Interpreting Lessons Learnt from Recent Enforcement Actions Focus on Technology 20th June, 2013 Mark Dunn Market Planning Manager LexisNexis BIS Risk.


1 Interpreting Lessons Learnt from Recent Enforcement Actions: Focus on Technology
20th June, 2013
Mark Dunn, Market Planning Manager, LexisNexis BIS Risk

2 Technology highlighted as significant problem area
US enforcement actions highlight management of technology as a primary problem within banks’ AML systems & controls.

“Many of the practical problems seen in recent years with respect to BSA compliance can be summed up within four areas:
- culture of compliance within the organization
- commitment of sufficient and expert resources
- strength of information technology and monitoring processes
- sound risk management.”

Testimony of the Office of the Comptroller of the Currency Before the Permanent Subcommittee on Investigations of the Committee on Homeland Security and Governmental Affairs of the US Senate. July, 2012

3 Acquiring technology fit for purpose
Issues included:

Transaction Monitoring
- Limitations of in-house AML system and need to rely heavily on manual transaction reviews reduced effectiveness of automated monitoring
- Led to 17,000+ unprocessed (“backlogged”) alerts as business lines increased
- Meant deployment of extra offshore and other reviewers to clear backlog
- Resulted in “deficiencies in the quality of the work,” and 34% of alerts supposedly resolved had to be re-done
- Replaced proprietary monitoring system with commercially available service
- In first month, new system detected 100,000+ transactions previously unchecked under older system

Other Issues
- Array of problematic decisions on what clients and countries should be designated high risk and subject to enhanced monitoring
- What accounts and wire transfer activity should be subject to or excluded from routine AML monitoring
- What parameters should be used to trigger alerts, including dollar thresholds, key words or phrases, scenario rules that combined specified elements
- What “negative rules” should be used to decrease the number of alerts that would otherwise be generated for review

“HBUS did not acquire an automated system equal to the needs of the Bank, ie, a system with sufficient capacity to support the volume, scope, and nature of transactions conducted by and through HBUS, until April 2011…In sum, HBUS failed to dedicate sufficient human and technological resources to meet its AML/CFT obligations.”
US Department of the Treasury Financial Crimes Enforcement Network in the Matter of HSBC Bank USA N.A. (FinCEN, November, 2012)

Sources: US Vulnerabilities to Money Laundering, Drugs, and Terrorist Financing: HSBC Case History Majority and Minority Staff Report Permanent Subcommittee on Investigations United States Senate (July, 2012), US Department of the Treasury Financial Crimes Enforcement Network in the Matter of HSBC Bank USA N.A. (FinCEN, November, 2012)

4 Ensuring a robust sanctions screening process
Issues included:

OFAC Filter
- Each transaction had to be manually reviewed and resolved by two 4-person OFAC Compliance teams in New York and Delaware
- Introduction of new payment system and several adjustments made to OFAC filters led to backlog of alerts that took weeks to clear.
- Backlog of 700+ alerts accumulates
- Not enough personnel available to manage backlog.
- Compliance teams were under rigorous pressure to process alerts and determine a disposition in a timely manner leaving gaps for errors

HBUS’s OFAC Compliance Program
- Internal bank documentation related to HBUS’ OFAC compliance efforts regarding OFAC sensitive transactions portrayed a variety of specific problems over the period reviewed by the Subcommittee
- For example: Prohibited transactions were not detected by HSBC’s WOLF filter or HBUS’ OFAC filter due to programming deficiencies that did not identify certain terms or names as suspicious
- For example: Transactions that had been properly blocked by the WOLF or OFAC filter were released by HSBC or HBUS employees in error, due to rushed procedures, inadequate training, or outright mistakes

“At HBUS, documents provided to the Subcommittee indicate that, for years, some HSBC affiliates took action to circumvent the OFAC filter when sending OFAC sensitive transactions through their US dollar correspondent accounts at HBUS.”
US Vulnerabilities to Money Laundering, Drugs, and Terrorist Financing: HSBC Case History Majority and Minority Staff Report Permanent Subcommittee on Investigations United States Senate (July, 2012)

Sources: US Vulnerabilities to Money Laundering, Drugs, and Terrorist Financing: HSBC Case History Majority and Minority Staff Report Permanent Subcommittee on Investigations United States Senate (July, 2012), US Department of the Treasury Financial Crimes Enforcement Network in the Matter of HSBC Bank USA N.A. (FinCEN, November, 2012)

