NRA – World Bank or IMF?

National Risk Assessments have again been the topic of the week for me in the AML/CFT world with presentations and discussions galore.

One of the highlights was listening to Richard Walker at the GACO presentation discussing Guernsey’s NRA in more detail. Richard, who is the Director of Financial Crime and Regulatory Policy for the Policy & Resources Committee and an excellent speaker, was able to provide a very interesting update.  As some of you were not able to attend, I thought I would summarise the bits I found most illuminating.

Unlike the IMF and MoneyVal visits, the NRA is considered to be a different type of evaluation of a country’s AML/CFT risks and controls and it is up to the country to decide how best to complete the task. Guernsey has chosen to ask the IMF to support the process unlike other jurisdictions who may have chosen to go it alone or use the World Bank. Richard then proceeded to explain why it had been agreed that either the World Bank or the IMF’s involvement was necessary and then why the decision had been made to choose the IMF.

Whilst there is enough experience in the jurisdiction to decide upon the risks, it was felt that there would be disagreement on the methodology which should be used.  It was also felt that, as we will be under a great deal of external scrutiny to show the NRA was not open to bias, an independent evaluator would do the trick.  So, rather than spend too much time on the question of who does what, it was agreed that either the IMF or the World Bank would be asked to help.

The IMF was chosen despite the extra initial expense because it was felt the World Bank’s methodology was not suited to a jurisdiction like Guernsey but more suited to the bigger countries where corruption was the main concern. Whilst the World Bank model could adapt, and was adapting, to be relevant to the type of business we have on Guernsey, the IMF’s methodology was already able to deal with trust and company services, cross border issues and e-gaming to name a few.

Richard went on to say that the World Bank’s methodology did not separate the three elements of risk – threat, vulnerability and consequence – so not clearly dealing with the impact. The IMF methodology is considered much simpler and more structured and we are advised that it has already resulted in the need to spend less time on the work in Guernsey, reducing its cost.

Having amassed a great deal of information from many sources such as annual returns, MLAs and STRs, the process moves from the on-island agencies to the completion of a survey by 65 firms. Those being asked to participate are from a broad cross-section of business and international NPOs whose activity is funded in the Bailiwick. The surveys are completed on an online platform used by the IMF and are anonymous. The pattern of the responses has been analysed and already the results have proved interesting. Richard gave the example that the survey is saying that businesses think there is a threat from the UK, US and Russia yet up until now information had only indicated a high level of business from Russia but not an equivalent level of threat. It is felt that using the IMF is showing that an independent evaluation methodology is proving its worth.

The survey is not an easy task – apparently some have said it is impossible to complete. However, using Francis Galton’s 1906 proposition of collective wisdom, Richard believed that, overall, the survey will be a useful measure of Guernsey’s AML/CFT risk.

So after the survey and the analysis will be further discussions and IMF workshops with authorities.  It is hoped that there will be two separate NRAs, one looking at the risks of money laundering and one at terrorist financing, and they will be issued in the autumn of 2017.   The reports will also include an annual statistical digest and will need to be reviewed every few years.

To be of value, it is essential that those risks identified in the NRAs filter down into the business and relationship risk assessments completed by firms. Together with the new combined Handbook due out for consultation later in the year, it will result in a large body of work for you and your compliance teams. That work can start now as the basis for the changes is already in the public domain. As I have said, understanding the FATF Recommendations, reading the EU 4MLD and knowing your own business and customers thoroughly will be half, if not most, of the battle.

Risk Assessments – the Importance of Being Thorough

Hello – my name is Dawn Tindall and I am from Triangle Compliance Services and I provide advice and training on anti-money laundering.  Today I am talking about Risk Assessments and the importance of being thorough.

A Risk Assessment is a means of evaluating risks.  It can be an assessment of a single scenario or a set of possibilities.  It should be thorough and based on a fixed method.

Risk Assessments are the backbone of the compliance programme and take various forms. In this presentation I discuss the types of assessment and also an addition to the armoury – the Compliance Risk Assessment.

There are three main ones for AML/CFT purposes: the National Risk Assessment (NRA), the Business Risk Assessment (BRA) and the Relationship Risk Assessment.  I believe each one builds upon the other.

In the first of FATF’s 2012 Recommendations, it states that “countries should identify, assess and understand the money laundering and terrorist financing risks for the country”.  Whilst the UK issued their NRA in October 2015, Guernsey proposes to issue their NRA this year, having received the IMF’s model and had industry input.

The idea of the NRA is that it informs the next level namely the BRA or business risk assessment.  Guernsey’s Regulations require businesses to “carry out and document a suitable and sufficient money laundering and terrorist financing business risk assessment which is specific to the … business”.  The GFSC issued a detailed answer to FAQs on its website in September 2014 advising that the BRA “should identify the potential financial crime risks to which the business could be exposed”.  They also reiterated that it is best practice to review the BRA whenever changes to the business or financial crime risks occur and at least on an annual basis.  Due to the multitude of changes in these areas, the BRA is, therefore, a living document needing almost constant review.

