anti money laundering - global survey 2007 - kpmg

FORENSIC

Global Anti-Money Laundering Survey 2007 How banks are facing up to the challenge

ADVISORY

Global Anti–Money Laundering Survey 2007 3

Contents

Foreword 4

Executive Summary 7

Detailed survey findings 11

- 1. The role of senior management 11

- 2. The costs of AML compliance 14

- 3. AML policies and procedures 19

- 4. Formal testing and monitoring of AML systems and controls 21

- 5. Risk-based approach to Know Your Customer activity 24

- 6. Politically Exposed Persons 29

- 7. Transaction monitoring 33

- 8. Training 39

- 9. Attitudes towards regulation 43

- 10. Sanctions compliance 46

Concluding remarks 50

Regional perspectives 51

© 2007 KPMG International. KPMG International provides no client services and is a Swiss cooperative with which the independent member firms of the KPMG network are affiliated. All rights reserved.

4 Global Anti–Money Laundering Survey 2007

Foreword

Estimated money laundering flows are reported to be in excess of US$1 trillion being laundered every year by drug dealers, arms traffickers and other criminals1. Recent years have seen rapid change in the financial services industry and growing regulatory expectations and pressures. Combating money laundering and terrorist financing continues to be a major challenge for the banking sector, as gatekeepers to the legitimate financial system.

Given this backdrop, KPMG International commissioned this Global Anti-Money Laundering (AML) Survey to build on the findings from our last survey in 2004. Three years on, we have sought to establish whether the significant changes in the financial and regulatory environment have led to increased focus on AML and new and improved ways of tackling the challenge. Our survey shows how significantly banks have responded to this challenge – in increased investment, senior management focus, and cooperation with governments, regulators and law enforcement. Despite this good intent and strong commitment, many banks continue to struggle to design and implement an effective AML strategy, and they believe that much more needs to be done internationally to combat money laundering more effectively.

Since our last survey in 2004, there has been unprecedented change in the financial market place and the regulatory environment, key developments include:

• Banks have a more international footprint, markets and products

have become more complex, there is greater investment in emerging markets, the amount of privately held wealth has vastly increased, and all alternative asset classes have undergone significant growth. These structural changes have deep implications for how banks tackle the challenges of AML and counterterrorist financing (CTF).

• At the same time, banks have had to come to terms with significant regulatory change across all of their activities and operations globally. This includes legislative changes (for example, those stemming from Basel II) but also increased focus on the wider responsibilities of financial institutions, and development of the right regulatory framework to deliver the outcomes governments and regulators seek. This has led to stronger emphasis on corporate governance and senior management accountability, and has led some governments, in particular the U.S. government, to seek to apply their standards globally through the extra-territorial reach of U.S. law.

• In addition to the wider regulatory changes, there have been enhancements in AML standards specifically, with changes in the requirements of the Financial Action Task Force (FATF) and Wolfsberg Group, together with new legislation at the national and supranational level (including the EU Third Money Laundering Directive). There has also been tougher enforcement of AML requirements, particularly in the U.S. but also internationally, reinforcing the message that money laundering remains a key priority for banks.

Our survey points towards significant investment and improvement in the AML systems and controls environment within individual financial institutions, together with an understanding and commitment to the role banks have to play in the overall AML and counter-terrorism effort. However, there is also more to be done to make the financial system less vulnerable to money laundering and terrorist financing. For banks, this means greater focus on the



effectiveness of their AML and CTF strategy, systems and controls. For the government, regulatory and law enforcement community, it means greater partnership with banks, including clearer and better information sharing. There are already signs of progress, with banks and the public sector moving in the right direction, but it will be important for this momentum to be maintained.

Set against this background, we are pleased to publish KPMG Forensic’s second Global AML Survey. Reflecting the themes that have driven financial markets in the past three years, our survey this year has looked in greater depth at emerging markets, with more

Brendan Nelson

Global Chairman

KPMG Financial Services

participants in the survey coming from these countries and more analysis of the underlying results. We have also added sections on each region to explain how the survey results relate more directly to them.

All of this should help our firms’ clients and regulators to benchmark banks’ AML systems and controls against trends, peer comparisons and opportunities in a more precise way. Likewise for law enforcement and policymakers, the survey aims to provide an insight into how the industry is embedding new requirements and provides some thoughts for future AML policy direction.

Karen Briggs

Global Head of AML

KPMG Forensic

Our first Global AML Survey in 2004 was extremely well received by the industry, and helped to provoke discussion and debate among banks, practitioners, regulators, governments and law enforcement alike. We believe that this survey is one of the most detailed and authoritative reports on AML systems and controls undertaken in the market place, and we hope that you will take this opportunity to consider how to respond to the challenges in today’s financial services industry.

We would like to thank all the 224 banks and senior executives that participated in the survey.


224 respondents overall, up from 209 in 2004 Over 25% of the top 250 banks represented 55 countries covered 60% of the banks surveyed were multi-national


Executive Summary

KPMG’s Global AML Survey 2007 explores the range of challenges that banking institutions face in complying with global AML requirements. We have used the same methodology as the 2004 survey, to ensure comparability of results over the intervening three years.

KPMG International commissioned RS The survey covered the following topics:

Consulting, an independent research 1 The role of senior management in AML issues agency based in the United Kingdom,

2 The costs of AML compliance to conduct a telephone survey of banks across the major sectors (retail banking, 3 AML policies and procedures

corporate / business banking, private 4 Formal monitoring of AML systems and controls banking, investment banking and

5 Taking a risk-based approach to ‘Know Your Customer’ activity wholesale banking). These banks were drawn from the top 1,000 global banks 6 Politically Exposed Persons

by tier 1 capital, and the caliber of 7 Transaction monitoring respondents was high, with job titles

8 Training ranging from Group Money Laundering Reporting Officer (MLRO) to Head of 9 Attitudes towards regulation

Legal and Head of Risk. Details of the 10 Sanctions compliance survey methodology are in Appendix I: Survey Methodology

Strong senior management

engagement in AML efforts

Banks in our survey reported that senior management were more engaged in AML issues than they had been in 2004, with the percentage of respondents reporting that their senior management and their board of directors take an active interest in AML increasing by 10 percentage points to 71%. The result reflects a mix of regulatory and international pressure on senior management to take responsibility for the full range of risks in their business, including compliance, as well as continued focus on counter-terrorist financing. As the financial services industry becomes more complex, and AML risks become more pressing, it will be important that this heightened

interest in AML is directed towards ensuring systems and controls are effective in practice.

AML costs have grown well beyond

expectations

Average AML costs were reported by the participants in our survey to have increased by 58% over the last three years. This was more than banks had expected when we carried out our 2004 survey - at that time, banks predicted costs would only rise by 43% over the following three years. Despite the unexpectedly high increase in AML costs, respondents anticipate that growth will slow, with banks predicting an average increase of 34% in AML costs over the next three years.

The main drivers of the past and future increases in costs continue to be transaction monitoring and staff training, consistent with the 2004 survey. As banks develop more risk-based AML programs, the pressure will be to focus on using resources within compliance effectively and efficiently, and this may involve considerable reallocation of resources within compliance as well as cost reduction through outsourcing, offshoring or centralization of AML functions.

Setting a global standard

With growth in the proportion of income derived from international business, banks have become more global in their approach to managing AML risk. Nearly 85% of internationally active banks



reported that they had a global AML policy in place. As ever, though, the challenge is to ensure effective implementation of policies at the local level.

More monitoring and testing of AML

systems and controls

Greater regulatory focus on governance, and the resulting increase in the accountability of senior management for AML, appears to have driven up the amount of independent monitoring and testing of AML systems and controls. More banks report that they have a monitoring and testing program in place, and banks report that a wider range of functions within their organization are involved in this. The key to successful testing and monitoring, however, relies on a strong drive from senior management as well as effective and timely follow-up and feedback of improvements into current systems and controls.

Broader acceptance of a risk-based

approach

Our survey shows an increase in the number of banks using a risk-based approach to determine the level of due diligence performed on clients at account-opening stage (‘Know Your Customer’ or KYC processes). In addition, a wider range of risk factors are taken into account than was the case in our 2004 survey, recognizing the evolving international best practice in this area and greater focus on reputational risk among banks. Going forward, banks in many regions are likely to be under pressure to extend a risk-based approach to other areas of their AML strategy and – where they are given more flexibility in the design of AML processes – they will be under pressure to document the rationale for their approach so that they have an audit trail for the decisions they have made.

More focus on Politically Exposed

Persons (PEPs)

Increased regulatory and industry focus has led more banks to seek to apply additional scrutiny to PEPs. In our 2004 survey, a surprisingly low number of banks performed enhanced due diligence on PEPs at account-opening (55%); this year, the figure has increased to 81%. Moreover, significant numbers of banks have put in place specific procedures to identify and monitor PEPs on an ongoing basis (71% of all banks in our survey). However, with no universal definition of a PEP, there are likely to be substantial differences between individual banks’ interpretation of the requirements in practice. With greater sensitivity to the reputational consequences of dealing with PEPs, banks are likely to be under pressure to examine how robust their procedures for PEPs really are. This is even more relevant in markets where business and politics are closely intertwined.

Continued strong investment in

transaction monitoring

Virtually all respondents rely heavily on their people to spot suspicious activity, and with banking becoming more electronically based, many are investing in sophisticated IT monitoring systems. Transaction monitoring continues to be the single greatest area of AML expenditure for banks, and is expected to remain so over the next three years. Despite this, many banks want to improve the quality of their transaction monitoring, with many looking to invest in enhancing system capacity, functionality and coverage. Banks need to understand, however, that IT systems are only one component of an effective AML strategy and that they are no substitute for well-trained and vigilant staff.

Vigilant staff are the first line of

defense but focus is now on

effectiveness of training

The proportion of banks training over 60% of their staff has grown by 9 percentage points since 2004, with face-to-face training, the most commonly used mechanism and the method regarded as the single most effective. Banks continue to report that properly trained staff is the best AML control, and this is reflected in continued high spending on training programs.

The regulatory focus now is moving to the effectiveness of all this training, with pressure to implement more tailored training and testing, and evidence that staff have the level of AML understanding they need to carry out their role.

Broad-based support for regulatory

AML efforts, but more needs

to be done

The survey shows continued support for global AML efforts by regulators, governments and law enforcement, with 93% of banks saying the burden of regulation is either acceptable or should be increased. However, a 51% majority of banks still believe that AML regulation could be focused more effectively, through clearer legislation, better feedback to the industry and a greater endorsement of a risk-based approach. While some banks have called for wider acceptance of a risk-based approach to AML, there is concern over whether regulators are willing to accept all of the consequences that flow from this. Even so, banks, governments, regulators and law enforcement agencies are united in seeking more collaboration and information-sharing although banks are uncertain as to how such a public-private partnership will really work in practice.



Sanctions compliance a key

challenge for banks

Sanctions compliance was a major driver of AML costs over the past three years, being ranked the third greatest area of AML expenditure after transaction monitoring and staff training. This reflects increased focus on counterterrorism, the long arm of the U.S. law, and growth in the number of lists that banks need to monitor against, as well as the tougher enforcement of sanctions requirements by regulators. Despite the progress made so far, there is more to do in this area, as banks work to ensure they design operational processes that are equal to the task

of complying with sanctions rules that are detailed, complex and potentially broad in scope. A particular challenge is the design and implementation of a sanctions compliance program that can support this goal.

Looking ahead

The survey results show significant investment in AML systems and controls, and increased engagement from senior management. The challenge for many banks will be to maintain this focus as they enter a new phase of regulatory initiatives (Basel Il, EU regulatory change and the extraterritorial effects of U.S. legislation being

some of the more high-profile examples). Banks may also find it challenging to adapt to many of the key changes that are taking place in the financial services market, with increased product complexity, greater involvement with emerging markets, and integration of mergers that have taken place on a new scale. All of these mean future challenges in relation to AML compliance going forward.

Overall, although much has been achieved, there is still much to do to make the financial system more robust in the fight against money laundering.


Compliance starts at the top. It will be most effective in a corporate

culture that emphasises standards of honesty and integrity and in

which the board of directors and senior management lead by

example. It concerns everyone within the bank and should be

viewed as an integral part of the bank’s business activities. A bank

should hold itself to high standards when carrying on business, and at

all times strive to observe the spirit as well as the letter of the law.

Basel Committee on Banking Supervision, ‘Compliance and the compliance function in banks’, April 2005.


Detailed survey findings

1. The role of senior management

AML remains a high priority

for senior management

AML remains a high profile issue for the senior management of banks globally. In our 2007 survey, 71% of banks reported that their most senior levels of management – including their boards of directors – take an active interest in AML compliance, up from 61% in our 2004 survey. Of the remaining banks, the majority stated that senior management took “some interest” in AML issues.

Only 1% of banks reported that senior management took little interest in the subject.

Moreover, over 40% of respondents said that their main board of directors

Figure 1

formally discussed AML issues at least quarterly, with an additional 25% saying they did so at least monthly.

The increased profile of AML as an issue is part of a broader shift in the governance of the world’s major banks, with boards of directors being held more directly accountable by shareholders and regulators for the full range of risks run by their banks.

However, anecdotal evidence suggests that it may also reflect the extra-territorial effects of U.S. legislation. The U.S.A. PATRIOT Act 2001 requires due diligence, and in some cases enhanced due diligence, for correspondent banking relationships and international private banking customers. The practical

High-profile enforcement action, regulatory emphasis on senior management accountability, legislative change, and increased business with countries with higher AML risk has pushed AML up the senior management agenda

Profile of AML at senior management level

% o

f res

pond

ents

(Percentages may not add up to 100% due to rounding) Source: KPMG International, 2007



effect of this is to require the international community to provide information sufficient to meet U.S. standards, which in the case of high risk correspondent banking clients may include providing information on the client’s customers.

Within the global results, a marked shift has taken place in the Asia Pacific region. This year, 72% of banks reported that senior management took an active interest in AML, up from only 49% in 2004. This appears to be a response to increased regulatory focus in the region, and new legislation introduced or implemented in several countries, including Australia, India and China.

Terrorist financing continues to be an area of focus for senior management, regulators, law enforcement and governments, and the issues and challenges arising from this have been closely bound up with AML issues.

Responsible and accountable

Since our last survey in 2004, AML controls have not only remained a high profile issue for senior management, but have become more so.

Many regulatory regimes have for a long time imposed potential personal liability on directors of banks for shortcomings in systems and controls, including AML.

