necessary to incorporate current developments and changes, such as those relating to the regulatory environment or internal systems and processes. In order to ensure that training is adequate, training programs should be documented, approved and tested. Further, as part of an effective program, record-keeping and tracking mechanisms (including reportable training metrics) can be employed to capture employee attendance and learning history.
Overall AML Infrastructure, Framework and Practices (policies, procedures and processes; management and oversight; technology and operations)
The challenge of managing and overseeing a broad range of AML activities and functions for a large and complex organization requires careful attention to the strength and design of the FI's AML infrastructure, framework and related practices. At a minimum, these are generally influenced by, and comprised of, the following interconnected components: policies, procedures and processes; management and oversight; and technology and operations. Each area is interdependent and contributes to a collective system of checks and balances. The focus of Audit's assessment should be on evaluating the fundamental soundness of the Business Unit's overall AML infrastructure, framework and practices, and whether these factors are conducive to an effective and healthy AML program.

"...[B]anking organizations have greatly expanded the scope, complexity and global nature of their business activities. At the same time, compliance requirements associated with these activities have become more complex. As a result, organizations have confronted significant risk management and corporate governance challenges, particularly with respect to compliance risks that transcend business lines, legal entities and jurisdictions of operation. To address these challenges, many banking organizations have implemented or enhanced firm-wide compliance risk management programs and program oversight." (Board of Governors of the Federal Reserve System)
Potential considerations for assessing the strength (i.e., strong, adequate, weak) of the control include:
Management and Oversight
The AML program and associated initiatives should be commensurate with the FI's risk profile in order to maintain efficient operations, regulatory compliance and risk management. As such, the Business Unit's approach and tone should be aligned to the overall firm-wide governance policy; together, they should promote cooperation between AML compliance functions and the Business Unit. For a more complete picture of the FI's overall framework, an Audit AML RA should evaluate both firm-wide and Business Unit-specific oversight and governance practices for managing and identifying AML risk. This includes a review of: business strategy; operating controls; reporting and escalation; roles and responsibilities; resource management; responsiveness to issues; and the Business Unit's organizational structure (including coordination with an executive and management committee or a corporate compliance function).
A formal reporting process is critical for measuring and monitoring AML risk and the effectiveness of related controls, and should be continual and comprehensive. Report data and metrics should speak to all critical areas of an AML program with appropriate detail (e.g., ongoing OFAC investigations, customer name screening matches, past-due employee training, quantity of aging alerts, monthly account closures, case management escalations, weekly SAR filings, open enforcement requests, etc.) and be reviewed with the business lines, operations department, compliance department and senior executives as appropriate. An effective reporting vehicle will allow the Business Unit to identify and measure risk as well as subsequent risk trends (e.g., whether risk is increasing or decreasing). Roles and responsibilities should be documented, transparent and defined. This includes indicating accountability (and possibly linking to performance evaluation) as well as designating specific individuals to coordinate and manage day-to-day oversight over the AML program and the Business Unit's AML activities; where this is performed by an independent compliance function, such as a governance committee, there should be a formal and open line of communication between the business and compliance. In all cases, the Business Unit should possess awareness of relevant AML issues, such as through formal representation at important firm-wide AML meetings and forums.
Personnel in management and oversight roles should stay abreast of external AML-related events and topics and have access to necessary resources (e.g., employees, information, tools) and the ability to escalate issues promptly. In addition, self-assessment and compliance testing functions should be ongoing and allow for timely identification and monitoring of issues and any corrective actions that ensue, including a formalized process for documenting, communicating and responding to results. Compliance testing in particular should reflect independence from the business, sufficient transaction testing, tailored testing procedures and workpapers that demonstrate a connection between the compliance department's risk assessment results and respective action plans.
Policies, Procedures and Processes
As part of developing a comprehensive AML program, FIs are expected to develop policies, procedures and processes to monitor and mitigate AML risks relative to regulatory expectations, compliance requirements and business-specific considerations. Where appropriate, policies, procedures and processes should address the unique attributes of the Business Unit, including size, structure, customer base and product usage. Although the sophistication of the internal control environment may vary to align with risk, each Business Unit should, at a minimum, have written policies and procedures, quality management functions and risk assessment processes.
Policies (the "what") and procedures (the "how") should be documented, approved (e.g., by board of directors, senior management, AML governance committees), comprehensive, consistent with best practices and regularly updated to address and remain current with critical AML areas (e.g., KYC, suspicious/unusual activity, OFAC and sanctions, training). Exception processes (such as for deviating from global AML policies) should be clearly documented with necessary details (e.g., the approvals that need to be obtained). In general, policy and procedural documents that apply on a global and firm-wide basis (and that describe processes in a thorough manner that can be easily understood) are more likely to promote consistency and quality. This might involve the inclusion of examples, illustrations, a strong flow, references and links to helpful resources and contact details for additional information. If policies and procedures do not provide the appropriate level of granularity, there should be accompanying guidance to address how they should be applied.
A risk assessment process should be in place to evaluate the Business Unit's inherent risks (e.g., clients, products, transactions, geography) and control environment factors (e.g., KYC, screening, training, reporting, monitoring, etc.) at least every twelve to eighteen months (preferably annually, with interim assessment exercises as appropriate, such as for the introduction of new products/services or business changes). The results of the Business Unit's risk assessment should be consistent with its risk appetite and its respective business practices (e.g., transaction monitoring scenarios should be aligned to HR areas and unique risks noted in the assessment). As a complementary measure, the Business Unit may want to formalize a process for documenting, evaluating and adjusting its risk appetite. Quality management functions for ensuring quality, consistency and adherence to the Business Unit's policies, procedures and processes should be documented, approved and embedded in day-to-day operations where appropriate. In addition, specific limitations may be appropriate for particular customer or account types (e.g., minimum asset sizes for third-party payment processors to open accounts; restrictions for MSBs to offer no more than one product line, such as check cashing; funds transfer limits for payable-through accounts; yearly limits on the number of international wires that can be initiated from corporate checking accounts). In instances where outside providers (e.g., vendors or consultants) are used to assist with policies, procedures or processes, the FI maintains accountability and, as such, is responsible for demonstrating tight oversight, such as through due diligence, reporting lines, sample testing, review and approval of its work and stringent documentation requirements.