The third level of assessment is the relationship risk assessment which is also made up of three stages – the risk profile, the risk assessment and the risk rating.  The risk profile should set out the information regarding the specific relationship with the customer noting all financial crime risk indicators which include those that are compulsory, inherent, high or, if none, low.  The risk assessment is the method by which a business assesses the profile, considering all the risks identified including the accumulation of those risks.  If the high risk indicators are not compulsory ones, the business can decide not to assess the overall risk as high because of strong and compelling mitigating factors which should be identified and documented.

The third step is to give the relationship a risk rating and apply the appropriate level of CDD.

Under the Handbook the Board must take responsibility for the policy on reviewing compliance. The Compliance Risk Assessment, or compliance monitoring programme, is a means of assessing the appropriateness and effectiveness of compliance. With the FSB Handbook in its 10th year, a question which also needs to be asked is how mature is your compliance?

The term “maturity” refers to the degree to which an organisation’s processes have been formalised and integrated in the organisation’s operations.

The Director of Enforcement at the GFSC, Simon Gaudion, said in their 2015 Annual Report “One of the major topics for compliance professionals currently is regarding ‘compliance maturity’ which clearly needs to be set by the board and encompasses ethics, culture and corporate governance.”

A well thought through Compliance Risk Assessment should look at whether your compliance policies and procedures have embedded within your firm’s culture. If they have, it will spread the ownership of compliance and result in an increase in effectiveness, which can only be a good thing.

Thank you for listening to this short presentation.  Please contact me if you wish to know about Risk Assessments or how Triangle Compliance Services can help your firm.

The Regulator’s Regulator?

Next week, the States of Guernsey will be asked to note the annual report and accounts of the Guernsey Financial Services Commission for the year ended 31st December, 2015. Under Rule 3(24) of the Rules of Procedure this means I will not be asked to agree or disagree with the contents of the Report as “to note” is construed as a neutral motion neither approving nor disapproving. So, having read the Report and wanting to make a few comments on its contents, I thought I’d put some thoughts down in my blog as the role of Regulator is such an important function for our industry.

What struck me initially was not their stated objectives; it was what was not – the Commission does not seek to run a zero-failure regime. To quote the Director General, William Mason,

“Were we to set ourselves up to run a zero failure regime we would unduly constrain innovation, limit growth and seek to act in a risk averse fashion which would ultimately ensure little other than the impoverishment of the people of the Bailiwick as the financial services sector became a shadow of its former self.”

From an AML perspective, this means that, with the Commission using PRISM’s risk based approach to supervision, there will still be attempts by criminals to misuse the financial system.  Naturally, therefore, it is for businesses to follow the requirements of the legislation and the Handbooks to ensure those attempts fail.

It is good to hear that innovation is very much being encouraged by the GFSC and their open-door policy is often complimented especially when talking FinTech.  However, there is still the grumble in the AML world that there is insufficient consistency in the application of CDD requirements.  So, whilst there is a focus on providing data management to collate a customer’s identification information for KYC and CRS purposes, there is still a lack of clarity of how to get the documents which verify the customer’s identity such that they satisfy not only the different country regimes but the requirements of different institutions within each country.

Some companies seek to comply with the standard which satisfies the most respected country regimes which is a good starting point.  However, I found that, when submitting the documents, the approaches of institutions varied so much that the easiest way was to deal with each institution and get agreement on what they will accept.  Quite often they asked for more than their own country’s requirements resulting in me firmly pointing out that they were not complying with their own country’s legislation, that their policies were not based on that legislation and that they should vary their requirements to accept a consistent standard in line with FATF requirements.  I am pleased to say that this proved successful on all but one occasion and that failure was with a London branch of a Swiss bank with whom I had already had success.  The branch was not for seeing the light!

You might well say – and I would agree with you – that this was a time consuming method of getting a customer’s verification documents accepted.  However, the main theme with the client facing teams I dealt with was they wanted to ask their customers to provide only one set of documents and not to have to keep going back to the client for more information just because each different institution wanted something else.  So whilst you can collate in accordance with the main countries’ requirements, there will always be differences in interpretation until we have common standards for AML.

To complement my approach, I always thought it best to advise our clients on the expense of certain relationships before willingly embarking on a painful account opening process. Instead, client relationship managers should recommend going with those institutions which take a pragmatic approach with whom the firm has had a good relationship and saving their client’s money (and your time!). I also believe a comprehensive checklist covering all the information and verification required which is fully complied with, checked for accuracy and, most importantly, not signed-off until it is complete in all respects should do the trick.

Some also say that the GFSC does not adhere to such common standards quoting other countries’ different rules as being more lenient. My response is always that, in my experience, other countries apply the FATF common standards (almost) but do not enforce those standards to the same extent the GFSC does. So this misunderstanding results. People believe the GFSC requires higher standards than others, higher than required by FATF but actually I believe it just has the right standards (well almost) but the difference is that they are fully enforced. As such enforcement means we received a superb MoneyVal evaluation which brings in business, the argument that we should be more lax with those requirements is, in my mind, counter-productive.

The review of the Handbooks should iron out some of those annoying differences and should bring clarity to ambiguities that exist but leniency in respect of the requirements I do not agree with as, after all, getting it right is not that difficult if you are conversant with all the legislation and guidance and take advice as appropriate.

 

Link to the annual report and accounts of the Guernsey Financial Services Commission for the year ended 31st December, 2015 is https://www.gov.gg/CHttpHandler.ashx?id=102816&p=0