Anti-Money Laundering (AML) Risk Assessment Process

Anti-Money Laundering Risk Assessment ProcessAugust 2016

A robust risk assessment process is central to maintaining a strong Anti-Money Laundering (AML) compliance program. The assessment should provide a comprehensive analysis of AML risks associated with the products and services offered by the lines of business, and act as an aggregated estimate of the AML risks across the enterprise.

• Banks are periodically required to evaluate the AML risks of their individual business units and across the enterprise. The objective of the risk assessment is to determine the risk profile of the bank and evaluate the adequacy of the controls in place to mitigate risks. The risk assessment should identify areas of vulnerability to money laundering, identify weaknesses or gaps in the existing control environment, support informed decisions on risk appetite, and highlight the bank’s AML risk and control environment for all key stakeholders, including senior management and regulators.

• The risk assessment is bank-specific with particular risk-factors and categories unique to a bank’s products, services, customers, entities and geographic locations. Banks should favour a sustainable, effective, and cost efficient AML risk assessment process that leverages a data-driven approach to risk scoring. A mature risk assessment process should be executed cyclically, and when triggered by a significant event, using a Factory Model to decrease costs, increase efficiency, and heighten delivery certainty through the use of dedicated resources.

• A mature risk assessment process evolves with the organization, increasing in impact, sophistication and maturity. Financial institutions should take a pragmatic approach to implementing a high-performing enterprise-wide risk assessment program and approach.

• To develop an enterprise-wide risk assessment program, a structured approach is encouraged so the appropriate rigor is practiced to identify, document and validate AML risks and controls. As an output from the risk assessment process, a control testing approach should be developed to monitor AML risks.

Executive summary

Copyright © 2016 Accenture All rights reserved. 2

An AML risk assessment identifies (i) a bank’s inherent risks across a range of categories, (ii) gaps and the level of risk that is acceptable and in line with the bank’s risk appetite, and (iii) the required controls to mitigate risk.

What is an AML risk assessment?


Identify Mitigate

AML Risk Assessment

AnalyzeProducts

Geographies Transactions

Entities

Define and agree on the risk appetite and the risk factors being assessed.Identify specific products, services, customers, entities, and geographic locations unique to the bank and that should be appropriately weighted to the bank’s business model.

Communicate and report findings on identified issues.Formulate action plans to resolve issues. Implement or strengthen controls to avoid, mitigate or reduce the inherent risks faced by the firm.

Customers

Services

Assess

Determine the inherent risk to the firm through detailed analysis of the data obtained on the specific risk factors.Augment findings on inherent risk with outputs from internal audits and regulatory exams. Assess the data to determine whether sufficient controls exist to address the inherent risk of the firm, thereby aligning with its risk appetite.

Define

Banks are required to periodically determine the AML risks of their individual business units and, when banks have a consolidated AML compliance program, this needs to be done enterprise-wide. A bank’s AML compliance program should be structured and enhanced to adequately address its risk profile and align to its risk appetite, as identified through the risk assessment. Appropriate policies, procedures, standards and processes to monitor and control AML risks should be developed or updated based upon the outputs of the risk assessment.

A mature AML risk assessment program helps provide banks with the opportunity to identify and plan for emerging risks and changes in the bank’s risk profile. The program should leverage a clear, consistent, data-driven methodology across the enterprise to quantify AML risks in an easily reportable way.

How should an AML risk assessment program be structured?


People • Include a variety of

subject matter specialists (SMSs) across the business and Financial Crimes Compliance to allow for a broader view on risk and issue management across the firm.

• Leverage a dedicated team, and, where possible, utilize a center of excellence (CoE) and / or the factory model with offshore capability to reduce costs.

Governance and Framework• A single enterprise-

wide operating model, consistent across lines of business and geographies, with ownership within the business.

• Formally defined structures, taxonomies, and reporting forums for senior management review of risk assessment outputs.

North America

Asia PacificEurope

Latin America

Governance and Framework

People

Process

Technology and Data

AML Risk

Assessment

Retail Banking

Commercial Banking

Private Banking

Corporate & Investment Banking

A mature AML risk assessment program helps provide banks with the opportunity to identify and plan for emerging risks and changes in the bank’s risk profile. The program should leverage a clear, consistent, data-driven methodology across the enterprise to quantify AML risks in an easily reportable way.

How should an AML risk assessment program be structured?


Process• A clear globally

consistent and standardized methodology or process across all lines of business and geographies.

• The process should include standard language or taxonomies to describe risk factors across all lines of business.

• Where possible, incorporate both automated scoring and judgmental decisioning.

Technology and Data • Implement the AML risk

assessment within a strategic technology to support automation of data feeds, thus reducing ad hoc data requests and data collation periods.

• Define standard risk factors and identify the data elements required to measure risk factors. Conduct trend analysis around control environments to allow control improvements to be made.

North America

Asia PacificEurope

Latin America

Governance and Framework

People

Process

Technology and Data

AML Risk

Assessment

Retail Banking

Commercial Banking

Private Banking

Corporate & Investment Banking

What is the path to a mature AML risk assessment program?


