Interpreting Lessons Learnt from Recent Enforcement Actions Focus on Technology

20th June, 2013. Mark Dunn, Market Planning Manager, LexisNexis BIS Risk.


Presentation Transcript


  1. Interpreting Lessons Learnt from Recent Enforcement Actions: Focus on Technology. 20th June, 2013. Mark Dunn, Market Planning Manager, LexisNexis BIS Risk

  2. Technology highlighted as significant problem area
     US enforcement actions highlight management of technology as a primary problem within banks’ AML systems & controls
     “Many of the practical problems seen in recent years with respect to BSA compliance can be summed up within four areas: culture of compliance within the organization; commitment of sufficient and expert resources; strength of information technology and monitoring processes; sound risk management.”
     Testimony of the Office of the Comptroller of the Currency Before the Permanent Subcommittee on Investigations of the Committee on Homeland Security and Governmental Affairs of the US Senate. July, 2012

  3. Acquiring technology fit for purpose
     Issues included:
     • Transaction Monitoring
       • Limitations of in-house AML system and need to rely heavily on manual transaction reviews reduced effectiveness of automated monitoring
       • Led to 17,000+ unprocessed (“backlogged”) alerts as business lines increased
       • Meant deployment of extra offshore and other reviewers to clear backlog
       • Resulted in “deficiencies in the quality of the work,” and 34% of alerts supposedly resolved had to be re-done
       • Replaced proprietary monitoring system with commercially available service
       • In first month, new system detected 100,000+ transactions previously unchecked under older system
     • Other Issues
       • Array of problematic decisions on what clients and countries should be designated high risk and subject to enhanced monitoring
       • What accounts and wire transfer activity should be subject to or excluded from routine AML monitoring
       • What parameters should be used to trigger alerts, including dollar thresholds, key words or phrases
       • Scenario rules that combined specified elements
       • What “negative rules” should be used to decrease the number of alerts that would otherwise be generated for review
     “HBUS did not acquire an automated system equal to the needs of the Bank, ie, a system with sufficient capacity to support the volume, scope, and nature of transactions conducted by and through HBUS, until April 2011…In sum, HBUS failed to dedicate sufficient human and technological resources to meet its AML/CFT obligations.”
     US Department of the Treasury Financial Crimes Enforcement Network in the Matter of HSBC Bank USA N.A. (FinCEN, November, 2012)
     Sources: US Vulnerabilities to Money Laundering, Drugs, and Terrorist Financing: HSBC Case History Majority and Minority Staff Report Permanent Subcommittee on Investigations United States Senate (July, 2012), US Department of the Treasury Financial Crimes Enforcement Network in the Matter of HSBC Bank USA N.A. (FinCEN, November, 2012)

  4. Ensuring a robust sanctions screening process
     Issues included:
     • OFAC Filter
       • Each transaction had to be manually reviewed and resolved by two 4-person OFAC Compliance teams in New York and Delaware
       • Introduction of new payment system and several adjustments made to OFAC filters led to backlog of alerts that took weeks to clear. Backlog of 700+ alerts accumulates
       • Not enough personnel available to manage backlog. Compliance teams were under rigorous pressure to process alerts and determine a disposition in a timely manner leaving gaps for errors
     • HBUS’s OFAC Compliance Program
       • Internal bank documentation related to HBUS’ OFAC compliance efforts regarding OFAC sensitive transactions portrayed a variety of specific problems over the period reviewed by the Subcommittee
       • For example: Prohibited transactions were not detected by HSBC’s WOLF filter or HBUS’ OFAC filter due to programming deficiencies that did not identify certain terms or names as suspicious
       • For example: Transactions that had been properly blocked by the WOLF or OFAC filter were released by HSBC or HBUS employees in error, due to rushed procedures, inadequate training, or outright mistakes
     “At HBUS, documents provided to the Subcommittee indicate that, for years, some HSBC affiliates took action to circumvent the OFAC filter when sending OFAC sensitive transactions through their US dollar correspondent accounts at HBUS.”
     US Vulnerabilities to Money Laundering, Drugs, and Terrorist Financing: HSBC Case History Majority and Minority Staff Report Permanent Subcommittee on Investigations United States Senate (July, 2012)
     Sources: US Vulnerabilities to Money Laundering, Drugs, and Terrorist Financing: HSBC Case History Majority and Minority Staff Report Permanent Subcommittee on Investigations United States Senate (July, 2012), US Department of the Treasury Financial Crimes Enforcement Network in the Matter of HSBC Bank USA N.A. (FinCEN, November, 2012)

