Internal Audit, Risk, Business & Technology Consulting

2018: THE YEAR AHEAD IN AML COMPLIANCE
INSIGHTS ON THE AML AND SANCTIONS LANDSCAPE FOR U.S. FINANCIAL INSTITUTIONS

Protiviti Webinar
January 11, 2018


© 2018 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services. All registered trademarks are the property of their respective owners.

A REMINDER…

We are recording today’s webinar and it will be available for on-demand viewing following the live event.

If you are experiencing technical difficulties during the webcast, let us know by submitting a comment through the questions area in the attendee console.

We encourage you to submit questions throughout the webcast.

You are welcome to listen to the audio portion of the webinar on your phone by using these conference dial-in numbers:

Code #: 2549857
Participant (Toll-Free): (844) 566-0743
Participant (Toll): (442) 275-1714


CPE CREDITS

We are offering 1 CPE credit for this 60 minute webinar.

You will receive the CPE certificate via e-mail approximately 60 days after the webinar date.

To be eligible to receive this credit, please ensure that you answer at least three (3) of the polling questions.


SPEAKERS

Carol Beaumier, Senior Managing Director
Carol is a Senior Managing Director within Protiviti’s Risk and Compliance practice. Prior to joining Protiviti, Carol was a Partner with Arthur Andersen where she led the Global Regulatory Practice; a founding member of The SecuraGroup and leader of the firm’s Risk Management practice; and a regulator with the Office of the Comptroller of the Currency, a bureau of the U.S. Treasury Department.

Shaun Creegan, Managing Director
Shaun is a Managing Director within Protiviti's Risk and Compliance practice focused on regulatory matters for Financial Services Institutions. Shaun has subject matter expertise in Anti-Money Laundering and Sanctions compliance. He has performed extensive work with top tier financial institutions to address regulatory enforcement actions and improve AML operations.

Vishal Ranjane, Managing Director
Vishal is a Managing Director with Protiviti in the firm’s Risk and Compliance practice. He has more than 15 years of Process Reengineering and Business Transformation experience predominantly in the areas of Financial Services, Organizational Design & Strategic Planning. Vishal has advised Exec. Management in matters regarding Integrating Business and Technologies while taking a process centric view.

Chetan Shah, Director
Chetan is a Director within Protiviti’s Risk and Compliance practice. He has more than 17 years of experience in Financial Services Technology, seven of which were focused on Anti-Money Laundering (“AML”) Analytics. He has extensive Financial Data Analytics experience using various statistical techniques and related software, and deep AML business and technology implementation experience with large financial institutions.

Christine Bucy, Associate Director
Christine is an Associate Director within Protiviti’s Risk and Compliance practice focused on regulatory matters for Financial Services institutions. Christine’s experience focuses on performing Anti-Money Laundering and OFAC related independent assessments, audits, validation and remediation of US and non-US banking organizations.

Asa Sum, Associate Director
Asa has over 15 years of experience in the financial services industry and maintains extensive experience with advising clients ranging from de novo to top-tier financial service companies on regulatory compliance matters including compliance with anti-money laundering (AML) and sanctions requirements.


AGENDA

• Outlook on the AML Regulatory and Legislative Environment

• FinCEN’s Customer Due Diligence Rule

• Managing Through the Ever-Changing Sanctions Landscape

• NYDFS Part 504

• RegTech: Will this be the breakout year for AML?

This document focuses on some of the priority issues and opportunities that U.S.-based financial institutions will face in 2018. It is not intended to provide comprehensive coverage of all of the AML-related issues which U.S. financial institutions may encounter. The ideas and concepts included herein are intended to be helpful, but should not be considered legal advice.


CURRENT U.S. REGULATORY ENVIRONMENT

Indications are that heightened regulatory scrutiny of anti-money laundering (AML) and sanctions programs will continue into 2018.

BSA/AML

• Regulators remain focused on financial institutions’ systems and processes for timely identification of suspicious activity and filing of accurate suspicious activity reports (SARs).

• Enforcement actions continue to require independent consultants and monitoring to assess compliance.

• Compliance professionals continue to face personal liability.

• Both Compliance Departments and Internal Audit Departments remain under pressure for their validation efforts to close out regulator-identified issues.

Sanctions

• While the total number of cases and volume of penalties announced in 2017 is off the highs seen in 2013 and 2014, sanctions compliance remains a high priority.


A CALL FOR REFORM

In February 2017, The Clearing House (TCH) released a report analyzing the current effectiveness of the U.S. AML regime. The report called for significant immediate and longer term reforms.