However, the responsibility of senior management for AML controls is likely to become more real, and less abstract, as global regulation moves towards more principles-based and risk-based approaches.

At the core of the principles-based approach is the obligation for senior management of banks to meet high-level regulatory objectives using their own judgment and evaluation

of the risks in their business, rather than by meeting multiple rules. This raises difficult questions about the level of engagement that regulators expect senior management to have in each of the processes underlying this approach, from risk assessment through to design, implementation, monitoring and oversight of controls.

As the FATF recommendations, which form the bedrock of global anti-money laundering standards, have moved toward a risk-based agenda, many regulators are moving in the same direction, including those in the EU and Australia.

One of the clearest examples of principles-based regulation and strongest endorsements of a risk-based approach has been in the UK, where the Financial Services Authority (FSA) has replaced fifty-seven pages



of detailed AML rules with two pages of principles, backed up by industry guidance. Both the new material from the Financial Services Authority and the industry guidance (the Joint Money Laundering Steering Group guidance notes) place particular emphasis on the responsibility and accountability of senior management for AML systems and controls.

In addition, a number of high-profile AML and sanctions enforcement cases in the U.S., and outside the U.S. by U.S. regulators, have concentrated senior management’s attention on the reputational, legal and financial risks of AML violations. In addition to fines, the costs of remediating deficiencies are high, in terms of the direct costs of new systems, training, “look-back”

reviews, and in the indirect costs of management distraction. This points to the need for senior management to focus not just on the costs of AML compliance, but the associated risks if they fail to meet regulatory expectations in respect of AML policies, procedures, culture and oversight.

KPMG comment Setting the tone from the top to take responsibility for financial involved in each of the processes that Senior management has a critical role crime risk (including AML), and underpin the bank’s AML strategy, in managing an institution’s AML risk, ensuring the audit committee is from risk appetite, through to policy and with increasing focus on sufficiently focused on AML as design, implementation and ongoing reputational risk, senior management an issue. monitoring. have taken on board the need to set the right tone at the top of the bank • They have to align incentives for staff There are additional complications for and push this down throughout the to ensure better direct management internationally active banks in defining organization. A number of steps may be of AML and compliance risks. which layers of senior management necessary for this to happen in practice: need to be involved in the bank’s AML

• They also need to foster a culture strategy, with regulatory obligations • Senior management have to be of cooperation between the various attaching to senior management in the

visible in the AML process, through functions within the bank, and in local region, but also board communications to staff, in-person particular between the front-office responsibility for the bank’s global AML or video introductions to training and compliance, so that there is approach. In a number of instances, sessions, and ongoing awareness proper dialogue between them, regulators are focusing on AML risk in and sensitivity to AML issues. clear accountability for tasks, and a the branches of the global banks that

heightened willingness to cooperate operate in their country, and this raises • They have to articulate an approach and assist one another in combating particular risks where deficiencies in

to compliance, including AML money laundering. AML controls have resulted from the compliance, that focuses on absence of a clear articulation of the substance over form – making sure The strong impact senior management responsibilities of local and global that employees follow the spirit as can have on an organization’s culture senior management. well as the letter of policies and means that regulators internationally procedures. are becoming more focused on the Senior management at the global level

attitude and approach taken by them should ensure that there is clear • They must put in place the towards risk management, including accountability throughout the

appropriate corporate governance compliance risk and AML risk organization for AML compliance, mechanisms to ensure effective management. The challenge for banks and that there is effective oversight management of AML risk. This is how to engage with regulators on and cultural sensitivity to AML at all means training for the board of these issues, in particular identifying levels of the bank. directors, nominating a director what level of management needs to be


% in

crea

se in

AM

L in

vest

men

t


2. The costs of AML compliance

Costs are up substantially, far more than participants in the survey anticipated in 2004. As costs continue to increase, there will be pressure to innovate and streamline costs through outsourcing, offshoring and process re-engineering

AML costs far exceed expectations

With growing regulatory expectations and strong demand for experienced compliance professionals, the costs of AML compliance have increased substantially over the past three years – well ahead of the expectations of the banks that we surveyed in 2004. At that time, banks predicted that their AML costs would rise by 43% over the following three years; our survey this year shows banks reported that their actual costs had increased by 58% over the period.

Unsurprisingly, the regions that recorded the highest increase in costs were North America and the Middle East / Africa. This reflects the significant legal

Figure 2

and regulatory changes in the U.S., and the wider impact of the extra-territorial provisions of U.S. law around the world.

In many regions, the rate of growth is surprisingly consistent in the 2004 and 2007 surveys, implying that AML costs may continue to grow at a similar rate (see figure 3 on page 15).

Despite the strong, sustained rate of growth in AML costs, banks internationally continue to predict that costs over the next three years will grow at a slower rate, and are even more optimistic about the anticipated slowdown in costs than they were three years ago (in 2004, banks expected the growth rate to fall by

Banks’ estimates of average % increase in AML investment over the past three years and the next three years

Source: KPMG International, 2007



18 percentage points; this year they expect the growth rate to fall by 24 percentage points).

North American banks were particularly optimistic in 2004, and remain so in 2007. In our last survey they reported that, despite a 66% rise in AML costs over the previous three years, they expected the rate of growth for the next three years to slow to 46%. The actual rate of growth according to our 2007 survey was closer to 71%, and these banks, in spite of under-estimating costs in 2004, still expect the growth rate to slow over the next three years to 28%.

This points to the need for banks in this region in particular, and banks internationally, to give careful thought

to the degree of optimism in their compliance budgets going forward.

The difficulty of estimating AML costs is that cost may be spread across many different functions (operations, compliance, risk) or regions, involve direct and indirect costs, and overlap with processes that are embedded in normal business practice (e.g. credit risk or customer relationship management). These factors, together with the unexpectedly sharp increase in AML costs over the past three years, meant that a substantial proportion of respondents felt unable to predict their future AML costs (10% of respondents).

Where banks are not aware of the full costs of AML compliance, they may not

Figure 3

necessarily be well positioned to consider how they can better apply their resources to focus on the major areas of AML risk. Although there may be difficulties in identifying and quantifying all of the drivers of AML costs, there can be ancillary benefits to doing so. It can, for example, improve a bank’s understanding of the full range of AML processes that exist across its organization and - through this - can highlight enhancements required in processes, unjustified variations in these, or learning points that can be applied elsewhere in the bank.

Banks’ estimates of average % increase in AML investment over the past three years, 2004 and 2007 surveys

2004 2007 Estimate of increase Estimate of increase in AML investment in AML investment Increase / decrease

over prior three years over prior three years (percentage points)

Total 61% 58% -3%

Europe 63% 58% -5%

North America 66% 71% 5%

ASPAC 36% 37% 1%

C/S America / Caribbean 73% 59% -14%

Russia / CIS 66% 60% -6%

Middle East / Africa 68% 70% 2%

Source: KPMG International, 2004 and 2007



Areas of greatest AML expenditure

The AML activities requiring the largest investment over the previous three years have not changed markedly from 2004, with transaction monitoring and training topping the survey. Sanctions compliance was a new activity included in this year’s survey, and it has already been ranked as the third largest area of expenditure over the last three years.

The drivers of higher expenditure appear to be greater expenditure on transaction monitoring capabilities and upgrades

Figure 4

to existing systems, and the provision of additional tailored training to staff.

As in 2004, we asked banks to estimate their absolute costs of AML compliance. Not many respondents felt able to do this, and the few estimates that we did receive seemed to be fairly low, suggesting that perhaps these banks had only included the direct costs of AML compliance. This helps to underscore the difficulties of estimating the wide range of costs associated with AML compliance.

Banks’ estimates of greatest additional AML spending over the last and next three years

Score out of 5 Source: KPMG International, 2007



Outsourcing or offshoring

of AML functions

As banks review their costs, a topical issue is the use of outsourcing or offshoring. Internationally active banks appear to have been reluctant in the past to consider moving AML functions offshore or to a third party. This reluctance appears to stem from legitimate concerns among banks about their accountability for a function they may cease to have day-to-day control or oversight over.

Globally, 73% of banks reported they had never considered the outsourcing or offshoring of AML functions.

As well as concern over potential loss of control, the low number of banks that have outsourced or offshored AML activities may also reflect the wide

range of different functions involved in AML processes. This makes it more difficult to coordinate outsourcing or offshoring projects, and may also mean that no single function has the ability to begin such a project on their own initiative.

Within the global result, banks from the North Americas reported a slightly higher willingness to consider or use outsourcing or offshoring as a solution (13% of banks had outsourced or offshored some AML functions, and 20% were considering doing so, or had considered doing so but put their plans on hold).

ASPAC and Russia & CIS were the two regions with the least appetite to consider outsourcing or offshoring: 94% and 95% of banks respectively

Figure 5

had never considered either or had considered and rejected doing so. This is likely to be because many of the countries in these regions are themselves low cost centers, and therefore the relative attractiveness of outsourcing or offshoring is diminished.

Where banks have outsourced or offshored AML functions, our understanding is that functions have mainly moved to low cost centers in Asia, and so far have consisted of ‘vanilla’ AML processes, for example initial KYC gathering or initial screening of transaction monitoring reports to clear ‘false positives’.

Consideration of outsourcing or offshoring of any AML functions

% of respondents




KPMG comment Understanding AML costs

and processes

Banks have long been applying Activity Based Costing and Six Sigma techniques across a range of functions to identify the drivers of costs and embed operational effectiveness. However, this does not appear to have happened often in relation to compliance or AML, perhaps because of the complexity of the exercise, or because of the mandatory nature of these functions. In practice, though, banks have discretion over how they direct their resources, and there are steps they can take to improve efficiency and effectiveness.

Without this focus on costs, banks risk losing many of the opportunities offered by process improvements made elsewhere in the bank, for example, the benefits of increased automation of payments processing are undermined if AML controls within the process continue to be manual and cause downstream disruption.

However, as other functions have been outsourced or offshored, some banks have had success in moving components of the AML process as well, for example alerts management or customer due diligence data

Outsourcing /

Stre

amlin

ing

of A

ML

proc

esse

s

Offshoring

Shared Service Centers

Over time, globally active banks may move towards a combination of Shared Service

Diverse AML Centers and outsourcing or offshoring.

processes spread over multiple locations

Most banks are at a stage where diverse AML processes are spread over multiple locations, or some combination of this and Shared Service Centers

Time

gathering. In general, banks have had more success where they have moved AML functions along with accompanying operational processes, rather than AML functions in isolation. But it is important to recognize that banks retain ultimate responsiblity for AML risk irrespective of where processes are based. Accordingly, in practice, many banks are moving toward a ‘global’ or ‘group’ AML and financial crime function which operates as a ‘center of excellence’ in providing proactive AML risk management.



3. AML policies and procedures

Increasing use of global AML policies

and procedures

As capital flows have become more international and cross-border mergers and acquisitions of banking institutions have driven consolidation in the industry, banks must assess whether to apply a single set of AML policies and procedures across borders. We asked banks which of three approaches they used to set their policies and procedures: a global approach, a local approach, or some combination of the two.

Nearly 85% of internationally active banks reported that they had a global AML policy in place, up from 83% in our 2004 survey. Whilst this is a relatively modest increase, it is from a high base, and reflects growing acceptance and adoption of international best practices.

Figure 6

In making decisions about which approach to adopt, banks need to balance the simplicity of a single set of global policies and procedures against the potential competitive disadvantage of applying higher standards in local markets around the world. Our survey results, however, suggest that, in general, concerns about the potential reputational damage of inadequate AML policies and procedures has led most banks to adopt global minimum standards.

There are, however, regional variances in the results. Notably, banks from North America, Europe and Russia & CIS all have a strong bias towards global policies and procedures, even if in some instances detailed procedures are set at a local or regional level.

Growing ‘internationalization’ of banking is pushing institutions towards the use of global AML policies to ensure they manage their AML risk using a consistent and comprehensive approach

Statement best describing respondents' AML policies and procedures (excluding respondents only operating in one country)




In the case of the U.S., it is apparent that all internationally active banks have a global component to their policies and procedures, reflecting the need to implement the extra-territorial components of domestic legislation on a global basis, principally the Office of Foreign Assets Control (OFAC) requirements and the requirements of the U.S.A. PATRIOT Act 2001 with respect to, for example, correspondent banking and international private banking relationships.

In Europe, there appears to be a greater willingness to apply global policies and procedures on a more consistent basis, with less delegation to local operations. This is likely to reflect the high-level, principles-based nature of AML requirements in this region, which makes it easier to design policies and procedures that are flexible enough to be

implemented outside the home country. It may also reflect the fact that a common legislative framework applies in Europe and so many of the European respondents may find it feasible and economic to implement one set of global policies and procedures.

In Russia, a very high proportion of banks reported using global policies and procedures. This is likely to reflect regulatory pressure, where AML policies need the approval of the local regulator (the Central Bank of Russia, or CBR) and a number of banks have had, and continue to have, their banking licenses revoked for failure to comply with AML regulations. Whilst there is no requirement to have a global policy, it is a common way for banks in the region to demonstrate that their approach to AML is comprehensive and aligned with regulatory expectations.

By contrast, significant numbers of banks in the Middle East and Africa regions have adopted a “local approach” to setting AML policies and procedures. There is a reluctance among banks in the region to suffer competitive disadvantage by voluntarily adopting higher AML standards than is required by law, as well as less focus among the regulatory community in pushing banks towards global policies. In some instances, the standards set by a bank’s home regulator may not be appropriate for ‘export’ to other markets in which the bank operates. This may be because they are not sufficiently demanding for use in other countries, or are too heavily influenced by local factors.