  5. Aligning technology to changing business risks
     Issues included:
     • Risk rating not updated
       • Despite the overwhelming information available about substantial money laundering risks in Mexico, from 2002 until 2009, HBUS gave Mexico its lowest risk rating for AML purposes
       • As a consequence, under HSBC Group policy, clients from Mexico were not subjected to enhanced monitoring by HBUS, unless they were also designated a Special Category Client (SCC), a relatively rare designation that indicates a client poses high AML risks.
       • Had Mexico carried one of the two highest risk ratings, all Mexican clients at HBUS would have been subjected to enhanced due diligence and account monitoring. Instead, HBUS failed to conduct AML monitoring of most Mexican client account and wire transfer activity involving substantial funds
     • HBMX’s History of Weak AML Safeguards
       • Monitoring system did not have any capacity to aggregate transaction activity for any period other than a given day and did not identify high risk clients
       • Proprietary monitoring system implemented but only applied to limited number of transactions
       • Inadequate internal controls over the IT systems used to send information to the regulator on suspicious or relevant transactions to authorities.
       • Failure to ensure monitoring parameters met local requirements and inadequate training
     “The Bank’s failure to adequately assess risk negatively impacted the effectiveness of its transaction monitoring, which already suffered from additional systemic weaknesses.”
     US Department of the Treasury Financial Crimes Enforcement Network in the Matter of HSBC Bank USA N.A. (FinCEN, November, 2012)
     Sources: US Vulnerabilities to Money Laundering, Drugs, and Terrorist Financing: HSBC Case History Majority and Minority Staff Report Permanent Subcommittee on Investigations United States Senate (July, 2012), US Department of the Treasury Financial Crimes Enforcement Network in the Matter of HSBC Bank USA N.A. (FinCEN, November, 2012)

  6. Lack of consistent process
     Issues included:
     • Lack of consistent process
       • Inconsistent adherence to internal policies and procedures, inadequate systems, the need to strengthen controls, and inconsistent monitoring processes
       • HBUS did not apply its risk-rating methodology “in a consistent manner.” The OCC wrote that, in 2009, while the bank elevated the risk ratings versus the scores, the bank has not adopted a repeatable, standardized procedure.
       • Compliance communicated repeatedly the need to consistently apply the policy and “enforce our policy on a consistent and Groupwide basis”
       • “Failure to consistently gather reasonably accurate and complete customer documentation undermined the Bank’s ability to conduct customer risk assessments.”
       • Led to inconsistent adherence to internal policies and procedures, inadequate systems, the need to strengthen controls, and inconsistent monitoring processes
     “The bottom line is, our OFAC process is in disarray and in great risk of being noncompliant. We have multiple systems, inconsistent practices, limited communication between the various functions, and no oversight function”
     US Vulnerabilities to Money Laundering, Drugs, and Terrorist Financing: HSBC Case History Majority and Minority Staff Report Permanent Subcommittee on Investigations United States Senate (July, 2012)
     Sources: US Vulnerabilities to Money Laundering, Drugs, and Terrorist Financing: HSBC Case History Majority and Minority Staff Report Permanent Subcommittee on Investigations United States Senate (July, 2012), US Department of the Treasury Financial Crimes Enforcement Network in the Matter of HSBC Bank USA N.A. (FinCEN, November, 2012)

