How to Build an Audit Risk Assessment Tool to Combat Money Laundering and Terrorist Financing REFERENCE GUIDE
Jonathan Estreich December 2014
Reference Guide Sections
- Introduction (page 2)
- Key Points (page 4)
- Developing the Risk Assessment Tool (page 10)
- The Support Framework (page 22)
- Interpreting and Using Results (page 24)
- Takeaway (page 28)

The author is not necessarily representing the views or opinions of JPMorgan Chase or ACAMS. This document serves as a supplemental resource to the whitepaper published in December of 2013: How to Build an Audit Risk Assessment Tool to Combat Money Laundering and Terrorist Financing.
Introduction

Objective: To provide specific considerations for how a financial institution’s internal audit department can “design” a firm-wide AML risk assessment tool that:
- Improves the auditor’s ability to identify relevant AML risks
- Sets the foundation for thoughtful and supported risk determinations
- Produces results that can assist in the development of an audit plan that satisfies regulatory expectations

“A strong and well-designed tool should equip the auditor to identify risk and to demonstrate and evidence how risk ratings and related conclusions were derived.”
3 How to Build an Audit Risk Assessment Tool to Combat Money Laundering and Terrorist Financing
Key Points
1. Regulatory expectations are high and the auditor’s role is evolving
2. The audit plan indicates to regulators whether Audit is on track
3. Audit’s risk assessment process drives the audit plan
4. There “is” a difference between an Audit AMLRA and other AML risk assessments

1. Regulatory expectations are high and the auditor’s role is evolving

Regulators are emphasizing the importance of independent testing and the role of the auditor in helping to manage risk and sustain an operational AML program.

“Audit is responsible for conducting an objective evaluation of the AML compliance program for soundness, adequacy and sustainability while maintaining independence from compliance and business functions.”

Includes a review of the FI’s risk assessment for reasonableness given the FI’s risk profile:
- Customers
- Products and Services
- Transaction Activity
- Geographic Presence

Additional focus on:
- Risk tolerance
- The level of assurance
- The depth and precision of controls
- The nature of substantive testing
- The degree of credible challenge

Regulatory Orders (2012, 2013):
- Inadequate CDD and EDD practices
- Incomplete identification of high-risk customers
- Insufficient policies, procedures and training
- Failures in monitoring and identifying suspicious activity
- Poor suspicious activity reporting and filing practices
- Ineffective independent testing and audit functions
2. The audit plan indicates to regulators whether Audit is on track

“Audit is responsible for assembling an audit plan that demonstrates its organization’s knowledge of its Business Units and an understanding of the business’ associated risks.”

The Audit Plan:
- Primary roadmap for AML testing activities
- Should, at a minimum, focus on the highest-risk areas
- If the plan is lacking, the FI may be exposed

Overview of Primary Audit Objectives
- Determine whether the overall AML/BSA compliance program is suitably designed and operating effectively.
- Identify any material program weaknesses, control deficiencies and corresponding opportunities for program, process and control enhancements, and report them to senior management and the board (usually the audit committee).
- Assist management with identifying money laundering, terrorism financing and other financial crime vulnerabilities.
- Assess management’s AML strategic planning process.
- Identify opportunities and methods to help management make program enhancements continuous and sustainable.
- Assess and identify opportunities to enhance management’s self-monitoring and self-testing compliance review program.
- Assess how well AML compliance is integrated into the business.
- Assess and identify possible gaps and opportunities for management to continually improve its suspicious activity detection, investigation, analysis, escalation, documentation and reporting processes and controls, including due diligence feedback and the enterprise-wide AML risk assessment process.
- Perform and document procedures and results that may be useful to regulators in conducting their supervisory examinations.
Adapted from: The SAR Activity Review—Trends, Tips and Issues (Issue 16), (October, 2009).

3. Audit’s risk assessment process drives the audit plan

Audit is expected to select audits using a risk-based approach that provides a reasonable belief that critical risks are identified and assigned adequate testing coverage in a timely fashion.

[Diagram: Risk Profile → Audit Coverage (Frequency, Scope)]

A successful risk assessment should:
- Result in a detailed risk profile for each Business Unit
- Demonstrate the rationale and inform decisions for including or excluding a specific audit area in the plan

“An audit plan that includes every possible auditable Business Unit is arguably not a ‘plan’ and is most likely an unrealistic approach in a world of finite resources.”

The process of building the audit plan should involve consideration of:
- Existing or Prior Audit Coverage
- Unique Business Risks
- Pre-existing issues
- Severity of AML risk factors
4. There “is” a difference between an Audit AMLRA and other AMLRAs

Differences between risk assessment tools do exist, and these may be attributed to who the tool is designed for and how the results will ultimately be used.

Audit AMLRA: identify and assess risk with the purpose of:
1. Pinpointing areas warranting immediate escalation
2. Pinpointing areas warranting further substantiation and testing
Usually completed by an auditor or other audit department designee.

“It is reasonable for Audit to reflect a combined approach of independently deriving some pieces of information while leveraging other pieces— granted a reasonable level of comfort.”

An effective Audit AMLRA should assist with audit decisions relating to:
- Whether the FI’s risk assessment processes are effective
- What Business Units should be audited
- What AML components within a Business Unit may warrant testing coverage
- The frequency for which a Business Unit may need to be tested
- Prioritization and timing of audit coverage across Business Units
- Potential resourcing demands for conducting the resulting audits
Developing the Tool
1. Overview
2. Basic Factors
3. Risk Factors
4. Control Factors
5. General

1. Overview

A strong AMLRA design leads, directs and guides the auditor’s focus and helps the auditor to successfully assess risk while avoiding generalizations.

Commonly cited risk assessment weaknesses:
- Assessments did not consider all major risk categories
- Assessments were not performed and/or not evidenced through documentation
- Assessments did not include all lines of business or entities
- There was a lack of methodology for assigning risk ratings/levels
- Policies and procedures were not commensurate with the institution’s risk profile
Adapted from: “Spotlight on Large Institutions: Conducting Enterprise-Wide AML Risk Assessments that Go Beyond the Expectations of Examiners and Senior Management,” ACAMS; June 26, 2013

An AMLRA tool should be conducive to:
- Identification of Risk
- Quantification of Risk
- Assessment of Risk
- Documentation of the Level of Risk

“The two key players who will be using the tool the most are the auditor completing Audit’s assessment and the AML examiner evaluating Audit’s assessment. This is a helpful consideration when designing the tool.”
2. Basic Factors

The development of a robust risk assessment model is largely dependent upon the individual elements that are chosen as the Risk and Control Environment Factors to be assessed and evaluated.

“FIs are expected to establish a control environment that minimizes and—where possible—safeguards against AML risks.”

“[i]nherent risks are the risks that exist before the application of controls intended to mitigate those risks. Clearly identifying inherent risks is particularly beneficial in making determinations for the scope and frequency of audit and independent reviews— determinations that should be based on a financial institution’s assessment of inherent risk without assuming that controls are functioning as intended. Residual risks are those that exist after the application of controls. In this context, risks cannot be completely eliminated, even though layered security may reduce risk to an acceptable level.”1

1 FDIC. (2007). From the Examiner’s Desk: Customer Information Risk Assessments: Moving Toward Enterprise-wide Assessments of Business Risk.

Primary Inherent AML risks relate broadly to an FI’s:
- Customers
- Products and Services
- Transaction Activity
- Geographic Presence

Audit should assess the current state of controls relating to:
- Know Your Customer
- Suspicious and/or Unusual Activity
- OFAC and Sanctions
- Management and Oversight
- Policies, Procedures and Processes
- Employee AML Expertise and Coverage
- Operations and Technology
3. Risk Factors

The process of identifying and assessing the degree of inherent risk will help to quantify the extent of residual risk, which in turn can inform audit planning decisions.

Inherent Risk Considerations (across Customers, Products and Services, Transaction Activity and Geographic Presence):
- HR Customer Types
- Duration of Relationship
- Closed/Blocked Accounts
- Customers in HR Locations
- Number and Nature of Accounts
- HR Products and Services
- New Products and Services
- Activity Involving HR Products/Services
- Business/Sales from HR Products and Services
- Risk Tolerance and Business Strategies
- International Activity
- Transactions Involving Indirect Parties
- Transactional Activity with HR Locations
- Reportable Transaction Activity
- Physical Presence in HR Locations

Inherent Risk Considerations (Example) — CUSTOMERS
- HR Customer Types: The Business Unit reflects a significant number of accountholders categorized as HR per the FI’s pre-existing customer risk rating model.
- Duration of Relationship: The Business Unit reflects a significant number of accounts (those representative of establishing a new customer relationship) that have been opened within the past twelve months.
- Closed/Blocked Accounts: The Business Unit reflects a significant number of customer accounts or relationships that have been closed or blocked at the direction of the FI.
- Number and Nature of Accounts: The Business Unit reflects a significant number of customers with open (e.g., active and/or dormant) accounts in, or having access to, other Business Units within the FI.

“The focus of Audit’s assessment should be on identifying the extent to which the Business Unit’s customer population reflects high-risk characteristics such as those outlined here.”
Guidance & Training Tips (Example)

“Magnitude provides perspective; be sure to consider context when assessing and documenting statistics and other metrics.”
- A certain number of HR customers within one Business Unit may have a very different connotation than the same number of HR customers in another area.
- Two Business Units may have the same number of new customer relationships; however, one of these may have rapidly increased the number of new customers within the past year.

“You might not own customers or products, but look deeper for potential AML risk.”
- For areas such as technology or Business Units that sell or develop products on behalf of other businesses, it may be less obvious as to how inherent risks should be identified, rated and discussed.
- Consider transactional activity (e.g., with vendors or counterparties) and think holistically about the Business Unit’s “potential” (e.g., in the absence of controls) to influence AML Risk, such as whether the Business Unit affects risk in other business areas within the FI.

4. Control Factors

A well-designed risk assessment tool should demonstrate that a strong control environment is a continuous feedback loop of interconnected areas within the AML program requiring ongoing and enterprise-wide evaluation.

Control Environment Considerations
- KYC: Exceptions or Waivers; Reliance; Completeness of Customer Information; Renewals, Updates and Periodic Reviews; Customer Name Screening
- Suspicious and/or Unusual Activity: Detection and Monitoring; Source Data and Internal Reports Relating to PSUA; Escalation and Referral of Activity; Alert Management; Investigation; SAR/STR Completion and Filing
- OFAC and Sanctions: OFAC Screening and Processing; OFAC Policies and Procedures; OFAC Licenses; OFAC Reporting and Related Metrics
- Employee AML Expertise and Coverage: AML Staffing Coverage; Employee Knowledge and Capabilities; Training and Awareness
- Overall AML Infrastructure, Framework and Practices: Management and Oversight; Policies, Procedures and Processes; Operations and Technology
Control Environment Considerations (Example) — KYC
- Renewals, Updates and Periodic Reviews: The Business Unit reflects a significant number of accounts that have not been renewed or updated in accordance with its renewal cycle.
- Customer Name Screening: The Business Unit reflects deficiencies in identifying name matches; there are inconsistencies in screening practices or there is poor interaction between the Business Unit and the central function.
- Exceptions or Waivers: The Business Unit reflects a significant number of exceptions or waivers to internal KYC policies, procedures or standards.
- Reliance: The Business Unit reflects reliance on other parties for KYC functions and does not receive metrics/status reporting, does not own controls for monitoring or managing the reliance, does not reflect accountability or does not demonstrate an understanding over the process and potential risk impact.
- Completeness of Customer Information: The Business Unit reflects a significant number of active accounts with missing or incomplete KYC information.

“The focus of Audit’s assessment should be on evaluating the strength of the Business Unit’s KYC practices, its ability to collect and maintain complete and relevant information; and the capacity to use this information to make appropriate decisions regarding the level of customer risk.”
5. General

Guidance & Training Tips (Example)

“KYC metrics are instrumental in providing a ‘collective’ view of risk.”
- In addition to being used to derive individual customer risk profiles, KYC information can be aggregated at various levels (such as by business or location) to compare actual risk to a predetermined risk appetite.
- If a particular Business Unit has a low-risk appetite for PEPs, but KYC metrics indicate that 20% of the customer base is comprised of PEPs, the Business Unit may wish to adjust its risk tolerance or reduce the number of PEPs.

“Central units may own particular controls, but the respective business area owns the risk.”
- In instances where an AML service is provided centrally (e.g., customer onboarding, screening, training, monitoring, investigating), it is important for Audit to: 1. evaluate the Business Unit’s understanding over the central unit’s processes, control effectiveness and potential risk impact of a control failure; and 2. determine whether the Business Unit has supplemental controls in place to either manage the risk on its own or to minimize reliance on the central function.

Guidance & Training Tips (Example)

“While business provided data should be tested, it may not always be feasible to substantiate and independently validate all pieces of information as part of the Audit AMLRA process.”
- At the risk assessment stage, there may be instances where it is reasonable for Audit to allow for some level of reliance on existing information when drawing conclusions.
- In situations where Audit may reference or leverage information that has not been previously verified—or that relates to known issues or concerns— Audit should document this and flag for subsequent substantiation and testing.
- Audit should have a reasonable level of comfort that the leveraged information is accurate and/or reliable (such as through previous validation exercises).
The Support Framework

Subject Matter Expertise
- Specialized knowledge in AML
- Strong understanding over the Business Unit
- Region-specific familiarity
“Each assessment should involve input and oversight from individuals with the requisite AML credentials, experience, training and subject matter expertise.”

Continual Training and Guidance Specific to Risk Assessments
- Roles and responsibilities
- Documentation standards
- Risk scoring/rating methodology
- Identification and analysis of AML risk
- Risk assessment process
“The development and distribution of formal training, policies/procedures and equivalent guidance promotes consistency and enhances Audit’s ability to assess AML risk.”

Supporting Data
- Develop strategy for collecting information
- Understand where the data resides
- Ascertain the quality of the data
- Assign project managers/coordinators
- Designate a central location for storage/access
“Due to the extensive labor involved with obtaining data, it is helpful to view and manage this process as a standalone project and formalize as much as possible.”

Direction for Crafting a Strong Narrative
- Including an introductory description of the BU
- Referencing supporting sources of information
- Representing quantitative support in context of the BU
- Avoiding information overload
- Managing the flow and organization of responses
- Indicating directional risk trends
“A clear, concise and consistent narrative is critical for evidencing rating decisions and articulating potential risks.”
Interpreting and Using Results

“Collective risk assessment results can be used to corroborate conclusions, assemble a comprehensive risk-based plan and illustrate a bird’s eye view of AML risk within the enterprise.”

Comprehensive Risk-based Coverage for Audit Planning
Results can be used to inform planning decisions based on:
- Risk ratings & scores (e.g., highest-risk areas)
- Identified risk trends (e.g., areas of increasing risk)
- Line of business or other organizational structures
- Geography
- Central functions/utilities
- Common risks and control weaknesses
- Prior coverage (e.g., audit testing, regulatory exams)

Enterprise Views of AML Risk
Results can be aggregated and viewed at various levels to:
- See whether results align with current expectations
- Identify explanations for any deviations from expectations
- Determine whether unexplained results warrant further escalation and/or exploration

Data Quality Checks
Results can be reviewed for whether:
- Risk and control ratings make sense at a high level
- Final risk ratings align with individual risk and control ratings
- Ratings are consistent with auditor knowledge
- Any noticeable outliers or anomalies are present
- Particular assessments appear less supported than others
Simplified Example—for illustration purposes only

Collective risk assessment data can be organized, stratified and dissected in a number of ways to create a variety of views for reporting and analysis.

[Table: one row per Business Unit (A through D) with the columns Line of Business; Country; AML Risk Trend; Prior Coverage; Inherent Risks (Customers, Products and Services, Transaction Activity, Geographic Presence); Control Environment (Know Your Customer, Suspicious and/or Unusual Activity, OFAC and Sanctions, Staffing and Training, Oversight and Governance, Operations and Technology, Policies, Procedures, Processes); AML Score. The cells are blank in the original.]
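A worked illustration of the scoring, enterprise views and data quality checks described above, added here as an example and not part of the guide or its author's tool. The factor categories are the guide's; the 1..3 rating scale, the residual-score formula, the rating bands, the outlier threshold and the four Business Unit records are assumptions constructed for this example.

```python
"""Illustrative residual-risk scoring for an Audit AMLRA (example only).
Factor categories follow the guide; the scale, formula, bands, thresholds
and sample records are assumptions of this example, not the guide's method."""
from collections import defaultdict
from statistics import mean, pstdev

INHERENT = ("Customers", "Products and Services", "Transaction Activity", "Geographic Presence")
CONTROLS = ("Know Your Customer", "Suspicious and/or Unusual Activity", "OFAC and Sanctions",
            "Staffing and Training", "Oversight and Governance", "Operations and Technology",
            "Policies, Procedures, Processes")


def record(bu, lob, country, inherent, control, auditor_rating, sources):
    """One Business Unit record. Inherent ratings: 1 = low .. 3 = high.
    Control ratings: 1 = weak .. 3 = strong. 'sources' lists supporting references."""
    return {"bu": bu, "lob": lob, "country": country,
            "inherent": dict(zip(INHERENT, inherent)),
            "control": dict(zip(CONTROLS, control)),
            "auditor_rating": auditor_rating, "sources": sources}


# Constructed sample data (not taken from the guide).
SAMPLE = [
    record("Business Unit A", "Retail", "US", (3, 2, 2, 1), (3, 3, 3, 2, 3, 2, 3),
           "Low", ["KYC metrics Q3", "2013 audit report"]),
    record("Business Unit B", "Private Banking", "CH", (3, 3, 3, 3), (1, 2, 2, 1, 2, 2, 1),
           "Medium", ["onboarding exception log"]),
    record("Business Unit C", "Retail", "UK", (2, 2, 2, 1), (3, 3, 3, 3, 3, 2, 3),
           "Low", []),
    record("Business Unit D", "Correspondent Banking", "US", (2, 3, 3, 2), (2, 2, 2, 2, 2, 2, 2),
           "Medium", ["wire volume report"]),
]


def residual_score(rec):
    """Assumed formula: inherent risk scaled by how far the controls fall short.
    Weakest controls leave the inherent rating unchanged; strongest cut it to a third."""
    inherent = mean(rec["inherent"][f] for f in INHERENT)
    control = mean(rec["control"][f] for f in CONTROLS)
    return round(inherent * (4 - control) / 3, 2)


def rating(score):
    """Assumed rating bands for the residual score."""
    return "High" if score >= 2.0 else "Medium" if score >= 1.0 else "Low"


def quality_checks(records, z_threshold=1.25):
    """The guide's review questions as checks: final rating aligned with the
    component ratings, noticeable outliers, and assessments that look less supported."""
    scores = {r["bu"]: residual_score(r) for r in records}
    findings = []
    for r in records:
        implied = rating(scores[r["bu"]])
        if r["auditor_rating"] != implied:
            findings.append((r["bu"], "rating misaligned",
                             f"assigned {r['auditor_rating']}, components imply {implied}"))
        if not r["sources"]:
            findings.append((r["bu"], "less supported", "no supporting sources referenced"))
    mu, sigma = mean(scores.values()), pstdev(scores.values())
    for bu, s in scores.items():
        if sigma and abs(s - mu) / sigma > z_threshold:  # assumed z-score cutoff
            findings.append((bu, "outlier", f"score {s} vs population mean {mu:.2f}"))
    return findings


def enterprise_views(records):
    """Aggregate residual scores by line of business and by country."""
    groups = {"lob": defaultdict(list), "country": defaultdict(list)}
    for r in records:
        s = residual_score(r)
        groups["lob"][r["lob"]].append(s)
        groups["country"][r["country"]].append(s)
    return {view: {g: mean(v) for g, v in members.items()} for view, members in groups.items()}


if __name__ == "__main__":
    for r in SAMPLE:
        s = residual_score(r)
        print(f"{r['bu']}: residual {s} -> {rating(s)}")
    for finding in quality_checks(SAMPLE):
        print("CHECK:", *finding)
    print(enterprise_views(SAMPLE))
```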
Takeaway

“The development of the AMLRA tool should encompass core AML principles and criteria that can be used as a benchmark for guiding the assessment process without endorsing a checklist-style approach.”

The risk assessment design can better equip Audit.

[Diagram: Risk Assessment Design → Enhanced assessment results → More effective audit plan]

Design the tool to:
- Direct auditors towards relevant considerations
- Encourage supported conclusions
- Facilitate thoughtful analysis

Establish a Support Framework with:
- Subject matter expertise
- Continual training and guidance
- Planning for supporting data
- Direction for crafting strong narratives
Bio

About the Author
Jonathan Estreich is currently a vice president within the internal audit department at JPMorgan Chase. With over nine years of experience working with financial services firms such as Deloitte Financial Advisory Services LLP and UBS Investment Bank, Mr. Estreich specializes in providing anti-money laundering and counterterrorist financing services with a focus on AML policies, procedures and internal controls, including those relating to transaction monitoring, Know Your Customer initiatives, customer due diligence and risk assessments. By servicing many different financial institutions within the banking sector in multiple capacities, he has accumulated a broad range of industry knowledge and expertise in diverse areas such as global AML compliance and Office of Foreign Assets Control as well as in working with complex product and customer types. He has had considerable involvement in leading, managing and advising on BSA/AML-related matters, including authoring several works with Thomson Reuters Complinet, ACAMS Today, InsideCounsel and Corporate Compliance Insights.
Professional Credentials Include:
- Advanced Anti-Money Laundering Audit designation (CAMS-Audit)
- Certified Anti-Money Laundering Specialist (CAMS)
- Certified Fraud Examiner (CFE)
- Certified Associate in Project Management (CAPM)

Related Works by Author
- How to Build an Audit Risk Assessment Tool to Combat Money Laundering and Terrorist Financing—Equipping Your Last Line of Defense, ACAMS, (December 2013).
- CISADA Section 104(e): A glance into the final rule’s counter terrorist financing requirements and challenges for U.S. Financial Institutions, Corporate Compliance Insights, (October 2012).
- Understanding recent developments in prepaid access: Considerations for deterring money laundering, ACAMS Today, (March 2012).
- “Knowing” your Latin American customer: Enhanced due diligence practices to mitigate the risks of money laundering and terrorist financing, InsideCounsel, (March 2012).
- Enhanced due diligence program for correspondent banking: Minimizing the risk of money laundering and drug trafficking, Thomson Reuters Complinet, (August 2011).