Open edsar opened 9 years ago
List of key Controls.
BSA/AML Controls Effectiveness and Rating
The following describes the controls (i.e., risk mitigants) and risk considerations associated with xxx BSA/AML Risk Assessment process, i.e., provides guidance on determining the effectiveness of xxx control environment related to BSA/AML risk. Weights and Ratings are assigned to each factor based on management analysis of the risk considerations for each risk factor.
Inherent Risk Factor: Management Oversight and Accountability
Weighting: 5%
Rating: 1
Score: 0.05
Comments: The assessment within this control category considers senior management’s responsibility to reasonably ensure that the organization’s control processes and procedures are appropriately designed and implemented and are operating effectively to reduce the risk of xxx being used in connection with ML/TF activities. Without the active involvement of all levels of management, a strong culture of compliance is not possible. This section of the assessment captures accountability and oversight of senior management including but not limited to: whether senior management supports the AML Officer and provides for adequate resources to support the AML Program, the adequacy of periodic reporting and metrics provided to senior management (content, distribution and reporting frequency) and how changes that impact the program (e.g., systems, processes, controls, policies and procedures, etc.) are shared with senior management.
Inherent Risk Factor: Policies and Procedures
Weighting: 10%
Rating: 2
Score: 0.2
Comments: The assessment within this control category considers whether there are appropriate and sufficient AML policies and procedures in place and whether they address all key areas and activities required under the AML program.
In addition, the process to keep the policies and procedures current, reviewed and approved is an important consideration in the strength of the control. Policies and procedures that are out of date or not properly approved may present a risk to the organization.
Distribution and communication of policies and procedures also needs to be considered. AML policies and procedures should be readily available and easily accessible by all employees.
Considerations: Based on the progress to date, enhancements have been made and will continue to be made as part of the overall enhancement of the BSA/AML/OFAC Program. In particular, several enhancements are being made to the policies and procedures. This category is rated MEDIUM based on the ongoing nature of the improvements underway.
Inherent Risk Factor: Organizational Structure and Staffing
Weighting: 10%
Rating: 2
Score: 0.2
Comments: This control category considers whether the AML group has been structured appropriately, given xxx activities, and sufficient resources are in place to support the AML Program. Considerations should be given to whether a dedicated AML compliance function is in place which is responsible for coordinating and overseeing day-to-day AML compliance. In addition, consider whether there is a designated AML Officer who has the appropriate stature within the company as well as the knowledge, experience and access to senior management. Further, assess whether there are clearly defined AML reporting lines, accountability as well as roles and responsibilities.
Considerations: Based on the review of staffing levels, two additional full-time staff have been added to the Compliance function. However, as management continues to assess other processes, including transaction monitoring and surveillance, management will continue to assess staffing levels. This category is rated MEDIUM based on the ongoing nature of the evaluation underway.
Inherent Risk Factor: Record Keeping and Retention
Weighting: 10%
Rating: 2
Score: 0.2
Comments: This control category considers whether the organization has the proper procedures in place to meet applicable regulatory requirements for keeping paper and electronic records of pertinent information about clients and transactions.
Consideration should be given as to whether the record keeping methodologies and formats are appropriate in their particular circumstances and whether they could be made readily available upon request.
This control category will also assess whether a process has been implemented to deal with incomplete documentation with a view to making it complete and current.
Several improvements have been made in this area to date, including enhancements to procedures and processes that were implemented in 2013.
Considerations: Based on the progress made, this category is rated MEDIUM.