  7. Server issues
     Issues included:
     • Server Issues
       • OFAC-sensitive transactions involved payment messages associated with non-U.S. dollar transactions that were sent through servers physically located in the US, but which were not processed by HBUS and were not screened by an OFAC filter
       • Despite concern expressed by HBUS, the bank decided not to turn on the HBUS OFAC filter to screen these payment messages
       • Transaction messages were still being routed through a US server “for a fraction of a second for later transfer to the UK,” which could be long enough for a “log file” to exist in the United States identifying the transactions.
     “HSBC Group knowingly put its US affiliate at regulatory and reputational risk by moving payment messages through a US server without scanning them against the OFAC filter.”
     US Vulnerabilities to Money Laundering, Drugs, and Terrorist Financing: HSBC Case History Majority and Minority Staff Report Permanent Subcommittee on Investigations United States Senate (July, 2012)
     Sources: US Vulnerabilities to Money Laundering, Drugs, and Terrorist Financing: HSBC Case History Majority and Minority Staff Report Permanent Subcommittee on Investigations United States Senate (July, 2012), US Department of the Treasury Financial Crimes Enforcement Network in the Matter of HSBC Bank USA N.A. (FinCEN, November, 2012)

  8. Lessons from the UK Financial Conduct Authority Thematic Reviews and Reports: Focus on Technology

  9. FCA: Financial crime, a guide for firms. Financial services firms’ approach to UK financial sanctions. April 2013

  10. Financial services firms’ approach to UK financial sanctions: Screening during client take-on

  11. Financial services firms’ approach to UK financial sanctions: Screening during client take-on

  12. Financial services firms’ approach to UK financial sanctions: Ongoing screening

  13. Financial services firms’ approach to UK financial sanctions: Ongoing screening

  14. Financial services firms’ approach to UK financial sanctions: Treatment of potential target matches

  15. Financial services firms’ approach to UK financial sanctions: Treatment of potential target matches

  16. Summary

  17. Appendices

  18. Financial services firms’ approach to UK financial sanctions: Risk Assessment
     Examples of good practice include:
     • Conducting a comprehensive risk assessment, based on a good understanding of the financial sanctions regime, covering the risks that may be posed by clients, transactions, services, products and jurisdictions
     • Taking into account associated parties, such as directors and beneficial owners
     • A formal documented risk assessment with a clearly documented rationale for the approach
     Examples of poor practice include:
     • Not assessing the risks that the firm may face of breaching financial sanctions
     • Risk assessments that are based on misconceptions
     Source: Financial crime, a guide for firms (Financial Conduct Authority, April 2013)

  19. Financial services firms’ approach to UK financial sanctions: Policies and procedures
     Examples of good practice include:
     • Documented policies and procedures in place, which clearly set out a firm’s approach to complying with its legal and regulatory requirements in this area.
     • Group-wide policies for UK financial sanctions screening, to ensure that business unit-specific policies and procedures reflect the minimum standard set out in group policy.
     • Effective procedures to screen against the Consolidated List that are appropriate for the business, covering customers, transactions and services across all products and business lines.
     • Clear, simple and well understood escalation procedures to enable staff to raise financial sanctions concerns with management.
     • Regular review and update of policies and procedures.
     • Regular reviews of the effectiveness of policies, procedures, systems and controls by the firm’s internal audit function or another independent party.
     • Procedures that include ongoing monitoring/screening of clients.
     Examples of poor practice include:
     • No policies or procedures in place for complying with the legal and regulatory requirements of the UK financial sanctions regime.
     • Internal audits of procedures carried out by persons with responsibility for oversight of financial sanctions procedures, rather than an independent party.
     Source: Financial crime, a guide for firms (Financial Conduct Authority, April 2013)

  20. Financial services firms’ approach to UK financial sanctions: Staff training and awareness
     Examples of good practice include:
     • Regularly updated training and awareness programmes that are relevant and appropriate for employees’ particular roles.
     • Testing to ensure that employees have a good understanding of financial sanctions risks and procedures.
     • Ongoing monitoring of employees’ work to ensure they understand the financial sanctions procedures and are adhering to them.
     • Training provided to each business unit covering both the group-wide and business unit-specific policies on financial sanctions.
     Examples of poor practice include:
     • No training on financial sanctions.
     • Relevant staff unaware of the firm’s policies and procedures to comply with the UK financial sanctions regime.
     • Changes to the financial sanctions policies, procedures, systems and controls are not communicated to relevant staff.
     Source: Financial crime, a guide for firms (Financial Conduct Authority, April 2013)