KPMG comment Operationalizing a risk-based approach they have followed in setting policies in to the bank’s services in other through global policies their organization so that they can explain countries or regions without meeting Global banks face significant challenges to regulators and internal stakeholders the AML requirements that are in developing and operationalizing their what approach they have taken in each necessary in those parts of the world risk-based approach across multiple country, and why. This is particularly (whether required by local regulations business units and territories. There is important as a line of defense when or by the bank’s global policy). also a real need for banks to fully regulatory expectations change in a articulate their risk-based approach, country or region without any formal Banks also need to focus continually including how the specific risk appetite changes to rules or legislation. Where on the effective implementation of of the bank has driven the design of the banks are able to explain what approach policies and procedures. Regulatory model. Much of the experience gained they have taken, and why, this can form action can equally be taken where by banks in developing their operational the basis for an informed discussion with banks have not applied policies and risk program under the requirements of the regulatory community and an procedures consistently, rather than Basel ll could also be leveraged in enhanced ability to avoid gaps emerging failed to design any in the first place. developing a comprehensive top-down, between regulatory expectations and the In practice, this means focusing on the bottom-up approach to designing and bank’s actual AML practices. realities of implementing the policies operationalizing an effective AML risk- and procedures, such as the clarity based approach. In addition, some banks Documentation of local deviations to of the policies for employees, training may find it useful to assess the extent to global policy is particularly important to and communicating the policies and which the risk of an AML failure has help ensure a common understanding procedures, and the application of been reflected within the operational risk across the organization of the policies these, i.e. how easily and quickly model of the bank. in place in each country or region. employees can follow processes

Without this, there is a risk that clients in practice, as well as monitoring Throughout this process, banks need to accepted into a part of the group with effectiveness on a regular basis. document carefully the thought process lower KYC standards can gain access



4. Formal testing and monitoring of AML systems and controls

Eighty-three percent of banks in the

survey formally test and monitor the

effectiveness of their AML systems

and controls

Greater senior management and regulatory focus on AML has heightened the relevance of formal and independent testing of the effectiveness of AML systems and controls. Our survey reflected this, with the overwhelming majority of banks reporting that they had a formal program of testing and monitoring of their AML systems and controls.

The results show an increase in the amount of testing and monitoring undertaken by banks since the 2004 survey (83% of banks versus 75% in 2004). The surprising figure is that only 92% of U.S. banks reported that they

undertook formal testing of their AML systems and controls, despite this being a requirement of the U.S.A. PATRIOT Act 2001 (in 2004, the comparable figure was 91%).

As with the previous survey, the European figure appears low, with only 70% of banks reporting that they had formal testing or monitoring of their AML controls. However, this masks variations in the different countries within Europe.

One hundred percent of respondents in 10 European countries (including France, Ireland, Spain and the U.K.) had formal testing in place, but a number of major European constituents had lower percentages (for example, Germany 38% and Switzerland 50%).

Figure 7

The drive among regulators and senior management to challenge banks’ control functions to demonstrate the effectiveness of AML systems and controls has led to an increase in both the amount of testing and monitoring taking place and the range of control functions involved

Respondents with a formal program for testing and monitoring the effectiveness of their AML systems and controls

% o

f res

pond

ents




In reading the results, it should be borne in mind that in Germany, local law requires banks’ external auditors to report on their AML systems and controls on an annual basis, and in Switzerland there is also a legal requirement for the external auditors of banks to audit AML compliance and report to the bank and their local regulator annually.

This suggests that banks in these regions may have responded to the question purely in terms of internal monitoring rather than by reference to any statutory review work undertaken by their external auditors. If the European figures were adjusted for

this, they would be broadly in line with other regions.

Our survey also showed that a wider range of functions within banks are now undertaking formal testing and monitoring of AML compliance, recognizing the range of functions involved in AML compliance.

Whilst the survey reflects the multiplicity of functions with potentially overlapping responsibilities with respect to AML, it is important to note that these functions have differing roles and responsibilities in relation to AML. There are three “lines of defense” in AML compliance: staff

Figure 8

engaged in client on-boarding and ongoing monitoring; control functions that test the effectiveness of controls on an ongoing and regular basis; and fully independent control functions that review and test controls after the event (Figure 9).

A significant figure in the 2007 survey is the increase in the amount of AML monitoring carried out by financial crime or fraud prevention units, which – although they may not be more independent than compliance – may nevertheless act as a center of excellence for AML and fraud prevention. The survey results therefore reflect a broader trend

Functions with a role in testing and monitoring the effectiveness of AML systems and controls

(Options are not mutually exclusive) Source: KPMG International, 2004 and 2007



and attributes brought to bear on the task. This means having the right mix of independence, timeliness of review, proximity to the business, and AML experience to ensure that the key issues are identified and tackled, and that learning points are fed back into operational processes.


in the industry towards the setting up of a financial crime function with oversight of both AML and fraud, and in the long-term may come to include market abuse. This is consistent with what is happening in the industry.

In Australia, for example, a number of banks are considering whether cost efficiencies and reductions in fraud can be achieved by combining AML and fraud monitoring within one function, using a common system.

Whatever the approach adopted, the key to effective AML monitoring is to seek to ensure the bank has a range of complementary skills, experience

Figure 9

“Three lines of defense”

KPMG comment Taking ownership of AML monitoring

With such a broad range of functions involved in AML monitoring, there is a risk within banks that senior management, and compliance, may take false comfort in the view that because the overall quantity of monitoring is high, it will be sufficient to prevent any mishaps. The reality is that some monitoring may be impaired, whether by lack of independence, infrequency of review, inexperience of staff, or lack of coordination between functions with resulting overlaps or gaps in monitoring. In many instances, internal audit is the last line of defense and through their detailed and independent review work, weaknesses in AML controls are often identified which should have been identified by other functions at a far earlier stage.

One approach to this problem can be to set up a dedicated quality assurance (QA) team for AML controls, whether this is situated within compliance or another independent risk function (such as a financial crime function). QA teams can be used to carry out spot checks on banks’ end-to-end AML control processes. This means not only focusing on the common areas for monitoring such as KYC and client on-boarding, but also looking at other areas such as staff training, transaction monitoring, and sanctions compliance. Internal audit should be an overlay to this, not a substitute for it, and should be able to leverage off work performed by the QA team in planning and executing their audit work.

One of the key challenges is finding suitably skilled and experienced staff. It requires a detailed knowledge of AML typologies, controls, and up-todate intelligence to identify the right issues and find areas for enhancement or additional focus.



5. Risk-based approach to Know Your Customer activity

Enhanced due diligence procedures for high-risk customers is common practice, and it is only in a small minority of countries that it has not gained wide acceptance. As risk approaches have become more sophisticated, however, banks have been forced to re-visit their existing client base and upgrade the quality of KYC information held

Most banks around the world

apply a risk-based approach

at account-opening

The requirement to know your customer underpins global efforts to counter money laundering, and it is a legal requirement in most jurisdictions. When a bank takes on a new customer, it provides the customer with an entry point to that bank both locally and internationally. It is therefore fundamental that banks understand their customers’ circumstances and financial situation and know with whom they are dealing. Doing so across a wide customer base is logistically challenging, and the international regulatory focus has been moving towards encouraging banks to apply a risk-based approach to KYC.

Figure 10

In our 2007 survey, we asked banks whether they used a risk-based approach to KYC, and – if so – what risk factors they took into account.

As in 2004, the majority of banks (86%) employ a risk-based approach, up from 81% in our last survey. These banks are also using a wider range of risk factors than three years ago; the broader acceptance of the wider range of risk factors is encouraging (Figure 11).

A key development in this year’s survey is the higher level of consideration given to whether the customer is a Politically Exposed Person (“PEP”) at account-opening stage. This reflects increasing focus on PEPs in the international environment.

Respondents that employ a risk-based approach at account-opening stage

% o

f res

pond

ents




Figure 11

Factors taken into account by respondents when using a risk-based approach at account-opening stage

% o

f res

pond

ents

with

a ri

sk-b

ased

app

roac

h

(Options are not mutually exclusive) Source: KPMG International, 2004 and 2007



Banks continue to use remediation

programs to ‘backfill’ customer data

The basic premise of AML is understanding who you are dealing with and the nature of their business. Risk-based monitoring for unusual or suspicious activity must be based on an understanding of what represents normal activity for that client. Banks have historically not held very much, if any, information on long-standing customers or groups of customers. Banks face a particular challenge in risk assessing existing customers whose relationship with the bank pre-dates the introduction of current KYC and account-opening legislation and guidance. As a result, a significant majority of banks have set up a program of retrospective remediation to fill in gaps in their KYC data. In a number of countries, this has been mandated by the regulatory authorities through a mix of formal rule-making, enforcement

action, or informal pressure (for example through the regulatory examination process). The emphasis in the U.S. has, in the past three years, been more focused on transaction “look-backs”, as opposed to remediating KYC information (which has been mainly a European trend). Transaction look-backs generally require a bank to review historic transaction data using scenarios or parameters agreed and negotiated with their regulator, with a view to investigating and filing suspicious activity reports where necessary. These exercises can be expensive and time-consuming, and can also be difficult to perform if gaps in KYC information mean that the institution does not fully understand the context for the transactions their customers have executed. Look-backs can be useful, however, in identifying new typologies of money laundering and/or spotting suspicious behavior spread

Figure 12

over a longer historical time-period than would normally be looked at through current transaction monitoring procedures.

We asked banks in our survey if they had an active program to remedy gaps in the KYC information they held on existing customers, what approach they had taken, and if they did not have a remediation program, why not.

The survey results show a slight but not significant increase in the number of banks engaged in a remediation program, although it remains significant that 77% of banks have a remedial plan in place. In 2004, 74% of respondents had a remedial program in place. This may help to explain in part the unexpected increase in costs of AML compliance that has been cited elsewhere in the survey.

Respondents with a program to remediate gaps in KYC information held on existing customers

% o

f res

pond

ents




For the banks that did not have a remediation plan, the most commonly cited reason was that they did not have sufficient gaps in their KYC information to warrant remedial action. The second most commonly cited reason was the absence of legal or regulatory pressure to do so (Figure 13).

We also asked banks to specify what methodology they had adopted for remedying gaps in their KYC information. This showed a broad range of approaches being used, as in our 2004 survey (Figure 14 on page 28).

The main change since our 2004 survey is the shift in approach used by banks from the ‘Central & South America and Caribbean’ region. In 2004, 73% of banks in the region reported that they were performing a remediation program across their

Figure 13

entire customer base. This year, the figure rose to 83% of banks performing a remediation program, with 40% carrying this out across their entire customer base. Of the remaining banks with a remediation program 55% of banks now report they use a risk- based approach, and 5% report they only gather more KYC information when a customer opens a new account or transacts new business.

We also asked respondents what issues they encountered in gathering KYC information from customers. Over 30% of banks reported difficulties in obtaining information in particular countries or regions.

The responses overall did not single out any specific jurisdictions as being uniquely difficult, but this is largely because a significant proportion of

respondents only operated in a small number of countries and so had no experience of operating in jurisdictions outside of this.

The main countries or regions in which respondents reported the greatest difficulties obtaining KYC information were the Cayman Islands, Russia, and Eastern Europe. In relation to Russia, this is likely to reflect known issues surrounding the wide use of shell companies, and the difficulties of identifying the beneficial owners of these. The U.S., Switzerland and Middle East were also cited by some correspondents as being difficult regions to obtain KYC information, although to a lesser degree, again reflecting difficulties in obtaining beneficial ownership information and/or wider bank secrecy / data protection concerns.

Respondents’ reasons for not having a remediation program in place

% o

f res

pond

ents

with

out a

rem

edia

tion

prog

ram

(Options are not mutually exclusive) Source: KPMG International, 2007

Note: One hundred percent of banks in Russia & CIS reported having a remediation plan and so do not appear in the above table. Note also that relatively few banks responded to this question (the majority of banks had a remediation program in place), and so the percentages given are from a low base. Respondents citing another reason or ‘don’t know’ have been excluded.



Figure 14

Respondents’ approach to remediation

% o

f res

pond

ents


KPMG comment The challenges of applying a risk- disciplines to bear on AML issues, as KYC data, with many banks under-based approach well as focusing on the outputs of their estimating the complexity, time taken Our survey has focused on the AML processes and not just the inputs. and cost of the exercise. It also reflects application of a risk-based approach to In jurisdictions where senior the fact that banks are not only seeking client on-boarding and KYC, but the management are given greater flexibility to fill gaps that have arisen because challenge is to apply this to all of the by the regulator to set their own risk- regulatory requirements have increased components of AML systems and based processes, they will be under since an account was opened; they are controls including training and pressure to create an audit trail for their also having to fill gaps left by poor compliance monitoring. As in the early thought processes, and document the application of the bank’s processes that stages of the development of operational rationale for the approaches that they have been in place since regulatory risk frameworks, it appears that banks in have adopted. requirements changed. This points to the many regions are in a situation where need for banks to plan carefully for any they are not able to articulate the linkage A particular area in which banks have remediation program. There are potential between the institution’s risk appetite used a risk-based approach has been cost savings and operational synergies and the risk-based approach adopted for filling in gaps in their KYC information for those who tackle the task in discrete AML. This may be exacerbated by the through remediation programs. Our stages, prioritized according to the level challenge of balancing absolute AML survey this year showed approximately of risk associated with those client legal requirements with desired best the same proportion of banks had a accounts, as well as anticipating and practices. Banks need to focus more on remediation program in place as in 2004 planning for future AML challenges. these areas, and bring some of the rigor (77% of all banks in our 2007 survey). of operational risk techniques and This reflects the challenges of backfilling



6. Politically Exposed Persons

Increasing numbers of banks have

specific procedures to identify and

monitor Politically Exposed Persons

PEPs are individuals who have political roles or associations, such as politicians, diplomats and high ranking members of the military, but there is no uniform definition of a PEP. Differing definitions appear in laws, regulations and guidance notes internationally. Despite this, there is a growing consensus among banks, governments and regulators that PEPs present heightened AML risks. In our 2004 survey, only 55% of banks using a risk-based approach to KYC reported that PEP status was one of their risk factors. In this year’s survey, the figure has increased to 81% of respondents (see section 5 of this survey).

Across all banks, irrespective of whether they use a risk-based approach to KYC, 71% reported that they had specific procedures for identifying and monitoring PEPs on an ongoing basis. This is up from approximately 45% in our 2004 survey. In the U.S., nearly all banks have specific processes in place to identify and monitor PEPs, driven by the U.S.A. PATRIOT Act 2001, which requires monitoring of foreign PEPs.

The increased focus on PEPs has not been uniform across all regions, with some countries in ASPAC placing far less emphasis on PEPs as a risk factor (for example, Australia, Japan, South Korea, Philippines and Taiwan). This is believed to reflect higher public trust in politicians and senior business executives in some

Figure 15

Increased emphasis on reputational risk management, as well as legislative and cultural changes, mean that more banks than ever before have procedures in place to identify and monitor their relationships with Politically Exposed Persons

Respondents with specific procedures in place for identifying and monitoring PEPs on an ongoing basis

% o

f res

pond

ents




of these countries and a general lack of requirements to identify and monitor PEPs. This is changing, however, with recent legislative changes in some countries in the ASPAC region now requiring procedures for identifying and monitoring PEPs.

