The AML Conundrum PowerPoint Slide Deck FINAL

Transcription

WELCOME
www.bsacoalition.org

The AML Risk Conundrum
What Does AML Risk Really Mean?
BSA Coalition Training Event
November 17, 2016

What does AML risk REALLY mean?
Opening Remarks:
Amanda Tucker, BSA Coalition Board Member
Executive Vice President | Chief Risk Officer
Old Dominion National Bank

Melinda Lytle, Moderator
Financial Examiner and BSA Specialist, NC Office of the Commissioner of Banks
Debra D’Arrigo, Panelist
Director, AML Compliance, Capital One
Lisa G. Varner, Panelist
Senior Risk Management Officer and Senior Vice President, United Bankshares, Inc.

The views and opinions expressed here are those of the speakers. They do not represent an official position of the Federal Reserve Bank of Richmond or the Federal Reserve System.

Panel Objectives
- List and understand the challenges of implementing and documenting risk-based BSA/AML compliance programs
- Describe or implement ways to improve communication across business lines within your organizations
- Develop communication strategies with law enforcement and your regulators to ensure understanding of BSA/AML risk at your organization

Welcome and Introduction of Speakers
The Challenges of Risk-Based Compliance Programs
Risk Assessment Considerations
Tucker, Amanda
Varner, Lisa/Melinda Lytle
Lisa Varner, Debra D’Arrigo
Varner/D’Arrigo/Lytle
Best Practices for Communicating rrigo
Question and Answer Session
Varner/Lytle/D’Arrigo
Closing Remarks
Tucker, Amanda
The Definition of Risk - The Conundrum

The Definition of Risk - The Conundrum

A technical definition of AML risk:
The risk to the institution of regulatory sanctions, fines, penalties or losses resulting from the facilitation of money laundering or terrorist financing

A regulator’s perspective of AML risk:
- Managing risks is fundamental to banking
- Failure to establish a risk management structure is considered unsafe and unsound

What is risk?
“Exposure to the chance of loss, or injury, or dangerous hazardous chance.”

The components of risk

What are threats?
- A person or group or object or activity that has potential to cause harm
- Criminals, terrorist groups, their facilitators and their funds
- Identifying threats is where understanding risk begins

What are Vulnerabilities?
- Those things that can be exploited by the threat or support or facilitate the activity
- Evaluate vulnerabilities distinct from threats by focusing on those factors that present weaknesses in your AML systems and controls.
- Also focus on certain features of your products/services that make them attractive for AML purposes

What are Consequences?
- Impact or harm financial crimes can cause
- Risks to the financial system
- Risks to your institution
- Impacts your community, your business environment and your reputation

So, what’s the conundrum?
AML Program definition of “risk based” is
- Very broad, inherently subjective in nature
- Risk is a function of three factors: Threat, Vulnerability, & Consequences
- Making judgments and everyone defines risk differently: Regulators, Law Enforcement, LOB, Management and Board
- Misunderstanding may lead to faulty controls or risk mitigants
- Mitigants can be difficult to “operationalize”
- Make sure to bridge the gap and require robust onboarding

The Challenges of Risk-Based Compliance Programs

Common Challenges of Risk-Based Compliance Programs
- Deciding the best way to measure and monitor risk in your institution
- Getting your partners on the same page about risk
- Implementing controls
- Communicating risk effectively to your regulators, your business partners and law enforcement

Challenges of Risk-Based Compliance Programs
Small Bank Perspective
- How do we get to “risk-based” if we don’t understand our risk?
- AML risk can be viewed from multiple perspectives and sources
  - Reputational, operational
  - Products, customers, geography
- Proactively engage our business lines, our regulators, and our local law enforcement

Challenges of Risk-Based Compliance Programs
Small Bank Perspective
- Business line challenges
  - Getting the LOB to understand AML risk
- Regulatory challenges
  - Getting regulators on board with your AML risk evaluation
  - Ask for their input
- Law enforcement challenges
  - Getting the right LE officer/agent who will provide information to help build your risk profile

Challenges of Risk-Based Compliance Programs
Large Bank Perspective
- Defining how to measure, monitor, control and ultimately report on risk
  - Systems used, tools, defining roles and responsibilities
  - Scope and timing of reporting, policies and procedures
- Aligning with internal and external constituents on a common definition of risk
  - Ensuring a mutual understanding exists about the quantity of risk exposure
- Implementing commensurate controls to mitigate risk
  - Systemic or manual
  - Detective vs. preventive
- Communicating risk effectively to management, auditors, regulators and law enforcement

Risk Assessment Considerations

Risk Assessment Considerations
Small Bank Perspective
Working with your business lines
- Resources might be limited
- Methods to evaluate risk
  - Utilization of the FFIEC BSA/AML Examination Manual – expanded sections and regulatory communications
  - Periodic meetings to gather and discuss those identified risks – BSA Action Team discussions
  - Assess risk separately or together – ML/TF
  - Looking at trends – Key Risk Indicators

Risk Assessment Considerations
Small Bank Perspective
- Preparing your written risk assessment
- Identifying specific risk categories, i.e. products, services, customers, entities, transactions and geographic locations
- Analysis, controls and risk rating
- Keeping your risk assessment updated

Risk Assessment Considerations
Large Bank Perspective
The risk assessment provides a perfect opportunity to clearly define the inherent risks to be managed throughout the
Diagram labels: Customers, Products, Services, Other Qualitative Factors, Emerging, Economic Sanctions