  21. Financial services firms’ approach to UK financial sanctions: Governance and senior management responsibility
     Examples of good practice include:
     • Senior management involvement in approving and taking responsibility for policies and procedures.
     • A level of senior management awareness of the firm’s obligations regarding financial sanctions sufficient to enable them to discharge their functions effectively.
     • Appropriate escalation in cases where a potential target match cannot easily be verified.
     • Adequate and appropriate resources allocated by senior management.
     • Appropriate escalation of actual target matches and breaches of UK financial sanctions.
     Examples of poor practice include:
     • No senior management involvement or understanding regarding the firm’s obligations under the UK financial sanctions regime, or its systems and controls to comply with it.
     • No, or insufficient, management oversight of the day-to-day operation of systems and controls.
     • Failure to include assessments of the financial sanctions systems and controls as a normal part of internal audit programmes.
     • No senior management involvement in any cases where a potential target match cannot easily be verified.
     • Senior management never being made aware of a target match or breach of sanctions for an existing customer.
     • Inadequate or inappropriate resources allocated to financial sanctions compliance with our requirements.
     Source: Financial crime, a guide for firms (Financial Conduct Authority, April 2013)

  22. FCA: Financial crime, a guide for firms. Banks’ management of high risk money laundering situations. April 2013

  23. Banks’ management of high risk money laundering situations: Customer take-on (Selected extracts)
     Examples of good practice include:
     • Clear processes for escalating the approval of high risk and all PEP customer relationships to senior management or committees which consider AML risk and give appropriate challenge to RMs and the business.
     • Using, where available, local knowledge and open source internet checks to supplement commercially available databases when researching potential high risk customers including PEPs.
     • Where money laundering risk is very high, supplementing CDD with independent intelligence reports and fully exploring and reviewing any credible allegations of criminal conduct by the customer.
     Examples of poor practice include:
     • Failing to ensure CDD for high-risk and PEP customers is kept up-to-date in line with current standards.
     • Relying exclusively on commercially-available PEP databases and failure to make use of available open source information on a risk-based approach.
     • No formal procedure for escalating prospective customers to committees and senior management on a risk based approach.
     • Failing to take account of credible allegations of criminal activity from reputable sources.
     • Concluding that adverse allegations against customers can be disregarded simply because they hold an investment visa.
     • Accepting regulatory and/or reputational risk where there is a high risk of money laundering.
     Source: Financial crime, a guide for firms (Financial Conduct Authority, April 2013)

  24. Useful Links
     • US Homeland Security and Governmental Affairs
       • US Vulnerabilities to Money Laundering, Drugs, and Terrorist Financing: HSBC Case History Majority and Minority Staff Report Permanent Subcommittee on Investigations United States Senate (July, 2012)
     • FinCEN
       • US Department of the Treasury Financial Crimes Enforcement Network in the Matter of HSBC Bank USA N.A. (FinCEN, November, 2012)
     • UK Financial Conduct Authority: Financial crime: a guide for firms
       • Consolidates and updates thematic reviews
       • http://fshandbook.info/FS/html/handbook/FC/link/PDF
     • JMLSG Part III Guidance
       • Contains practical guidance on sanctions screening technology
       • http://www.jmlsg.org.uk/industry-guidance/article/jmlsg-guidance-current
     • FSA Decision Notice
       • RBS Decision Notice concerning sanctions screening process
       • http://www.fsa.gov.uk/pubs/other/rbs_group.pdf
     • LexisNexis
       • White paper guide to reducing false positives
       • http://www.lexisnexis.org.uk/creo_files/upload/risk/matching_algorithm_whitepaper.pdf