5 Aligning technology to changing business risks
Issues included:

Risk rating not updated
- Despite the overwhelming information available about substantial money laundering risks in Mexico, from 2002 until 2009, HBUS gave Mexico its lowest risk rating for AML purposes
- As a consequence, under HSBC Group policy, clients from Mexico were not subjected to enhanced monitoring by HBUS, unless they were also designated a Special Category Client (SCC), a relatively rare designation that indicates a client poses high AML risks.
- Had Mexico carried one of the two highest risk ratings, all Mexican clients at HBUS would have been subjected to enhanced due diligence and account monitoring.
- Instead, HBUS failed to conduct AML monitoring of most Mexican client account and wire transfer activity involving substantial funds

HBMX’s History of Weak AML Safeguards
- Monitoring system did not have any capacity to aggregate transaction activity for any period other than a given day and did not identify high risk clients
- Proprietary monitoring system implemented but only applied to limited number of transactions
- Inadequate internal controls over the IT systems used to send information to the regulator on suspicious or relevant transactions to authorities.
- Failure to ensure monitoring parameters met local requirements and inadequate training

“The Bank’s failure to adequately assess risk negatively impacted the effectiveness of its transaction monitoring, which already suffered from additional systemic weaknesses.”
US Department of the Treasury Financial Crimes Enforcement Network in the Matter of HSBC Bank USA N.A. (FinCEN, November, 2012)

Sources: US Vulnerabilities to Money Laundering, Drugs, and Terrorist Financing: HSBC Case History Majority and Minority Staff Report Permanent Subcommittee on Investigations United States Senate (July, 2012), US Department of the Treasury Financial Crimes Enforcement Network in the Matter of HSBC Bank USA N.A. (FinCEN, November, 2012)

6 Lack of consistent process
Issues included:

Inconsistent adherence to internal policies and procedures, inadequate systems, the need to strengthen controls, and inconsistent monitoring processes
- HBUS did not apply its risk-rating methodology “in a consistent manner.”
- The OCC wrote that, in 2009, while the bank elevated the risk ratings versus the scores, the bank has not adopted a repeatable, standardized procedure.
- Compliance communicated repeatedly the need to consistently apply the policy and “enforce our policy on a consistent and Groupwide basis”
- “Failure to consistently gather reasonably accurate and complete customer documentation undermined the Bank’s ability to conduct customer risk assessments.”
- Led to inconsistent adherence to internal policies and procedures, inadequate systems, the need to strengthen controls, and inconsistent monitoring processes

“The bottom line is, our OFAC process is in disarray and in great risk of being noncompliant. We have multiple systems, inconsistent practices, limited communication between the various functions, and no oversight function”
US Vulnerabilities to Money Laundering, Drugs, and Terrorist Financing: HSBC Case History Majority and Minority Staff Report Permanent Subcommittee on Investigations United States Senate (July, 2012)

Sources: US Vulnerabilities to Money Laundering, Drugs, and Terrorist Financing: HSBC Case History Majority and Minority Staff Report Permanent Subcommittee on Investigations United States Senate (July, 2012), US Department of the Treasury Financial Crimes Enforcement Network in the Matter of HSBC Bank USA N.A. (FinCEN, November, 2012)

7 Server issues
Issues included:

Server Issues
- OFAC-sensitive transactions involved payment messages associated with non-U.S. dollar transactions that were sent through servers physically located in the US, but which were not processed by HBUS and were not screened by an OFAC filter
- Despite concern expressed by HBUS, the bank decided not to turn on the HBUS OFAC filter to screen these payment messages
- Transaction messages were still being routed through a US server “for a fraction of a second for later transfer to the UK,” which could be long enough for a “log file” to exist in the United States identifying the transactions.

“HSBC Group knowingly put its US affiliate at regulatory and reputational risk by moving payment messages through a US server without scanning them against the OFAC filter.”
US Vulnerabilities to Money Laundering, Drugs, and Terrorist Financing: HSBC Case History Majority and Minority Staff Report Permanent Subcommittee on Investigations United States Senate (July, 2012)

Sources: US Vulnerabilities to Money Laundering, Drugs, and Terrorist Financing: HSBC Case History Majority and Minority Staff Report Permanent Subcommittee on Investigations United States Senate (July, 2012), US Department of the Treasury Financial Crimes Enforcement Network in the Matter of HSBC Bank USA N.A. (FinCEN, November, 2012)

