Building and Maintaining a Correspondent Banking Risk Based Approach
Bachir El Nakib, Senior Consultant Compliance Alert (LLC)
9 February 2017
Know Your Customer "KYC" and Customer Due Diligence "CDD" are not one time events but an Ongoing activity throughout the period of a bank’s relationship with a customer/client. Consequently, the needed due diligence a bank conducts on a customer or client does not end once an account has been opened. Transaction monitoring according to the Wolfsberg Group (2009) is the automated or manual process of monitoring transactions after their execution in order to identify unusual transactions, including monitoring single transactions as well as transactions flows for subsequent review and where appropriate, reporting to the authorities.’’
A greater regulatory focus on the risks associated with correspondent banking has prompted the Wolfsberg Group, which is made up of the world's biggest banks, to release new anti-money laundering (AML) principles. The principles are designed to act as global guidance for the establishment and maintenance of foreign correspondent banking relationships. The group said that adherence to the principles would promote risk management and enable institutions to exercise sound business judgement with their clients.
The organisation ( the Group) said that all correspondent banking clients should be subjected to appropriate due diligence to satisfy the institution that it is comfortable conducting business with a particular client. It noted that banks can have some comfort if a correspondent client operates in an internationally recognised regulatory environment. Banks should review their relationships with correspondents on a periodic basis, the principles state.
When establishing a correspondent banking agreements, it’s recommended to take into consideration a number of risk factors, which include the following:
Geographic risk: It notes that some jurisdictions have inadequate AML standards and insufficient regulatory supervision, and thus present a greater risk. Banks should look at regulatory pronouncements from bodies such as the Financial Action Task Force (FATF) to evaluate the degree of risk presented by a location.
Branches and subsidiaries of correspondent banking clients: Banks need to consider the relationship between the correspondent banking client and its parent, if any, to determine the amount of due diligence needed. The paper notes that despite this some facts may be unique to the branch or subsidiary and should be considered.
The correspondent banking client's ownership and management structure: The paper states that the ownership and management structures of the correspondent banking client could present increased risks. These could include the domicile and reputation of the owners, whether it is state owned or privately held, and the transparency of the ownership structure. Banks should also consider whether any politically exposed persons (PEPs) are part of the management structure. Consideration of the ultimate beneficial owners of the institution and their source of wealth should also be considered.
The correspondent banking client's customer base: The types of businesses serviced by the correspondent could also be a relevant risk factor, the paper said. Firms that derive a substantial part of their business from clients engaged in risky activities might present a greater risk themselves.
Regulatory status and history: Banks need to take reasonable steps to verify that a banking client is subject to regulatory oversight in the jurisdiction in which the client operates. They should consider whether a client has been subject to any relevant regulatory action at all.
AML controls: Banks should consider the quality of a client's AML programme and evaluate whether it meets internationally recognised standards in order to mitigate any risks it might pose.
As part of their risk assessment, firms should pay particular attention to accounts for customers that are located, or incorporated, in certain countries or regions recognized by international organizations, such as the Financial Action Task Force (FATF), multilateral expert groups, or in governmental or industry publications as posing a heightened risk of money laundering or as non-cooperative in the fight against money laundering (an NCCT jurisdiction).
On December 2015 Wolfsberg Group released new Q & A Risk Assessments Questionnaire on Anti-Money Laundering (AML) best practice; this time, the global banking association has turned its attention to company-wide AML risk assessments. Current law and FCA regulation states that financial institutions should regularly assess the adequacy of their AML systems and controls in light of the financial crime risk they face.
What is the purpose of a risk assessment?
An AML risk assessment should be used to promote improvements in financial crime risk management by identifying the general and more specific risks faced by a firm and establishing an AML programme to mitigate those risks. The results of a risk assessment can be used to:
1- Identify weaknesses in, and improve, AML programmes
2- Inform decisions about risk appetite, resource allocation and technology spend
3- Help management better understand how the structure of a business aligns with its risk profile
4- Aid the development of risk mitigation strategies to lower a business' risk exposure
5- Ensure senior management are aware of key risks, control gaps and remediation efforts
6- Help senior management make strategic commercial exits and disposals decisions
7- Ensure regulators are aware of key risks, control gaps and remediation efforts
8- Help management ensure resources and priorities are aligned with risks
How often should an enterprise-wide risk assessment take place?
