
Annual AML/CFT Risk Assessment & Investigations

Md. Sahadul Hoque


Principal Officer
Islami Bank Bangladesh Limited
Risk Management Wing
Agenda of the Session

AML Risk Management Framework

Why & What Risks to be assessed?

How to assess AML/CFT Risk?

Implications of AML Risk Assessment

AML Investigations
Let's Refresh our Concept of Risk

The man's intention is to commit suicide.
He jumps from the top of the building.
Loss of life is certain.
Is the event a risky one?

Risk is the uncertainty of an expected objective (ISO 31000).
Risks can be seen as a combination of the chance that something may happen and the degree of damage or loss that may result if it does occur.
Why Banks are Vulnerable to ML/TF

Definition: Money laundering is the process of disguising the proceeds of crime in an effort to conceal their illicit origins and legitimize their future use.
Objective: To conceal the true ownership and origin of the proceeds, a desire to maintain control, a need to change the form of the proceeds.

Money is Laundered Through

Banks, brokerage firms, financial services.

Other examples: insurance companies, money remitters, cash-intensive businesses, brokerage firms, LAWYERS and ACCOUNTANTS.
Is Money Laundering a Risk?

Regulatory fines/penalties
Attention from other regulators
Reputational damage
Consultancy fees
Increased headcount
Loss of partners, clients
Increased technology budget
Long periods of regulatory oversight
Risk Management

"Narrated Aisha, Ummul Mu'minin: The Apostle of Allah (peace be upon him) said: Profit follows responsibility of bearing loss."
(Sunan Ibn Majah, Book 23, Number 3501)
AML/CFT Risk Management Framework

Risk Identification
Business Risk: Customers; Products & Services; Delivery Methods or Channel; Country or Jurisdiction
Regulatory Risk: Failure to report SARs/STRs; Inappropriate customer verification; Inappropriate record keeping; Lack of AML/CFT Program

Risk Assessment
Size & Importance of Risk
Likelihood: the chance of the risk happening
Impact: the amount of loss or damage if the risk happened
Likelihood X Impact = level of risk (risk score)

Risk Treatment
Business Risk: Minimize & Manage the Risks; Apply strategy, policy & procedures
Regulatory Risk: Put in place systems and controls; Carry out risk plan and AML/CFT program

Monitoring & Review
Develop & carry out monitoring process
Keep necessary records
Review risk plan and necessary AML/CFT Program
Do internal audit and assessment
Do AML & CFT Compliance Report
Why and What AML Risks to be Assessed?

Risk Assessment

According to Business Dictionary, Risk Assessment is:
Identification,
Evaluation, and
Estimation of the levels of risks,
and comparison against standards of an acceptable level of risk.


Is Risk Assessment Obligatory?

FATF Recommendation No. 1 | To identify ML & TF Risk; to assess ML & TF Risk; to take action; to mitigate ML & TF Risk
FATF Recommendation No. 15 | To assess ML & TF Risk for new products, business techniques and delivery mechanisms; using technology to assess new and existing products
AML Rule 2013, Rule No. 21 | RO-FI shall conduct periodic assessment; report to BFIU for vetting; assessment report to be utilized by RO-FI after vetting; EDD for HIGH Risk
BFIU Circular Letter No. 01/2015 dated 08.01.2015 | ML & TF Risk Assessment Guideline for Banking Sector
September 2015 | Money Laundering and Terrorist Financing Risk Management Guideline. A Risk Register is enclosed.
Uses of Risk Assessment

Identify gaps and improve policy & procedures
Develop a Risk Based Framework
Make senior management aware of key risks, exits and disposals
Informed decisions about Risk Appetite on the basis of Residual Risk
Alignment of compliance with Risk Profile
Risk mitigation strategies and resource allocation
Regulatory reporting for remediation efforts across the FIs
Steps of Risk Assessment

Identification of Risk Assessment Categories

Detailed Analysis of the Gathered Data

Evaluation of AML Program


Money Laundering Risks in Banks

Operational Risk

Legal Risk

Reputational Risk

Concentration Risk
Kroll's Findings on Risk Assessment of IBBL

Risk assessment is partial
Risk rating is done on clients' net worth, occupation & transaction profile only
Inadequate tools, technology and methodology
Poor data quality
Inadequate actionable information in the Risk Assessment Report
Inadequate SoP & SoD
Business Risks Arise to and from

Customer
New customer
New customer who wants to conduct a large transaction
Transaction to the same individual or group
Cash-intensive business
Identification is difficult to check
Large but small-denominated transactions
Distance between the business and the location of the customer
Non-resident customer
Complex corporate ownership
PEPs & IPs
Unreliable documents
Transactions inconsistent with the source of income, etc.

Country/Jurisdiction
Any country identified by credible sources as having a significant level of corruption and criminal activity
Any country subject to economic or trade sanctions
Any country known to be a tax haven and identified by credible sources as providing funding or support for terrorist activities, or that has designated terrorist organizations operating within its borders
Any country identified by FATF or FATF-Style Regional Bodies (FSRBs) as not having an adequate AML&CFT system
Any country identified as a destination of illicit financial flow
Business Risks Arise to and from (Contd)

Product & Services
Private banking, i.e., prioritized or privileged banking
Credit card
Anonymous transaction
Non-face-to-face business relationship or transaction
Payment received from unknown or unrelated third parties
Any new product & service developed
Service to walk-in customers
Mobile banking

Delivery Channel
Direct to the customer
Online/internet
Phone
Fax
Email
Third-party agent or broker
Regulatory Risks Arise to and from

Regulatory Risks
Customer/beneficial owner identification and verification not done properly
Failure to keep records properly
Failure to scrutinize staff properly
Failure to train staff adequately
Not having an AML&CFT program
Failure to report suspicious transactions or activities
Not submitting required reports to BFIU regularly
Not having an AML&CFT Compliance Officer
Failure to carry out Enhanced Due Diligence (EDD) for high-risk customers (i.e., PEPs, IPs)
Not complying with any order for freezing or suspension of transactions issued by BFIU or BB
Not submitting accurate information or statements requested by BFIU or BB
Other Qualitative Risk Factors

Other Risk Factors

Client base stability


Integration of IT system
Expected account/client growth
Expected revenue growth
Recent AML Compliance Employee turnover
Reliance on 3rd party providers
Recent introduction of new products and services
Recent project and initiatives related to AML Compliance matters
Recent relevant enforcement actions
National risk assessment
How to Assess Risk?
Standard Risk Assessment Methodology
Risk Assessment Scales

Likelihood Scale
Frequency | Likelihood of an ML/FT Risk
Very Likely | Will probably occur several times in a year
Likely | High probability that it will happen once in a year
Unlikely | Unlikely, but not impossible

Impact Scale
Consequence | Impact of an ML/FT Risk
Major | Major damage or effect. Serious terrorist act or large-scale money laundering
Moderate | Moderate level of money laundering or terrorism financing impact
Minor | Minor or negligible consequences or effects
Risk Matrix
Risk Score Table

Rating | Impact of an ML&TF risk | Response
4 Extreme | Risk almost sure to happen and/or to have very serious consequences. | Do not allow transaction to occur or reduce the risk to acceptable level.
3 High | Risk likely to happen and/or to have serious consequences. | Do not allow transaction until risk reduced.
2 Medium | Possible this could happen and/or have moderate consequences. | May go ahead but preferably reduce risk.
1 Low | Unlikely to happen and/or have minor or negligible consequences. | Okay to go ahead.
Risk Register

Columns: Risk | Likelihood | Impact | Risk Score | Treatment/Action

Retail Banking Customer

Risk: A new customer
Likelihood: Unlikely | Impact: Minor | Risk Score: (blank)
Treatment/Action: i) CDD shall be applied properly. ii) EDD shall also be applied for high-risk clients and accounts opened without physical presence of the clients.

Risk: Walk-in customer (beneficiary is government/semi-government/autonomous body/bank & NBFI)
Likelihood: Unlikely | Impact: Minor | Risk Score: (blank)
Treatment/Action: Obtaining proper KYC of the remitter.

Risk: Walk-in customer (beneficiary is other than government/semi-government/autonomous body/bank & NBFI)
Likelihood: Likely | Impact: Moderate | Risk Score: (blank)
Treatment/Action: i) Obtaining proper KYC of the remitter/beneficiary. ii) Reporting STR/SAR if anything suspicious is found.

Risk: Non-resident customer (Bangladeshi)
Likelihood: Likely | Impact: Major | Risk Score: (blank)
Treatment/Action: i) CDD shall be done. ii) Verification of necessary papers/documents including work permit, passport & visa. iii) Transaction shall be allowed with constant monitoring of the account in case of high-risk nature. iv) STR shall be submitted to CCU if any transaction is found suspicious.

Risk: A new customer who wants to carry out a large transaction (i.e. transaction above the CTR threshold or below the threshold)
Likelihood: Likely | Impact: Moderate | Risk Score: (blank)
Treatment/Action: i) CDD shall be applied properly. ii) Verifying the genuineness of the data/information of the client. iii) Transaction monitoring shall be done. iv) STR shall be submitted to CCU if any transaction is found suspicious.
Risk Register

Columns: Risk | Likelihood | Impact | Risk Score | Treatment/Action

Retail Banking Customer

Risk: A new customer
Likelihood: Unlikely | Impact: Minor | Risk Score: 1 Low
Treatment/Action: i) CDD shall be applied properly. ii) EDD shall also be applied for high-risk clients and accounts opened without physical presence of the clients.

Risk: Walk-in customer (beneficiary is government/semi-government/autonomous body/bank & NBFI)
Likelihood: Unlikely | Impact: Minor | Risk Score: 1 Low
Treatment/Action: Obtaining proper KYC of the remitter.

Risk: Walk-in customer (beneficiary is other than government/semi-government/autonomous body/bank & NBFI)
Likelihood: Likely | Impact: Moderate | Risk Score: 2 Medium
Treatment/Action: i) Obtaining proper KYC of the remitter/beneficiary. ii) Reporting STR/SAR if anything suspicious is found.

Risk: Non-resident customer (Bangladeshi)
Likelihood: Likely | Impact: Major | Risk Score: 3 High
Treatment/Action: i) CDD shall be done. ii) Verification of necessary papers/documents including work permit, passport & visa. iii) Transaction shall be allowed with constant monitoring of the account in case of high-risk nature. iv) STR shall be submitted to CCU if any transaction is found suspicious.

Risk: A new customer who wants to carry out a large transaction (i.e. transaction above the CTR threshold or below the threshold)
Likelihood: Likely | Impact: Moderate | Risk Score: 2 Medium
Treatment/Action: i) CDD shall be applied properly. ii) Verifying the genuineness of the data/information of the client. iii) Transaction monitoring shall be done. iv) STR shall be submitted to CCU if any transaction is found suspicious.
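To make the "Likelihood X Impact = risk score" step concrete, the following is an added Python example, not code from the presentation or from IBBL. It fills in the Risk Score column of the register above and reports the rating and response from the Risk Score Table. The three-level likelihood and impact scales and the 1-4 rating table are the slides' own; the full matrix is an assumption except for the three cells the register confirms (Unlikely/Minor = 1, Likely/Moderate = 2, Likely/Major = 3). The register rows are the slide's, with the treatment text abbreviated.

```python
"""Likelihood x impact scoring for an ML/TF risk register (added example)."""
from collections import Counter
from dataclasses import dataclass

# Scales as given on the slides, ordered from least to most severe.
LIKELIHOOD = ("Unlikely", "Likely", "Very Likely")
IMPACT = ("Minor", "Moderate", "Major")

# Likelihood x impact -> score. Only three cells are confirmed by the register
# slide (Unlikely/Minor=1, Likely/Moderate=2, Likely/Major=3); every other
# cell is an ASSUMPTION chosen so the score never decreases along either axis.
RISK_MATRIX = {
    "Unlikely":    {"Minor": 1, "Moderate": 1, "Major": 2},
    "Likely":      {"Minor": 1, "Moderate": 2, "Major": 3},
    "Very Likely": {"Minor": 2, "Moderate": 3, "Major": 4},
}

# Risk Score Table from the slides: score -> (rating, response).
RATING = {
    4: ("Extreme", "Do not allow transaction to occur or reduce the risk to acceptable level."),
    3: ("High", "Do not allow transaction until risk reduced."),
    2: ("Medium", "May go ahead but preferably reduce risk."),
    1: ("Low", "Okay to go ahead."),
}


def risk_score(likelihood: str, impact: str) -> int:
    """Look up likelihood x impact in the matrix; reject values outside the scales."""
    if likelihood not in LIKELIHOOD or impact not in IMPACT:
        raise ValueError(f"unknown scale value: {likelihood!r}/{impact!r}")
    return RISK_MATRIX[likelihood][impact]


@dataclass
class RegisterEntry:
    risk: str
    likelihood: str
    impact: str
    treatment: tuple  # actions from the Treatment/Action column

    @property
    def score(self) -> int:
        return risk_score(self.likelihood, self.impact)

    @property
    def rating(self) -> str:
        return RATING[self.score][0]

    @property
    def response(self) -> str:
        return RATING[self.score][1]


# Rows of the "Retail Banking Customer" section of the register slide (treatment abbreviated).
SAMPLE_REGISTER = (
    RegisterEntry("A new customer", "Unlikely", "Minor",
                  ("CDD shall be applied properly.",
                   "EDD for high-risk clients and accounts opened without physical presence.")),
    RegisterEntry("Walk-in customer (beneficiary is government/semi-government/autonomous body/bank & NBFI)",
                  "Unlikely", "Minor", ("Obtain proper KYC of the remitter.",)),
    RegisterEntry("Walk-in customer (beneficiary is other than the above)", "Likely", "Moderate",
                  ("Obtain proper KYC of the remitter/beneficiary.",
                   "Report STR/SAR if anything suspicious is found.")),
    RegisterEntry("Non-resident customer (Bangladeshi)", "Likely", "Major",
                  ("CDD shall be done.", "Verify work permit, passport and visa.",
                   "Constant monitoring of the account.", "Submit STR to CCU if suspicious.")),
    RegisterEntry("New customer who wants to carry out a large transaction", "Likely", "Moderate",
                  ("CDD shall be applied properly.", "Verify genuineness of client data.",
                   "Transaction monitoring.", "Submit STR to CCU if suspicious.")),
)


def assess(entries=SAMPLE_REGISTER) -> list:
    """Fill the Risk Score column: (risk, score, rating, response) per entry."""
    return [(e.risk, e.score, e.rating, e.response) for e in entries]


def summarize(entries=SAMPLE_REGISTER) -> dict:
    """Counts per rating plus the highest score, for a consolidated report line."""
    counts = Counter(e.rating for e in entries)
    return {"counts": dict(counts), "highest_score": max(e.score for e in entries)}


def untreated(entries=SAMPLE_REGISTER, minimum_score: int = 3) -> list:
    """Register consistency check: High/Extreme risks with no treatment recorded."""
    return [e.risk for e in entries if e.score >= minimum_score and not e.treatment]


if __name__ == "__main__":
    for risk, score, rating, response in assess():
        print(f"{score} {rating:<7} {risk}\n    -> {response}")
    print(summarize(), untreated())
```

Running the block prints one line per register row with its score and the prescribed response, then the rating counts for a consolidated report. The untreated() check is the kind of review an investigator would run on a submitted register: any risk scored 3 or 4 without a treatment entry is a gap in the register itself, independent of how the scoring turned out.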
Risk Register (Summary)

Sl. | Risk Aspects | Particulars | # Questions
1 | ML & TF Risk Register for Customers | Retail Banking Customer | 35
  |  | Wholesale Banking Customer | 8
  |  | Khidmah Card Customer | 4
  |  | International Trade Customer | 10
  |  | Sub-total | 57
2 | ML & TF Risk Register for Products & Services | Retail Banking Product | 15
  |  | Retail Privilege Facilities | 2
  |  | SME Banking Product | 7
  |  | Wholesale Banking Product | 9
  |  | Khidmah Card Product | 4
  |  | International Trade | 5
  |  | Sub-total | 42
3 | Risk Register for Business Practice/delivery methods or channels | Online/BEFTN/BACH | 4
  |  | Mobile Banking | 3
  |  | Alternate Delivery Channel | 6
  |  | International Trade | 2
  |  | Sub-total | 15
4 | Risk Register for Country/Jurisdiction |  | 15
5 | Register for Regulatory Risk |  | 42
  |  | Grand Total | 171
Consolidated Risk Assessment Report (example)
Risk Assessment (Examples: Factor Weights)
Determinants of Risk Assessment Frequency

Methodology
Type & extent of interim validation
Result of the Risk Assessment
Material change to the risk environment
Regulatory intervention
Trigger based

Usually the assessment report is required to be submitted annually.

Implication of Risk Assessment

Note: Taking into consideration the nature of the customer's business or profession, the area of the business, the size of the business, the actual beneficiary of the account and similar matters, the officer completing the KYC, for each customer, serials 27-46 listed …

Implications

Sl. | Nature | Risk level | Score
26 | Freight/shipping/cargo agent | High | 3
27 | Leasing finance company | Medium | 3
28 | Insurance/brokerage agency | Medium | 3
29 | Religious institution/organization | Medium | 3
30 | Entertainment establishment/park | Medium | 3
31 | Motor parts business | Medium | 3
32 | Tobacco and cigarette business | Medium | 3
33 | Manufacturing establishment | Medium | 3
34 | Employment (accounts other than the salary account) | Medium | 3
35 | Student | Medium | 3
36 | Housewife | Medium | 3
37 | Auto primary (new vehicles) | Medium | 2
38 | Shop owner (retail) | Low | 2
39 | Business agent | Low | 2
40 | Small business (annual turnover below Tk 50 lakh) | Low | 2
41 | House construction materials business | Low | 2
42 | Software business | Low | 2
43 | Employment (salary account only) | Low | 1
44 | Retired from employment | Low | 1
45 | Farmer | Low | 1
46 | Others ..... (the bank shall assign a risk score according to type)

Implications

Improve policy & procedures


Effective Risk Based Framework
Informed decision about Risk Appetite on the basis of Residual Risk
Alignment of compliance with Risk Profile
Risk mitigation strategies and resource allocation
Regulatory reporting for remediation efforts across the FIs
Charging 1.5% of MCR for risk rating below satisfactory under SRP
Investigation of Risk Assessment
Considerations of Investigations

Identification of all areas of business and responsibilities of business units
Effectiveness of systems and internal controls
Inherent risk of existing, new and potential classes of customers, geographies, products, services and systems
Reflection of changed events like expansion, new markets, new products, new core data processing and systems
Whether the asset size of a defined large bank has been crossed
Whether the assessment has been done on qualitative and quantitative data
Frequency of risk assessment review
Whether the risk assessment is communicated to the business units and the Board of Directors
Whether regulatory changes have been warranted
Major Areas of Investigation

AML Corporate Governance; Management Oversight and Accountability


Policies and Procedures
Know Your Client (KYC); Client Due Diligence (CDD); Enhanced Due
Diligence (EDD)
Previous Other Risk Assessments (local and enterprise-wide)
Management Information/Reporting
Record Keeping and Retention
Designated AML Compliance Officer/Unit
Detection and SAR filing
Monitoring and Controls
Training
Independent Testing and Oversight (including recent Internal Audit or Other
Material Findings)
Other Controls/Others
Report Contents of Internal Control

Key Risk Indicators (KRIs)


High Risk Processes
Compliance Initiatives
AML Program Deficiencies
Volume SAR, STR & CTR filed
Accounts closed due to suspicious activity
Customer Identification Program (CIP) Violations
High Risk Accounts
Completed and outstanding training
Source of alerts reported and investigations completed
Technical Considerations

Configuration of the AML software
Logic behind alert generation
Alert management
Change control procedure
How data is imported from the CBS
Independent validation of the software
Gap analysis of the AML software
Volume of false positives and false negatives
Risk of failure of the AML software, hardware and data
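As an added example of what "independent validation of the software" and "volume of false positives and false negatives" look like in practice, the Python harness below replays a constructed set of labelled transactions through two assumed alert rules and tabulates the outcome. This is not the presentation's or any vendor's software: CTR_THRESHOLD is a placeholder amount rather than the regulatory figure, both rules are assumptions (a single cash transaction at or above the threshold, and several same-day sub-threshold cash transactions by one customer that add up to it, the "large but small-denominated transactions" pattern from the customer-risk slide), and the customer ids and cases are constructed.

```python
"""Validation harness for AML transaction-monitoring alert logic (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

CTR_THRESHOLD = 1_000_000  # PLACEHOLDER amount, not the regulatory CTR figure


@dataclass(frozen=True)
class Txn:
    txn_id: str
    customer: str
    day: date
    amount: int
    cash: bool


def alert_single_large(txns):
    """Rule A (assumed): a single cash transaction at or above the CTR threshold."""
    return {t.txn_id for t in txns if t.cash and t.amount >= CTR_THRESHOLD}


def alert_split_deposits(txns, min_count=2):
    """Rule B (assumed): several sub-threshold cash transactions by one customer
    on one day whose total reaches the threshold."""
    by_customer_day = defaultdict(list)
    for t in txns:
        if t.cash and t.amount < CTR_THRESHOLD:
            by_customer_day[(t.customer, t.day)].append(t)
    flagged = set()
    for group in by_customer_day.values():
        if len(group) >= min_count and sum(t.amount for t in group) >= CTR_THRESHOLD:
            flagged.update(t.txn_id for t in group)
    return flagged


def run_alerts(txns):
    """Union of the configured rules: the alert population the software would raise."""
    return alert_single_large(txns) | alert_split_deposits(txns)


def validate(txns, expected_suspicious):
    """Replay labelled cases through the rules and tabulate the outcome.
    Returns sorted id lists for true/false positives and false negatives plus a
    true-negative count, so every miss and every spurious alert is traceable."""
    alerted = run_alerts(txns)
    all_ids = {t.txn_id for t in txns}
    return {
        "tp": sorted(alerted & expected_suspicious),
        "fp": sorted(alerted - expected_suspicious),
        "fn": sorted(expected_suspicious - alerted),
        "tn": len(all_ids - alerted - expected_suspicious),
    }


# Constructed validation set; each case is chosen to exercise one outcome.
D1, D2 = date(2015, 9, 1), date(2015, 9, 2)
SAMPLE = [
    Txn("t1", "C1", D1, 1_200_000, True),   # cash above threshold: true positive (rule A)
    Txn("t2", "C2", D1, 600_000, True),     # two same-day cash deposits totalling
    Txn("t3", "C2", D1, 450_000, True),     #   above threshold: true positives (rule B)
    Txn("t4", "C3", D1, 900_000, True),     # single sub-threshold cash deposit: true negative
    Txn("t5", "C4", D1, 2_000_000, False),  # large non-cash transfer: outside rules A/B
    Txn("t6", "C5", D1, 300_000, True),     # labelled suspicious, but split across two
    Txn("t7", "C5", D2, 800_000, True),     #   days; rule B looks within a day: false negatives
    Txn("t8", "C6", D1, 700_000, True),     # cash-intensive retailer's routine deposits,
    Txn("t9", "C6", D1, 400_000, True),     #   labelled legitimate: false positives
]
EXPECTED_SUSPICIOUS = {"t1", "t2", "t3", "t6", "t7"}


if __name__ == "__main__":
    for key, value in validate(SAMPLE, EXPECTED_SUSPICIOUS).items():
        print(f"{key}: {value}")
```

The two non-zero error buckets are exactly what the review items above ask for: the false negatives (t6, t7) point at a configuration limit of the rule logic (a one-day aggregation window), while the false positives (t8, t9) show where a cash-intensive customer profile would need tuning or a whitelist justified under the change control procedure. Run against the institution's own rule set and a larger labelled case file, the same tabulation gives the volume figures an investigator asks for.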
Kaffara-e-Majlish

Glory is to You, O Allah, and praise is to You. I bear witness that there is none worthy of worship but You. I seek Your forgiveness and repent to You.