8 Lessons from the UK Financial Conduct Authority Thematic Reviews and Reports
Focus on Technology

9 FCA Financial crime, a guide for firms
Financial services firms’ approach to UK financial sanctions April 2013

10 Screening during client take-on
Financial services firms’ approach to UK financial sanctions

Examples of good practice include (each followed, where given, by the practical step in using AML technology):
- An effective screening system appropriate to the nature, size and risk of the firm’s business.
  Practical step: Use RFI format to set out clearly your business requirements including geographic scope and future planning in order to help vendors recommend appropriate technology that is scaled to your business
- Screening against the Consolidated List at the time of client take-on before providing any services or undertaking any transactions for a customer.
- Screening directors and beneficial owners of corporate customers.
- Screening third party payees where adequate information is available.
- Where the firm’s procedures require dual control (e.g. a ‘four eyes’ check) to be used, having in place an effective process to ensure this happens.
  Practical step: AML technology enables roles and permissions to be set that require activities to be acknowledged before additional actions can be taken by compliance staff. All actions fully audited automatically
- The use of ‘fuzzy matching’ where automated screening systems are used.
  Practical step: Ensure any fuzzy matching functionality is tested and regularly reviewed with the vendor in line with your changing business requirements
- Where a commercially available automated screening system is implemented, making sure that there is a full understanding of the capabilities and limits of the system.
  Practical step: Critical that you work closely with the vendor to deploy AML technology in line with your business requirements, that staff are trained and any upgrades are properly communicated

Source (good practice): Financial crime, a guide for firms (Financial Conduct Authority, April 2013)
Source (practical steps): LexisNexis

11 Screening during client take-on
Financial services firms’ approach to UK financial sanctions

Examples of poor practice include (each followed, where given, by the practical step in using AML technology):
- Screening only on notification of a claim on an insurance policy, rather than during client take-on.
- Relying on other FSA-authorised firms and compliance consultants to screen clients against the Consolidated List without taking reasonable steps to ensure that they are doing so effectively.
- Assuming that AML customer due diligence checks include screening against the Consolidated List.
- Failing to screen UK-based clients on the assumption that there are no UK-based persons or entities on the Consolidated List or failure to screen due to any other misconception.
- Large global institutions with millions of clients using manual screening, increasing the likelihood of human error and leading to matches being missed.
  Practical step: Ensuring that the system is calibrated correctly in line with business requirements to avoid high volumes of false positives being generated and requiring manual review
- IT systems that cannot flag potential matches clearly and prominently.
  Practical step: Working with the vendor to ensure matching rules are aligned to business requirements and customised to company terminology
- Firms calibrating their screening rules too narrowly or too widely so that they, for example, match only exact names with the Consolidated List or generate large numbers of resource intensive false positives.
  Practical step: As above. Working with vendor to test, implement and review appropriate matching rules to ensure the system is calibrated correctly in line with business requirements
- Regarding the implementation of a commercially available sanctions screening system as a panacea, with no further work required by the firm.
  Practical step: Working with vendor to agree scheduled reviews, spot checks and MI reports to ensure AML technology continues to align to requirements
- Failing to tailor a commercially available sanctions screening system to the firm’s requirements
  Practical step: As above. To work with vendor to ensure AML technology is customised and tailored to fit specific business requirements

Source (poor practice): Financial crime, a guide for firms (Financial Conduct Authority, April 2013)
Source (practical steps): LexisNexis

12 Ongoing screening
Financial services firms’ approach to UK financial sanctions

Examples of good practice include (each followed, where given, by the practical step in using AML technology):
- Screening of the entire client base within a reasonable time following updates to the Consolidated List.
  Practical step: Agree and set automated schedule with vendor to both receive list updates and run screening process aligned to risk based approach
- Ensuring that customer data used for ongoing screening is up to date and correct.
  Practical step: Implement and maintain CDD reviews and reports refresh aligned to risk based approach
- Processes that include screening for indirect as well as direct customers and also third party payees, wherever possible
- Processes that include screening changes to corporate customers’ data (e.g. when new directors are appointed or if there are changes to beneficial owners).
- Regular reviews of the calibration and rules of automated systems to ensure they are operating effectively.
  Practical step: Key requirement to schedule regular spot tests and reviews with vendor to ensure calibrated rules remain aligned to business requirements
- Screening systems calibrated in accordance with the firm’s risk appetite, rather than the settings suggested by external software providers.
  Practical step: As above. Important that business requirements are clearly communicated to enable vendor to calibrate AML technology with appropriate settings
- Systems calibrated to include ‘fuzzy matching’, including name reversal, digit rotation and character manipulation.
  Practical step: Ensures name and other variants are found. However, extent of calibration should be aligned to business requirement and risk based approach
- Flags on systems prominently and clearly identified.
- Controls that require referral to relevant compliance staff prior to dealing with flagged individuals or entities.
  Practical step: As above. AML technology enables roles and permissions to be set that require activities to be acknowledged before additional actions can be taken by compliance staff. All actions can be fully audited automatically.