Areas for Immediate Reform

1. Rationalization of the Supervisory Framework

2. Improved Transparency of Beneficial Ownership

3. Greater Innovation

4. De-Prioritization of SAR Reporting Activities

5. Improved Data Flow

6. More Information Sharing

7. Enhanced Guidance on the Use and Disclosure of SARs


THE LEGISLATIVE AGENDA

As 2017 closed, Congressional proposals to overhaul AML/CFT rules were being discussed, though future passage of any of these proposals remains uncertain. Key provisions of the proposals include:

• Raising the thresholds for CTR and SAR reporting from > $10,000 to > $30,000 and from $5,000 to $10,000, respectively.

• Tasking FinCEN with obtaining beneficial ownership of legal entities at the time of incorporation and delaying and revising the CDD (Beneficial Owner) rule to reflect this change in responsibility.

• Allowing for the sharing of information on suspicious activity with overseas affiliates in jurisdictions that are FATF members and have adequate data privacy and security protections.


FINCEN’S CUSTOMER DUE DILIGENCE RULE

Final Rule Overview

FinCEN’s Customer Due Diligence for Financial Institutions applies to banks, broker-dealers, mutual funds, futures commission merchants, and commodity introducing brokers, effective May 11, 2018.

Key Principles

1. Requires prospective identification of up to four natural persons who, directly or indirectly, own 25 percent or more of the equity interests of a legal entity customer and of a single individual with significant responsibility to control the legal entity customer.

2. Excludes collection of beneficial ownership information for, among others, certain U.S. financial institutions (as well as foreign financial institutions for which a home country regulator maintains beneficial ownership information), U.S. governmental agencies and U.S. listed companies.

3. Requires updating of beneficial ownership information on an event-driven basis.

4. Formalizes existing practice to establish Customer Due Diligence as the Fifth Pillar of an AML Program.


FINCEN’S CUSTOMER DUE DILIGENCE RULE

Practical Implications and Compliance Challenges

• Determining the Right Threshold

• Unwrapping Ownership Structures and Drilling Down

• Understanding Triggers and Defining Event Driven Reviews

• Aggregating for Reporting and Transaction Monitoring

• Establishing a Single, Consistent View of a Customer

• Adjusting Technology and Data Analysis

• Managing the Client Experience

• Understanding Enforcement Implications of the Fifth Pillar


RECENT SANCTIONS

August 2, 2017: Russia
Sanctions on entities doing business with Russian military or intelligence agencies. These sanctions were in response to the 2016 US election, Russia’s annexation of Crimea and its military operations in eastern Ukraine. Signed into law in August. The administration will identify which Russian entities would be penalized with new sanctions by January 29, 2018.

August 25, 2017: Venezuela
Sanction banning dealings in new debt and equity issued by the government, and also by the state-run oil company, Petróleos de Venezuela SA. These measures are the first sanctions aimed at the government and state-owned institutions. The sanctions represent an ongoing effort by U.S. officials to put pressure on the regime of Venezuelan President Nicolás Maduro.

September 21, 2017: North Korea
Economic sanctions against any bank or other company doing business with North Korea. These sanctions were in response to Pyongyang's renegade nuclear program and intended to curb North Korea's nuclear efforts. This new executive order went into effect on September 21, 2017.

October 24, 2017: Belarus
Sanctions relief to allow most transactions with nine sanctioned entities in Belarus for the next six months. The sanctions relief was part of an effort to engage with Belarus and its veteran leader, President Alexander Lukashenko, and open the door to expanded commercial ties. This authorization expires on April 30, 2018, unless extended or revoked.

November 9, 2017: Cuba
These regulatory changes restrict travel and trade with Cuba. The restrictions are aimed at preventing the military, intelligence and security arms of Cuba's Communist government from benefiting from American tourists and trade. The restrictions went into effect on November 9, 2017.