Operations and Technology
The nature of a Business Unit's operations and its associated technological capacity are strong indicators of whether a Business Unit is capable of sustaining an effective and well-balanced AML program that can defend against everyday AML risks and adhere to applicable regulations and responsibilities. FIs are responsible for ensuring that AML functions are well connected, that events (e.g., results from FI systems or processes) are viewed holistically, and that proper feedback loops are in place across the AML program (e.g., that KYC information informs the nature of transaction monitoring and that transaction monitoring results feed back into the KYC processes to inform the level and type of information needed). In addition to reinforcing the flow between control environment components, the FI and Business Unit should ensure that operational processes and automated solutions are effective and working as intended for all relevant risk areas. Routine and standard AML operations and functions (e.g., currency transaction reporting, record-keeping activities, data management, monetary logs, Section 314(b) information sharing, compliance with OFAC and sanctions reporting) should address regulatory requirements and align to the FI's global AML policy. Documented procedures, adequate staffing and periodic testing functions with formalized results may be additional signs of a strong operating environment. Technology-driven mechanisms should have the flexibility to adapt to changes and the capacity to support all required business activities and controls, such as those relating to reporting, data mining, record retention, business recovery, information security and monitoring. Data management and analytics practices relating to AML information should be consistent across the business and allow for appropriate accessibility, interpretation and storage.
A large number of technology platforms or systems that are disconnected from each other may lead to operational challenges and inconsistencies (e.g., discrepant retrieval and analysis of customer information). A portion of this burden may be minimized through a process that looks at whether the same reference codes for customer, product and transaction types are being applied (e.g., consistent labeling of PEPs) or reconciled (e.g., different codes are identified and assigned a common identifier), or whether the same source data is being referenced for similar activities or reports (e.g., onboarding of PEPs across the Business Unit). Further, the presence of numerous or large-scale projects (e.g., look-backs, KYC remediations, procedural updates) or changes (e.g., moving to a new monitoring system, merging of business lines) may present vulnerabilities in the control environment due to resource exhaustion or risks associated with employing change, such as learning new systems, managing data or errors that go undetected.
Central units may own particular controls, but the respective business area owns the risk. As part of a comprehensive risk assessment, each Business Unit should possess an understanding of the risks and controls that affect its business, independent of whether these controls are either partially or fully owned by a separate Business Unit. In instances where an AML service is provided centrally (e.g., customer onboarding, screening, training, monitoring, investigating), it is important for Audit to: 1. evaluate the Business Unit's understanding over the central unit's processes, control effectiveness and potential risk impact of a control failure; and 2. determine whether the Business Unit has supplemental controls in place to either manage the risk on its own or to minimize reliance on the central function.
The impact of a control failure within a central function may vary depending on: a) a Business Unit's underlying susceptibility to the risk being mitigated (i.e., a Business Unit with a low-risk customer base may be less impacted by a KYC control failure than a Business Unit with a high-risk customer base); or b) whether the Business Unit owns additional controls (i.e., a Business Unit that maintains Quality Assurance [QA] processes over a central unit's activities and performs periodic sample testing may be less susceptible than a Business Unit that is fully reliant on, and detached from, the control processes).
In addition to providing auditors with guidance by defining and describing risk and control environment factors and supplying helpful considerations, a strong support framework involves adequate resourcing and education; identifying and addressing common challenges; and promoting healthy practices. This investment in Audit's risk assessment process can provide valuable dividends in the form of execution efficiencies, better quality results and potentially reduced exposure to adverse regulatory feedback. A few critical elements in this area include:
Subject Matter Expertise and Keeping Assessments Current
The identification and analysis of AML risk can be complex. An accurate assessment of AML risk oftentimes requires specialized knowledge in AML as well as a strong understanding over the Business Unit (e.g., activities, products/services, customers, geographical presence) and any region-specific considerations (e.g., laws, regulations, country risk) that may be applicable. In a perfect world, the auditor completing the assessment would be knowledgeable in all three areas; however, this may not always be feasible. By establishing a network of AML subject matter experts and designated individuals or groups to represent each region and business area, the auditor has access to a valuable pool of information and is better positioned to identify and assess unique AML risks. At the very least, each risk assessment should involve input and oversight from individuals with the requisite AML credentials, experience, training and subject matter expertise prior to completion.
Keep in mind that: Assessing and documenting potential risks is an ongoing process that requires a continuous flow of information between those with visibility and accountability over AML matters and those who are responsible for Audit's risk assessments. As such, risk assessments should be revisited as necessary or periodically (e.g., quarterly or semi-annually) to reflect relevant current events, such as internal developments (e.g., mergers, acquisitions, divestitures, technology/systems enhancements, new products/services, emerging risks/issues and other changes in business activities) or external developments (e.g., regulations, industry expectations). One method to assist with this includes establishing a culture of communication and outreach, such as a forum for sharing information and discussing recent events among business representatives, regional representatives, AML subject matter experts and Audit members.
Continual Training and Guidance Specific to Risk Assessments
The development and distribution of formal training, policies/procedures and equivalent guidance promotes consistency and enhances the audit department's ability to assess AML risk. At a minimum, documented and approved materials should describe the risk assessment process, the risk scoring/rating methodology, documentation standards, roles and responsibilities and the identification and analysis of AML risk. For best results, materials should be easily accessible and reviewed for clarity, relevance and completeness.