The comparatively low figure for Europe is likely to change as a result of the EU Third Money Laundering Directive, which requires banks to screen for PEPs. The Directive is due to be implemented by December 15, 2007 in all countries within the EEA, although it is possible that individual countries may take longer than this. Among the larger countries in Europe, there were significant variations in the extent to which they had specific procedures in place with regard to PEPs. In the five biggest countries by GDP in the EU, the U.K. and Germany

Figure 16

were the most likely to have PEP procedures (86% and 62% of respondents respectively). The three remaining countries lagged behind this: France (50%), Spain (29%) and Italy (13%).

One surprising result is that some of the smaller banks in our survey were more likely to have specific procedures in place for PEPs than their larger rivals. Out of the respondents who were in the top 250 banks globally (measured by tier 1 capital ), only 64% had PEP procedures. This compares to a figure of 87% for banks who were ranked 751-1000 of the world’s biggest banks.

Classification of PEPs

With differing definitions of PEPs across regions, and varying regulatory requirements, banks have sought

to use centralized lists of PEPs to facilitate easy classification of individuals as PEPs.

We asked our respondents what approach they took to create or obtain these lists (Figure 16).

Our survey shows that banks in Europe and North America were the most likely to rely entirely on commercial lists they had purchased, whilst respondents in Central / South America and the Caribbean, Russia/CIS, and Middle East / Africa were more likely to use a hybrid approach. We believe this is likely to be the case because of the blurring of politics and business in some countries in these regions, and therefore the necessity of modifying commercial lists to reflect local practices and risk appetite.

Banks approach to classifying individuals as PEPs

% o

f res

pond

ents

with

spe

cific

PEP

pro

cedu

res




Defining PEPs

There are a variety of definitions of PEPs available in domestic legislation, regulations, supranational bodies and industry guidance (three of these are provided below). Whilst these may at a high-level have common features, there are many differences in the detail.

This includes subtle differences in terms of the level of seniority necessary for politicians, judicial figures, or other officials to be classified as PEPs. There are also differences in the definition of who constitutes a ‘family member’ or ‘close business associate’ of a PEP. However, these difficulties of definition can be overcome by adopting a broad definition of a PEP, and applying a risk-based approach.

The real difficulties are the practical application of the requirements, including:

• Identification of family members or close associates of PEPs where this is not readily apparent from their name, situation, or information disclosed to the bank or available publicly.

• Identification of situations where existing customers may have become a PEP because of a change in their status, or the status of a family member or business associate of theirs.

• Application of PEP standards in countries with uncertain, unstable or non-transparent political structures.

Wolfsberg Group

“Individuals who have or have had positions of public trust, such as government officials, senior executives of government corporations, politicians, important political party officials, etc., as well as their families and close associates”.

Source: The Wolfsberg Group AML Principles on Private Banking, revised version, May 2002

The Financial Action Task Force

“Individuals who are or have been entrusted with prominent public functions in a foreign country, for example Heads of State or of government, senior politicians, senior government, judicial or military officials, senior executives of state owned corporations, important political party officials”.

Source: FATF Forty Recommendations, as amended October 2004.

EU Third Money Laundering

Directive

“Natural persons who are or have been entrusted with prominent public functions and immediate family members, or persons known to be close associates, of such persons”.

Source: Article 3(8) of the EU Third Money Laundering Directive, October 2005.



KPMG comment The operational complexity However, banks may need to bring Intelligence) providers to find out who of dealing with PEPs in relation these lists together into a single source their customers really are, and what to AML requirements which can be accessed from across reputation they have in local markets in With the heightened risks associated the bank. order to support their enhanced due with PEPs, banks may need to think diligence. A number of banks are also carefully about the end-to-end control As with sanctions screening, ‘PEP lists’ setting up their own internal Financial processes they have in place to identify are not static, and banks need a process Intelligence Units to coordinate PEPs, accept them as customers, and to source updates to lists against which intelligence gathering, and take a monitor their account activity. all new customers should be screened, proactive approach to identifying

and an accompanying process to try to emerging risks in relation to new Identifying PEPs ensure that the changes to the list are products, customers or markets. With a wide range of definitions of a screened against the bank’s entire client Enhanced due diligence and the use PEP from regulators, industry bodies base, so that any existing account holders of Corporate Intelligence is equally and governments, banks need to give who become a PEP are identified. applicable in respect of other high risk careful thought to what definition would customers such as high net worth be appropriate for their business, and Accepting customers individuals from high-risk jurisdictions. how they can apply this consistently Doing business with PEPs raises unique across all of their operations. While the reputational issues that require Activity monitoring

individuals who meet this definition will judgment and experience to evaluate. Banks must have processes in place to vary from country to country, a global For many banks, it is not possible to monitor the account activity of PEPs, approach helps to create a greater codify the range of risks, or the bank’s applying critical judgment in determining degree of consistency. risk appetite, for dealing with PEPs, and whether this activity is in line with

therefore it is important that senior expectations. Transaction monitoring Whilst the use of external providers of management is involved in the decision should be based on good quality due ‘PEP lists’ is common, banks need to to accept a new client who is a PEP, or diligence undertaken at account-opening think about centralizing their use of these agree to continue servicing a client who and updated on a regular basis. This lists in order to ensure consistency has become a PEP. These decisions should address the expected source of in the identification of PEPs. This does should be based on good quality funds in the account, and the expected not necessarily mean adopting a single information and intelligence, which is transaction activity in the account, provider for PEP lists; it may be not always readily available, and banks including any underlying business and appropriate to use a number of different are increasingly using respected beneficial ownership (if it is a corporate providers to obtain global coverage. Integrity Due Diligence (or Corporate account).



7. Transaction monitoring

People are still the first line of defense

in the fight against money laundering

Transaction monitoring has long been an area of focus for regulators and banks. It is the area of AML compliance that has incurred the greatest expenditure in both our 2004 and 2007 surveys, and is expected to remain a key driver of AML costs over the next three years.

The legal framework and AML requirements in most jurisdictions are based on a regime for reporting

suspicious activity to law enforcement, in addition to currency transaction reporting in a number of countries. Accordingly, most banks have developed systems and controls to monitor transactions and escalate unusual or suspicious items.

In our survey, we asked banks what methods they used to monitor transactions. This showed little change since the 2004 survey.

Figure 17

Vigilant staff continue to be the main defense that a bank has against money laundering, and whilst transaction monitoring may be the key to the future, much work remains to be done to improve the effectiveness of systems

Methods used by respondents to monitor transactions

% o

f res

pond

ents

(Options are not mutually exclusive)



Scor

e ou

t of 5

Mean score out of 5: 1= very unsatisfactory 5= very satisfactory



Within the regions, it is clear that there is comparatively less transaction monitoring in ASPAC with lower than average scores for nearly all of the monitoring approaches under review. This reflects a general lack of any requirements to conduct transaction monitoring, other than threshold monitoring, in many countries in this region. However, increasing emphasis is being placed on transaction monitoring as legislative requirements are updated around the region. The lower amount of transaction monitoring in the ASPAC region is also reflected in respondents’ satisfaction with their transaction monitoring systems (Figure 18).

“People who design these systems should use them. Although I've said systems are not sophisticated, they are sometimes too much so for our own good” Switzerland respondent

“I would like to have a system that can track both behavioral and statistical transactions based on a transaction pattern (e.g. volume, country, business)” Hong Kong respondent

Bearing in mind that a score of 3 is ‘neutral’ and a score of 4 is ‘fairly satisfactory’, the responses indicate banks are generally satisfied with their transaction monitoring, but only just. The scores in ASPAC are noticeably lower than other regions.

We also asked banks what recommendations they would make to improve their IT monitoring systems. Of the responses, 31% were focused on aspects of enhancing software or systems, such as increasing system capacity, or better integration of multiple systems across the bank. An additional 17% of banks wanted systems with improved functionality or broader coverage.

Figure 18

Increased number of Suspicious

Activity Reports

Greater investment in AML transaction monitoring systems and efforts appears to have resulted in higher volumes of suspicious activity reports (SARs) being filed with law enforcement authorities (Figure 19).

Our survey shows that 72% of respondents reported some level of increase in the number of SARs over the past three years, up from 67% in 2004. This trend is particularly clear in the North American region, with 95% of respondents reporting some level of increase. The two biggest reasons for the increase in SARs were reported to be improved electronic / automated transaction monitoring systems and better staff training.

Respondents’ satisfaction with transaction monitoring systems



“We need more intelligence-based transaction monitoring with the capability to detect transactions not noted by human scrutiny” Russia respondent

“We should focus

Figure 19

Change in number of suspicious activity reports compared with three years ago

on updating the enterprise-wide system, rather than different ones in different areas of the bank” Taiwan respondent


Figure 20

Factors that have caused the increase in SARs

% o

f res

pond

ents

Mean score out of 5: 1= no impact 5= very strong impact




Costs of transaction monitoring

Where respondents attributed the increase in SARs to improved transaction monitoring, we asked about the impact of this on the ongoing human and financial resources needed to operate these systems. A clear consensus emerged, with 92% of banks reporting that improved monitoring systems meant more resources were required. The most commonly cited reasons for the required increase in resources were ongoing maintenance costs, the need to review ‘false positives’, and the complexity of fully implementing the systems.

Our survey also looked at the potential commercial benefits flowing from implementation of automated transaction monitoring systems. Of the banks that identified commercial benefits, 37% cited improved marketing opportunities

and customer relationship management, 30% referred to improved reputational risk management, and 20% mentioned fraud reduction. In relation to fraud reduction, a number of banks now appear to be moving towards incorporating additional modules into their automated AML transaction monitoring platforms to identify potential fraud, as well as moving towards consideration of wider financial crime risks.

Feedback from government sources

In both this year’s survey and 2004’s, a number of banks emphasized the importance of better feedback from government sources such as financial intelligence units (FIUs). Around one third of banks could name a FIU that they regarded as particularly good at providing feedback, although typically they named the FIU operating in their

home state. This may reflect the fact that many respondents had not had personal experience of dealing with FIUs outside of their jurisdiction.

There was broad support for better and more frequent interaction with FIUs, although with recognition that this could lead to resourcing pressure within those organizations if the volume of SARs continued to increase and processing backlogs built up. In this context, the generally positive views expressed by U.S. banks about their domestic FIUs and law enforcement agencies is impressive given the strong growth in the volume of SARs in that region. Over 30% of U.S. banks said that their domestic authorities were good at providing feedback, with particular credit going to the Financial Crimes Enforcement Network (FinCEN).

FinCEN cross-border transaction It is estimated that it will take three and A significant challenge for FinCEN database a half years to set up the system and is how to use the information they The Intelligence Reform and Terrorism bring it into operation. It is also estimated receive as effectively as possible, and Prevention Act of 2004 required the that 300-500 million transactions would to analyze it in a way that produces Secretary of the U.S. Treasury to fall under the reporting requirements (as valuable insight and intelligence for law investigate the feasibility of requiring they have been defined to date), and that enforcement agencies. They also need U.S. financial institutions to report the system will need to hold a three year to consider how they will interact with certain cross-border transactions to history of transactions, with a further financial institutions so as to help them FinCEN. The feasibility study has now seven years of data maintained in an enhance their AML detection been completed, and it concluded that archive, in order to perform meaningful capabilities (i.e. the type and quantity it would be appropriate for financial and relevant analysis. of feedback they provide to industry). institutions which deal directly with foreign financial institutions to disclose The specific requirements of which The requirements and FinCEN database information on all cross-border transactions will need to be reported will clearly have an impact on all U.S. payments over US$3,000. have not yet been determined. In financial institutions handling cross-

addressing these requirements, FinCEN border payments, generating additional As a result, a program of work will now has stated they will take a number of reporting requirements for the industry. be undertaken to set up a central factors into consideration, including the database into which these transactions impact on financial institutions, the can be reported by institutions, and privacy concerns of individuals (both U.S. logged for subsequent analysis by FinCEN and non-U.S.), and the wider impact on

Source: ‘Feasibility of a Cross-Border Electronic Funds and other law enforcement agencies. the use of the dollar as the basis for Transfer Reporting System Under the Banking Secrecy

Act’, October 2006, published by U.S. Department of international financial transactions. Treasury Financial Crimes Enforcement Network.



Joined-up monitoring

One of the challenges for internationally active banks in carrying out transaction monitoring is the ability to monitor a single customer’s transactions and account status across multiple countries. Our survey shows that a significant proportion of banks could not carry out this type of monitoring.

Within the global results, it was clear that North American banks were ahead of their peer group, with 42% of internationally active banks in the region able to carry out monitoring of customer transactions across multiple countries. Interestingly, there was no

Figure 21

evidence that the larger banks in our survey were any more capable in this area than smaller banks. This may reflect privacy laws in some countries that prevent the sharing of information around the group.

A number of banks are reported to be looking at introducing single customer identification numbers to use across all of their operations globally, which would significantly enhance their ability to carry out joined-up monitoring.

Banks capable of monitoring a single customer's transactions and account status across multiple countries

% o

f res

pond

ents




KPMG comment Taking transaction monitoring Despite the difficulties encountered, identified or prevented, and using forward many banks are now at a stage where this to reinforce staff awareness. With the significant steps forward in they are moving from putting an the processing capacity of IT, the move electronic monitoring system in place, • Intelligence is critical to designing towards electronic banking and services, to a point where the core platform typologies to screen for money and a steady decline in the cost of IT exists, and they can focus more on laundering, and banks need to equipment, new possibilities have refining the typologies they screen network effectively to pick up on opened up in the monitoring of customer for and the escalation criteria used. current trends in money laundering. transactions. Banks worldwide have In some countries, such as the U.K., taken steps forward in the automated Whilst there is a growing trend towards regulators and FIUs have set up fora monitoring of transactions, with implementing AML transaction for banks to share views, and learn significant investment in new IT monitoring systems, there are a number from FIUs about the trends they are platforms and development of advanced of industry best practice points that seeing in the market. Banks should data analytical software. However, banks’ banks can use: seek to ensure that they participate experience of new systems have not in the discussions they are entitled

• Whilst monitoring systems offer always met their expectations. They have to, and take steps to ensure the

the potential to screen highfound that significant resources need information they receive is – where

volumes of transactions and spot to be deployed in the continual updating possible – disseminated widely

patterns of behavior that may be of monitoring software, data feeds within the organization so that it can

spread over time or spread over for transactions, and review of the be used by front-line staff and

multiple transactions, they are no exceptions and potentially suspicious operations as well as the AML team.

substitute for staff vigilance on the transactions identified by the systems.

front-line. A significant proportion of Banks have also found it difficult to Good quality intelligence is particularly

SARs are raised by vigilant staff design the right typologies for identifying important in the context of monitoring

rather than complex systems, and money laundering, and calibrate the transactions for terrorist financing,

banks should ensure that in buildingescalation thresholds to a level they are and a number of banks in our survey

up systems they do not lose focus comfortable with. The challenge remains expressed the view that they would

on staff training and awareness-that many of these systems contain like to see more and better quality

building. Banks can enhance and complex mathematical algorithms that information sharing with FIUs; this

develop staff potential by singling make it difficult to understand intuitively will be critical in ensuring a joined-up

out occasions when money the inter-relationships between inputs approach.

laundering has been successfullyto the system and the outputs.