An appropriate frequency should be decided on to maintain the relevance of a firm’s findings and its risk mitigation programme. They will generally be required to submit an annual report on the status of the money laundering risk environment.
1- Trigger-based risk assessment: This highlights whether there has been any significant change to the previous risk assessment by assessing changes to the internal or external business environment. Changes should then be dealt with by the initiation of additional action plans or by undertaking more in-depth assessment of problem areas.
2- Ad hoc risk assessment: This focuses on higher risk areas and specific controls implemented to deal with such risks. This can then be incorporated into the firm’s next risk assessment.
3- Methodology review: Firms should conduct these annually to ensure changes in internal or external factors are appropriately incorporated to create an accurate picture of possible risks. Any changes should be clearly documented and approved by senior management or the Financial Crime Executive Committee (if applicable).
How should a risk assessment be organised?
The approach a firm chooses to take should be clearly documented and the methodology clearly articulated including what factors are being assessed, the criteria used to score, the weightings used in the scoring methodologies, scoring overrides such as the rationale for them and any business line/business unit specific parameters.
1- Who should manage it? The individual who manages the risk assessment should be best positioned to have accountability for ensuring the action is carried out. The assessment may focus on a particular line of business, or take in a wider scope, such as by country or region. For enterprise-wide assessments, a number of assessments may be aggregated to a single level.
2- What should the scope be? This should be clearly articulated to define whether it is independently conducted by compliance or integrated to capture issues identified by both the business generally and the compliance department.
3- Form of risk assessment: The type of questions posed may change depending on what area of the business is being assessed to allow for a greater level of focus and analysis to be applied to that particular area.
4- Collating the assessment: Firms may use a bespoke internal system to log answers and generate risk ratings, electronic spreadsheet programmes or manual calculation of risk ratings. The approach should be appropriate for the size and complexity of the firm.
5- Consistency: If using different approaches, the principles of the methodology should be followed consistently so that any changes made would still allow comparisons to be made to previous results.
Whose responsibility is it to undertake a risk assessment?
A firm’s senior management are ultimately responsible for the risk environment, but may delegate to the legal/financial crime compliance/ AML unit for the initiation and delivery of the assessment.
This would include methodology development, maintenance, periodic refresh, process/activity initiation and record keeping of completed assessments – business line heads, information technology, operational risk and payments departments may also be required to contribute.
The purpose and contribution from each party should be clearly outlined with appropriate guidance and training provided to any staff involved and adequate resources allocated to the management of the risk assessment.
Should the scope of a ML risk assessment encompass Bribery & Corruption along with other notable financial crimes?
When considering scope, firms may choose to evaluate multiple activities within a single risk assessment, either through separate assessment processes or a combination.
- Sanctions: This can be performed in conjunction with a ML risk assessment but requires sanctions-specific and (often only centrally available) data and information feeds. According to guidance issued by regulators, higher risk factors that should be considered in a sanctions risk assessment are:
- international funds transfers;
- so called, ‘non-resident alien accounts’, or ‘non-domiciled individual accounts’;
- foreign client accounts;
- cross-border automated clearing house (ACH) transactions; commercial letters of credit and other trade finance products; transactional electronic banking; foreign correspondent bank accounts; payable through accounts; international private banking; overseas branches or subsidiaries; investments in foreign securities; omnibus accounts / use of intermediaries and third-party introduced business.
- Bribery & Corruption: Factors used to assess ML risk can also be relevant to B&C risk such as jurisdictional risk and aspects of a firm’s client base. Some specific B&C risk factors to consider:
- third parties acting on a firm’s behalf;
- hiring practices;
- charitable giving; and
- business gifts and entertainment.
What is the conventional/standard ML risk Assessment methodology?
The most common approach used by firms, known as the “conventional/standard methodology” involves the following:
- Phase 1 – Inherent risk assessment: This includes exposure to money laundering, sanctions or bribery and corruption across five risk categories.
- Clients: Each client type is given a risk score based on expected ML risk and the volume of clients that fall within each type for the business division in question should be determined. This data can be used to work out what percentage of each division is rated according to the risk classification and determine overall client risk – e.g. low risk versus moderate, versus high versus higher risk.
- Products and services: Any products or account types should be assigned an inherent risk score and the volume of products or account types offered by each division estimated. This data can then be used to discern the overall inherent product risk.