Inherent Risk Factor: Monitoring and Surveillance
Weighting: 15%
Rating: 3
Score: 0.45
Comments: This control category assesses whether and how effectively transaction monitoring is used to identify unusual/suspicious transactions, and whether the monitoring process is performed in conformity with certain minimum standards, including a risk based approach and identification. Also, assess whether the level of monitoring is commensurate with xxx assessment of risk, with particular emphasis on high-risk customers, transactions and geographic locations. In addition, consider “industry standard” red flags designed to identify potentially suspicious activity. Management has identified, based on the number of unproductive alerts, that this area requires further enhancement. In 3Q of 2013 management took several steps to enhance the transaction monitoring process, including: (i) staff increase to support alert analysis and disposition, (ii) upgrades of various monitoring systems, (iii) identification of vendor to provide more functional transaction monitoring solution for implementation in 2Q 2014, and (iv) review of profiles and processes to optimize the tool now and going forward.
Consideration: Although further progress has been made according to the enhancement plan, this category is rated WEAK.
Inherent Risk Factor: Transaction Investigation and Suspicious Transaction Reporting
Weighting: 10%
Rating: 2
Score: 0.2
Comments: This control category assesses the internal reporting processes that are designed to reasonably ensure compliance with regulatory reporting requirements as they relate to transaction reporting processes and systems. Consideration should be given to the ability of xxx to identify, research, and escalate suspicious/unusual transactions (both those raised in the normal course of business as well as those identified via automated processes), who was involved, when and where it occurred, what products & services were involved and how the transaction was designed.
This category assesses the monitoring and reporting system capability to detect suspicious trends and patterns typically associated with money laundering. Policies, procedures, and processes should indicate the persons responsible for the identification, research, and reporting of suspicious activities.
Considerations: Based on the customer base and transaction experience, while procedural controls will continue to be enhanced, this category is rated MEDIUM.
Inherent Risk Factor: Training
Weighting: 5%
Rating: 1
Score: 0.05
Comments: This control category includes an assessment of the nature, content and appropriateness of AML training and awareness materials provided to employees and senior management. Consideration should be given to whether there is training that is tailored to the specific activities/responsibilities of individuals/departments so that they can effectively perform their AML/CTF functions. The process for developing and presenting AML training materials throughout the organization should also be included in the assessment. Consideration should be given to who is involved in creating AML training and any review or approval process when it comes to creating AML training. In addition, assess the process and the parties responsible for monitoring and reporting on the status of whether employees have completed AML training.
Considerations: Based on the significant training programs established in 2013, this category is rated STRONG.
Inherent Risk Factor: Service Providers and Vendors
Weighting: 15%
Rating: 3
Score: 0.45
Comments: This control category includes an assessment of the internal policies, procedures and processes in place to identify and monitor material vendor arrangements that impact AML/CTF and the effectiveness of the processes in place to monitor the policies and procedures of the third-party service provider to determine whether they meet or exceed xxx standards. in Q3 established a Vendor Risk Management Policy which is enforced through Accounting, Compliance and Legal.
Considerations: Based on the perceived vendor risk, this category is rated WEAK.
Inherent Risk Factor: NPP/Change Management
Weighting: 10%
Rating: 2
Score: 0.2
Comments: The control category considers whether there are appropriate controls in place to reasonably ensure that ML/TF risks and their impact are considered as part of the processes in place to review the development of new products, services, or system/process changes. xxx in Q3 implemented an enhanced NPP process to specifically identify any AML risks associated with new or changed products.
Considerations: Based on this enhancement, this category is MEDIUM.
Inherent Risk Factor: Compliance Testing and Oversight
Weighting: 10%
Rating: 2
Score: 0.2
Comments: This control category considers all AML-related testing, including the existence of internal audit testing, any periodic compliance monitoring and testing, or other independent testing/examinations that have occurred since the last risk assessment. The assessment should include a description of the scope of coverage, any information on specific transaction testing conducted, and the results. Consider noting the rating (if assigned) and specific recommendations or corrective actions. If an action plan was required for any specific finding(s), describe progress made to date in meeting the goals of the plan.
Management instituted a risk-based compliance testing program for staff and senior management to support the Corporate and BSA/AML/OFAC risk programs. This program resulted in the review of 5 areas, primarily involving BSA/AML/OFAC, in 2013.
Considerations: Based on the work done in this area to date, this category is rated MEDIUM.
US - based