BEST PRACTICES FOR SANCTIONS MANAGEMENT

Focal Point: Policies & Procedures
Common Issues Observed with Sanctions Programs:
• Policies and procedures do not meet legal and regulatory requirements
Best Practices:
• Policies & procedures align to the unique risks of the organization
• Review and approval on an annual basis

Focal Point: Internal Monitoring
Common Issues Observed with Sanctions Programs:
• Lack of robust internal and management reporting
Best Practices:
• Reporting is complete and accurate
• Evidence of involvement with Senior Management and Board of Directors

Focal Point: Effectiveness of Internal Controls
Common Issues Observed with Sanctions Programs:
• Lack of well-documented controls
• Testing of controls to assess effectiveness is not performed
Best Practices:
• Review and testing of controls to evaluate effectiveness
• Controls are robust and well-documented
• Timely remediation of control deficiencies

Focal Point: Voluntary Disclosure and Cooperation with Regulators
Common Issues Observed with Sanctions Programs:
• Inadequate reporting of information to regulators
Best Practices:
• Periodic communications with regulators
• Timely remediation of issues identified by regulators
• Reporting and timely voluntary self disclosures

Focal Point: Continuous Improvement of Sanctions Compliance Program
Common Issues Observed with Sanctions Programs:
• Sanctions issues management program does not incorporate adequate governance and reporting processes
Best Practices:
• Timely validation of remediation efforts
• Tracking and escalation of missed timelines
• Participation in working groups and committees


BEST PRACTICES FOR SANCTIONS MANAGEMENT (continued)

Focal Point: Wire Stripping
Common Issues Observed with Sanctions Programs:
• AML transaction monitoring rules provide incomplete coverage of transactions
Best Practices:
• End-to-end review of transaction details from receipt through execution
• Review and testing of resubmitted transactions or transactions that are missing critical information

Focal Point: Customer Due Diligence
Common Issues Observed with Sanctions Programs:
• Inadequate procedures to identify ultimate beneficial ownership information
Best Practices:
• Identification and verification of customers including beneficial owners
• Review of any onboarding exception(s)
• Review of customer due diligence of correspondent banking relationships

Focal Point: White List Management
Common Issues Observed with Sanctions Programs:
• Use of outdated white lists
• Access rights are not restricted
• Lack of periodic testing of white lists
Best Practices:
• Proper review of items included and removed from white lists
• Review of user rights and access
• Periodic testing on the effectiveness of the white list

Focal Point: System Validation and Data Integrity
Common Issues Observed with Sanctions Programs:
• Monitoring rules and threshold settings are not routinely reviewed
• Data integrity issues
Best Practices:
• Review of data feeds from lines of business into applicable systems
• Review of monitoring rules and threshold settings
• Validation of models and scenarios

Focal Point: Training
Common Issues Observed with Sanctions Programs:
• Lack of current, customized training for target audience
• Inadequate monitoring of training attendance
Best Practices:
• Periodic annual review of training content for completeness, relevance and accuracy.
• Tracking and escalation and review of attendance for non-compliance


NY DEPARTMENT OF FINANCIAL SERVICES

NY State takes a leading role in shaping requirements for transaction monitoring and filtering programs.

DFS Part 504

Transaction Monitoring and Filtering Program Requirements and Certification

First Certification Due: April 15, 2018


NY DEPARTMENT OF FINANCIAL SERVICES

Transaction Monitoring Program Requirements

• Risk-based
• Calibrated
• Documented
• Tested
• Supported by Investigation Protocols

Filtering Program Requirements

• Risk-based
• Calibrated
• Documented
• Tested
• Supported by Adjudication Procedures

Applies to Both Transaction Monitoring and Filtering Programs

• Must be subject to adequate governance and oversight, including, but not limited to well-defined change management processes, adequate funding and adequate staffing.

• Must be subject to adequate third party risk management when outside providers are used.

• Must identify all data sources and design and implement data extraction and loading processes to ensure complete and accurate transfer of data.

• Must provide periodic training for all key stakeholders.

The basic requirements track generally to the FRB’s Model Governance Guidance (SR 11-7) and to various FFIEC technology issuances, but Part 504 is a regulation and requires annual certification.


NY DEPARTMENT OF FINANCIAL SERVICES

At the option of the institution, either a board resolution or senior officer finding is required to be signed and delivered to the DFS by April 15th of each year to certify:

1. The board of directors or senior officer has reviewed documents, reports, certifications and opinions of officers, employees, and outside parties as necessary to adopt the resolution or finding.

2. The board of directors or senior officer has taken all steps necessary to confirm that the institution has a transaction monitoring and filtering program that meets the requirements of the regulation.

3. To the best of the knowledge of the board of directors or senior officer, the transaction monitoring and filtering program complies with the requirements of the regulation.

This regulation will be enforced pursuant to the DFS’s authority under all applicable laws.