Keep in mind that: For additional support, a separate function or role can be tasked with providing continual feedback and guidance, such as through the use of case studies, live examples and/or periodic group discussions. This role may supplement, or include, a formal quality control ("QC") process for reviewing Audit's completed risk assessments and providing helpful feedback. By gathering and reviewing current assessments through QC processes, pilot testing, sampling methods or equivalent mechanisms, the audit department can compile and compare results, which can then be used to create training tools, such as "lessons learned." Relevant and carefully crafted guidance materials (as well as the delivery channels) can be instrumental in addressing frequently asked questions, maintaining consistency, instilling best practices and educating those responsible for completing risk assessments.
Supporting Data
To facilitate the task of obtaining supporting data and information for completing the risk assessment, a formal firm-wide process can be developed prior to the launch of the risk assessment. This might include developing a strategy for collecting information, understanding where the data resides, ascertaining the quality of the data, assigning one or more project managers/coordinators to oversee the process, identifying common data that can be shared across Business Units, establishing a relationship with personnel that can provide information and designating a central location for storing and accessing materials. Due to the extensive labor involved with this exercise, it is helpful to view and manage this process as a standalone project.
As part of establishing critical relationships and maintaining a strong support network, the audit department should engage the business leadership from each line of business as well as the technology department to assist with accessing and procuring data. The use of a tool (e.g., a document list) that indicates potentially helpful sources as well as the likelihood of obtaining them and the particular areas where they are most useful may further minimize the collection burden. This should be accompanied by a tracking mechanism for capturing and reporting on requested information through the process. Although particular metrics and reports may be specific to a Business Unit, there may be common sources of information that are easier to obtain and that serve useful across multiple Business Units. (Examples include regulatory examination feedback, audit findings, compliance testing results, self-assessments performed by the business, prior risk assessments, meeting minutes/agendas, management reports, process flowcharts, job aids and related manuals, firm-wide policies and procedures, etc.) For best results, individuals with working knowledge over the FI's source data and internal systems should be leveraged as much as possible.
Keep in mind that: The use of supporting data is influential (and increasingly expected) in demonstrating how risk decisions and conclusions were derived. Quantitative information (such as transaction volumes and types and customer population demographics by risk category and location) should be used and documented as much as possible when making inferences. However, careful consideration should be applied when determining how and when supporting information should be leveraged and what a deficit of such information may suggest for the risk rating. A business' inability to provide key data may be reflective of a control failure, particularly if the information is necessary for day-to-day operations or is expected by firm policy.
Direction for Crafting a Strong Narrative
A clear, concise and consistent narrative is critical for evidencing rating decisions and articulating potential risks. Although the ability to effectively communicate and describe one's findings through a written analysis may seem more like an art form than an exact science, there are particular strategies that can be leveraged to enhance the overall assessment. These include, but are not limited to: starting with an introductory description of the Business Unit (e.g., general overview of what the Business Unit does and the AML-related functions or services that it provides or supports either directly or indirectly); linking to, and referencing, supporting sources of information where possible (e.g., particular documents, data, reports, contacts); representing quantitative support in the context of the Business Unit (e.g., explaining what the numbers mean and the respective impact); avoiding information overload (e.g., using comments that are relevant to the assessment and focusing on the single most important factors that substantiate the ratings); managing the flow and organization of responses (e.g., bundling comments in a manner that clearly aligns to, and addresses, each risk and control factor); indicating directional risk trends; and including a brief conclusion that summarizes the rationale for the final Business Unit risk rating.
Keep in mind that: Third parties and those who are unfamiliar with the Business Unit should be able to read through the narrative and reach the same conclusions as the auditor that conducted the assessment. For this reason, the assessment should be crafted as a self-sufficient evaluation of the Business Unit with adequate detail.
[Figure: example for illustration purposes only]
Subsequent to completing Audit's risk assessment process, the audit department has access to a high-quality toolbox with which to corroborate results, assemble a comprehensive risk-based plan and illustrate a bird's-eye view of AML risk within the enterprise. Prior to preparing the audit plan, the resulting ratings and scores for each Business Unit (which may be developed in conjunction with the firm's existing risk scoring and rating model) can be used to drive a targeted review of select risk assessments based on factors such as whether ratings appear reasonable, whether inconsistencies are present or whether there are outright conflicts with current audit findings and/or perception. After evaluating AML RA results and obtaining a reasonable level of comfort as to the data quality, Audit will possess a valuable set of data points that can be used to compile an audit plan that evaluates risk from a variety of angles, such as overall risk, changes in risks, business area, geography, central functions/process or prior coverage.
With proper analysis, AML RA data can be dissected and stratified to assist in ranking and prioritizing potential audits in relation to each other. If, for instance, two Business Units in a similar area appear to present similar risk, the decision to include one Business Unit in the plan over the other may be based on whether one of the Business Units has recent audit coverage, or whether another audit in the plan covers the same region as one of the two.
AML RA output can also be used to identify relevant trends or themes that may warrant further review. If multiple Business Units have cited a common weakness or risk within their AML RA (e.g., a specific process, function, product or customer type), this may call for an audit that looks horizontally across the organization at this particular element.

