
ENTERPRISE-WIDE RISK ASSESSMENT - Monetary Authority of ...


CONTENTS 1. Introduction 2. Overall assessment 3. Desired outcomes and key observations Outcome 1: Banks’ senior management maintain active oversight of EWRA frameworks and processes, including ensuring compliance


ENHANCING ROBUSTNESS OF ENTERPRISE-WIDE RISK ASSESSMENT ON MONEY LAUNDERING AND TERRORISM FINANCING

Information Paper August

outcomes and key observations

Outcome 1: Banks' senior management maintain active oversight of EWRA frameworks and processes, including ensuring compliance with relevant MAS Notices and Guidelines.

Outcome 2: Banks have sound and systematic frameworks and processes to assess inherent risks, control effectiveness, and residual risks for each business line.

Outcome 3: Banks perform adequate and accurate qualitative and quantitative analyses in assessing risks.

Outcome 4: Banks assess effectiveness of controls, taking into account policies and procedures, control testing results, as well as insights from the banks' assessments of their cultures.

Outcome 5: Banks have systematic processes to establish and implement control measures to address areas for improvement identified from the EWRA exercise.

Outcome 6: Banks have structured processes to perform gap analysis against guidance papers, and incorporate lessons learnt and good industry practices in their own

thematic inspections on (ML/TF) risk assessment (EWRA) assesses a financial institution's (FI) inherent ML/TF risks, the effectiveness of the control environment designed to mitigate those risks, of inspection

This information paper sets out MAS ,

Management oversight of EWRA
Adequacy of management's oversight of frameworks and processes, and quality of deliberation on EWRA

2.

EWRA framework
3. EWRA implementation
Soundness of banks' frameworks and methodologies to assess and rate inherent risks, control effectiveness, and residual risks
Robustness of both quantitative and qualitative analyses in the EWRA

While the paper is based on MAS thematic inspections of banks, , therefore, incorporate the learning points from this paper in a risk-based and proportionate manner, assessment , however, , such as utilising good quantitative analysis tools to detect ML/TF risks, , the robustness of EWRA methodologies, , 's underlying intent, staff may adopt a perfunctory and mechanical approach towards the EWRA, expectation of the Board and senior management

Banks' senior management maintain active oversight of EWRA frameworks and processes, including ensuring compliance with relevant MAS Notices and Guidelines.

Banks have sound and systematic frameworks and processes to assess inherent risks, control effectiveness, and residual risks for each business line.

Banks perform adequate and accurate qualitative and quantitative analyses in assessing risks.

outcomes

Banks assess effectiveness of controls, taking into account policies and procedures, control testing results, as well as insights from the banks' assessments of their cultures.

Banks have systematic processes to establish and implement control measures to address areas for improvement identified from the EWRA exercise.

Banks have structured processes to perform gap analysis against guidance papers, and incorporate lessons learnt and good industry practices in their own , establish clear roles and responsibilities pertaining to EWRA across the three lines of defence, senior management maintain active oversight of EWRA frameworks and processes, including ensuring compliance with relevant MAS Notices and Guidelines

Lack of robust discussions on EWRA by management (although most banks tabled the EWRA to management committees) , management was unable to provide responses to questions on EWRA ratings in some instances.

Discussion on EWRA held outside of committee meetings and did not benefit from wider views from committee deliberation.

Failure to maintain documentation for accountability and audit trail.

Processes established for management to oversee and direct the implementation of control measures to address gaps noted from the EWRA, and regularly monitor the status against target dates.

Processes in place for validation of effectiveness of controls by internal audit/compliance and escalation of overdue items, if any, to management.

Following past EWRA templates mechanically without a good understanding of underlying objectives and internal policy requirements.

Relying on system-generated results for EWRA ratings,

can be better
Good practices observed
3. Insufficient deliberation by senior management
1. Inadequate understanding of EWRA methodology

Inadequate attention paid by management to the quality of the EWRA, resulting in undetected errors for several years and incomplete analyses. For example,

process for management to direct and monitor the implementation of control measures
2. Undetected errors and omissions

Outcome 2 - Banks have sound and systematic frameworks and processes to assess inherent risks, control effectiveness, and residual risks for each business line

Banks should develop sound and systematic EWRA methodologies to effectively (i) identify and analyse inherent ML/TF risks, (ii) assess the adequacy of AML/CFT controls, and (iii) ,

Structured methodologies to assess and score inherent risks, control factors,

Staff provided with adequate guidance to conduct EWRA consistently, across business lines and over time.

Inapplicable factors included or relevant factors omitted in the assessments of inherent risks and control effectiveness. For example, , the bank used the same EWRA template across its business lines,

Detailed rationale for assigning weightages to risk and control factors in the methodologies. For example, banks considered factors, such as nature of risk, operating environment, types of products offered, and implication on other risk factors,

Flaws in the design of EWRA rating methodology
2. Inclusion of inapplicable factors / omissions of relevant factors
1. Structured methodologies
2. Detailed rationale for weightages

Scoring methodologies that are biased towards more benign ratings for inherent risks, control effectiveness, (refer to case study 1).

EWRA methodologies with mathematically flawed metrics (refer to case study 1).

What can be better
Good practices observed?

Case study 1 - Flaws in EWRA rating

IR Low IR4 Medium IR5 High IR6 Low

The residual risk rating methodology allowed the residual risk to be Medium, when inherent risk (IR) was High and control effectiveness Deficient.