RudimentaryLimited formal governance,

fragmented infrastructure and inconsistent processes

OperationalCentralized governance with

partially consolidated infrastructure and processes

High-PerformingMarket leading AML risk assessment

practices, enterprise-wide methodology, with formally defined

and adopted infrastructure and processes

Governance and

Framework

• Limited or no formally defined governance structures or decision-making bodies to provide oversight and approvals.

• Geography or line of business specific operating model, with limited integration.

• No clear articulation or risk appetite, risk factors, or control categories.

• No clear ownership of AML risk components.

• Defined governance structures in place for approval of AML risk assessment results.

• Enterprise-wide standards for risk and control taxonomies.

• Identified key-risk factors, and risk appetite.

• Fragmented operating model covering major lines of business.

• Formally defined governance structures and decision-making bodies for approvals, planning, and read-outs to senior management.

• Enterprise-wide operating model, consistent across lines of business and geographies.

• Established risk and control taxonomies, risk factors, and risk appetite.

• Business ownership of most AML risk components.

A mature risk assessment program evolves with the organization, increasing in impact, sophistication and maturity. Financial institutions should take a pragmatic approach to implementing an enterprise-wide risk assessment program and approach.










People

• Senior management aware of AML risk assessment needs, but no dedicated risk resources.

• AML risk assessment performed by line resources on a part time basis.

• Senior management aware of AML risk assessment, structured review conducted leveraging line resources and compliance personnel.

• Management has adequate industry experience in executing AML risk assessments.

• Senior management view AML risk assessment as integral component of AML compliance program.

• AML risk assessment has dedicated resources leveraging the factory model for operational activities, with oversight from highly trained AML specialists.

Process

• Ad-hoc AML risk assessment processes.

• Limited enterprise-wide methodology or approach.

• Bespoke AML risk assessment methodologies per line of business or geography.

• Mainly manual processes, no automation.

• Partially standardized processes across lines of business and geographies.

• AML risk assessment viewed as a requirement but applied superficially and focused on fulfilling regulatory expectations.

• Ad-hoc risk assessments conducted on higher risk areas.

• A defined globally consistent process across lines of business and geographies, supported by workflow.

• Standardized AML risk assessment methodology and approach.

• Automated risk scoring coupled with judgmental decisioning.










Technology and Data

• Little or no technology used to facilitate the AML risk assessment.

• Limited data availability and no agreed upon system of record.

• Static reporting without analysis or action orientation.

• Technology may or may not be used to drive AML risk assessment routines.

• Limited data availability. • Reporting is proactive and

analyzed to drive organizational improvements.

• AML risk assessment process implemented within a strategic technology tool.

• Agreed data sources and systems of record for data extraction.

• Central repository and standards data dictionary leveraged.

• Automated and dynamic reporting allowing for on-going and periodic assessment.

To develop a robust AML risk assessment program, a structured approach is suggested to give the firm a proper understanding of its risks and the effectiveness of the controls over those risks.

What is the approach for an effective AML risk assessment program?


Deliver executive summary

Mobilize and prepare data

points

Document key AML risks and

controls

Identify improvement opportunities

Obtain SMS validation /

approval

Define and agree on risk appetite

Identify systems of record for extracting

data

Agree on specific risk factors and data

elements needed

Identify and document AML risks and controls

Conduct risk scoring to identify critical focus

areas

“Sense check” data outputs with business and compliance SMSs

Map focus areas against current state catalogs

and processes

Map focus areas against current controls

framework

Document risk and control matrix

Aggregate evidence for baseline controls test

Validate risk and control matrix with SMSs

Conduct stakeholder workshops to identify additional pain points

Develop dashboards presenting risk

assessment outcomes

Document executive summary of AML risk assessment findings

AML Risk Assessment Program

Stakeholder communications

Traceability to controls and monitoring and testing plans

Planning and program governance

Agree on standardized templates and

taxonomies

Agree on weights for risk factors

Develop action plans to address gaps and high

risk areas

Incorporate audit findings and prior risk assessment findings

The AML risk assessment is central to maintaining a robust AML compliance program. However, many banks face regulatory scrutiny as well as difficulties in executing such a review due to process, data, talent and time constraints.

What common challenges do firms face in executing AML risk assessments?


Limitations with current processes

Timeline pressures

Limited availability of data

Limited availability of experienced AML talent at scale in local markets.

Over reliance and key-man risk on longstanding AML managers’ experience and subjective analysis.

AML risk assessment perceived as a “tick-box” activity.

Regulators are increasingly demanding more frequent and periodic AML risk assessments.

The time between requesting AML data and completing the risk assessment is often significantly long. This often results in stale or outdated results.

Limited availability of data required to complete the AML risk assessment.

Non-repeatable processes to collect quantitative data.

Limited data granularity impacting the appropriateness and suitability of the data in the AML risk assessment.