In addition to assisting with audit planning, the results of the AML RA enable top-down views within the organization and provide periodic snapshots of AML risk, which allow for meaningful year-over-year comparisons. Audit can use these views to identify whether AML RA results deviate from current expectation. Where variances exist, the available data set can then be further examined for reasonable explanations. If, for instance, an identified pattern indicates that risk relating to OFAC screening has decreased since the prior period across five Business Units, all of which have shifted to using a specialized screening hub that was recently launched, this might suggest that the hub is effective. Alternatively, if a variance cannot be explained, this might warrant escalation to the business and further exploration.
Through its role as the eyes and ears of the enterprise, the audit department is uniquely positioned to independently identify AML risks and trends, to inspect the control environment, to test the sustainability of the AML program, to assist the business functions in maintaining effective risk management behaviors and to intervene as necessary to ensure that potentially material issues are recognized, understood and addressed. As such, Audit is a vital player and an essential line of defense in protecting the FI and ensuring compliance with regulatory matters and safe business practices. In accordance with this responsibility, Audit's risk assessment process is an integral component in evaluating the nature and extent of AML risk and supporting Audit's planning decisions. Although there is currently no specific model, method or format for framing the risk assessment, the design of an AML RA tool, including the supporting framework, has a significant impact on the resulting output that will be used to drive Audit's testing activities.
Regardless of whether the tool is web-based or designed in MS Word, MS Excel or through a proprietary vendor, the development of the AML RA tool should encompass core AML principles and criteria that can be used as a benchmark for guiding the assessment process without endorsing a checklist-style approach. This can be achieved through a structure that points auditors towards relevant considerations, yet facilitates thoughtful analysis and supported decision making within the assessment. A multifaceted design that is comprehensive, dynamic and sustainable in nature is a valuable control that helps with producing meaningful results that can be used to direct Audit and its testing focus. This includes dedicating sufficient resources to the risk assessment process and promoting an emphasis on detailed commentary, documenting whether risk is increasing/decreasing in particular areas, demonstrating the rationale behind rating decisions and evidencing conclusions via supporting data.
Although the act of enhancing the design of an Audit risk assessment tool may sound like a small step, the effect may be substantial if it leads to a more accurate, substantive and reliable audit planning and testing program. As of now, the relationship between regulator and auditor may lean more toward that of examiner and examinee; however, by instilling the proper confidence, this relationship may shift to a partnership, one which, between the regulator's wealth of aggregate industry knowledge and the auditor's inside operational and technical knowledge, is a much more powerful force for combating money laundering and terrorist financing.
*************************************************************************************
APPENDICES
A - Overview of considerations
[Diagram: overview of considerations. Labels recovered from the figure, grouped to follow the categories used in Appendix B:]
Inherent risks
- Customers: HR Customer Types; Duration of Relationship; Closed/Blocked Accounts
- Products and Services: HR Products and Services; New Products and Services; Business/Sales from HR Products and Services
- Transaction Activity: Activity Involving HR Product/Services; International Activity; Transactions Involving Indirect Parties
- Geographic Presence: Customers in HR Locations; Physical Presence in HR Locations; Transactional Activity with HR Locations
Control environment and risk mitigants
- Completeness of Customer Information; Renewals, Updates and Periodic Reviews; Customer Name Screening
- Training and Awareness; Alert Management; Investigation
- Escalation and Referral of Activity; OFAC Reporting and Related Metrics; SAR/STR Completion and Filing
- Operations and Technology; OFAC Licenses
B - Examples of considerations

