The landscape of financial crime risk has been transformed in recent years by ever more serious lapses in the anti-money laundering (AML) risk controls of global financial institutions. In 2017, the UK Financial Conduct Authority (FCA) imposed its largest ever financial penalty for AML controls failings (£163,076,224) on a bank.[1] In the same year, the Monetary Authority of Singapore (MAS) concluded its 1MDB review, having shut down two banks and imposed financial penalties on eight banks for weaknesses in customer due diligence (CDD) and inadequate monitoring of customers' transactions and activities.[2]
Enforcement attention does not stop at institutions. In one recent case, an AML Compliance Officer was personally fined for failing to file hundreds of Suspicious Activity Reports (SARs) on securities transactions that carried red-flag indicators.[3]
Going further
The conventional approach, in which risk governance is performed through the 'three lines of defence' (LoD), may not be sufficient for proactive financial crime risk management, and banks are recognising the need to go further. Subsets of the LoDs, namely the 1.5 LoD and the 2.5 LoD, have evolved to address the dynamic financial crime environment. The 0.5 demarcation is significant: independent assurance performed on the first and second LoDs respectively should give business units early warning indicators before risk events crystallise.
Depending on the size of the institution, the 1.5 LoD may refer to the Business Risk Controls Management or Risk Controls function that sits within the first LoD. This function typically carries out controls monitoring and testing to validate that the first LoD's processes and controls operate as intended. The 2.5 LoD refers to the assurance reviews performed over the first and second LoDs.
In financial crime risk compliance, the 2.5 LoD (i.e. the Financial Crime Risk Assurance, or FCR Assurance, function) is gradually gaining momentum. But is FCR Assurance a fad or 'the new kid on the block'? This article examines the essence of FCR Assurance and challenges the view that it is 'just another gimmick' in which a watchman watches the watchman.
A different approach, different outcome
An FCR Assurance model may cover annual review plans for the monitoring and testing of financial crime risk controls and, where a test produces observations, work to ensure that the business proposes appropriate action plans to mitigate the risks. The action plans are then validated after implementation to ascertain the effectiveness of the controls and of their implementation.
Generally, assurance reviews involve historical testing against procedural requirements over a specific period. FCR Assurance, in contrast, takes a proactive approach: it focuses on the prevailing financial crime climate and on whether the current control mechanisms are able to mitigate those risks. Such reviews are thematic in nature and seek to detect risk control gaps based on the present (and changing) risks, as opposed to mere testing of adherence to procedures (i.e. a 'check-box' mentality).
Let us take the example of a review of CDD for offshore customers. The reviewer made the following observations about a sampled customer:
- The customer resides in Indonesia and has declared himself as a self-employed consultant whose company is established in Indonesia, earning an annual income of approximately SGD500,000.
- In the last six months, the customer's account has received multiple inward remittances of varying amounts (e.g. £20,000-35,000 and US$10,000-15,000) from two UK companies, with the reference 'Salaries'. These were followed by outward remittances to the customer's own Indonesian bank account with the reference 'Expenses'.
- During account opening, the customer explained that he would receive salaries from these two UK companies for consultancy work, and there have been no changes to his profile since.
- The CDD reviewer examined the account's transactional activity and passed the account as non-suspicious on the basis that the transactions were commensurate with the customer's declared income and declared activities.
If the sample were assessed purely against process and procedural requirements, it would likely be recorded as a 'pass': the CDD was carried out, the Know Your Customer (KYC) checklist was fulfilled and the transactions were consistent with the KYC information obtained. If instead a proactive, risk-focused review approach is adopted, the result could be a 'fail', because the account shows a combination of red flags that together resemble potential tax evasion and potential money laundering: income is offshored under the guise of salary, the source of the cross-border funds received from the two UK companies (possibly shell companies) is unknown, and the funds are merely intermediated through an offshore account on their way to the customer's home country.
Put differently, the same review conducted with a different testing approach (the latter focusing on the underlying risks) makes a material difference to risk identification. Only when risks are duly identified and their magnitude quantified can appropriate risk control measures be evaluated to address the inadequacies.
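To make the contrast between the two testing approaches concrete, here is an added example that is not part of the original article and not any bank's actual monitoring logic. It runs a checklist-style test and a risk-focused test over constructed transactions modelled on the case above. The customer profile, the six months of transactions, the SGD amounts, the 25% income tolerance, the seven-day pass-through window, the 80% pass-through ratio and the two-flag failure threshold are all assumptions chosen for illustration.

```python
"""Checklist-style vs risk-focused CDD review over a constructed sample.

Added illustration: the profile, transactions and thresholds below are assumptions
modelled on the article's case, not data or rules from the original text.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Txn:
    day: date
    direction: str     # "IN" (inward remittance) or "OUT" (outward remittance)
    counterparty: str  # paying or receiving party
    country: str       # jurisdiction of the counterparty account (ISO 3166 alpha-2)
    amount_sgd: float  # amount converted to the booking currency (assumed rates)
    reference: str     # payment reference exactly as sent


@dataclass(frozen=True)
class Profile:
    residence: str
    occupation: str
    business_country: str
    declared_annual_income_sgd: float
    own_account_countries: frozenset  # where the customer holds accounts in own name


def checklist_review(profile, txns, months, tolerance=1.25):
    """Procedural test mirroring the article's 'pass': are the inflows, annualised,
    commensurate with the declared income? (tolerance is an assumed threshold)"""
    inflow = sum(t.amount_sgd for t in txns if t.direction == "IN")
    annualised = inflow * 12 / months
    return annualised <= profile.declared_annual_income_sgd * tolerance


def risk_review(profile, txns, pass_through_days=7, pass_through_ratio=0.8):
    """Thematic test: collect the red flags the article's risk-focused reviewer would
    weigh together. Window and ratio are assumed thresholds for illustration."""
    flags = []
    inflows = [t for t in txns if t.direction == "IN"]
    outflows = [t for t in txns if t.direction == "OUT"]

    # Red flag 1: a self-employed customer drawing "salary" from several payers.
    salary_payers = {t.counterparty for t in inflows if "salar" in t.reference.lower()}
    if profile.occupation == "self-employed" and len(salary_payers) > 1:
        flags.append(f"salary-referenced credits from {len(salary_payers)} payers "
                     f"despite self-employed profile")

    # Red flag 2: payers sit in jurisdictions unconnected to residence or business.
    unrelated = {t.country for t in inflows} - {profile.residence, profile.business_country}
    if unrelated:
        flags.append(f"inflows from jurisdictions unrelated to the profile: {sorted(unrelated)}")

    # Red flag 3: pass-through. Credits are forwarded to the customer's own offshore
    # account within a few days, so this account only intermediates the funds.
    total_in = sum(t.amount_sgd for t in inflows)
    forwarded = sum(
        out.amount_sgd for out in outflows
        if out.country in profile.own_account_countries
        and any(0 <= (out.day - inc.day).days <= pass_through_days for inc in inflows)
    )
    ratio = forwarded / total_in if total_in else 0.0
    if ratio >= pass_through_ratio:
        flags.append(f"{ratio:.0%} of credits forwarded to own account in "
                     f"{profile.residence} within {pass_through_days} days")
    return flags


def review(profile, txns, months, fail_at=2):
    """Run both tests over the same sample and return the verdicts side by side.
    Failing the risk-based test on two or more flags is an assumed threshold."""
    flags = risk_review(profile, txns)
    return {
        "checklist": "pass" if checklist_review(profile, txns, months) else "fail",
        "risk_based": "fail" if len(flags) >= fail_at else "pass",
        "red_flags": flags,
    }


def sample_case():
    """Constructed data modelled on the article's case: six months of 'Salaries'
    credits from two UK companies, each followed by an 'Expenses' debit to the
    customer's own Indonesian account. Names, amounts and dates are invented."""
    profile = Profile(residence="ID", occupation="self-employed", business_country="ID",
                      declared_annual_income_sgd=500_000,
                      own_account_countries=frozenset({"ID"}))
    txns = []
    for month in range(1, 7):
        payday = date(2018, month, 5)
        txns.append(Txn(payday, "IN", "Alpha Consulting Ltd", "GB", 30_000, "Salaries"))
        txns.append(Txn(payday, "IN", "Beta Services Ltd", "GB", 10_000, "Salaries"))
        txns.append(Txn(payday + timedelta(days=3), "OUT", "Customer own account",
                        "ID", 36_000, "Expenses"))
    return profile, txns, 6


if __name__ == "__main__":
    prof, sample, months = sample_case()
    for key, value in review(prof, sample, months).items():
        print(f"{key}: {value}")
```

On this sample the checklist test passes (SGD 480,000 annualised against SGD 500,000 declared), while the risk-focused test records three flags and fails the account. The combination is what matters: the same pass-through pattern for a salaried employee of a single UK employer raises only one flag and would not fail under the assumed threshold, which is the 'substance over form' judgement the article asks reviewers to make.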
Independence
Further, independence is of the utmost importance to an effective assurance review. Independence has two elements. Firstly, the reviewer is free from conditions that threaten the review or the ability to carry it out without bias. Secondly, the reviewer has direct and unrestricted access to senior management. From a functional reporting perspective, the FCR Assurance function should stay independent of the business as well as of mainstream financial crime compliance, to avoid potential conflicts of interest. Independence in reporting lines does not, however, mean that FCR Assurance should rule with an iron rod; it can instead act as a 'co-pilot' with the business and/or the Compliance function to steer the bank towards effective FCR controls.
In the case illustrated above, the root cause of the risk identified could be a lack of plausibility assessment at customer onboarding and during the CDD review: the client provided information to the bank, but that information ought to have been tested further rather than taken at face value. FCR Assurance could then offer views on the control measures to be implemented from a business improvement perspective rather than presenting them as a censure for a control lapse.
Approach and skillsets
An effective 2.5 LoD requires a cultural shift in mindset, a focus on outcomes through risk-based thematic reviews, and, most importantly, FCR Assurance reviewers with appropriate skillsets.
An outcome-based review, defined by clear objective outcomes, should focus on the substance of risk rather than its form. Given the limited resources for each review, for every test step undertaken and every potential issue observed, the reviewer should consider whether it has a substantive impact on the objective outcome of the review. The value of each review lies in identifying the critical gaps that could have adverse impacts on the bank if not resolved in a timely manner.
Last but not least, staff competency is essential. Traditionally, a reviewer with an audit and/or assurance background would fit the role. Another approach is to hire an all-rounder, i.e. someone with practical experience in areas such as onboarding, business risk controls design and execution, or AML systems and processes.
The practical challenge in a review is not checking whether a procedural requirement is being followed; it is the ability to identify relevant FCR issues and to work out how potential control gaps could be resolved. Each risk issue should be considered against multi-faceted variables such as controls design, process efficiency and the viability of control execution, all of which can have implications for clients. Diverse skillsets can therefore bring FCR Assurance to a higher plane. In addition, reviewers must be able to manage different, and possibly conflicting, stakeholder interests, and should be courageous enough to stand firm amid differing views and pressure.
This article was written by Sherin Han for inCOMPLIANCE® magazine.
_________________________________________________________________
Sherin Han has over 10 years' experience in FCR assurance, AML investigation, risk controls, process and operational risk within retail, private banking and wealth management. Currently, Sherin works in FCR assurance for a foreign bank. Jee Meng Chen is MLRO of Commerzbank Singapore.
The original version of this article was published in inCOMPLIANCE®, ICA's exclusive member-only magazine. To find out more about membership and inCOMPLIANCE®, take a look here.
_________________________________________________________________
References:
[1] https://www.fca.org.uk/news/press-releases/fca-fines-deutsche-bank-163-million-anti-money-laundering-controls-failure
[2] https://www.straitstimes.com/business/banking/1mdb-review-is-over-but-the-effects-are-long-term
[3] https://www.lexology.com/library/detail.aspx?g=1b5e08b9-04e4-4604-8dff-f46edd1c60f7