• Maintaining an AML/CFT Risk Model
    Why is it important to continue to update and revisit risk assessments?

    Risk is dynamic and needs to be continuously managed. It should also be noted that the environment in which each organization operates is subject to continual change. Externally, the political changes of a jurisdiction or whether economic sanctions are imposed or removed may impact a country-risk rating. Internally, organizations respond to market and customer demands by introducing new products and services and implementing new delivery systems. The combination of these changes makes it critical that the ML/TF risk model is subject to regular review. In some countries, there is a legislative obligation for such reviews to be undertaken on a regular basis — usually annually or when new products, delivery channels or customer types are introduced.

  • AML/CFT Risk Scoring
    What does FATF recommend considering when assessing risk?

    When assessing risk, FATF recommends considering:

    • Customer risk factors such as non-resident customers, cash-intensive businesses, complex ownership structure of a company, and companies with bearer shares.
    • Country or geographic risks such as countries with inadequate AML/CFT systems, countries subject to sanctions or embargos, countries involved with funding or supporting of terrorist activities, or those with significant levels of corruption.
    • Product, service, transaction or delivery channel risk factors such as private banking, anonymous transactions, and payments received from unknown third parties.
  • Assessing the Dynamic Risk of Customers
    What are some factors an institution should consider when assessing the dynamic risk of its customers?

    As every financial institution develops transaction history with customers, it should consider modifying the risk rating of the customer, based on:

    • Unusual activity, such as alerts, cases and suspicious transaction report (STR) filings.
    • Receipt of law enforcement inquiries, such as subpoenas.
    • Transactions that violate economic sanctions programs.
    • Other considerations, such as significant volumes of activity where it would not be expected, such as a domestic charity engaging in large international transactions or businesses engaged in large volumes of cash where this would not normally be expected.
  • AML/CFT Risk Identification – Geographic Location
    What are some sources of identifying countries that pose heightened geographic risk?

    • The US State Department issues an annual “International Narcotics Control Strategy Report” rating more than 100 countries on their money laundering controls
    • Transparency International publishes a yearly “Corruption Perceptions Index,” which rates more than 100 countries on perceived corruption
    • FATF identifies jurisdictions with weak AML/CFT regimes and issues country-specific Mutual Evaluation Reports
    • In the United States certain domestic jurisdictions are evaluated based on whether they fall within government-identified higher-risk geographic locations such as High Intensity Drug Trafficking Areas (HIDTA) or High Intensity Financial Crime Areas (HIFCA).
  • System of Internal Policies, Procedures and Controls
    What are some examples of internal controls, outside of policies and procedures?

    While policies and procedures provide important guidance, the AML/CFT program also relies on a variety of internal controls, including management reports and other built-in safeguards that keep the program working. These internal controls should enable the compliance organization to recognize deviations from standard procedures and safety protocols. A matter as simple as requiring a corporate officer’s approval or two signatures for transactions that exceed a prescribed amount could be a critical internal control element that if ignored seriously weakens an institution’s AML/CFT program and attracts unwanted attention from supervisory authorities.

  • The Compliance Function
    What factors should be considered when determining the sophistication of a compliance function within an institution?

    The sophistication of the compliance function should be based upon the institution’s nature, size, complexity, regulatory environment, and the specific risk associated with the products, services, and clientele. No two institutions will have exactly the same compliance structure because the risk facing each institution is going to be different, as identified in their respective risk assessments.

  • Designation and Responsibilities of a Compliance Officer – Communication
    Why is it critical that the Compliance Officer have good communication skills?

    The compliance officer must also have the means to communicate at all levels of the organization — from front-line associates all the way up to the CEO and Board of Directors. It is critical for a compliance officer to be capable of articulating matters of importance to senior and executive management, particularly significant changes that may present risk to the organization, such as a sudden or substantial increase in STRs or currency transaction reports (CTRs). Other items of concern that need to be escalated to management may include changes to laws or regulations that may require immediate action. A compliance officer must have the skills necessary to be able to analyze and interpret these ongoing changes, determine what effect they may have on the institution, and suggest an action plan when appropriate.

  • Designation and Responsibilities of a Compliance Officer – Delegation of AML Duties
    What controls should a Compliance Officer consider over an AML duty that has been delegated?