Inherent Risks: Examples of Higher Risks

Customers

HR Customer Types
The Business Unit reflects a significant number of account holders categorized as HR per the FI's pre-existing customer risk rating model.

Duration of Relationship
The Business Unit reflects a significant number of accounts (those representative of establishing a new customer relationship) that have been opened within the past twelve months.

Closed/Blocked Accounts
The Business Unit reflects a significant number of customer accounts or relationships that have been closed or blocked at the direction of the FI.

Number and Nature of Accounts
The Business Unit reflects a significant number of customers with open (e.g., active and/or dormant) accounts in, or having access to, other Business Units within the FI.

Products and Services

HR Products and Services
The Business Unit offers a significant number of HR products/services or reflects a significant number of customers that use HR products/services.

New Products and Services
The Business Unit offers a significant number of recently introduced products/services or reflects a significant number of customers that use these products/services.

Degree of Business/Sales Generated from HR Products and Services
The Business Unit's total business portfolio reflects a significant dollar amount of revenue that is attributed to the sale of new products/services.

Risk Tolerance and Business Strategies
The Business Unit has self-evaluated (or has indicated elsewhere) a high risk tolerance, or the Business Unit has requested to forego firm-wide AML requirements or processes despite known risks.

Transaction Activity

Activity Involving HR Products/Services
The Business Unit reflects a significantly high volume or dollar amount of activity involving high risk products/services.

International Activity
The Business Unit reflects a significantly high volume or dollar value of international activity.

Transactions Involving Indirect Parties
The Business Unit reflects a significantly high number of customers and/or accounts with the capability to conduct transactions with (or on behalf of) non-FI customers through the FI.