% o

f res

pond

ents

that

pro

vide

som

e fo

rm o

f AM

L tra

inin

g Global Anti–Money Laundering Survey 2007 39

8. Training

There is a growing commitment

to train staff to combat money

laundering

AML training and awareness is key to a bank’s ability to combat money laundering effectively, with 97% of banks saying they are dependent on the vigilance of staff to monitor transactions and identify suspicious activity. Reflecting this, 97% of banks say they provide some level of AML training to their staff. (Interestingly, out of the six banks in our survey with no AML training program, five nevertheless said they relied on the vigilance of staff to identify suspicious transactions).

The overall amount of training given by banks has not changed markedly since our 2004 survey, and continues to show

Figure 22

significant variation in the percentage of staff that banks deliver AML training to.

Within Europe, the figures for 2004 and 2007 show banks moving towards the center of the distribution (the 61-80% category), with fewer banks in the 81100% category and in the under 60% categories, than was the case in our 2004 survey.

These shifts may reflect a more risk-based approach to training, with banks focusing training more directly on staff with a real need for it, and the amount and content of training adjusted to reflect the AML risks inherent in employees’ roles. Whatever the cause of it, however, the training patterns seem to be reflected in the costs of AML compliance, with

Banks continue to invest heavily in training programs, with institutions in many regions under pressure to demonstrate the effectiveness of their training, and are looking to make it more relevant to front-line staff through case studies and practical examples

Estimate by respondents of percentage of staff who received AML training in the past two years




European banks reporting that training is relatively less expensive than it appears to be in other regions. Training was the fourth largest area of AML spending in the past three years for European banks, but - on average - was ranked second across all regions globally.

The results for the U.S. show particularly rapid change, and is likely to reflect the impact of the U.S.A. PATRIOT Act 2001, which requires AML training for all relevant employees of a bank, as well as some high profile enforcement actions (Figure 23).

Methods of training

As in 2004, face-to-face training continues to be the most common method used by all banks; this method is also regarded as being the most effective (Figure 24).

Despite there being no apparent shift in views of the effectiveness of computer-

based training (CBT), usage of this method has increased significantly from 2004 (up from 61% to 79% of all respondents). This may reflect a need by banks in some countries to ensure complete coverage of their employee base, and the comfort they can derive from electronic tracking of which employees have taken the training and passed the test, also important as employees change roles and move around the bank.

The use of CBT also makes it easier for banks to demonstrate compliance with any training requirements set by their regulator.

The survey results pointed towards a particular growth in confidence in CBT in emerging markets and corresponding higher usage thereof. In more developed markets, usage of CBT has also increased despite a slight dip in overall

Figure 23

confidence in the effectiveness of that method of delivery.

Improvements to training

We asked respondent banks about measures that could be employed to improve the quality of AML training (Figure 25). The main theme among respondents was the wish to use more case studies for staff, both to raise awareness that AML exists in the real world, and to give staff the practical skills and knowledge to apply the AML training in their role. Despite greater pressure on banks to examine the effectiveness of their AML controls, including training, the percentage of banks considering testing of staff appears low, and whilst testing is a common feature in many CBT packages, this can often be a fairly basic assessment test.

Estimate by North American respondents of percentage of staff who received AML training in the past two years, 2004 and 2007 surveys

(Percentages may not add up to 100% due to rounding)

Source: KPMG International, 2004 and 2007



“We need to use more examples or real case studies to give the staff the awareness that money laundering is a real existing issue” Austria respondent

“We need more face-to-face training – small groups role-playing to give people the chance to work together and practice what they are looking for” U.S.A. respondent

“We need to identify instances across all the institutions where things have gone wrong with KYC. We need to identify the reasons and train people to know how best to avoid them” India respondent

% o

f res

pond

ents

%

of r

espo

nden

tsFigure 24

Training methods used by respondents compared with assessment of effectiveness

(Options for training delivered are not mutually exclusive)


Figure 25

Measures that could be employed to improve the quality of AML training

(Options are not mutually exclusive) Source: KPMG International, 2007



KPMG comment Enhancing the effectiveness Whilst CBT modules can include a have comparatively low SAR of training degree of testing of comprehension, reporting and why this is the case With a significant proportion of this can often be at a fairly basic level

• whether a suspicious transactionSuspicious Activity Reports (SARs) and there is a need to include more identified by electronic monitoring raised by staff on the front-line, training case studies dealing with actual money systems should have been spotted is a key control that banks need to have laundering examples. In some respects, by staff first in place. In many jurisdictions, it is also face-to-face training offers more

mandatory under local regulations, or opportunities for staff to raise questions • the interaction that takes place with important as a line of defense should or demonstrate their understanding of staff during training sessions. any employee of the bank commit an AML requirements, and for those offence under AML regulations. providing training to assess their Monitoring of AML controls by

understanding. Accordingly, banks need compliance or internal audit can also In a number of countries, regulatory to focus more on the processes, formal include brief interviews with staff to attention is now shifting towards giving and informal, that they have in place to assess their current understanding of banks greater flexibility in who they train monitor the effectiveness of their AML systems and controls, and this, and what level of training they provide, training. This includes CBT test results, coupled with the results of monitoring reflecting the risk-based approach. but also making judgments based on a and testing, can be an effective way Whilst this offers the opportunity to range of other indicators: of assessing staff’s understanding. focus resources on the staff with the greatest need for AML awareness, and • the quality of KYC compliance during All of this information needs to be used to design training courses that are customer on-boarding to enhance the AML training program tailored to an employee’s specific

• the detail and level of understanding and wider AML systems and controls. needs, regulators are also beginning to

reflected in SARs escalated by staff ask more pressing questions about how banks assess the effectiveness of their • which branches or divisions of the training. bank have not raised any SARs or



9. Attitudes towards regulation

% o

f res

pond

ents


Global support for regulatory AML

frameworks

Our 2007 survey continues to reflect broad-based support for AML regulation internationally, with 93% of respondents saying the burden of AML regulation was acceptable, or even should be increased. However, this includes 51% of respondents who said that AML requirements needed to be better focused to combat money laundering more effectively.

Respondents in the North Americas region displayed divided views on their regulatory regime. Whilst a significant majority regarded the regulatory

Figure 26

burden as acceptable (83% of respondents), this left a large minority who regarded their regime as excessively onerous (17% of respondents). No respondents in the U.S. regarded it as necessary for their AML requirements to be increased, probably reflecting the increased activity and high profile enforcement cases in recent years.

Eight percent of banks globally believed that AML requirements in their jurisdiction should be increased, however some stronger views were expressed, notably in the UAE, Nigeria and Kazakhstan (Figure 27).

Statement most closely reflecting respondents’ view on AML requirements

Broad-based support for AML efforts by the public sector, but prevailing view that more needs to be done to combat money laundering effectively

Figure 27 % of respondents in that country expressing the view that AML requirements

should be increased

United Arab Emirates 83%

Nigeria 50%

Kazakhstan 67%




We believe this reflects banks in the Middle East wanting more specific guidance from their regulators so that there is more consistency in the application of AML requirements, and a more level playing field for banks in the region. The result for Nigeria is likely to be a consequence of the country being removed from the FATF list of Non-Cooperative Countries and Territories in June 2006, and a resolve by Nigerian banks and its government to ensure that it remains off the list.

Of the respondents who expressed the view that – whilst the burden of regulation was acceptable – there was room for improving AML requirements, a wide range of potential improvements were identified. However, there was no strong consensus among banks in any country as to how regulation could be improved. Overall, there was a general feeling that regulators should produce clearer legislation, and together with

law enforcement, should provide better quality feedback (18% of the banks we surveyed referred to this). There was also a significant minority of banks that wanted their regulator to adopt a risk-based approach (6% of all banks we surveyed).

Impact of global legislation and

guidance on banks

As in 2004, we asked banks to identify the legislation or guidance that had the greatest impact on them by scoring them from one to five.

The results show little variation over the past three years (at a global level), but regional differences emerged. In particular, perceptions of the influence of all types of legislation and guidance on North American banks has strengthened, with the U.S.A. PATRIOT Act 2001 scoring highly among North American banks (4.53) followed by domestic regulatory guidance (4.30).

Figure 28

Although the U.S.A. PATRIOT Act 2001 was enacted six years ago, it has taken time for banks to implement and adjust to the new regime, and to respond to additional guidance provided by U.S. regulators (after enactment of the legislation) as well as follow-up points from regulatory examinations. The ripple effect of this legislation on overseas banks has taken even longer to gain momentum.

In Russia & CIS, there has also been a shift in the requirements impacting their business, in that the effects of international requirements and expectations are now much more pronounced, and it has emerged as the only region in which international guidance (Basel, Wolfsberg) was rated as a more significant impact on their business than domestic regulatory guidance.

Impact of global legislation and guidance on respondents




KPMG comment AML global environment

For money laundering to be successfully tackled, it is critical that there is a joined up approach between the private and public sectors. What is needed within banks is a clear understanding of the typologies used by money launderers, and the risk factors they should use in identifying these, as well as intelligence in relation to individuals and entities. Whilst banks can make some progress on their own initiative, the regulatory focus has now shifted towards better cooperation and intelligence sharing between governments and banks. This has been given greater urgency not only by the need to improve the effectiveness of AML efforts, but in particular by the need to tackle terrorist financing.

Within a number of countries, structures have been put in place to facilitate this information sharing. This includes industry associations, issuance of guidance, government and regulatory liaison, and formal working parties and committees.

As an example, the U.K. government has identified a number of priority areas for stepping up its approach to financial crime:

• Enhanced data-sharing between the public and private sectors, and pooling intelligence better between different public authorities, including the U.K. Vetted Group (see panel opposite).

• Further steps to extend the risk-based approach, including through the creation of a new money laundering Supervisors’ Forum and a commitment to ensure authoritative guidance is available in all regulated industries. The forum will bring together all of the U.K. organizations with responsibility for ensuring compliance with domestic and international AML/CTF standards,

to entrench a risk-based, intelligence-led approach to supervision, and – as a secondary priority – share information on threats and vulnerabilities.

Section 314 of the U.S.A. PATRIOT Act permits information sharing between financial institutions and law enforcement, and among financial institutions.

Pursuant to Section 314(a), FinCEN receives requests from law enforcement including names of individuals and/or entities believed to be engaged in money laundering or terrorist financing. FinCEN circulates those requests every 2 weeks to a designated point of contact within financial institutions. The institutions receiving such requests must respond within 2 weeks if they have held accounts for such individuals/entities within the past 12 months, or conducted transactions on their behalf within the last 6 months. Institutions are well served if they use this information to conduct internal reviews to determine whether suspicious activity has occurred within the bank.

Section 314(b) permits institutions which have registered with FinCEN to share information among themselves with respect to individuals and/or entities the institution has reason to suspect may be or may have been involved in money laundering or terrorist financing. This is a useful tool which enables institutions to complete a picture of a customer that might not otherwise exist within the institution.

The Australian regulator also recognizes the need for information sharing and places a strong emphasis on working with industry to improve understanding of money laundering issues and regulatory requirements and expectations.

U.K. Vetted Group

“The Vetted Group is a multi-agency forum comprised of experts from law enforcement agencies and the regulated private sector which considers sensitive intelligence on new money laundering risks. The group develops the intelligence using the specialist knowledge of its members and identifies areas where further joint working would be valuable. The group also reviews intelligence to produce declassified material which is tailored to be as relevant and meaningful as possible to the private sector audience.

This material is circulated by the Serious Organised Crime Agency (SOCA) the [U.K.’s FIU] to the appropriate industry sector as an Intelligence Alert. Alerts have already been issued on the Abuse of Virtual Payments Systems and the Takeover and Redemption of Life Insurance Policies, and a further program of activity for the Vetted Group is agreed to late 2007.

This approach allows the private sector to add value to SOCA intelligence analysis at an early stage and ensures that SOCA shares relevant information which will enable its partners to increase the resilience of their anti-money laundering procedures”.

Source: ‘The Financial Challenge to Crime and Terrorism’, February 2007, published jointly by HM Treasury, the Home Office, the Serious Organised Crime Agency, and the Foreign and Commonwealth Office.



10. Sanctions compliance

Greater international pressure to tackle terrorist financing has raised the profile of sanctions compliance. The complex nature of practical implementation of the detail of multiple overlapping sanctions regimes is clearly a challenge for many banks

Background

Domestic governments have, for many years, administered sanctions regimes on the basis of international policy.

In many cases, the sanctions regimes adopted and administered by domestic governments mirror the sanctions imposed by the United Nations Security Council acting under chapter VII, Article 41 of the UN Charter.

Recent Changes

We did not cover the issue of sanctions application in our 2004 survey and its inclusion in 2007 is testament to the growing impact of the issue on financial institutions globally. In particular, the influence of U.S. Treasury sanctions administered and managed by OFAC has become high profile in recent years due to their extra-territorial application and the number of ways in which banks all over the world can be caught by them and potentially be held liable for violations. The impact of OFAC sanctions violations can be very damaging to an institution’s reputation but can also have substantial financial ramifications with punitive fines and criminal action.

In our survey this year, we asked banks how they updated KYC information on principals for the purposes of sanctions screening and monitoring (i.e., directors, shareholders, and beneficial owners of opaque entities). Eighty percent of banks reported that they had procedures in place to update principal KYC information, although this still left a significant minority who did not have any procedures in place.

Respondents showed divergence in the approach taken to updating principal information, with the majority opting to do so only in response to a trigger event.

Where banks did not have procedures in place to update principal information, 50% said that the reason for this was the absence of legal or regulatory pressure to do so. Around 25% of these respondents also commented that they did not have sufficient deficiencies in their KYC information to justify putting procedures in place for this.