    The compliance function may establish risk-based quality assurance reviews and monitoring and testing activities to ensure the functions are being performed appropriately. This may include a review of the CDD collected to ensure completeness, monitoring reports of CDD completeness or defects to ensure the systems are working as expected, and performing testing to assess whether the monitoring and the business performance are satisfactorily measuring and ensuring compliance.

  • AML/CFT Training – Who to Train
    What are some of the target audiences for training?

    • Customer-facing staff
    • Operations personnel
    • AML/CFT compliance staff
    • Senior management and board of directors
    • Independent testing staff
  • AML/CFT Training – How to Train
    Why is it important to have a test at the end of a training session?

    Tests with a mandatory passing score should be considered as a means to evaluate how well the training is understood.

  • AML/CFT Training – When to Train
    When should an institution conduct training?

    An institution’s training should be ongoing and on a regular schedule. Existing employees should at least attend an annual training session. New employees should receive appropriate training with respect to their job function and within a reasonable period after joining or transferring to a new job. Situations may arise that demand an immediate session. For example, an emergency training session may be necessary right after an examination or audit that uncovers serious money laundering control deficiencies. A news story that names the institution or recent regulatory action, such as a Consent Order, might also prompt quick-response training. Changes in software, systems, procedures or regulations are additional triggers for training sessions.

  • Know Your Customer/CDD
    According to FATF, when should an institution conduct CDD?

    FATF recommends that financial institutions should be required to undertake CDD measures when:

    • Establishing business relationships.
    • Carrying out occasional transactions under certain circumstances.
    • There is a suspicion of money laundering or terrorist financing.
    • The financial institution has doubts about the veracity or adequacy of previously obtained customer identification data.
  • EDD
    According to FATF, when should an institution conduct enhanced due diligence on a customer?

    FATF indicates that when there are circumstances where the risk of money laundering or terrorist financing is higher, enhanced CDD measures should be taken.

  • EDD for Higher Risk Customers
    What are some examples of enhanced due diligence for higher risk customers?

    A financial institution should consider obtaining additional information from high-risk customers such as:

    • Source of funds and wealth.
    • Identifying information on individuals with control over the account, such as signatories or guarantors.
    • Occupation or type of business.
    • Financial statements.
    • Banking references.
    • Domicile.
    • Proximity of the customer’s residence, place of employment, or place of business to the bank.
    • Description of the customer’s primary trade area and whether international transactions are expected to be routine.
    • Description of the business operations, the anticipated volume of currency and total sales, and a list of major customers and suppliers.
    • Explanations for changes in account activity.
  • Account Opening, Customer Identification and Verification
    According to FATF, when should the identity of a customer be verified?

    A bank should not establish a banking relationship, or carry out any transactions, until the identity of the customer has been satisfactorily established and verified in accordance with FATF Recommendation 10.

  • Consolidated CDD
    How should a global financial institution address the performance of CDD across its various operations?

    Financial institutions should aim to apply their customer acceptance policy, procedures for customer identification, process for monitoring higher risk accounts and risk management framework on a global basis to all of their offices, branches and subsidiaries. The firm should clearly communicate these policies and procedures through ongoing training and regular communications, as well as conduct monitoring and testing to ensure compliance with the policies and procedures.

  • Economic Sanctions
    What are the three primary categories of economic sanctions?

    Sanctions can generally fall into one of the following categories:

    • Targeted Sanctions — aimed at specifically named individuals, such as key leaders in a country or territory, named terrorists, significant narcotics traffickers and proliferators of weapons of mass destruction. These sanctions often include the freezing of assets and travel bans where possible.
    • Sectoral Sanctions — aimed at key sectors of an economy to prohibit a very specific subset of financial dealings within those sectors to impede future growth.
    • Comprehensive Sanctions — generally prohibit all direct or indirect import/export, trade brokering, financing or facilitating against most goods, technology and services. These are often aimed at regimes responsible for gross human rights violations, and nuclear proliferation.
  • Economic Sanctions – US
    What is the Office of Foreign Assets Control’s (OFAC) list of sanctioned persons known as?

    The Specially Designated Nationals and Blocked Persons (SDN) list

  • Sanctions List Screening
    When should institutions conduct economic sanctions screening?

    Before a financial institution starts doing business with a new customer or engaging in certain transactions (e.g., international wire payments), it should review the various country sanction program requirements as well as published lists of known or suspected terrorists, narcotics traffickers, and other criminal actors for potential matches.

  • Politically Exposed Persons Screening
    What are some of the limitations on screening customers against lists of Politically Exposed Persons?