The IR rating methodology allowed the overall IR to be Low when only one IR factor was assessed to be Low.

Residual Risk Medium, IR High, Controls Deficient

Re-calibrate the EWRA methodology to ensure that it is sound and prudent.

Re-assess the EWRA and rectify downstream impact if any.

, banks should:

These % ranges are beyond the maximum possible % , the rating for segment B (0 to 20 new clients) (to rate the risk arising from client growth)

Case study 1 - Flaws in EWRA rating methodologies

Step 1: Identify the client segment
Client Segment A: Total Clients Min (>=) 1, Total Clients Max (<=) 100
Client Segment B: Total Clients Min (>=) 101, Total Clients Max (<=) 1,000

Step 2: Calculate the actual % of new clients
(No. of new clients / Total no. of clients) x 100% = % of new clients

Step 3: Map % of new clients calculated in step 2 to a rating of Low, Medium, or High via a rating matrix calibrated based on pre-assigned client segment ( ).
Segment B, # of new clients 0 to 20: Low <20%, Medium 20%-30%, High >30%
Segment B, # of new clients >20: Low <15%, Medium 15%-20%, High >20%

, among others, 's activities such as customers' transactions, inflows to, and outflows from, specific geographical locations,

can be better

Relying primarily on qualitative analysis, with limited quantitative analysis, in-depth understanding of ML/TF risks.

Lack of robust quantitative analysis attributed to difficulties in extracting structured data across different systems. MAS encourages banks to leverage data analytic tools to enhance their assessments (refer to case studies 2 and 3).

Errors and incomplete assessment noted in EWRA. For example, there were computational errors due to wrong formulas, data input errors,

Limited quantitative analysis
1. Errors and omissions in EWRA
Good practices observed

Extensive use of quantitative metrics in EWRA for more in-depth understanding of ML/TF risk exposure. For example, banks analysed number and % of clients who were politically exposed persons (PEP), number of high-risk customers on-boarded during the year, volume and value of transactions involving high-risk countries, % of customers holding high-risk products, etc. (Refer to case studies 2 and 3)

Assessing employees as a separate risk factor to provide better focus, taking into account, among others, pre-employment checks, ongoing name screening and adequacy of AML trainings.

Assessing risks arising from suppliers,

Good use of quantitative analysis
3.

Analysis of future outlook in EWRA
2. Inclusion of factors beyond industry practice

Inclusion of future outlook in the EWRA to aid assessments of potential significant developments and necessary enhancements to address these developments. For example, a bank analysed the emerging trend of Fintech companies seeking to establish banking relationships with the bank, and discussed the establishment of a specific AML/CFT compliance framework to manage these potential Fintech customers ( 's risk appetite, level of due diligence, red flags for any misuse of accounts).

Outcome 3 - Banks perform adequate and accurate qualitative and quantitative analyses in assessing risks

Case study 2 - Examples of factors considered in the reference, and is not meant to be an exhaustive list of factors.

Significant findings from audits and compliance testing
Organisational culture and compliance culture ( , completeness of information received by compliance)
Outsourced AML/CFT functions
Changes to business strategies, customer segments, and products and services in near future ( )

channels

Products and transactions
Nature, complexity and diversity of products ( cash-intensive, structured products)
% of customers/high-risk customers holding high-risk products
Volume, value, and % of transactions involving high-risk products

Geography
Number and % of customers from high-risk jurisdictions
Volume and value of cross-border transactions to/from high-risk jurisdictions
Volume and value of transactions to/from a jurisdiction that presents higher risk of tax evasion.

Number and % of high-risk customers by industry, occupation, geography, ownership structure
Analysis of customers based on other factors such as PEP categorisation, adverse news, overdue KYC review
Volume and value of transactions for each type of delivery channel ( transactions conducted via branches or via internet banking)
Analysis of face-to-face and non-face-to-face channels

Case study 3 - Good use of data analytics

Network linked analysis to uncover hidden or common links amongst customers and detect large or complex networks
Macro-analysis of payment flows by jurisdictions to detect disproportionately large or unusual inflows to, or outflows from, a

made use of data analytics tools and techniques to perform AML/CFT risk surveillance more , , the bank further detected suspicious entities and counterparties that had unusual flows from or to banks in these jurisdictions, application of such tools and analysis enabled the bank to identify higher risk areas, which would enrich the bank's assessment of risk exposures as part of the EWRA.

The assessment of control effectiveness evaluates a bank , , as culture and shared values are important drivers of staff's behaviour, , taking into account policies and procedures, control testing results, as well as insights from the banks' assessments of their cultures

Regular testing of AML/CFT controls not always performed by an independent function from the second line of defence. Important for the second line of defence ( ) to perform regular testing for timely identification of hotspots or emerging ML/TF risks, to complement any testing performed by the first line of defence or in-business control function.

Control testing results not incorporated in the assessment of control effectiveness.

can be better
2. Regular testing not conducted by second line of defence
1. Control testing results not included in EWRA
1. Systematic inclusion of testing results in control assessment
2. Structured consideration of formalisation of controls
Good practices

, , which are commensurate with the risks assessed in the EWRA, improves the robustness of banks

Formalised requirements to implement additional control measures,

Structured processes to monitor the implementation of measures to address areas for improvement identified from the EWRA exercise, including identification of action parties, setting of target completion dates, and providing regular status updates to senior management forums.