Risk Assessment Considerations
Large Bank Perspective
Internal Controls
The risk assessment also provides context about the controls in place to mitigate the risk
Pillar 1 - Designated Chief AML and Sanctions Officer
Pillar 2 - Independent Testing and Oversight
Pillar 3 - Training
Pillar 4 - Internal Controls, further defined as:
- Policies and Procedures
- Customer Identification Program (CIP)
- Customer Due Diligence (CDD)
- Enhanced Due Diligence (EDD)
- Politically Exposed Persons (PEP)
- Risk-Based Approach (RBA)
- Suspicious Activity Report (SAR) Filing
- Transaction Monitoring
- MIS / Reporting
- Regulatory Specific Record Keeping and Retention
- Sanctions Monitoring

Risk Assessment Considerations
Large Bank Perspective
- Measure Inherent Risk
- Assess Internal Controls
- Calculate Residual Risk
The risk assessment measures risk and assesses controls to arrive at a residual risk rating

Risk Assessment Considerations
Large Bank Perspective
Results of the risk assessment should be documented in a formal report. Elements to consider when utilizing the report as a tool to communicate risk:
- Broad distribution to all key stakeholders
- Report should tell the “risk story” of the organization
- Align with the functional organization but also consider legal entity nuances

Risk Assessment Considerations
Large Bank Perspective
Key elements of a comprehensive risk assessment
- Identifies areas of heightened risk
- Covers all risks (products, services, customers, entities, transactions, channels, geographies)
- Considers forward-looking/emerging risks
- Uses a formulaic approach to derive results
- Aggregates and prioritizes risks
- Provides enhanced risk reporting

Best Practices for Communicating Risk

Best Practices for Communicating Risk
Small Bank Perspective
With business lines:
- Should be shared and communicated with all business lines across the bank as well as board of directors, management, and appropriate staff
- Organizational awareness, knowledge and understanding
- Document in a concise and organized manner
- Importance of front line staff

Best Practices for Communicating Risk
Small Bank Perspective
With law enforcement:
- Key in the fight against money laundering and terrorist financing
- Identifies significant relationships, patterns and trends
- Can help your institution protect itself

Best Practices for Communicating Risk
Small Bank Perspective
With regulators:
- Risk assessment is shared during the examination; recommendations from examiners are considered for incorporation into the assessment
- Ongoing communication of key risk issues through quarterly calls
- “One-off” phone calls with regulator about significant AML risk events

Best Practices for Communicating Risk
Large Bank Perspective
All aspects of the compliance management program can be leveraged to implement, document and communicate risk-based AML programs to ensure risks are well understood and managed within the risk tolerance of the organization

Best Practices for Communicating Risk
Large Bank Perspective
Governance, Risk Management, and Compliance (GRC) systems can be leveraged to communicate risk.
- GRC systems can provide comprehensive documentation of risks and requirements
  - Inventory of all laws & regulations (risks) to manage
  - Associate applicable risks to business areas
  - Demonstrate control coverage
  - GRC typically forms a basis for compliance monitoring and testing

Best Practices for Communicating Risk
Large Bank Perspective
Policy and Procedures (P&Ps) are another way to communicate risk.
- Enterprise P&Ps provide Program-level guidance
- Businesses should implement subordinate procedures
  - Clear articulation of roles and responsibilities
  - Delineate risk takers vs. risk managers
  - End-to-end coverage (onboarding through the account life cycle)

Best Practices for Communicating Risk
Large Bank Perspective
Technology strategy should be prioritized to cover top risks and ensure:
- Consistent and accurate customer data collection occurs
- Data is available for use in downstream AML processes
- Meaningful management reporting can be produced
Management Information Systems (MIS) can facilitate management’s ability to effectively measure, monitor, control and report on risk.
Diagram labels: Data Collection, 2nd Line, 1st Line, Data Usage, Internal/External Reporting

Best Practices for Communicating Risk
Large Bank Perspective
Reporting is a critical communication mechanism used to reach a broad group of constituents with a consistent message.
Key elements of successful reporting
- Audience is defined
- Level, extent and frequency of reporting is tailored to the audience
- Key Risk Indicators and Key Performance Indicators included
- Signal early warnings of adverse trends
- Overall state of compliance is reflected

Best Practices for Communicating Risk
Large Bank Perspective
Other Program components can be leveraged for communicating risk.
- Board and Senior Management oversight/escalation channels
- Auditors, regulators and law enforcement
  - Audit – Proactive engagement
  - Regulators – Routine meetings; shared reporting; offer deep dive reviews; communicate organizational changes or material risk issues and controls breakdowns promptly
  - Law enforcement – FIU should have clear communication channels/established Points of Contact
- Compliance Monitoring and Testing plans

Best Practices for Communicating Risk
Large Bank Perspective
Training is a required Program pillar and is a key component to ensuring there is a mutual understanding of risk and controls.
Key elements of an effective Training program:
- Scope should be enterprise wide to include all personnel whose duties require knowledge of the BSA/AML requirements, including new hires
- Content is tailored to the specific responsibilities of each area and target audience
- Examples of money laundering activity and red flags are included
- Attendance is documented and retained

Conclusions

How do you solve for the Conundrum?
- Strengthen relationships with business lines, regulators and law enforcement
- Understand risk through the risk assessment process
- Communication
- Education and training

How do you solve for the Conundrum?
Here’s your action list
- Ensure a clear definition and a mutual understanding of risk throughout the bank
- Implement controls
- Educate business lines, regulators and law enforcement about AML risk throughout the risk assessment process
- Ensure mutual understanding of BSA/AML risk between your bank, regulators and law enforcement

Questions?

Closing Remarks