Source (good practice): Financial crime, a guide for firms (Financial Conduct Authority, April 2013)
Source (practical steps): LexisNexis

13 Ongoing screening
Financial services firms’ approach to UK financial sanctions

Examples of poor practice include (each followed, where given, by the practical step in using AML technology):
- No ongoing screening of customer databases or transactions.
  Practical step: As above. Agree and set automated schedule with vendor to both receive list updates and run screening process aligned to risk based approach
- Failure to screen directors and beneficial owners of corporate customers and/or third party payees where adequate information is available.
- Failure to review the calibration and rules of automated systems, or to set the calibration in accordance with the firm’s risk appetite.
  Practical step: As above. A key requirement to schedule regular spot tests and reviews with vendor to ensure calibrated rules remain aligned to business requirements
- Flags on systems that are dependent on staff looking for them.
- Controls on systems that can be overridden without referral to compliance.
  Practical step: As above. Implement clear risk flags and configure AML technology with roles and permissions that require activities to be acknowledged before additional actions can be taken by compliance or other staff. All actions fully audited automatically

Source (poor practice): Financial crime, a guide for firms (Financial Conduct Authority, April 2013)
Source (practical steps): LexisNexis

14 Treatment of potential target matches
Financial services firms’ approach to UK financial sanctions

Examples of good practice include (each followed, where given, by the practical step in using AML technology):
- Procedures for investigating whether a potential match is an actual target match or a false positive.
  Practical step: Work with vendor to implement clear workflow rules that cover alert and investigation process with set permissions, escalation and audit
- Procedures for freezing accounts where an actual target match is identified.
  Practical step: As above. Work with vendor to ensure roles and permissions are implemented that require activities to be acknowledged before additional actions can be taken
- Procedures for notifying the Treasury’s AFU promptly of any confirmed matches.
- Procedures for notifying senior management of target matches and cases where the firm cannot determine whether a potential match is the actual target on the Consolidated List.
  Practical step: As above. Work with vendor to ensure roles and permissions are implemented that require activities to be acknowledged before additional actions can be taken including escalation rules
- A clear audit trail of the investigation of potential target matches and the decisions and actions taken, such as the rationale for deciding that a potential target match is a false positive.
  Practical step: Ensure AML technology captures all key audit data, that data is easily accessible and attributable to customer records and that this database is future proof were the screening technology to change

Source (good practice): Financial crime, a guide for firms (Financial Conduct Authority, April 2013)
Source (practical steps): LexisNexis

15 Treatment of potential target matches
Financial services firms’ approach to UK financial sanctions

Examples of poor practice include (each followed, where given, by the practical step in using AML technology):
- No procedures in place for investigating potential matches with the Consolidated List.
- Discounting actual target matches incorrectly as false positives due to insufficient investigation.
  Practical step: As above. Set clear workflow rules to capture via audit why target matches were discounted. Schedule regular MI report and review
- No audit trail of decisions where potential target matches are judged to be false positives.

Source (poor practice): Financial crime, a guide for firms (Financial Conduct Authority, April 2013)
Source (practical steps): LexisNexis

16 Summary

17 Appendices

18 Risk Assessment
Financial services firms’ approach to UK financial sanctions

Examples of good practice include:
- Conducting a comprehensive risk assessment, based on a good understanding of the financial sanctions regime, covering the risks that may be posed by clients, transactions, services, products and jurisdictions
- Taking into account associated parties, such as directors and beneficial owners
- A formal documented risk assessment with a clearly documented rationale for the approach

Examples of poor practice include:
- Not assessing the risks that the firm may face of breaching financial sanctions
- Risk assessments that are based on misconceptions

Source: Financial crime, a guide for firms (Financial Conduct Authority, April 2013)

19 Policies and procedures
Financial services firms’ approach to UK financial sanctions

Examples of good practice include:
- Documented policies and procedures in place, which clearly set out a firm’s approach to complying with its legal and regulatory requirements in this area.
- Group-wide policies for UK financial sanctions screening, to ensure that business unit-specific policies and procedures reflect the minimum standard set out in group policy.
- Effective procedures to screen against the Consolidated List that are appropriate for the business, covering customers, transactions and services across all products and business lines.
- Clear, simple and well understood escalation procedures to enable staff to raise financial sanctions concerns with management.
- Regular review and update of policies and procedures.
- Regular reviews of the effectiveness of policies, procedures, systems and controls by the firm’s internal audit function or another independent party.
- Procedures that include ongoing monitoring/screening of clients.

