ENTERPRISE-WIDE RISK ASSESSMENT

1 ENHANCINGROBUSTNESSOFENTERPRISE-WIDE RISK ASSESSMENT ONMONEYLAUNDERINGANDTERRORISMFINANCINGI nformation PaperAugust outcomes and key observationsOutcome 1:Banks senior management maintain active oversight of EWRA frameworks and processes, including ensuring compliance with relevant MAS Notices and Guidelines. Outcome 2:Banks have sound and systematic frameworks and processes to assess inherent risks , control effectiveness, and residual risks for each business 3:Banks perform adequate and accurate qualitative and quantitative analyses in assessing 4:Banks assess effectiveness of controls, taking into account policies and procedures, control testing results, as well as insights from the banks assessments of their 5:Banks have systematic processes to establish and implement control measures to address areas for improvement identified from the EWRA 6.

2 Banks have structured processes to perform gap analysis against guidance papers, and incorporate lessons learnt and good industry practices in their own thematic inspections on (ML/TF)riskassessment(EWRA)assessesafina ncialinstitution s(FI)inherentML/TFrisks,theeffectiveness ofthecontrolenvironmentdesignedtomitigat ethoserisks, of inspectionThisinformationpapersetsoutMAS , Management oversight of EWRAA dequacy of management s oversight of frameworks and processes, and quality of deliberation on EWRA2. EWRA framework3. EWRA implementationSoundness of banks frameworks and methodologies to assess and rate inherent risks , control effectiveness, and residual risksRobustness of both quantitative and qualitative analyses in the EWRAW hilethepaperisbasedonMAS thematicinspectionsofbanks, ,therefore,incorporatethelearningpointsf romthispaperinarisk-basedandproportionat emanner, ASSESSMENT ,however, ,suchasutilisinggoodquantitativeanalysis toolstodetectML/TFrisks, ,therobustnessofEWRA methodologies, , sunderlyingintent,staffmayadoptaperfunct oryandmechanicalapproachtowardstheEWRA.

3 Expectation of the Board and senior management 4 Banks senior management maintain active oversight of EWRA frameworks and processes, including ensuring compliance with relevant MAS Notices and have sound and systematic frameworks and processes to assess inherent risks , control effectiveness, and residual risksfor each business perform adequate and accurate qualitative and quantitative analyses in assessing outcomesBanks assess effectiveness of controls, taking into account policies and procedures, control testing results, as well as insights from the banks assessments of their have systematic processes to establish and implement control measures to address areas for improvement identified from the EWRA exercise.

4 Banks have structured processes to perform gap analysisagainst guidance papers, and incorporate lessons learnt and good industry practices in their own ,establishclearrolesandresponsibilitiesp ertainingtoEWRA acrossthethreelinesofdefence, seniormanagementmaintainactiveoversighto fEWRA frameworksandprocesses,includingensuring compliancewithrelevantMASN oticesandGuidelines LackofrobustdiscussionsonEWRA bymanagement(althoughmostbankstabledtheE WRA tomanagementcommittees) ,managementwasunabletoprovideresponsesto questionsonEWRA ratingsinsomeinstances. DiscussiononEWRA heldoutsideofcommitteemeetingsanddidnotb enefitfromwiderviewsfromcommitteedeliber ation.

5 Failuretomaintaindocumentationforaccount abilityandaudittrail. Processesestablishedformanagementtoovers eeanddirecttheimplementationofcontrolmea surestoaddressgapsnotedfromtheEWRA,andre gularlymonitorthestatusagainsttargetdate s. Processesinplaceforvalidationofeffective nessofcontrolsbyinternalaudit/compliance andescalationofoverdueitems,ifany,tomana gement. FollowingpastEWRA templatesmechanicallywithoutagoodunderst andingofunderlyingobjectivesandinternalp olicyrequirements. Relyingonsystem-generatedresultsforEWRA ratings, can be betterGood practices observed3. Insufficient deliberation by senior management1.

6 Inadequate understanding of EWRA methodology Inadequateattentionpaidbymanagementtothe qualityoftheEWRA,resultinginundetecteder rorsforseveralyearsandincompleteanalyses . Forexample, process for management to direct and monitor the implementation of control measures 2. Undetected errors and omissions6 Outcome2-Bankshavesoundandsystematicfram eworksandprocessestoassessinherentrisks, controleffectiveness,andresidualrisksfor eachbusinesslineBanksshoulddevelopsounda ndsystematicEWRA methodologiestoeffectively(i)identifyand analyseinherentML/TFrisks,(ii)assessthea dequacyofAML/CFTcontrols,and(iii) , Structuredmethodologiestoassessandscorei nherentrisks,controlfactors, Staffprovidedwithadequateguidancetocondu ctEWRA consistently,acrossbusinesslinesandovert ime.

7 Inapplicablefactorsincludedorrelevantfac torsomittedintheassessmentsofinherentris ksandcontroleffectiveness. Forexample, ,thebankusedthesameEWRA templateacrossitsbusinesslines, Detailedrationaleforassigningweightagest oriskandcontrolfactorsinthemethodologies . Forexample,banksconsideredfactors,suchas natureofrisk,operatingenvironment,typeso fproductsoffered,andimplicationonotherri skfactors, Flaws in the design of EWRA rating methodology2. Inclusion of inapplicable factors / omissions of relevant factors1. Structured methodologies2. Detailed rationale for weightages Scoringmethodologiesthatarebiasedtowards morebenignratingsforinherentrisks,contro leffectiveness, (refertocasestudy1).

8 EWRA methodologieswithmathematicallyflawedmet rics(refertocasestudy1).What can be betterGood practices observed?Case study 1 -Flaws in EWRA rating IRLowIR4 MediumIR5 HighIR6 LowThe residual risk rating methodology allowed the residual risk to be Medium , when inherent risk (IR) was High and control effectiveness Deficient .TheIRratingmethodologyallowedtheoverall IRtobe Low whenonlyoneIRfactorwasassessedtobe Low . residual Risk Mediuma1 AbIRHighControlsDeficient 89 Re-calibratetheEWRA methodologytoensurethatitissoundandprude nt. Re-assesstheEWRA andrectifydownstreamimpactifany.

9 ,banksshould:These%rangesarebeyondthemax imumpossible% ,theratingforsegmentB(0to20newclients) (toratetheriskarisingfromclientgrowth) study 1 -Flaws in EWRA rating methodologiesStep 1 ClientSegmentTotalClientsMin(>=)TotalCli entsMax(<=)A1100B1011,000 Identify the client segmentNo. of new clientsTotal no. of clientsx 100% = % ofnew clientsCalculate the actual % of new clients# of newclientsRisk RatingLowMediumHigh% of newclients0to20<20%20%-30%>30%>20<15%15%-20%>20%Segment BStep 2 Step 3 Map %ofnewclients calculatedinstep2toaratingofLow,Medium,o rHighviaaratingmatrixcalibratedbasedonpr e-assignedclientsegment( ).

10 ,amongothers, sactivitiessuchascustomers transactions,inflowsto,andoutflowsfrom,s pecificgeographicallocations, can be better Relyingprimarilyonqualitativeanalysis,wi thlimitedquantitativeanalysis, in-depthunderstandingofML/TFrisks. Lackofrobustquantitativeanalysisattribut edtodifficultiesinextractingstructuredda taacrossdifferentsystems. MASencouragesbankstoleveragedataanalytic toolstoenhancetheirassessments(refertoca sestudies2and3). ErrorsandincompleteassessmentnotedinEWRA . Forexample,therewerecomputationalerrorsd uetowrongformulas,datainputerrors, Limited quantitative analysis1.