Office of Foreign Assets Control

OFAC mission statement OFAC sanctions coverage

‘The Office of Foreign Assets Control OFAC covers: OFAC prohibits transactions with:(OFAC) of the U.S. Department of theTreasury (U.S. Treasury) administers and • U.S. activities; • Sanctioned countries and territories;

enforces economic and trade sanctions • “U.S. persons” no matter where • Specially designated nationals

based on U.S. foreign policy and they are located (SDNs);

national security goals against targeted • Persons includes institutions • Sanctioned entities;foreign countries, terrorists, international • U.S. persons includes U.S. • Those engaged in sanctionednarcotics traffickers, and those engaged nationals or foreign nationals activitiesin activities related to the proliferation who are resident aliens or of weapons of mass destruction.’ “green card” holders.

Source: OFAC web site and KPMG International, 2007


% o

f res

pond

ents


Figure 29

Approach to updating principal information for the purposes of sanctions compliance


KPMG comment Sanctions entity, and therefore any updates to client sanctioned individuals or organizations With increasing focus on terrorist records also need to be screened against from moving their funds to a bank based financing, sanctions compliance has sanctions lists. in a jurisdiction where no sanctions are become a more high profile issue for in place against them, or compliance

In addition to checking account-holders, banks and regulators. It is imperative standards are known to be lower. banks also have an obligation to filter for that banks have appropriate controls

in place to ensure compliance with payments to or from sanctioned Institutions need to screen transactions

sanctions laws at all stages of the individuals or entities, and to ‘block’ the (before they have been processed)

transaction lifecycle. execution or settlement of payments to seek to ensure that the counterparty where necessary. In carrying out this to a payment is not a sanctioned

At account-opening, clients should be filtering, it is critical that the central individual or entity, and that the screened against applicable sanctions repository of sanctions lists is updated as underlying transaction is not restricted lists before an account is opened. In soon as practicable after an update is or prohibited by a sanctions program. addition, banks need to check their released. Our member banks are seeing A particular challenge in this area is existing client base against new names leading practice as updating this filtering in respect of ‘cover payments' that have been added to sanctions lists. repository within twenty-four hours of an (see panel overleaf). As the volume of This can be challenging where data on update being released. In the U.S., it can cross-border transactions has gone up principals or beneficial owners is held in happen more frequently than this, with to accommodate increasingly manual form or distributed over many OFAC lists being checked multiple times a international investment and trade different databases. Banks also need day to identify whether filters need to be flows, it will be particularly important to be vigilant to ensure that updates to updated and prevent any unlawful for banks to be vigilant in the client records (such as a change of payments being made inadvertently in correspondent banking relationships signatory) do not result in them holding the few hours following the release of an that they have. an account for a sanctioned individual or update. This is important to prevent



Cover payments which may relate to sanctioned (2) The adoption of payment messaging ‘Cover payments’ is a term used to individuals, entities or countries. standards within the banking industry. describe a specific type of payment These standards would require made from one bank to another via Moreover, correspondent banks cannot financial institutions not to omit, delete correspondent banks. This may be distinguish between cover payments or alter information in messages – or necessary where the two banks do not that are made to settle underlying use particular types of messages (such have a direct banking relationship and client transactions, and those that are as those used for cover payments) – need to use intermediaries to settle made to settle proprietary flows for the purpose of avoiding detection payments between them. Cover between the originating and of that information by any other payments have several characteristics, beneficiary banks. This means that financial institution in the payment but a key one is that information on the correspondent banks cannot process. originator (or originators) and unilaterally deal with the issue of cover beneficiary (or beneficiaries) is payments. Although they may request It has yet to be seen what format the ordinarily communicated directly from that other banks do not send cover new SWIFT messaging protocol will the originating bank to the beneficiary payments to them, or only send cover take, and whether it can address the bank. This means that any payments where details of the problem of how to communicate the correspondent banks involved in the originator and beneficiary are included, details of originator and beneficiary transaction are not usually aware of the they have no mechanism to be sure where the cover payment is settling identity of the originator or beneficiary. this request has been complied with. the net balance arising from multiple

underlying transactions between the Cover payments can often be used The indicative transaction flows for a originating and beneficiary bank. where the originating bank and single cover payment using SWIFT are However, it will require greater beneficiary bank execute multiple indicated in the diagram opposite. transparency between banks (as well transactions on behalf of their as more concrete procedures) for the customers each day. It can be more This problem of cover payments has issue to be effectively tackled. economical to batch these up and been recognized by the industry, with make one net payment via their the Wolfsberg Group and The Clearing If these proposals are adopted by the correspondent banks to ‘cover’ the House Association LLP issuing a joint SWIFT member firms, a new message outstanding balance between the statement on the topic . The statement format could be in place by November originating bank and beneficiary bank. includes two components: 2008. This would be a key step in This can help to reduce fees and improving the transparency for parties intraday liquidity needs. (1) A proposal to create a new or to international payments.

enhanced SWIFT message format for The nature of the information disclosed third-party cover payments that to correspondent banks in a cover enables information on the beneficiary payment is in many cases insufficient and originator to be included, and to allow them to identify payments

“These actions will promote the effectiveness of risk-based programs designed to reduce vulnerabilities associated with financial intermediation and enable banks to avoid the use of their facilities by individuals and organizations that the banks would not accept as their own customers, including, most particularly, those engaged in money laundering, terrorist financing or transactions in violation of relevant sanctions.” Source: Wolfsberg Group, Clearing House Statement on Payment Messaging Standards, April 19, 2007.


Step 4: Correspondent Correspondent Bank A makes Correspondent

payment to Correspondent Bank B Bank A Bank B within the relevant funds transfer system.

MT202 Step 5: Correspondent Bank B sends Step 3: confirmation to B’s Bank A’s Bank instructs its correspondent that funds have been bank to make a transfer to B’s Bank transferred into its account

MT202 Step 2: A’s Bank informs B’s A’s MT103 B’s Bank that its client, Bank Bank A, intends to make a payment to B

Step 1: Step 6: A instructs its bank to B’s Bank instructs B that make payment to B funds have been paid into

its account.

“ ” A “B” Originator of funds Beneficiary

(Payor) (Recipient)


Figure 30

Cover payments

Step 1: A instructs its bank to make a payment to B, and provides account details for B’s Bank. A’s Bank is able to assess whether the payment would be compliant with sanctions regimes that apply to it.

Step 2: A’s Bank sends a SWIFT message (MT103) to B’s Bank informing them about the payment. This generally includes details of A and B, and therefore B’s Bank is normally able to assess whether the payment would be compliant with sanctions regimes that apply to it.

Step 3: A’s Bank sends a SWIFT message (MT202) instructing that a transfer be made to B’s Bank. This does not ordinarily include details of A or B, and therefore Correspondent Bank A cannot know whether the payment would comply with the sanctions regimes that apply to it.

Step 4: Correspondent Bank A makes payment to Correspondent Bank B within the relevant funds transfer system. Neither of the Correspondent banks are aware of the existence or identity of A and B, and thereby cannot know whether the payment would comply with relevant sanctions laws.

Step 5: Correspondent Bank B sends a SWIFT message (MT202) confirming that a transfer has been made from A’s Bank to B’s Bank.

Step 6: B’s Bank instructs B that funds have been paid into its account.

Key: MT103 refers to SWIFT Message Type 103, Single Customer Credit Transfer – used for customer transfers MT202 refers to SWIFT Message Type 202, General Financial Institution Transfer – used for bank-to-bank transfers




Concluding remarks The issue of AML is one that continues to present a challenge for banks. From ensuring the appropriate tone and profile is set by senior management, to the alignment of operational processes across a complex business, the challenges faced by banks continue to evolve, as do the regulatory environments in which they operate.

A more sophisticated approach, focusing on risks, by banks and regulators to tackle the issue, together with better cooperation and feedback between the public and private sectors is necessary in the continued fight against money laundering, terrorist financing and wider financial crime. The challenges that banks encounter are even more acute in the less familiar area of counter-terrorist financing, and there are compelling reasons for governments internationally to work more closely with banks in finding pragmatic mechanisms to disrupt and prevent terrorist financing networks.

In this context, a move towards a more risk-based approach (by banks and their

supervisors) is to be welcomed. A risk-based approach offers banks greater flexibility in how they assess and respond to the AML risks they face. However, for this to be successful, both banks and their regulators need to step up to their obligations. For banks, this means allocating the right resources to their AML efforts, securing senior management engagement, and driving through the cultural changes, investment in IT and processes, and monitoring to implement a credible and effective AML strategy. For regulators, governments and FIUs, it means greater feedback to the industry on SARs, better promulgation of good practice, clear standards, and a constructive approach

to dealing with AML issues in banks. This means real follow through on the risk-based approach.

In the current climate of ever increasing complexity across the global financial system, the AML challenges for the industry can only be resolved through constructive engagement between the public and private sector. In the past three years, there have been meaningful steps in this direction in a number of countries, and there are strong and compelling reasons, along with widespread willingness, for this momentum to be maintained.



Regional perspectives:

Europe

Towards greater consistency The implementation of the EU Third Money Laundering Directive across the EEA in December of this year will be the result of a combined effort by member governments to tackle the issues of money laundering and terrorist financing across the region. The Directive changed EU AML standards to bring them into line with the 2003 revision of the FATF recommendations on money laundering and terrorist financing. Many states in Europe will, however, face challenges in incorporating the requirements into their national legal systems and for the accession states the challenges will be particularly great.

The role of senior management

Across the European Union, the implementation of the EU Third Money Laundering Directive by December 2007 will result in the incorporation into member states’ national law of specific provisions on the role of senior management in respect of AML. Specifically, the Directive requires that senior management approval is obtained for certain AML-related tasks, such as the establishment of correspondent banking relationships and the acceptance of customers that are classified by the bank as ‘high risk’.

In the U.K., many of these key requirements are already included in the industry’s guide to AML good practice (the Joint Money Laundering Steering Group’s Guidance notes (JMLSG)). In 2006, the JMLSG notes

were updated to include specific guidance on senior management responsibility, PEPs, and the application of a risk-based approach to AML and CTF. Perhaps as a consequence, 100% of U.K. banks in our survey reported that AML was a high profile issue for senior management; that they used a risk-based approach at account-opening; and that they applied heightened due diligence at account-opening for PEPs.

Cost of compliance

The rise in expenditure on AML in Europe has been greater than was anticipated in the 2004 survey with this year’s survey showing a gap of 10 percentage points between predicted and actual growth. European banks said that they expect growth in AML costs of 27% over the next three

years, despite recording growth of 58% over the past three years.

This average expected growth rate for Europe masks some significant variations between states, with larger countries reporting relatively low historic and expected future growth rates in costs. Of the five largest European countries in our survey (measured by GDP), France reported the highest expected increase in AML costs over the next three years (35%). The U.K. and Italy reported the lowest anticipated increase, with both reporting an average expected increase of 13% over the next three years.

Within Europe also, there were significant variations in approaches to outsourcing. Banks in only three countries currently outsourced some



EU Third Money Laundering

Directive

The approval of the EU Third Directive on Money Laundering 2005/60/EC (The Directive) represented a substantial commitment by EU member states to the introduction of measures to combat money laundering and terrorist financing across member states. The Directive enhances and updates the content of the First and Second Directives on the prevention of money laundering in EU states.

The Directive introduces a number of key measures which must be adopted by member states in their domestic legislation (and expands the regulated sector beyond financial institutions) including the following:

• The ‘risk-based approach’ – The Directive was the first to enshrine this concept within EU law. It also provides for flexibility in the application by banks of due diligence procedures which may be enhanced or simplified based on an assessment of a range of risks associated with the client;

• PEP due diligence – Banks, among other institutions in the regulated sector, are required to identify Politically Exposed Persons at the account-opening stage and to have in place appropriate measures do deal with such individuals;

• Identification of any ‘beneficial owners’ that are individuals who own or control 25% plus one share of a legal entity (or more).

The Directive’s implementation deadline is December 2007. Whilst some member states’ domestic AML regimes already include the provisions of the Directive, many require substantial enhancements to ensure compliance before the deadline and, as a consequence, application may be uneven in the period immediately after the implementation deadline (as was the case for the Second Directive).

Source: EU Third Money Laundering Directive (2000/60/EC)

of their AML functions: the Netherlands (33% of respondents), the U.K. (29%) and Italy (29%). We believe that some of this is likely to be the outsourcing of basic identification services (e.g. checking names and addresses against electoral rolls), rather than more substantial outsourcing.

AML policies and procedures

Reflecting the concentration of internationally active banks responding to our survey in this region, 94% of internationally active European respondents reported that their policies and procedures had a global dimension to them. European banks were divided equally between the two ‘global’ approaches to AML policies and procedures set out in our survey. Forty-nine percent of European banks stated that they had a global set of policies and procedures which they attempted as much as possible to implement consistently across their entire organization (a ‘global’ approach). Forty-five percent of European banks reported that they had a global AML policy, but that detailed procedures were set at a regional or local level (a ‘hybrid’ approach). European banks were significantly more likely than those in other regions to apply a global approach, reflecting the high-level and flexible nature of much European AML legislation.

Formal monitoring of AML systems

and controls

Only 70% of respondents in Europe say that they have a formal program for testing the effectiveness of AML systems and controls and, although this represents an 11 percentage point increase on our 2004 survey, it is lower than other regions. The cause of this is a comparatively low number of respondents in Germany and Switzerland

without a formal monitoring program, where banks appear to have responded to the question purely in terms of internal monitoring rather than reference to any statutory review work undertaken by their external auditors (a requirement in those two countries). If the European figures were adjusted for this, they would be broadly in line with other regions.

Risk-based approach to Know Your

Customer activity

Although several jurisdictions in Europe have implemented a risk-based approach, the term has particular resonance in the U.K., where it has been a feature of the regulator’s and industry’s approach to AML since as early as 2003-2004. Across the rest of the European Union, the EU Third Money Laundering Directive will result in the incorporation of this approach into the legislation of all member states. The Directive is significant in that it is represents the first attempt by a major country or region to give banks flexibility on how they assess and respond to customer risk.

Ahead of the implementation of the EU Third Money Laundering Directive in December of this year, 83% of the European banks surveyed say that they already employ a risk-based approach in their treatment of customers at the account-opening stage. A significant proportion of banks also had a remediation program in place (73%) that will enable them to perform risk-based monitoring of customer activity more effectively. The challenge for banks in the coming years will be to apply a risk-based approach to all customer monitoring, including transaction monitoring but also regular updating of KYC information as customer relationships develop and change.