Examples of poor practice include:
- No policies or procedures in place for complying with the legal and regulatory requirements of the UK financial sanctions regime.
- Internal audits of procedures carried out by persons with responsibility for oversight of financial sanctions procedures, rather than an independent party.

Source: Financial crime, a guide for firms (Financial Conduct Authority, April 2013)

20 Staff training and awareness
Financial services firms’ approach to UK financial sanctions

Examples of good practice include:
- Regularly updated training and awareness programmes that are relevant and appropriate for employees’ particular roles.
- Testing to ensure that employees have a good understanding of financial sanctions risks and procedures.
- Ongoing monitoring of employees’ work to ensure they understand the financial sanctions procedures and are adhering to them.
- Training provided to each business unit covering both the group-wide and business unit-specific policies on financial sanctions.

Examples of poor practice include:
- No training on financial sanctions.
- Relevant staff unaware of the firm’s policies and procedures to comply with the UK financial sanctions regime.
- Changes to the financial sanctions policies, procedures, systems and controls are not communicated to relevant staff.

Source: Financial crime, a guide for firms (Financial Conduct Authority, April 2013)

21 Governance and senior management responsibility
Financial services firms’ approach to UK financial sanctions

Examples of good practice include:
- Senior management involvement in approving and taking responsibility for policies and procedures.
- A level of senior management awareness of the firm’s obligations regarding financial sanctions sufficient to enable them to discharge their functions effectively.
- Appropriate escalation in cases where a potential target match cannot easily be verified.
- Adequate and appropriate resources allocated by senior management.
- Appropriate escalation of actual target matches and breaches of UK financial sanctions.

Examples of poor practice include:
- No senior management involvement or understanding regarding the firm’s obligations under the UK financial sanctions regime, or its systems and controls to comply with it.
- No, or insufficient, management oversight of the day-to-day operation of systems and controls.
- Failure to include assessments of the financial sanctions systems and controls as a normal part of internal audit programmes.
- No senior management involvement in any cases where a potential target match cannot easily be verified.
- Senior management never being made aware of a target match or breach of sanctions for an existing customer.
- Inadequate or inappropriate resources allocated to financial sanctions compliance with our requirements.

Source: Financial crime, a guide for firms (Financial Conduct Authority, April 2013)

22 FCA Financial crime, a guide for firms
Banks’ management of high risk money laundering situations April 2013

23 Customer take-on (Selected extracts)
Banks’ management of high risk money laundering situations

Examples of good practice include:
- Clear processes for escalating the approval of high risk and all PEP customer relationships to senior management or committees which consider AML risk and give appropriate challenge to RMs and the business.
- Using, where available, local knowledge and open source internet checks to supplement commercially available databases when researching potential high risk customers including PEPs.
- Where money laundering risk is very high, supplementing CDD with independent intelligence reports and fully exploring and reviewing any credible allegations of criminal conduct by the customer.

Examples of poor practice include:
- Failing to ensure CDD for high-risk and PEP customers is kept up-to-date in line with current standards.
- Relying exclusively on commercially-available PEP databases and failure to make use of available open source information on a risk-based approach.
- No formal procedure for escalating prospective customers to committees and senior management on a risk based approach.
- Failing to take account of credible allegations of criminal activity from reputable sources.
- Concluding that adverse allegations against customers can be disregarded simply because they hold an investment visa.
- Accepting regulatory and/or reputational risk where there is a high risk of money laundering.

Source: Financial crime, a guide for firms (Financial Conduct Authority, April 2013)

24 Useful Links
- US Homeland Security and Governmental Affairs: US Vulnerabilities to Money Laundering, Drugs, and Terrorist Financing: HSBC Case History Majority and Minority Staff Report Permanent Subcommittee on Investigations United States Senate (July, 2012)
- FinCEN: US Department of the Treasury Financial Crimes Enforcement Network in the Matter of HSBC Bank USA N.A. (FinCEN, November, 2012)
- UK Financial Conduct Authority: Financial crime: a guide for firms. Consolidates and updates thematic reviews
- JMLSG Part III Guidance: Contains practical guidance on sanctions screening technology
- FSA Decision Notice: RBS Decision Notice concerning sanctions screening process
- LexisNexis: White paper guide to reducing false positives