    The information contained in them — and the ability to positively match your customer with a PEP on a database — can be a challenge. These lists do not always provide all relevant information related to PEPs that would assist in identifying them. For instance, there is no unique identifier, such as a date of birth or address.

  • Assessing Risk and Developing a Risk-Scoring Model
    Why is the risk-based approach preferable to a prescriptive approach in the area of anti-money laundering and counter-terrorist financing?

    • Flexible — as money laundering and terrorist financing risks vary across jurisdictions, customers, products and delivery channels, and over time,
    • Effective — as companies are better equipped than legislators to effectively assess and mitigate the particular money laundering and terrorist financing risks they face, and
    • Proportionate — because a risk-based approach promotes a common sense and intelligent approach to fighting money laundering and terrorist financing as opposed to a “check the box” approach. It also allows firms to minimize the adverse impact of anti-money laundering procedures on their low-risk customers.
  • The Elements of an AML Program – Controls
    What are the basic elements of a financial institution’s anti-money laundering program?

    • A system of internal policies, procedures and controls,
    • A designated compliance officer with day-to-day oversight over the AML program,
    • An ongoing employee training program, and
    • An independent audit function to test the AML program.
  • The Elements of an AML Program – Compliance Officer
    Identify the responsibilities of the anti-money laundering compliance officer.

    A person should be designated as the anti-money laundering compliance officer. This individual should be responsible for designing and implementing the program, making necessary changes and disseminating information about the program’s successes and failures to key staff members, constructing anti-money laundering-related content for staff training programs and staying current on legal and regulatory developments in the field.

  • The Elements of an AML Program – Training
    What are some characteristics of a successful anti-money laundering compliance training program?

    Regulations and laws require financial institutions to have formal, written AML compliance programs that include “training for appropriate personnel.” A successful training program not only should meet the standards set out in the laws and regulations that apply to an institution, but should also satisfy internal policies and procedures and should mitigate the risk of getting caught up in a money laundering scandal. Training is one of the most important ways to stress the importance of anti-money laundering efforts, as well as educating employees about what to do if they encounter potential money laundering.

  • The Elements of an AML Program – Training
    Identify the basic elements behind the development of an effective anti-money laundering compliance training program.

    • Who to train,
    • What to train on,
    • How to train,
    • When to train, and
    • Where to train.
  • The Elements of an AML Program – Audit
    Describe how the independent audit should review Suspicious Transaction Reporting (STR) systems.

    The independent audit should review Suspicious Transaction Reporting (STR) systems, which should include an evaluation of the research and referral of unusual transactions. Testing should include a review of policies, procedures and processes for referring unusual or suspicious activity from all business lines (e.g., legal, private banking, foreign correspondent banking) to the personnel or department responsible for evaluating unusual activity.

  • The Elements of an AML Program – Audit
    What steps should the independent audit take to evaluate the bank’s transaction monitoring software’s ability to identify unusual activity?

    • Reviewing policies, procedures, and processes for suspicious activity monitoring,
    • Evaluating the system’s methodology for establishing and analyzing expected activity or filtering criteria,
    • Evaluating the appropriateness of the monitoring reports, and
    • Comparing the transaction monitoring typologies to the AML/CFT risk assessment for reasonableness.
  • What Risks Do Your Products or Services Pose?
    What banking functions or products are considered high-risk?

    • Private banking,
    • Offshore international activity,
    • Deposit-taking facilities,
    • Wire transfer and cash-management functions,
    • Transactions in which the primary beneficiary is undisclosed,
    • Loan guarantee schemes,
    • Travelers checks,
    • Official bank checks,
    • Money orders,
    • Foreign exchange transactions,
    • Trade-financing transactions with unusual pricing features, and
    • Payable Through Accounts (PTAs).
  • What Risks Do Your Customers Pose?
    When categorizing risks, what are the four general levels of risk?

    • Prohibited — The company will not tolerate any dealings of any kind given the risk. Countries subject to economic sanctions or designated as state sponsors of terrorism, such as Sudan or Iran, are prime candidates for prohibited transactions. Prohibited customers would include shell banks,
    • High-Risk – The risks here are significant, but are not necessarily prohibited. To mitigate the heightened risk presented, the firm should apply more stringent controls to reduce the risk, such as conducting enhanced due diligence and more rigorous transaction monitoring. Countries that are noted for corruption or drug trafficking are generally deemed high risk. High-risk customers may include PEPs; high-risk products and services may include correspondent banking and private banking,
    • Medium-Risk — Medium risks are more than a low- or standard-risk of money laundering, and merit additional scrutiny, but do not rise to the level of high-risk, and
    • Low- or Standard-Risk — This represents the baseline risk of money laundering; normal business rules apply.
  • What Risks Do Your Customers Pose?
    What types of customers might be considered high-risk for money laundering?