Resource constraints with competing

priorities

AML risk assessment process may not be adequately defined and documented to support robust analysis.

Risk categories and factors not defined or weighted appropriate to the bank.

Complexities and risk in business processes not adequately defined.

In light of these and other challenges, financial institutions are looking for better approaches to manage their AML risk assessment programs and deliver repeatable, scalable, and cost efficient execution of AML risk assessments on a cyclical basis.

There are a number of common challenges that impact the effectiveness of an AML risk assessment. Potential solutions to these challenges have been developed via key lessons learned from AML risk assessment programs.

How can the common challenges be addressed?

11

Challenges Potential SolutionsTimeline pressures Automate or partially automate risk scoring to facilitate an ongoing view of the bank’s

risk profile based on geographies, lines of business, products and services, and customer segments.

Implement data feeds from systems of record to automated tools that perform ongoing risk scoring to reduce elapsed time between data requests and generation of risk assessment results.

Adopt a risk-based approach to scheduling AML risk assessments so that high risk areas are more frequently monitored and reviewed.

Resource constraints with competing priorities

Leverage a center of excellence model to reduce resource demands by centralizing repeatable, resource-intensive activities, and implementing a change management process to help schedule AML risk assessments throughout the year without undue demands being placed on line managers.

Require lines of business to assume accountability by formally accepting or presenting detailed plans to mitigate high / critical risk events.

Prioritize the AML risk assessment as an important tool in risk identification and regulatory reporting. Risk culture should be supported by senior leadership, and staffing and budgeting plans should reflect the needs of the AML risk assessment program.

Copyright © 2016 Accenture All rights reserved.

There are a number of common challenges that impact the effectiveness of an AML risk assessment. Potential solutions to these challenges have been developed via key lessons learned from AML risk assessment programs.

How can the common challenges be addressed?

12

Challenges Potential SolutionsLimitations with current processes

Implement the AML risk assessment methodology via a tool (vendor solution or custom build) and create standardization across regions and lines of business. Leverage case management to create additional efficiencies as well as supporting audit and reporting capabilities.

Utilize standardized taxonomies to identify risks and controls and a standard rating scale to determine impact, likelihood, and effectiveness measures.

Limited availability of data

Incorporate all available information into the assessment. Firms should leverage internal and external data and compare risk and controls to internal metrics (key performance indicators / key risk indicators).

Develop standard data dictionary that can be consistently used by all stakeholders including the lines of business, Operations, Compliance and Technology.

Recognize the subjective nature of the AML risk assessment, but drive consistency through standardized terminology and the overall assessment process.

Copyright © 2016 Accenture All rights reserved.

13Copyright © 2016 Accenture All rights reserved.

For More Perspectives on AML

Accenture Fraud & Financial Blog:– Anti-Money Laundering (AML) Risk Assessment Process

• http://fsblog.accenture.com/finance-and-risk/building-a-strong-anti-money-laundering-risk-assessment-process

Accenture Point of View:– Reducing the Cost of Anti-Money Laundering

• https://www.accenture.com/AMLCompliance

– Building a Sustainable Back Secrecy Act and Anti-Money Laundering Program• https://www.accenture.com/us-en/insight-anti-money-

laundering-and-bank-secrecy-act

https://www.accenture.com/us-en/insight-reducing-the-cost-of-anti-money-laundering-compliance.aspx?c=fs_frdfincrmsldshr_10000006&n=smc_0815

https://www.accenture.com/us-en/insight-anti-money-laundering-and-bank-secrecy-act?c=fs_frdfincrmsldshr_10000005&n=smc_0815

http://fsblog.accenture.com/finance-and-risk/building-a-strong-anti-money-laundering-risk-assessment-process?c=fs_frdfincrmsldshr_10000008&n=smc_0815

Anti-Money Laundering Risk Assessment Process

14Copyright © 2016 Accenture All rights reserved.

Disclaimer

This presentation is intended for general informational purposes only and does not take into account the reader’s specific circumstances, and may not reflect the most current developments. Accenture disclaims, to the fullest extent permitted by applicable law, any and all liability for the accuracy and completeness of the information in this presentation and for any acts or omissions made based on such information. Accenture does not provide legal, regulatory, audit, or tax advice. Readers are responsible for obtaining such advice from their own legal counsel or other licensed professionals.

About Accenture

Accenture is a leading global professional services company, providing a broad range of services and solutions in strategy, consulting, digital, technology and operations. Combining unmatched experience and specialized skills across more than 40 industries and all business functions—underpinned by the world’s largest delivery network—Accenture works at the intersection of business and technology to help clients improve their performance and create sustainable value for their stakeholders. With more than 375,000 people serving clients in more than 120 countries, Accenture drives innovation to improve the way the world works and lives. Visit us at www.accenture.com

Accenture, its logo, and High Performance Delivered are trademarks of Accenture.

Anti-Money Laundering (AML) Risk Assessment Process

Economy & Finance

Transcript of Anti-Money Laundering (AML) Risk Assessment Process