NY DEPARTMENT OF FINANCIAL SERVICES

Part 504 requires that applicable AML models are subject to model validation. The validation processes for transaction monitoring and sanction screening models are as follows:

Transaction Monitoring

Data Integrity, Quality, and Assessment
• Data Lineage
• Accuracy

Scenario Coverage (Red Flag Analysis)
• Products and Services
• Geography
• Customer Base/Types

Scenario Logic Validation
• Specification and Parameters
• Logic Replication
• Output Comparison

Scenario Optimization (Threshold Tuning)
• Below and Above the Line Testing
• Quantitative Analysis
• Qualitative Analysis

Filtering

Data Integrity, Quality, and Assessment
• Data Lineage
• Accuracy
• Reconciliation and Transformation Process

Watch-List Selection
• Applicable Watch-List
• White List Management

Scenario Logic Validation
• Specification and Parameters
• Name Matching Algorithm/Fuzzy Logic
• Masked Names Hit Percentage

Scenario Optimization (Threshold Tuning)
• Name Masking Algorithm Output Analysis
• Threshold Recommendation


TRANSACTION MONITORING

The validation process for a transaction monitoring model should include:

Data Integrity, Quality, and Assessment
• Data Lineage
• Accuracy
• Reconciliation and Transformation Process

Scenario Coverage (Red Flag Analysis)
• Products and Services
• Geography
• Customer Base/Types

Scenario Logic Validation
• Specification and Parameters
• Logic Replication
• Output Comparison

Scenario Optimization (Threshold Tuning)
• Below and Above the Line Testing
  ˗ Quantitative Analysis
  ˗ Qualitative Analysis


SANCTION SCREENING

The validation process for a sanction screening model should include:

Data Integrity, Quality, and Assessment
• Data Lineage
• Accuracy
• Reconciliation and Transformation Process

Watch-List Selection
• Applicable Watch-List
• White List Management

Scenario Logic Validation
• Specification and Parameters
• Name Matching Algorithm/Fuzzy Logic
• Masked Names Hit Percentage

Scenario Optimization (Threshold Tuning)
• Name Masking Algorithm Output Analysis
• Threshold Recommendation


“Regtech is the application of new technology to regulation-related activities to shift them from analog to digital and computational models for dramatic gains in effectiveness, efficiency and scalability”.


THE STATE OF REGTECH

Source: CB Insights


APPLYING REGTECH ACROSS AML PROCESSES

Reporting, Visualization and Dashboards

Know Your Customer (CDD/EDD), Customer Screening (incl. OFAC, PEPs, etc.)

Transaction Monitoring & Detection

Data Integration

Customer Risk Ranking (CRR)

KYC Lifecycle Mgmt. (CDD/EDD)

Entity Resolution

Customer Screening (OFAC, PEPs, etc.)

Transactions feeding in Monitoring systems

Alert Generation (Factoring Segments & Thresholds)

Case Management

SAR Reporting process

Internal Data; Third Party Data; Public/Social Data

• Network Analysis and Link analysis / auto-discovery of linkages within an organization’s data (assists in TM as well)

• Leverage Robotic Process Automation

• Leveraging Blockchain technology

• Data Enrichment

• Data Governance

• Compilation of 360 customer view using various internal/external sources

• Data visualization/ reporting tools

• Predictive Analytics

• Improvements in analyzing SAR results lead to a monitoring feedback loop

• Leveraging Robotic Process Automation

• Leverage Machine Learning to Identify segmentation patterns, prioritize alerts and review false positives and false negatives

• Feedback loops to detection algorithms.

• Generating investigation narratives, going beyond boilerplate templates


AML DEVELOPING AND FUTURE TRENDS

Blockchain Capabilities
• KYC Applications
• Trade Finance

AI and Machine Learning
• Transaction Monitoring
• OFAC and KYC
• Model Validation

Enhance Data Governance Tools
• Data Lineage
• Model Validation support
• Data Visualization / Dashboards
• Enhanced Reporting

Partnership with RegTech Firms
• Banks partnering with RegTechs
• Innovation Ecosystem between AML functions and RegTechs
• Third Party Risk Management


Protiviti’s Guide to U.S. Anti-Money Laundering Requirements, Frequently Asked Questions

For more information and to download the guide visit Protiviti.com/aml.

THANK YOU!


CONTACT INFORMATION

Chetan Shah, Director
Office: (704) 916 6591

Carol M. Beaumier, Senior Managing Director
Office: (212) 603 8337

Shaun Creegan, Managing Director
Office: (212) 708 6336

Vishal Ranjane, Managing Director
Office: (704) 998 0778

Asa Sum, Associate Director
Office: (267) 256 8747

Christine Bucy, Associate Director
Office: (314) 656 1739
