How to Build an Audit Risk Assessment Tool to Combat Money Laundering and Terrorist Financing
REFERENCE GUIDE

Jonathan Estreich, December 2014

Reference Guide Sections
• Introduction
• Key Points
• Developing the Risk Assessment Tool
• The Support Framework
• Interpreting and Using Results
• Takeaway

The author is not necessarily representing the views or opinions of JPMorgan Chase or ACAMS. This document serves as a supplemental resource to the whitepaper published in December 2013: How to Build an Audit Risk Assessment Tool to Combat Money Laundering and Terrorist Financing.

Introduction

Objective: To provide specific considerations for how a financial institution’s internal audit department can “design” a firm-wide AML risk assessment tool that:
• Improves the auditor’s ability to identify relevant AML risks
• Sets the foundation for thoughtful and supported risk determinations
• Produces results that can assist in the development of an audit plan that satisfies regulatory expectations

“A strong and well-designed tool should equip the auditor to identify risk and to demonstrate and evidence how risk ratings and related conclusions were derived.”

Key Points
1 Regulatory expectations are high and the auditor’s role is evolving
2 The audit plan indicates to regulators whether Audit is on track
3 Audit’s risk assessment process drives the audit plan
4 There “is” a difference between an Audit AMLRA and other AML risk assessments

1. Regulatory expectations are high and the auditor’s role is evolving

Regulators are emphasizing the importance of independent testing and the role of the auditor in helping to manage risk and sustain an operational AML program.

“Audit is responsible for conducting an objective evaluation of the AML compliance program for soundness, adequacy and sustainability while maintaining independence from compliance and business functions.”

Includes a review of the FI’s risk assessment for reasonableness given the FI’s risk profile:
• Customers
• Products and Services
• Transaction Activity
• Geographic Presence

Additional focus on:
• Risk tolerance
• The level of assurance
• The depth and precision of controls
• The nature of substantive testing
• The degree of credible challenge

Regulatory Orders (2012, 2013):
• Inadequate CDD and EDD practices
• Incomplete identification of high-risk customers
• Insufficient policies, procedures and training
• Failures in monitoring and identifying suspicious activity
• Poor suspicious activity reporting and filing practices
• Ineffective independent testing and audit functions

2. The audit plan indicates to regulators whether Audit is on track

“Audit is responsible for assembling an audit plan that demonstrates its organization’s knowledge of its Business Units and an understanding of the business’ associated risks.”

Audit is expected to select audits using a risk-based approach that provides a reasonable belief that critical risks are identified and assigned adequate testing coverage in a timely fashion.

The Audit Plan:
• Primary roadmap for AML testing activities
• Should, at a minimum, focus on the highest-risk areas
• If the plan is lacking, the FI may be exposed

[Diagram: Risk Profile → Audit Coverage (Scope, Frequency)]

Overview of Primary Audit Objectives
• Determine whether the overall AML/BSA compliance program is suitably designed and operating effectively.
• Identify any material program weaknesses, control deficiencies and corresponding opportunities for program, process and control enhancements, and report them to senior management and the board (usually the audit committee).
• Assist management with identifying money laundering, terrorism financing and other financial crime vulnerabilities.
• Assess management’s AML strategic planning process.
• Identify opportunities and methods to help management make program enhancements continuous and sustainable.
• Assess and identify opportunities to enhance management’s self-monitoring and self-testing compliance review program.
• Assess how well AML compliance is integrated into the business.
• Assess and identify possible gaps and opportunities for management to continually improve its suspicious activity detection, investigation, analysis, escalation, documentation and reporting processes and controls, including due diligence feedback and the enterprise-wide AML risk assessment process.
• Perform and document procedures and results that may be useful to regulators in conducting their supervisory examinations.
Adapted from: The SAR Activity Review—Trends, Tips and Issues (Issue 16), (October 2009).

3. Audit’s risk assessment process drives the audit plan

A successful risk assessment should:
• Result in a detailed risk profile for each Business Unit
• Demonstrate the rationale and inform decisions for including or excluding a specific audit area in the plan

“An audit plan that includes every possible auditable Business Unit is arguably not a ‘plan’ and is most likely an unrealistic approach in a world of finite resources.”

The process of building the audit plan should involve consideration of:
• Existing or Prior Audit Coverage
• Unique Business Risks
• Pre-existing issues
• Severity of AML risk factors

4. There “is” a difference between an Audit AMLRA and other AMLRAs

Differences between risk assessment tools do exist, and these may be attributed to who the tool is designed for and how the results will ultimately be used.

Audit AMLRA: identify and assess risk with the purpose of:
1. Pinpointing areas warranting immediate escalation
2. Pinpointing areas warranting further substantiation and testing
Usually completed by an auditor or other audit department designee.

“It is reasonable for Audit to reflect a combined approach of independently deriving some pieces of information while leveraging other pieces—granted a reasonable level of comfort.”

An effective Audit AMLRA should assist with audit decisions relating to:
• Whether the FI’s risk assessment processes are effective
• What Business Units should be audited
• What AML components within a Business Unit may warrant testing coverage
• The frequency with which a Business Unit may need to be tested
• Prioritization and timing of audit coverage across Business Units
• Potential resourcing demands for conducting the resulting audits

Developing the Tool
1 Overview
2 Basic Factors
3 Risk Factors
4 Control Factors
5 General

1. Overview

A strong AMLRA design leads, directs and guides the auditor’s focus and helps the auditor to successfully assess risk while avoiding generalizations.

Commonly cited risk assessment weaknesses:
• Assessments did not consider all major risk categories
• Assessments were not performed and/or not evidenced through documentation
• Assessments did not include all lines of business or entities
• There was a lack of methodology for assigning risk ratings/levels
• Policies and procedures were not commensurate with the institution’s risk profile
Adapted from: “Spotlight on Large Institutions: Conducting Enterprise-Wide AML Risk Assessments that Go Beyond the Expectations of Examiners and Senior Management,” ACAMS; June 26, 2013

An AMLRA tool should be conducive to:
• Identification of Risk
• Quantification of Risk
• Assessment of Risk
• Documentation of the Level of Risk

“The two key players who will be using the tool the most are the auditor completing Audit’s assessment and the AML examiner evaluating Audit’s assessment. This is a helpful consideration when designing the tool.”

2. Basic Factors

The development of a robust risk assessment model is largely dependent upon the individual elements that are chosen as the Risk and Control Environment Factors to be assessed and evaluated.

“FIs are expected to establish a control environment that minimizes and—where possible—safeguards against AML risks.”

Primary Inherent AML risks relate broadly to an FI’s:
• Customers
• Products and Services
• Transaction Activity
• Geographic Presence

Audit should assess the current state of controls relating to:
• Know Your Customer
• Suspicious and/or Unusual Activity
• OFAC and Sanctions
• Management and Oversight
• Policies, Procedures and Processes
• Employee AML Expertise and Coverage
• Operations and Technology

“[i]nherent risks are the risks that exist before the application of controls intended to mitigate those risks. Clearly identifying inherent risks is particularly beneficial in making determinations for the scope and frequency of audit and independent reviews—determinations that should be based on a financial institution’s assessment of inherent risk without assuming that controls are functioning as intended. Residual risks are those that exist after the application of controls. In this context, risks cannot be completely eliminated, even though layered security may reduce risk to an acceptable level.”¹

¹ FDIC (2007). From the Examiner’s Desk: Customer Information Risk Assessments: Moving Toward Enterprise-wide Assessments of Business Risk.

3. Risk Factors

The process of identifying and assessing the degree of inherent risk will help to quantify the extent of residual risk, which in turn can inform audit planning decisions.

INHERENT RISK CONSIDERATIONS
• Customers: HR Customer Types; Duration of Relationship; Closed/Blocked Accounts; Number and Nature of Accounts
• Products and Services: HR Products and Services; New Products and Services; Business/Sales from HR Products and Services; Risk Tolerance and Business Strategies
• Transaction Activity: Activity Involving HR Products/Services; International Activity; Transactions Involving Indirect Parties; Reportable Transaction Activity
• Geographic Presence: Customers in HR Locations; Physical Presence in HR Locations; Transactional Activity with HR Locations

Inherent Risk Considerations (Example) — CUSTOMERS
• HR Customer Types: The Business Unit reflects a significant number of accountholders categorized as HR per the FI’s pre-existing customer risk rating model.
• Duration of Relationship: The Business Unit reflects a significant number of accounts (those representative of establishing a new customer relationship) that have been opened within the past twelve months.
• Closed/Blocked Accounts: The Business Unit reflects a significant number of customer accounts or relationships that have been closed or blocked at the direction of the FI.
• Number and Nature of Accounts: The Business Unit reflects a significant number of customers with open (e.g., active and/or dormant) accounts in, or having access to, other Business Units within the FI.

“The focus of Audit’s assessment should be on identifying the extent to which the Business Unit’s customer population reflects high-risk characteristics such as those outlined here.”

4. Control Factors

A well-designed risk assessment tool should demonstrate that a strong control environment is a continuous feedback loop of interconnected areas within the AML program requiring ongoing and enterprise-wide evaluation.

CONTROL ENVIRONMENT CONSIDERATIONS
• KYC: Exceptions or Waivers; Reliance; Completeness of Customer Information; Renewals, Updates and Periodic Reviews; Customer Name Screening
• Suspicious and/or Unusual Activity: Detection and Monitoring; Source Data and Internal Reports Relating to PSUA; Escalation and Referral of Activity; Alert Management; Investigation; SAR/STR Completion and Filing
• OFAC and Sanctions: OFAC Screening and Processing; OFAC Policies and Procedures; OFAC Licenses; OFAC Reporting and Related Metrics
• Employee AML Expertise and Coverage: AML Staffing Coverage; Employee Knowledge and Capabilities; Training and Awareness
• Management and Oversight; Policies, Procedures and Processes; Operations and Technology: Overall AML Infrastructure, Framework and Practices

Guidance & Training Tips (Example)

“Magnitude provides perspective; be sure to consider context when assessing and documenting statistics and other metrics.”
• A certain number of HR customers within one Business Unit may have a very different connotation than the same number of HR customers in another area.
• Two Business Units may have the same number of new customer relationships; however, one of these may have rapidly increased the number of new customers within the past year.

“You might not own customers or products, but look deeper for potential AML risk.”
• For areas such as technology or Business Units that sell or develop products on behalf of other businesses, it may be less obvious how inherent risks should be identified, rated and discussed.
• Consider transactional activity (e.g., with vendors or counterparties) and think holistically about the Business Unit’s “potential” (e.g., in the absence of controls) to influence AML risk, such as whether the Business Unit affects risk in other business areas within the FI.

Control Environment Considerations (Example) — KYC
• Renewals, Updates and Periodic Reviews: The Business Unit reflects a significant number of accounts that have not been renewed or updated in accordance with its renewal cycle.
• Customer Name Screening: The Business Unit reflects deficiencies in identifying name matches; there are inconsistencies in screening practices or there is poor interaction between the Business Unit and the central function.
• Exceptions or Waivers: The Business Unit reflects a significant number of exceptions or waivers to internal KYC policies, procedures or standards.
• Reliance: The Business Unit reflects reliance on other parties for KYC functions and does not receive metrics/status reporting, does not own controls for monitoring or managing the reliance, does not reflect accountability or does not demonstrate an understanding of the process and potential risk impact.
• Completeness of Customer Information: The Business Unit reflects a significant number of active accounts with missing or incomplete KYC information.

“The focus of Audit’s assessment should be on evaluating the strength of the Business Unit’s KYC practices, its ability to collect and maintain complete and relevant information, and the capacity to use this information to make appropriate decisions regarding the level of customer risk.”

5. General

Guidance & Training Tips (Example)

“KYC metrics are instrumental in providing a ‘collective’ view of risk.”
• In addition to being used to derive individual customer risk profiles, KYC information can be aggregated at various levels (such as by business or location) to compare actual risk to a predetermined risk appetite.
• If a particular Business Unit has a low risk appetite for PEPs, but KYC metrics indicate that 20% of the customer base is comprised of PEPs, the Business Unit may wish to adjust its risk tolerance or reduce the number of PEPs.

“Central units may own particular controls, but the respective business area owns the risk.”
• In instances where an AML service is provided centrally (e.g., customer onboarding, screening, training, monitoring, investigating), it is important for Audit to: 1. evaluate the Business Unit’s understanding of the central unit’s processes, control effectiveness and potential risk impact of a control failure; and 2. determine whether the Business Unit has supplemental controls in place to either manage the risk on its own or to minimize reliance on the central function.

“While business-provided data should be tested, it may not always be feasible to substantiate and independently validate all pieces of information as part of the Audit AMLRA process.”
• At the risk assessment stage, there may be instances where it is reasonable for Audit to allow for some level of reliance on existing information when drawing conclusions.
• In situations where Audit may reference or leverage information that has not been previously verified—or that relates to known issues or concerns—Audit should document this and flag it for subsequent substantiation and testing.
• Audit should have a reasonable level of comfort that the leveraged information is accurate and/or reliable (such as through previous validation exercises).

The Support Framework

Subject Matter Expertise
• Specialized knowledge in AML
• Strong understanding of the Business Unit
• Region-specific familiarity

“Each assessment should involve input and oversight from individuals with the requisite AML credentials, experience, training and subject matter expertise.”

Continual Training and Guidance Specific to Risk Assessments
• Roles and responsibilities
• Documentation standards
• Risk scoring/rating methodology
• Identification and analysis of AML risk
• Risk assessment process

“The development and distribution of formal training, policies/procedures and equivalent guidance promotes consistency and enhances Audit’s ability to assess AML risk.”

Supporting Data
• Develop a strategy for collecting information
• Understand where the data resides
• Ascertain the quality of the data
• Assign project managers/coordinators
• Designate a central location for storage/access

“Due to the extensive labor involved with obtaining data, it is helpful to view and manage this process as a standalone project and formalize as much as possible.”

Direction for Crafting a Strong Narrative
• Including an introductory description of the BU
• Referencing supporting sources of information
• Representing quantitative support in context of the BU
• Avoiding information overload
• Managing the flow and organization of responses
• Indicating directional risk trends

“A clear, concise and consistent narrative is critical for evidencing rating decisions and articulating potential risks.”

Interpreting and Using Results

“Collective risk assessment results can be used to corroborate conclusions, assemble a comprehensive risk-based plan and illustrate a bird’s eye view of AML risk within the enterprise.”

Comprehensive Risk-based Coverage for Audit Planning
Results can be used to inform planning decisions based on:
• Risk ratings & scores (e.g., highest-risk areas)
• Identified risk trends (e.g., areas of increasing risk)
• Line of business or other organizational structures
• Geography
• Central functions/utilities
• Common risks and control weaknesses
• Prior coverage (e.g., audit testing, regulatory exams)

Enterprise Views of AML Risk
Results can be aggregated and viewed at various levels to:
• See whether results align with current expectations
• Identify explanations for any deviations from expectations
• Determine whether unexplained results warrant further escalation and/or exploration

Data Quality Checks
Results can be reviewed for whether:
• Risk and control ratings make sense at a high level
• Final risk ratings align with individual risk and control ratings
• Ratings are consistent with auditor knowledge
• Any noticeable outliers or anomalies are present
• Particular assessments appear less supported than others
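The inherent/residual distinction quoted under Basic Factors, the “magnitude provides perspective” training tip, and the Enterprise Views and Data Quality Checks above describe what a scoring methodology has to do but, deliberately, prescribe no formula. The block below is an added example, not code from this guide or its author: a toy Audit AMLRA scoring model that rates the guide’s four inherent-risk and seven control-environment categories, derives a residual score, expresses HR-customer counts as a share of the Business Unit’s population, aggregates by line of business, and runs the consistency checks the guide lists (documented rating versus component ratings, High inherent risk that only controls bring down, share above risk appetite). The 1..3 scales, the 60% mitigation cap, the High/Moderate cut-offs, the 10% HR appetite and the four sample Business Units are all assumptions constructed for illustration.

```python
"""Toy Audit AMLRA scoring and consistency checks.

Added example, not code from the reference guide or its author. The guide gives
no scoring formula, so the 1..3 rating scales, the mitigation cap, the rating
cut-offs and the HR-customer risk appetite below are assumptions for illustration.
"""
from dataclasses import dataclass
from statistics import mean

# Factor names follow the guide's inherent-risk and control-environment categories.
INHERENT = ("customers", "products_services", "transaction_activity", "geographic_presence")
CONTROLS = ("kyc", "suspicious_activity", "ofac_sanctions", "staffing_training",
            "oversight_governance", "operations_technology", "policies_procedures")

MAX_MITIGATION = 0.6     # assumption: even fully effective controls leave 40% of inherent risk
HIGH_CUTOFF, MODERATE_CUTOFF = 2.0, 1.4   # assumption: score thresholds for High / Moderate


@dataclass
class BusinessUnit:
    name: str
    line_of_business: str
    inherent: dict           # factor -> inherent risk rating, 1 (low) .. 3 (high)
    controls: dict           # factor -> control effectiveness, 1 (weak) .. 3 (strong)
    hr_customers: int
    total_customers: int
    documented_rating: str   # the rating the auditor wrote in the narrative


def validate(bu):
    """Commonly cited weakness: an assessment that skips a risk category. Refuse to score it."""
    missing = [f for f in INHERENT if f not in bu.inherent] + [f for f in CONTROLS if f not in bu.controls]
    if missing:
        raise ValueError(f"{bu.name}: unrated factors {missing}")
    bad = [v for v in list(bu.inherent.values()) + list(bu.controls.values()) if v not in (1, 2, 3)]
    if bad:
        raise ValueError(f"{bu.name}: ratings must be 1, 2 or 3, got {bad}")


def inherent_score(bu):
    """Average inherent risk before any controls are considered."""
    return mean(bu.inherent[f] for f in INHERENT)


def control_effectiveness(bu):
    """0.0 when every control is weak, 1.0 when every control is strong."""
    return (mean(bu.controls[f] for f in CONTROLS) - 1) / 2


def residual_score(bu):
    """Residual risk: inherent risk after controls, never reduced to zero."""
    return inherent_score(bu) * (1 - MAX_MITIGATION * control_effectiveness(bu))


def rating(score):
    return "High" if score >= HIGH_CUTOFF else "Moderate" if score >= MODERATE_CUTOFF else "Low"


def hr_customer_share(bu):
    """Magnitude in context: the share of HR customers, not the raw count."""
    return bu.hr_customers / bu.total_customers if bu.total_customers else 0.0


def quality_checks(units, hr_appetite=0.10):
    """Findings as (unit, kind, detail): documented rating vs. the component ratings,
    High inherent risk that only controls bring down, and HR share above appetite."""
    findings = []
    for bu in units:
        validate(bu)
        computed = rating(residual_score(bu))
        if computed != bu.documented_rating:
            findings.append((bu.name, "rating_mismatch", f"documented {bu.documented_rating}, model {computed}"))
        if rating(inherent_score(bu)) == "High" and computed != "High":
            findings.append((bu.name, "control_reliance", "High inherent risk offset only by controls; test them"))
        if hr_customer_share(bu) > hr_appetite:
            findings.append((bu.name, "appetite_exceeded", f"HR share {hr_customer_share(bu):.0%} > {hr_appetite:.0%}"))
    return findings


def enterprise_view(units):
    """Residual score aggregated by line of business, one of the guide's enterprise views."""
    by_lob = {}
    for bu in units:
        by_lob.setdefault(bu.line_of_business, []).append(residual_score(bu))
    return {lob: round(mean(scores), 2) for lob, scores in by_lob.items()}


# Constructed sample data: four hypothetical Business Units, not real institutions.
SAMPLE_UNITS = [
    BusinessUnit("Business Unit A", "Private Banking", dict(zip(INHERENT, (3, 3, 3, 3))),
                 dict(zip(CONTROLS, (3, 3, 3, 3, 3, 3, 3))), 120, 800, "Low"),
    BusinessUnit("Business Unit B", "Private Banking", dict(zip(INHERENT, (3, 2, 3, 2))),
                 dict(zip(CONTROLS, (1, 2, 2, 1, 2, 1, 2))), 90, 1000, "High"),
    BusinessUnit("Business Unit C", "Retail", dict(zip(INHERENT, (1, 1, 2, 1))),
                 dict(zip(CONTROLS, (3, 2, 3, 3, 3, 2, 3))), 400, 50000, "Low"),
    BusinessUnit("Business Unit D", "Retail", dict(zip(INHERENT, (2, 2, 2, 1))),
                 dict(zip(CONTROLS, (2, 2, 2, 2, 2, 2, 2))), 30, 200, "Moderate"),
]

if __name__ == "__main__":
    for finding in quality_checks(SAMPLE_UNITS):
        print(*finding, sep=" | ")
    print(enterprise_view(SAMPLE_UNITS))
```

Two design points follow the guide rather than convenience. Business Unit A scores Low on residual risk only because every control is rated strong, so it is flagged for control reliance: the FDIC passage quoted earlier says scope and frequency decisions should rest on inherent risk without assuming controls work, and the guide’s own purpose for an Audit AMLRA is to pinpoint areas warranting substantiation and testing. Business Unit C has more HR customers in absolute terms than A but a far smaller share, which is the “magnitude provides perspective” point; Business Unit D carries the same 15% share as A on a tiny population, which is exactly the case where the auditor’s narrative must supply the context the number alone cannot.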

Simplified Example—for illustration purposes only

Collective risk assessment data can be organized, stratified and dissected in a number of ways to create a variety of views for reporting and analysis.

Columns of the example grid:
• Line of Business | Country | AML Risk Trend | Prior Coverage
• Inherent Risks: Customers | Products and Services | Transaction Activity | Geographic Presence
• Control Environment: Know Your Customer | Suspicious and/or Unusual Activity | OFAC and Sanctions | Staffing and Training | Oversight and Governance | Operations and Technology | Policies, Procedures, Processes
• AML Score

Rows: Business Unit A, Business Unit B, Business Unit C, Business Unit D (all cells left blank in the illustration)

Takeaway

“The development of the AMLRA tool should encompass core AML principles and criteria that can be used as a benchmark for guiding the assessment process without endorsing a checklist-style approach.”

The risk assessment design can better equip Audit.

Risk Assessment Design. Design the tool to:
• Direct auditors towards relevant considerations
• Facilitate thoughtful analysis
• Encourage supported conclusions

Establish a Support Framework with:
• Subject matter expertise
• Continual training and guidance
• Planning for supporting data
• Direction for crafting strong narratives

[Diagram: Risk Assessment Design → Enhanced assessment results → More effective audit plan]

Bio

About the Author

Jonathan Estreich is currently a vice president within the internal audit department at JPMorgan Chase. With over nine years of experience working with financial services firms such as Deloitte Financial Advisory Services LLP and UBS Investment Bank, Mr. Estreich specializes in providing anti-money laundering and counter-terrorist financing services with a focus on AML policies, procedures and internal controls, including those relating to transaction monitoring, Know Your Customer initiatives, customer due diligence and risk assessments. By servicing many different financial institutions within the banking sector in multiple capacities, he has accumulated a broad range of industry knowledge and expertise in diverse areas such as global AML compliance and Office of Foreign Assets Control as well as in working with complex product and customer types. He has had considerable involvement in leading, managing and advising on BSA/AML-related matters, including authoring several works with Thomson Reuters Complinet, ACAMS Today, InsideCounsel and Corporate Compliance Insights.

Professional Credentials Include:
• Advanced Anti-Money Laundering Audit designation (CAMS-Audit)
• Certified Anti-Money Laundering Specialist (CAMS)
• Certified Fraud Examiner (CFE)
• Certified Associate in Project Management (CAPM)

Related Works by Author
• How to Build an Audit Risk Assessment Tool to Combat Money Laundering and Terrorist Financing—Equipping Your Last Line of Defense, ACAMS (December 2013).
• CISADA Section 104(e): A glance into the final rule’s counter terrorist financing requirements and challenges for U.S. Financial Institutions, Corporate Compliance Insights (October 2012).
• Understanding recent developments in prepaid access: Considerations for deterring money laundering, ACAMS Today (March 2012).
• “Knowing” your Latin American customer: Enhanced due diligence practices to mitigate the risks of money laundering and terrorist financing, InsideCounsel (March 2012).
• Enhanced due diligence program for correspondent banking: Minimizing the risk of money laundering and drug trafficking, Thomson Reuters Complinet (August 2011).