Reportable Transaction Activity
The Business Unit reflects a significantly high number of customers with transaction activity reporting.

Geographic Presence

Customers in HR Locations
The Business Unit reflects a significant number of customers with known addresses in HR locations.

Physical Presence in HR Locations
The Business Unit has an operating branch in a significant number of HR locations.

Transactional Activity with HR Locations
The Business Unit reflects a significant number of customers with accounts that exhibit transactions with HR locations.
Control Environment and Risk Mitigants: Examples of Control Weaknesses

KYC

Exceptions or Waivers
The Business Unit reflects a significant number of exceptions or waivers to internal KYC policies, procedures or standards.

Reliance
The Business Unit reflects reliance on other parties for KYC functions and does not receive metrics/status reporting, does not own controls for monitoring or managing the reliance, does not reflect accountability or does not demonstrate an understanding over the process and potential risk impact.

Completeness of Customer Information
The Business Unit reflects a significant number of active accounts with missing or incomplete KYC information.

Renewals, Updates and Periodic Reviews
The Business Unit reflects a significant number of accounts that have not been renewed or updated in accordance with its renewal cycle.

Customer Name Screening
The Business Unit reflects deficiencies in identifying name matches; there are inconsistencies in screening practices or there is poor interaction between the Business Unit and the central function.

Potentially Suspicious and/or Unusual Activity

Detection and Monitoring
The Business Unit is not appropriately equipped to identify and monitor PSUA (e.g., lack of training, procedures or access to reports), or the Business Unit reflects frequently identified system deficiencies and issues, such as parameters that are not working as intended or failures to effectively detect deviations between expected and actual activity.

Source Data and Internal Reports Relating to PSUA
The Business Unit does not have an approval process to ensure that data is accurate, complete and timely, or the reports being produced contain errors and/or related deficiencies.

Escalation and Referral of Activity
The Business Unit cannot produce evidence of a documented and defined escalation and referral process.

Alert Management
The Business Unit reflects a large or increasing number of open alerts, or decisions on whether to further investigate alerts are not clearly documented or approved.

Investigation
The Business Unit does not have procedures that detail documentation standards or describe the process for closing accounts due to continuous suspicious activity.

SAR/STR Completion and Filing
The Business Unit has a significant number of SARs that have been corrected, reversed or identified as being incomplete, weak or outstanding.

OFAC and Sanctions

OFAC Screening and Processing
The Business Unit contains a significant number of alerts that have not yet been reviewed; there are a significant number of manual or interim processes in place; or transactions flagged as requiring specific actions (e.g., blocking) are not compliant with the appropriate measures.

OFAC Policies and Procedures
The Business Unit does not adequately update policies and procedures to account for continual OFAC-related developments; does not maintain written, comprehensive and approved policies and procedures for all critical OFAC program areas; and does not exhibit OFAC practices that are consistent with those documented in and required by internal OFAC policies and procedures.

OFAC Licenses
The Business Unit exhibits ineffective processes or procedures for verifying OFAC-issued licenses or does not adequately retain copies of licenses where appropriate.

OFAC Reporting and Related Metrics
The Business Unit does not report all blocked and/or prohibited transactions to OFAC on a timely basis; records are not full and accurate where applicable; or OFAC management reports reflect deficiencies in content, distribution or frequency.

Employee AML Expertise and Coverage

AML Staffing Coverage
The Business Unit does not reflect a sufficient level of competent staff among critical AML functions or does not conduct AML-specific capacity planning or equivalent staffing analyses.

Employee Knowledge and Capabilities
The Business Unit reflects a low level of staff with advanced or adequate AML competencies relative to the required AML function.

Training and Awareness
The Business Unit's training content is not accurate, relevant or complete; employees are not completing required trainings; attendance is not being tracked; or training frequency is inadequate.

Overall AML Infrastructure, Framework and Practices

Management and Oversight
The Business Unit has inconsistent management reports, reflects inaccuracies in metrics, does not report on critical AML matters (e.g., number of open accounts associated with PEPs) or has testing functions that are infrequent and ineffective in identifying issues, including those known to Audit.

Policies, Procedures and Processes
The Business Unit's risk rating methodologies for its risk assessments are undefined and rating decisions do not reflect adequate support; or quality management processes are inconsistent, undocumented or deficient for critical areas, such as SAR filing or customer onboarding.