Going forward, a significant proportion of banks in Europe will be providing services covered by the Markets in Financial Instruments Directive (MiFID), which imposes additional obligations on banks to collect information from customers on an ongoing basis. Although this information is intended to be used to ensure the suitability or appropriateness of services or products provided to customers, it may also have benefits or economies of scale in terms of KYC and ongoing monitoring. However, it is likely that the pressure to implement so many regulatory initiatives at one time (Basel/CRD, MiFID, EU Third Money Laundering Directive) will mean that some of the potential efficiencies may be over-looked, and much of the implementation of these initiatives may not be as comprehensive, robust or considered as banks would like.

Politically Exposed Persons

In 2007, 75% of European banks said that they consider whether a customer is a PEP for the purposes of conducting due diligence at account-opening stage, a marked increase on the 35% who claimed to do so in the region in 2004. The increase is likely to be a consequence of increased focus on PEPs in recent years and the increased focus on the issue during the EU Third Money Laundering Directive’s implementation phase. The challenge, as in other regions, however is to reconcile the many different interpretations of who is a PEP, and develop effective processes to identify and monitor PEPs on an ongoing basis.

Transaction monitoring

Sixty-five percent of European banks surveyed said that they use sophisticated externally developed IT systems to monitor transactions, which

respondents in the region believed to be the key factor in the rise in SARs over the past three years.

While there is generally no specific legal or regulatory requirement across Europe that banks implement an automated transaction monitoring system within their organization, monitoring is the key to the fulfilment of numerous other legal and regulatory obligations, such as sanctions screening, and assists in the implementation of a risk-based approach. The preamble to the EU Third Money Laundering Directive also states that it would be ‘appropriate’ for banks and larger financial institutions to have electronic monitoring systems in place. An effective system for transaction monitoring depends to a great extent on the information gathered at the account-opening stage but the process itself is not necessarily limited to procedures conducted at client on-boarding. In fact, the Directive requires regulated institutions to undertake ongoing monitoring of their client relationships to ensure that transactions on each customer’s account are in line with the bank’s expectations of the customer’s activity.

Transaction monitoring has taken on additional significance across Europe in light of recent terrorist attacks in London and Madrid and the potential ability of transaction monitoring systems to help identify patterns of behavior which correspond with established ‘typologies’ for terrorist activity. Nonetheless, terrorist financing still presents substantial challenges to banks across Europe because of the small value of transactions that may be associated with terrorism. Accordingly, enhanced transaction monitoring alone is unlikely to prove a solution to their

difficulties. There is a need for increased sharing of intelligence and information between the private and public sectors.

Training

Only 38% of European banks surveyed indicated that they provided training to 81-100% of their staff. This is in stark contrast to the 93% of U.S. banks claiming to do so and is below average for the survey as a whole. This seems to be a result of banks in the region taking a risk-based approach to training, with more emphasis on tailoring their training to the level of risk attached to specific staff roles within the business, for example by allocating additional resources to the training of customer-facing staff. By contrast, the high U.S. figure appears to be driven by the requirements of the U.S.A. PATRIOT Act 2001 which requires training of all relevant staff, and therefore CBT is an easy way to achieve this even if it is regarded as less effective than other methods (98% of U.S. banks use CBT, versus 80% of European banks).

As in other regions, it is likely that regulatory attention will increasingly focus on the overall effectiveness of training. In the U.K., this is already encapsulated in industry guidance (the JMLSG Notes) that have been endorsed by the U.K. regulator and HM Treasury. The Notes state that banks should not only obtain acknowledgement from the individual that they have received the necessary training, but should also take steps to assess its effectiveness.



Attitudes towards regulation

Our survey indicates that the majority of banks in Europe believe that their current legislative and regulatory burden is acceptable but that the content of existing legislation requires improvement if money laundering is to be effectively tackled in the region.

This broad support for the regulatory framework in Europe is likely to be attributable to the flexible, risk-based approach that has been incorporated into the EU Third Money Laundering Directive, as well as the degree of consultation that has taken place between the Commission, regulators and banks in writing the Directive.

Sanctions

A key step in countering terrorist financing has been the screening of individuals at account-opening stage

and on an ongoing basis against lists of individuals identified as having links to terrorist activity (in addition to those connected to other criminal or illegitimate purposes), along with screening of payments to/from these individuals. These lists are produced, among others, by the UN, the EU and domestic organizations such as the Bank of England in the U.K. and OFAC in the U.S.A.

Due to the number of global banks operating out of London, there has been increasing emphasis in the U.K. on the extra-territorial aspects of U.S. legislation and in particular the OFAC sanctions regime. These have presented both operational and technological issues for banks arising out of the need to screen customers against applicable sanctions lists and wide-ranging operational considerations

around ensuring that transactions being processed through the bank’s locations around the world are in line with relevant U.S. legislative requirements where applicable.

Outlook

With significantly greater flexibility arising from the EU Third Money Laundering Directive, it will be challenging for banks to determine how to embed an effective AML approach in their business while at the same time leaving a sufficient audit trail for the process whereby they have made decisions about the key AML risks and the suitability of controls to mitigate these risks. However, the Directive also offers a major opportunity for banks to enhance their AML controls.



European Union enlargement For example, under the EU Third Whilst safeguards are in place in On May 1, 2004, the EU welcomed ten Money Laundering Directive (‘the relation to these provisions, and much new countries to join the Union, Directive’): depends on how individual states expanding its membership to twenty- choose to implement the Directive, five states. The new entrants were • Banks are not required to identify new opportunities may be opened up Cyprus, the Czech Republic, Estonia, customers that are regulated for money launderers to gain access Hungary, Latvia, Lithuania, Malta, financial banks other than confirming to the financial system in countries

that they are in fact regulated. Poland, Slovakia and Slovenia. On that have not had time to adapt to and January 1, 2007, two additional states • Banks may be entitled to rely on implement the Directive in full, and joined, Bulgaria and Romania. regulated third parties for then to move funds into more reputable

identification and verification, including financial centers. Some banks may be This poses additional AML risks for entities that are not in the regulated particularly vulnerable to these risks if banks operating in the EU. Many of the financial services industry, but are their internal procedures are based on countries joining the EU have not nevertheless covered by the Directive the assumption that EU banks are low historically had stringent AML processes (e.g. lawyers, accountants, estate risk, and accordingly apply less scrutiny

agents, money service businesses, in place, and although their admission to to these relationships.

or other high-value dealers). the EU requires them to comply with EU legislation, it is likely that it will take time • Banks do not need to apply As well as changes to the legal fabric for these countries to adapt. The enhanced identification procedures of the EU, enlargement has clearly regulatory framework in many of these to non face-to-face customers also engendered changes in the real countries is also believed to be less well where the initial funds are economy, including greater cross-developed, meaning the practical transferred from an account held in border trade and migration into and application of AML standards may have the customer’s name with another from the accession states, which has

EU bank.been inconsistent in the past. in turn led to new banking products

• In the context of non face-to-face with unique AML risks. The existence The challenge with this is that many transactions, banks can rely on the of greater volumes of legitimate legal provisions in EU law are predicated fact that initial funds are transferred payments to and from countries that upon the assumption that the same into a new customer account from would otherwise have been regarded regulatory standards have been an account held in the customer’s as potentially high risk may also make consistently implemented and enforced name with another EU bank, where it harder to identify any illegitimate across the EU. Until this is the case in they would otherwise have to apply flows.

the more demanding identificationreality, however, the financial system is procedures that apply to other high-potentially more vulnerable to money risk customers. As with emerging markets, those laundering. In particular, it may open up operating in the enlarged EU need new opportunities for money launderers • The enhanced due diligence that to approach AML sensitized to the to move money into the financial applies to correspondent banking potential risks involved and construct system in accession states and across relationships does not apply where AML programs accordingly. into more developed financial systems. the correspondent is another EU

credit institution.




North America

Role of senior management

Our survey indicated that only 63% of respondents in North America felt that AML issues were a high priority for senior management. This response is surprising in the light of the volume of legislation on this issue and the profile of AML and CTF issues in the region. It is also unexpected because of the number of high impact AML-related enforcement actions in the region, and the substantial personal liability and criminal sanctions senior staff in North America can be subject to for violations of AML and CTF legislation and regulations. One possible explanation for this is that some banks have hired relatively senior executives to AML roles (often as a response to the new regulatory environment) and senior management may feel that they are entitled to delegate in full to these AML staff and do not need to have ongoing engagement in the implementation of their bank’s AML strategy. This may help to explain the comparatively low

AML is high on the agenda North America’s legal and regulatory landscape for AML is dominated by the Bank Secrecy Act, the U.S.A. PATRIOT Act 2001, and the application of the OFAC sanctions regime. These have extended U.S. jurisdiction beyond the limitations of national borders and have, as a consequence, had an impact on banks around the world.

score for the North American region at a time when a wide range of factors would otherwise have suggested AML would be a high profile issue for senior management.

Cost of compliance

North American banks have seen the highest percentage rise in expenditure of any region in the survey over the past three years (71%), much of which, banks tell us, has been directed at improving transaction monitoring. It is expected that expenditure will continue to grow in this region though respondents predict that the pace of growth will slow, despite banks having significantly under-estimated what the growth in costs would be in our 2004 survey. For many banks the anticipated slowdown in costs is likely to reflect the fact that they believe they have already implemented the basic architecture for AML that was required as a result of the U.S.A. PATRIOT Act 2001.


In the U.S. case, it is apparent that all internationally active banks have a global component to their policies and procedures, reflecting the need to implement the extra-territorial components of domestic legislation on a global basis, including OFAC requirements.

Formal monitoring of AML processes

The U.S.A. PATRIOT Act 2001 identifies four pillars of requirements to be met by covered institutions, one of which is the requirement that banks have an independent system for testing AML systems and controls. Ninety-three percent of banks surveyed in this region say that they have a formal monitoring system in place, which implies that seven percent of the banks in our survey were not in compliance with U.S. statutory requirements. This is supported by the fact that nine out of ten regulatory enforcement orders in North America cite a lack of independent testing as a specific failing.



U.S.A. PATRIOT Act 2001

The U.S.A. PATRIOT Act 2001 amended the Bank Secrecy Act in response to the 11th September 2001 terrorist attacks in the U.S. The U.S.A. PATRIOT Act 2001’s purpose is to strengthen U.S. measures to prevent, detect and prosecute international money laundering and terrorist financing.

Specifically, the U.S.A. PATRIOT Act 2001 consolidated and amended AML requirements in the U.S., with the effect that banks must develop a written AML compliance program that includes the following four key pillars:

• the development of internal policies, procedures and controls;

• the designation of a compliance officer;

• an ongoing employee training program;

• an independent audit function to test the program.

The U.S.A. PATRIOT Act 2001 also requires that an institution's due diligence for international private clients includes steps to identify the source of funds and the purpose and expected use the account. The Act also requires heightened due diligence with respect to foreign PEPs. In addition, although there is no mandatory requirement to identify domestic PEPs or identify the source of funds for U.S. private clients, there is a strong regulatory expectation that banks should do this.

In addition, section 311 of the U.S.A. PATRIOT Act 2001 provides the U.S. Treasury with the ability to determine that a foreign jurisdiction or institution constitutes a ‘primary money laundering concern’ and to impose ‘special measures’ with respect to such jurisdiction, institution(s), class(es) of transactions, or type(s) of account(s).


Customer activity

In line with the average for the survey as a whole, 83% of North American banks say that they apply a risk-based approach at account-opening stage.

Eighty percent of banks have a system in place to remedy gaps in KYC information held for existing customers, up by only one percentage point from the 2004 survey. Of the North American banks that have a remediation program in place, there are a mix of approaches taken to the exercise, with 38% only gathering new KYC information when the customer transacts new business or opens a new account, 28% taking a risk-based approach, and 25% reviewing all of their customer base. This reflects a slight shift towards using a risk-based approach since the 2004 survey.

During the three years since our last survey, we have seen a significant increase in the U.S. in transaction “look-back” reviews, with U.S. regulatory authorities putting greater emphasis on the review of the bank’s past transaction history over and above attempts to remediate gaps in KYC information (the latter being an area of focus for European regulators).


The identification of foreign PEPs is one of the key requirements outlined in the U.S.A. PATRIOT Act 2001. There is also a strong regulatory expectation that banks would identify U.S. domiciled PEPs. As such, it is a high priority for banks in the U.S.A.. Across the whole of North America, 98% of banks said that they had specific procedures in place to identify and monitor PEPs.


The majority of banks surveyed in North America indicated that increased transaction monitoring activity had been a key factor in rising AML costs in banks across the region. Measured against other regions, North American banks were more likely to rely on externally developed IT systems to carry out transaction monitoring (83% of banks reported using these). Potentially as a consequence of higher investment in IT, 42% of internationally active banks in the region said that they were able to monitor one customer’s transactions and account status across multiple countries, more than any other region surveyed.

Banks in the region reported the highest increase in the number of SARs, both in our 2004 and 2007 survey. Over 63% of respondents in North America said that the number of SARs they had filed had increased 'substantially’. U.S. banks appeared to have significantly higher levels of satisfaction with their domestic FIU (FinCEN), with over 30% saying FinCEN was particularly good at providing feedback. Despite this, few respondents linked the rise in SARs to better feedback and interaction with the FIUs.

Training

North American banks show a significant commitment to providing AML training for their staff, with 93% saying that they provide AML training to more than 80% of their employees. It appears that one of the key drivers for this focus on training is the U.S.A. PATRIOT Act 2001 and its requirement that regulated financial institutions operate an ongoing training program for all relevant employees.

Source: U.S.A. Patriot Act 2001



Around a third of respondents from North America said that they felt that computer-based training was the most effective method of delivering training, more than in any other region. This may be because of the broad geographical coverage that CBT can provide, the ability to communicate a consistent message, or an economic response to a statutory requirement to train all relevant staff (i.e. CBT is the easiest way to get complete coverage of all relevant employees, and keep track of the training they have received).


The compliance environment in the U.S. places significant and detailed requirements on regulated institutions. From the Sarbanes-Oxley Act 2002 to U.S.A. PATRIOT Act 2001 to the Foreign Corrupt Practices Act 1977, U.S. institutions are under increased pressure to ensure that their systems and controls are capable of dealing with an increasing regulatory burden. These legislative requirements relate not only to domestic business in the U.S. but also to their overseas subsidiaries, branches and personnel. The burden of legislation is now felt to be excessively onerous by a significant proportion of banks, with 18% saying that AML requirements in their country were unacceptably onerous and should be reduced. Only 12% of those surveyed in 2004 believed this to be the case.

