A risk-based approach to your AML/CTF strategy

Since 2016, the Anti-Money Laundering Council (AMLC) and its supervisory agencies have issued significant updates and tightened anti-money laundering (AML) and counter terrorist financing (CTF) regulations in the Philippines, aligning them closer with international standards.

Regulatory trends are leading to greater pressure on senior management of covered entities to ensure adequate AML/CTF controls. Recent regulatory enforcement actions show significant fines and penalties imposed on top of formal notice of charges to get senior management’s attention, highlighting the need for covered entities to take AML/CTF seriously.

Most covered entities have been heavily focused on building controls and remediating gaps which are considerably reliant on people and rules-based technology. A significant amount of resources has been spent on systems and people, particularly on new systems for customer due diligence with significant additional resources mainly in compliance functions.

How does senior management see these investments? Are they effective and sustainable? Senior management knows the risk is real and significant, but are they enabled to make a comprehensive assessment of their company’s exposures to ML/TF? Can they determine whether resources are invested in the right controls that mitigate the more significant and imminent risks? Did management evaluate all the relevant risks and make targeted investment decisions, or were all these investments made mainly for compliance?

INSTITUTIONAL RISK ASSESSMENT (IRA) IN RISK-BASED APPROACHES (RBA) TO AML/CTF CONTROLS
In 2012, one of the most important changes made by the Financial Action Task Force (FATF), an inter-governmental policy-making body that develops international standards for AML/CTF in its “Recommendations” was the increased emphasis on applying RBA to AML/CTF programs. One of the key elements of the RBA is the IRA.

WHAT COMPRISES AN IRA?
An IRA is a framework that helps covered entities identify their high-risk areas in relation to ML and TF. IRA assesses the key risk areas including customers, geography, products and services provided, and delivery channels. It considers the covered entity’s current controls and assesses the level of residual risk. It should be designed to assess whether the risk taken by the covered person is commensurate with its risk appetite and to form the basis of an RBA approach to AML/CTF controls. Investments and resources should be focused on higher risk areas because these need stronger controls.

IRAS CONDUCTED FOR COMPLIANCE ONLY
Without the specific expertise to develop an in-house IRA, the people in charge at the covered entities are left with no recourse but to look to peers and regulators in other jurisdictions for additional guidance in structuring their own IRA. This may result in inappropriate outcomes or IRA models that are not commensurate to an entity’s business. Others turn to off-the-shelf application systems that may not be ideal or sustainable as AML/CTF risks are dynamic and AML/CTF control assessments may differ among covered entities. No one model fits all.

Some studies suggest that some IRAs are conducted for compliance only. Some of the telling signs are:

(a) The IRA is carried out by the compliance team.

(b) No or insufficient resources are allocated to support the IRA exercise.

(c) The IRA results seem optimistic (i.e. it shows less risk than it should).

(d) The IRA neither results in changes or improvements in the AML/CTF program nor influences the investment decisions of senior management.

The second and most recent National Risk Assessment (NRA) of the Philippines (a self-assessment conducted by the Philippine Government led by the AMLC covering 2015 to 2016) has resulted in a national ML threat level of ‘high risk’ and a national ML vulnerability level of ‘medium risk.’ There were no significant changes from the first NRA, which covered 2012 to 2014. ML threats remain high in the Philippines on smuggling, violation of intellectual property rights, illegal manufacture and possession of firearms, ammunition and explosives, violation of environmental laws, investment scams and estafa, illegal drugs-related crimes and plunder and corruption-related crimes. Additionally, the second NRA has added tax crimes to ML threats. Banks and money service businesses were identified as the sectors primarily and widely used by criminals, while casinos were used to launder larger amounts. The NRA is a comprehensive process of identifying the ML/TF risks of covered entities in a jurisdiction, thus it is expected that covered entities of the jurisdiction should reflect the identified ML/TF risks in their respective IRAs.

However, recent IRA results of covered entities are mostly low-risk. This implies a divergence in the perceived risks between the regulators and the covered entities. A low IRA is possible, however, and covered entities should be able to demonstrate how they assessed their inherent risks as other than ‘high’ and why they are comfortable that their current controls have mitigated the entity’s ML/TF risks.

Some reasons why IRAs results are optimistic may be due to:

(a) Inappropriate or incorrect IRA models used.

(b) Insufficient data or information to identify and assess inherent risks.

(c) Control assessments are not based on the operating effectiveness of AML/CTF controls but rather on control designs which may not be implemented as intended.

(d) Controls considered are not necessarily mitigating the identified inherent risks.

(e) Lack of AML/CTF expertise to determine AML/CTF risks such as on employees, correspondent banks, third-party reliance, etc. and to interpret results of the IRA.

(f) Lack of involvement of business and senior management.

IRA AS SENIOR MANAGEMENT’S TOOL IN ITS OVERSIGHT OVER THE AML/CTF PROGRAM
Is the AML/CTF genuinely part of senior management’s objectives and business strategy? If so, does senior management have a clear strategy on its AML/CTF program? Is senior management still seeing its AML/CTF program as part of their cost or barrier to their business? Given that some IRAs are still conducted for compliance only, how is senior management enabled with timely information to have targeted decisions or improvements in their AML/CTF program and controls?

The challenge now facing senior management in covered institutions is how to truly, seamlessly and effectively enable IRA in their business. Not only do they need to genuinely align AML/CTF with their business objectives and strategy, they need to see AML/CTF as an ongoing and continually evolving program that should go beyond mere compliance.

Senior management should demand and support the exercise of conducting the IRA. Given the emerging and dynamic ML/TF risks, senior management who don’t have the IRA are left to decide blindly or turn to the common practices of their peers, which may not necessarily be right for the entity’s business. This may lead to improper allocation of resources where investments are wasted on irrelevant controls or inadequate investments are made on controls that mitigate higher risks.

An effective IRA provides senior management with the information about the risks so they can make informed decisions about where resources should be invested. It also needs support to invest in talent or experts and implement changes in the processes of an entity to regularly generate the required data. Changes in sourcing data and data management may be aligned with current initiatives of other parts of the entity such as marketing or credit risk management. More importantly, support is needed to drive the involvement of the executives who primarily own the risks.

With the greater emphasis on combating Money Laundering and Terrorist Financing, senior management should understand that a risk-based approach to implement an effective AML/CTF program is actually a significant way to gain competitive advantage in a fluid and uncertain market.

This article is for general information only and is not a substitute for professional advice where the facts and circumstances warrant. The views and opinion expressed above are those of the author and do not necessarily represent the views of SGV & Co.

 

Veronica Mae Arce Balisi is a Partner in the Financial Services of SGV & Co.