Operations and Technology
The Business Unit reflects deficiencies in executing day-to-day operations, such as maintaining adequate monetary logs or reporting on currency transactions; the technological environment is incapable of monitoring the volume and complexity of customer transactions; there is a lack of management over third party processing; or methods for interpreting and defining data are inconsistent.
ACAMS: Association of Anti-Money Laundering Specialists.
Account (term): A formal banking relationship established to provide or engage in services, dealings or other financial transactions, including a deposit account, a transaction or asset account, a credit account or other extension of credit. Account also includes a relationship established to provide a safety deposit box or other safekeeping services, or cash management, custodian and trust services.
ACH: automated clearing house.
AML: anti-money laundering.
AML (term): Encompasses the Bank Secrecy Act, anti-money laundering, Office of Foreign Assets Control and sanctions.
AML RA: AML risk assessment.
Audit (term): The internal audit department.
BSA: Bank Secrecy Act.
Business Unit (term): An auditable business area, control function/utility and/or lines of business.
CDD: customer due diligence.
CIP: customer identification program.
COSO: Committee of Sponsoring Organizations.
CTR: currency transaction reports.
Customer (term): A "person" (an individual, a corporation, partnership, a trust, an estate or any other entity recognized as a legal person) who opens a new account, an individual who opens a new account for another individual who lacks legal capacity, and an individual who opens a new account for an entity that is not a legal person (e.g., a civic club). A customer does not include a person who does not receive banking services, such as a person whose loan application is denied.
EDD: enhanced due diligence.
FATF: Financial Action Task Force.
FDIC: Federal Deposit Insurance Company.
FFIEC: Federal Financial Institutions Examination Council.
FI: financial institution.
FinCEN: Financial Crimes Enforcement Network.
HIDTA: high intensity drug trafficking area.
HIFCA: high intensity financial crime area.
HR: high risk.
INTOSAI: International Organization of Supreme Audit Institutions.
KYC: Know Your Customer.
LOB: lines of business.
MIS: management information system.
MRA: matter requiring attention.
OCC: Office of the Comptroller of the Currency.
OFAC: Office of Foreign Assets Control.
OFC: offshore financial center.
PEPs: politically exposed persons.
PSUA: potentially suspicious and/or unusual activity.
QA: quality assurance.
QC: quality control.
RCCs: remotely created checks.
RDC: remote deposit capture.
Risk Appetite (term): The amount of risk, on a broad level, that an entity is willing to accept in seeking to achieve its objectives.
SAR: suspicious activity report.
SDN: specially designated nationals.
STR: suspicious transactions report.
Tool (term): The mechanism (such as a basic template or system) used to organize, record, assess and rate AML risks. A tool can be a sophisticated system or a simple spreadsheet, as well as any accompanying guidance.
Jonathan Estreich is currently a vice president within the internal audit department at JPMorgan Chase. With over eight years of experience working with financial services firms such as Deloitte Financial Advisory Services LLP and UBS Investment Bank, Mr. Estreich specializes in providing anti-money laundering and counter-terrorist financing services with a focus on AML policies, procedures and internal controls, including those relating to transaction monitoring, Know Your Customer initiatives, customer due diligence and risk assessments. By servicing many different financial institutions within the banking sector in multiple capacities, he has accumulated a broad range of industry knowledge and expertise in diverse areas such as global AML compliance and Office of Foreign Assets Control, as well as in working with complex product and customer types. He has had considerable involvement in leading, managing and advising on BSA/AML related matters, including authoring several works with Thomson Reuters Complinet, ACAMS Today, Inside Counsel and Corporate Compliance Insights.

Professional credentials include:
Certified Fraud Examiner (CFE)
Certified Anti-Money Laundering Specialist (CAMS)
Advanced Anti-Money Laundering Audit designation (CAMS-Audit)
Certified Associate in Project Management (CAPM)

Related works by the author
1. Enhanced due diligence program for correspondent banking: Minimizing the risk of money laundering and drug trafficking, Thomson Reuters Complinet, (August 2011).
2. Understanding recent developments in prepaid access: Considerations for deterring money laundering, ACAMS Today, (March 2012).
3. "Knowing" your Latin American customer: Enhanced due diligence practices to mitigate the risks of money laundering and terrorist financing, Inside Counsel, (March 2012).
4. CISADA Section 104(e): A glance into the final rule's counter-terrorist financing requirements and challenges for U.S. Financial Institutions, Corporate Compliance Insights, (October 2012).