- Channels: For this category the division will determine the percentage of accounts or clients that are rated against the risk classification to determine the overall inherent channels risk.
- Geography/ country: Firms should identify the number of clients within each country deciding whether this is based on all or some of the following: domicile, incorporation, nationality. A country’s risk rating can then be mapped onto a firm’s own country risk model.
- Other qualitative risk factors: these can directly or indirectly affect inherent risk factors and require a review of existing or the establishment of new, internal controls. Qualitative risk factors might include: client base stability integration of IT systems, expected revenue growth etc.
- Phase 2 – Assessment of internal controls: Following assessment of inherent risks, internal controls must be evaluated to establish how effective they are at offsetting overall risks. Controls are also used to ensure compliance with regulators. AML controls are usually assessed using the following control categories:
1- AML Corporate Governance; Management Oversight and Accountability;
2- Policies and Procedures;
3- Know Your Client (“KYC”); Client Due Diligence (“CDD”); Enhanced Due Diligence (“EDD”);
4- Previous Other Risk Assessments (local and enterprise-wide);
5- Management Information/Reporting;
6- Record Keeping and Retention;
7- Designated AML Compliance Officer/Unit;
8- Detection and SAR filing;
9- Monitoring and Controls;
11- Independent Testing and Oversight (including recent Internal Audit or Other Material Findings);
12- Other Controls/Others;
AML Unit override: Risk assessment methodologies should evolve with a firm’s view of risk. A data quality review should be conducted following completion of the assessment of the risk and control categories and consider whether it is appropriate to override the inherent risk rating or control effectiveness rating of any factor or category.
- Phase 3 – Arriving at the ‘residual risk’: This is the risk that remains after controls are applied to the inherent risk and is determined by balancing the level of inherent risk against the overall strength of the activities or controls. This can be done with the application of a three tier rating scale:
- Low residual risk: The overall inherent risk of the firm based on clients, products, channels, geographies and other qualitative factors is low to moderate and the mitigating controls are sufficient to manage the risk.
- Moderate residual risk: The overall inherent risk of the firm based on clients, products, channels, geographies and other qualitative factors is low to moderate and the mitigating controls are not sufficient to manage the level of risk or The overall inherent risk of the firm based on clients, products, channels, geographies and other qualitative factors is low to moderate and the mitigating controls are sufficient to manage this risk.
- High residual risk: The overall inherent risk of the firm based on clients, products, channels, geographies and other qualitative factors is low to moderate and the mitigating controls are not sufficient to manage this risk.
- Weighting and scoring: Each factor should be assigned a risk score and then assigned a weight reflecting the level of importance in the overall risk calculation relative to other risk areas.
- Reporting & communicating of results: Results of the ML risk assessment should be communicated to relevant clients and business divisions and regulatory authorities should be told as appropriate.
What should a firm do with the issues highlighted during a risk assessment?
Any gaps or deficiencies in the control environment should be met with appropriate actions which are prioritised appropriately. Compliance should oversee the completion of these actions.
- Impact on residual risk rating: Actions may affect the residual risk once completed and should be remediated, where possible, before the next risk assessment is carried out to check whether the position has improved.
- Strategic actions: These are likely to be owned by a group or global business line as opposed to tactical actions, which are more likely to be locally owned. Business line acceptance of the money laundering, sanctions, bribery and corruption face is imperative as they are in the strongest position to change the inherent risk profile and effectiveness of the internal control environment.
What impact should a firm’s Risk Assessment have on its Risk Appetite?
Banks and Financial Institutions are highly recommended to determine whether the residual risk is equal to a firm’s risk appetite for Money Laundering risk or whether the residual risk exceeds its risk appetite. In the case of the latter, firms should implement measures to reduce the inherent risk or strengthen the control environment to bring the residual risk back in line with risk appetite.
What software/systems can be used to conduct a risk assessment?
It may be useful to utilise systems or software when conducting a risk assessment. Firm’s should assess the strengths and weaknesses of different tools based on the size and complexity of the firm, the number and geographic distribution of participants in the assessment process, the metrics underlying the assessment and the level of changes to the assessment that are anticipated.
The Wolfsberg Group’s Q & A on Anti-Money Laundering Risk Assessments can be found here.