    • Casinos,
    • Offshore corporations and banks located in tax/banking havens,
    • MSBs, including currency exchange houses, money remitters, check cashers,
    • Car, boat and plane dealerships,
    • Used-car and truck dealers and machine parts manufacturers,
    • Travel agencies,
    • Brokers/dealers in securities,
    • Jewel, gem and precious metals dealers,
    • Import/export companies, and
    • Cash-intensive businesses (restaurants, retail stores, parking).
  • Compliance Culture and Senior Management’s Role
    Where does the ultimate responsibility for the AML compliance program rest?

    The ultimate responsibility for the AML compliance program rests with the board of directors. Members must set the tone from the top by openly voicing their commitment to the program, ensuring that their commitment flows through all service areas and lines of business, and holding responsible parties accountable for compliance.

  • Customer Due Diligence
    What are the seven elements of a sound customer due diligence (CDD) program?

    • Full identification of customer and business entities, including source of funds and wealth when appropriate,
    • Development of transaction and activity profiles of each customer’s anticipated activity,
    • Definition and acceptance of the customer in the context of specific products and services,
    • Assessment and grading of risks that the customer or the account present,
    • Account and transaction monitoring based on the risks presented,
    • Investigation and examination of unusual customer or account activity, and
    • Documentation of findings.
  • Know Your Employee
    Describe a sound Know Your Employee program.

    A Know Your Employee (KYE) program means that the institution has a program in place that allows it to understand an employee’s background, conflicts of interest and susceptibility to money laundering complicity. Policies, procedures, internal controls, job descriptions, code of conduct/ethics, levels of authority, compliance with personnel laws and regulations, accountability, monitoring, dual control, and other deterrents should be firmly in place.

  • Suspicious or Unusual Transaction Monitoring and Reporting
    Identify several types of internal reports financial institutions may use to discover money laundering and terrorist financing.

    • Daily cash activity in excess of the country’s reporting threshold,
    • Daily cash activity just below the country’s reporting threshold (to identify possible structuring),
    • Cash activity aggregated over a period of time (e.g., individual transactions over a certain amount, or totaling more than a certain amount over a 30-day period) to identify possible structuring,
    • Wire transfer reports/logs (with filters using amount and geographical factors),
    • Monetary instrument logs/reports,
    • Check kiting/drawing on uncollected funds (significant debit/credit flows),
    • Significant change reports, and
    • New account activity reports.
  • Suspicious or unusual transaction monitoring and reporting
    Describe a typical suspicious or unusual transaction reporting process within a financial institution.

    While reporting procedures vary from country to country, a typical suspicious or unusual transaction reporting process within a financial institution includes:

    • Procedures to identify potential suspicious transactions or activity,
    • A formal evaluation of each instance, and continuation, of unusual transactions or activity,
    • Documentation of the suspicious transaction reporting decision, whether or not filed with the authorities,
    • Procedures to periodically notify senior management or the board of directors of suspicious transaction filings, and
    • Employee training on detecting suspicious transactions or activities.
  • BMPE
    According to the 1999 U.S. Customs "trade advisory" titled "The Black Market Peso Exchange," what are the three red flags as indicators of BMPE?

    • Payment made in cash by a third party with no connection to the underlying transaction,
    • Payment made by wire transfers from third parties unconnected to the underlying transaction, and
    • Payment made with checks, bank drafts or money orders not drawn on the account of the purchaser.
  • Electronic Anti-Money Laundering Solutions
    Identify the four ways that good technology can equip organizations with improved defenses in the fight against financial crime.

    • Transaction monitoring: scanning and analyzing data for potential money laundering activity,
    • Watch list filtering: screening new accounts, existing customers, beneficiaries and transaction counterparties against terrorist, criminal and other blocked-persons watch lists,
    • Automation of regulatory reporting: filing suspicious transaction reports (STRs), currency transaction reports (CTRs), or other regulatory reports with the government, and
    • A detailed audit trail: demonstrates compliance efforts to regulators.