Sanctions

The U.S.A. Office of Foreign Assets Control administers the U.S. sanctions regime and recent history has witnessed significant regulatory enforcement actions and fines specifically targeting OFAC violations. This has included fines being levied with respect to activity that occurred mainly offshore but the transaction touched the U.S. or involved a U.S. person.

In addition, industry best practice dictates that institutions in the U.S., particularly those doing international business, as well as U.S. institutions abroad, screen transactions and customers against other lists, such as those issued by the UN, and the U.S. State Department.

The scanning of both transactions and customers against these lists is a resource intensive exercise. Unlike transaction monitoring where activity is monitored, alerts investigated, and reports made -- if necessary -- after the fact, sanctions scanning or filtering is done in real time. Transactions stopping in filters must be investigated on the spot and rejected or blocked if any true "hits" are identified, with reporting required in short order. Violation of OFAC provisions can carry strict liability penalties, and repeat violations can bring about enforcement actions.

Knowing one’s customer is critical in the area of sanctions scanning. For example, institutions must not only understand named account-holders, but also authorized uses or signatories. In the case of institutional clients, signatories, owners, large shareholders, and management must also be considered.

Outlook

Significant legal and regulatory pressure in the North American region has created a more challenging AML landscape over the past three years, particularly in the U.S.. Changes initiated in 2001, with the U.S.A. PATRIOT Act, have taken time to influence the AML strategies and controls of banks and other financial institutions, both inside and outside the U.S.. With ongoing debate about the future direction of U.S. regulation and regulatory enforcement (principles versus rules), it will be interesting to see if governments, regulators and law enforcement are ready to move towards a more flexible approach to AML. It is likely, however, that ongoing concerns - particularly in relation to terrorist financing and sanctions enforcement - mean that there will not be any substantial or practical easing of the regulatory burdens faced by U.S. financial institutions in the short term.




Asia Pacific (ASPAC)

A work in progress With many countries in the region in the process of developing and introducing new legislation or strengthening existing legislation, we can expect to see considerable investment in AML over the next two to three years. These legislative and regulatory changes will see a move away from rules-based requirements toward a more risk-based approach and this is likely to result in challenges for banks and regulators.


Our survey results show that over two thirds of banks in this region consider AML issues to be high priority for senior management, an increase from 49% of respondents in 2004. We believe that this increased emphasis on AML issues is a recent development. In addition, respondents warned that many banks in the region considered AML to be ‘just another compliance issue’ which brings costs but no tangible benefit to financial institutions.

Cost of compliance

Banks in this region claim the lowest increases in spending on AML in the three years since we conducted our last survey, and are anticipating future growth that is in line with the global average. This may be considered surprising in light of the proposed or

recent AML legislation introduced in a number of ASPAC states including Japan, Korea and Singapore. As a consequence of these new requirements, it seems likely that institutions will undertake additional expenditure in relation to AML training, transaction monitoring and the implementation of appropriate systems and controls. In Australia, the costs of complying with its recently introduced new legislation are expected to be substantial and we understand that senior management are questioning whether sufficient commercial benefit can be derived from this expenditure to justify the cost.


AML legislation and regulations currently in place in Europe and the U.S. are having a growing influence in this

region as multinational banks increasingly apply global policies modeled on the European and U.S. requirements.

The approach to the implementation of AML policies and procedures does vary across the region. In India, for example, banks with a more global presence tend to apply their home market requirements as a minimum standard for overseas branches and make additional provision for any local requirements which are in excess of that minimum standard.

Banks from Pakistan, on the other hand, would be more likely to follow overseas requirements. For example, some of Pakistan’s largest banks use U.K. AML policies and procedures for some of their overseas branches.



This position is likely to change over time. There is a real desire in India to try to meet the various requirements of the main international regulators. To assist in this process, the Reserve Bank of India is currently establishing AML regulations in line with this. Pakistan, as a whole is also fast improving its own local AML legislation and regulations in response to increasing pressure from international regulators (the U.S. in particular) and by the close of 2008 Pakistan is aiming to have its own stringent set of standards in place. Another key driver of Pakistan’s reform program is the desire to be seen to be taking a stand against money laundering and terrorism.


and controls

Overall, 79% of banks in ASPAC say that they have a formal AML monitoring program in place, with respondents indicating that compliance often plays a more direct role in the process than elsewhere in the world. In Australia, for example, compliance are usually responsible for AML monitoring, while designated crime and fraud departments carry out internal investigations. Australia’s new AML legislation has, like the U.S.A. PATRIOT Act 2001, introduced a requirement that banks undertake independent monitoring of AML systems and controls but it is not yet clear where the responsibility for this independent monitoring will lie.


Customer activity

In many of the countries in this region, with the exception of Australia, legislation tends to be rules-based. There is, however, a move across the region toward the application of a risk-based approach, as various countries upgrade their AML regulatory standards.

In spite of this predominantly rules-based approach to AML in the region, 87% of respondents said that their banks applied a risk-based approach at client take-on.

Despite the real challenges in the maintenance of customer records on an ongoing basis, our survey indicates that less than two thirds of respondents in ASPAC have a program to remedy gaps in their KYC information, the lowest percentage recorded for any of the regions surveyed. For the 36% of ASPAC banks that did not have a remediation plan, 47% said that they did not have one because they had no deficiencies in their KYC data. Twenty-nine percent of these respondents said that they did not have a remediation plan in place because of the absence of legal or regulatory pressure to do so.

New legislation across the region aims to ensure that banks will be doing this in future although there are specific regional and cultural issues which may prove a barrier, including the risk of offending clients with requests for additional information.


The concept of applying heightened due diligence standards to PEPs is a new one across much of this region, and for that reason it is not surprising that considerably fewer than half of responding banks sought to identify and monitor PEPs on an ongoing basis, less than in all other regions in our survey. Certain countries within the region face specific problems in relation to the practical application of this concept in the context of their clients. In China, for example, as in Russia, the line between business and politics is often blurred thus making the task challenging.


Many of the banks in this region are used to working to quite specific rules for monitoring transactions and as a consequence are likely to respond slowly to the introduction of a more risk-based approach. The results for the region show comparatively less transaction monitoring than elsewhere in the world, with particular reluctance to purchase externally developed IT monitoring systems. As a result of potential under-investment in IT, only 9% of internationally active banks in the region said that they could monitor one customer’s transactions and account status across multiple jurisdictions.

There has been a rise in SAR reporting across the region, with 69% of respondents reporting some level of increase in the number of SARs they have filed.

Training

Respondents across ASPAC tell us that training in many parts of the region is relatively unsophisticated, reflecting outdated legislation and lack of regulatory pressure. Seventeen percent of respondents indicate that they provide training to less than 40% of their total staff. In addition, in countries such as India and Pakistan, although it is common for banks to provide training that meets the minimum regulatory requirements, the quality of some of the training taking place in the region might need to improve to bring it up to international standards. Training is, however, assuming greater importance in countries like Australia, where new legislation means that banks will be required to demonstrate to regulators that their staff have been adequately trained under a risk-based approach.




Our survey results showed broad-based support for AML legislative frameworks in ASPAC, with no respondents in the region saying the regulatory burden was too onerous. Forty-seven percent of all respondents said that the AML requirements in their country were adequate and that no change was necessary (the highest of any of the regions we surveyed). Even so, an equal number of banks said that regulators in the region could focus their requirements more effectively in order to combat money laundering (47% of all respondents). There appears to be a generalized belief across ASPAC that the regulators could communicate more regularly with banks, sharing the outcomes of SARs and new money laundering typologies, and thus helping to spread industry best practice.

The legislative process in ASPAC is less consultative than in other regions. However, the introduction of new AML legislation in Australia indicates a move towards a more consultative approach. This legislation was drafted in partnership between the industry, the Attorney General’s department and the AML regulator.

Sanctions

In line with many other regions, a number of banks that are foreign filers with the SEC have been criticized or disciplined by U.S. regulators. This has raised the level of awareness about the extra-territorial impact of U.S. requirements, and focused management’s attention on ensuring that effective sanctions policies and procedures are in place.

Outlook

AML is clearly moving up the corporate agenda for banks in the ASPAC region. As the countries in this region review and upgrade their legislation and regulatory requirements to bring their AML regimes into line with global practice, there will be considerable investment in AML and greater harmonization of requirements among these countries. Global banks have a very important role to play in this process, as their experience in other parts of the world will be important in shaping the AML environment in the region.




Central and South America and the Caribbean


The results of our survey indicate that senior management considers AML to be a high priority in this region, with 88% of respondents confirming that this is the case within their own institutions. This represents virtually no change from the response in 2004. This sustained interest in AML issues affecting banks in the region may well be a consequence of recent regulatory enforcement actions in which a lack of senior management oversight has been specifically singled out as a weakness within the institution. In some instances, the entire board of directors of some institutions have been replaced as a result of regulatory action related to AML, and this has helped to focus senior management’s attention on the issue.

Cost of compliance

Banks in the Central and South America and Caribbean region anticipate high growth in future AML costs, with an average expected growth rate of 42% over the next three years. This is despite

In the shadow of the U.S.A. Banks in Central and South America and the Caribbean are, through trade and financial links, closely bound to the U.S. and have been impacted by the extra-territorial effects of U.S. legislation. Banks in the region reported greater AML investment than ever before in order to meet the higher standards expected of them.

already strong growth since our last survey. Banks in the region attributed the rise in costs to increased expenditure on transaction monitoring and training, perhaps in response to increased pressure from U.S. regulators. A third of our respondents had responsibility for global or North American operations, and many other banks in the region have correspondent banking relationships with the U.S.. These links to the U.S. are believed to have been influential in increasing focus on AML training in the region. This is reflected elsewhere in our survey, with banks in this region rating OFAC rules as the most significant impact on their institution with the exception of local legislation and regulations. The banks currently face increased burden not only to indirectly “comply” with U.S. but also with EU legislation and regulations. While this in the short term increases the cost of compliance, in the long term, financial institutions in this region will be well suited to preserve their global competitiveness, while satisfying

regulatory demands not only in their home countries, but within other world financial markets as well.


Banks in the region showed a slight increase in the number of banks seeking to use a global AML policy across their entire organization. The number of banks reporting that they develop policies and procedures at a global level and implement them consistently worldwide, increased by 18 percentage points, and now account for 38% of all banks in the region. This is likely to reflect the U.S. influence, as well as the fact that banks in the region are in an early stage of the development and implementation of AML policies and procedures. The percentage increase can most likely be attributed to a number of enforcement actions in the U.S. and EU that are being used by banks in the region as guidelines in order to avoid similar costly enforcement actions.




and controls

All banks in the region reported that they had a formal program for testing the effectiveness of their AML systems and controls (the only other region to report this was Russia & CIS). However, several banks have voiced concerns about regulatory expectations regarding the requirements for testing the effectiveness of their automated AML monitoring systems, and the lack of regulatory guidance in this area.


Customer activity

Along with the majority of respondents to our survey, many banks in this region say that they use a risk-based approach at account-opening and that they consider the two most important factors for risk assessment to be the nature of the customer’s business and whether the individual is a PEP.

A relatively high percentage of banks in the region have a remediation program in place to fill in gaps in their KYC information for existing customers (83% of respondents). This has increased by 10 percentage points from the 2004 survey, although the key change since this time is a growing emphasis on the use of a risk-based approach to remediation. In our last survey, 100% of respondents with a remediation program said that they were doing so across their entire customer base. This year, only 40% of respondents were in this situation, with the majority of the remaining banks using a risk-based approach.


Most respondents in this region, 83% of those surveyed, said that they had a

procedure in place for identifying and monitoring PEPs. Regional factors, such as a history of political corruption, are likely to have influenced the high profile that this issue has in the region. The majority of jurisdictions in the region require banks to identify both foreign and domestic PEPs, which exceeds the requirement in the U.S.A. PATRIOT Act 2001 to identify foreign PEPs only.


Respondents in the region noted transaction monitoring as one of their two most significant areas of investment, although the majority of banks in the region said that they were satisfied with the systems that they had in place (more so than any of the regions surveyed except Russia and the CIS).

Banks in the region also said that improved transaction monitoring was the most significant driver of increased numbers of SARs and claimed a relatively high degree of functionality for their IT, with 38% of internationally active banks in the region saying that they could monitor a single customer’s transactions and account status across multiple jurisdictions (only the North American banks did better than this, with 42% of banks making the same claim).

The high results for this region and the U.S. is not surprising given the high degree of U.S. regulatory influence in the region and the banks’ ability to adapt and mirror their processes in line with U.S. regulatory expectations. However, transaction monitoring cannot be viewed in isolation, and many respondents commented that their transaction monitoring efforts could be improved by

conducting and continuously updating:

• a comprehensive assessment of the banks’ products and product groups in order to determine the risks certain products and product groups pose for money laundering and terrorist financing;

• a full analysis to understand the universe of all transaction-types that the institution uses;

• a comprehensive assessment to determine the risk the customer base poses for money laundering and terrorist financing.

Training

The proportion of staff at banks in this region that are given AML training was relatively high, with 71% of banks saying they had trained 81-100% of their staff in the past two years. This emphasis on AML training may be attributable to the impact of U.S. legislation, specifically the U.S.A. PATRIOT Act 2001. However, rather than conduct tailored training courses, many institutions choose to give every relevant member of staff the same level of basic AML training so as to satisfy both local and U.S. regulators. With some of the large banks having tens of thousands of employees, this is a pragmatic approach to meeting compliance needs, but is only the first step toward implementing a robust and comprehensive AML training program that takes into account the different lines of businesses and AML risks across the bank.


Banks in the region, in common with those across the survey, say that the biggest influence on their AML policy and procedures is their domestic legislation and regulation. However, U.S. legislation is the next most commonly cited influence on AML



policy, reflecting the close commercial and financial ties between the U.S. and Latin America, and the correspondent banking relationships that underpin these relationships. Banks in this region are currently experiencing a certain level of “double” regulation, both by domestic regulatory bodies and indirectly by U.S. legislation. One of the most commonly cited concerns of banks in this region is the lack of overall harmonization of regulations between the U.S. and domestic regulations. Banks have cited numerous efforts being conducted by trade associations in order to achieve a greater level of harmonization between domestic and U.S. regulators, while preserving the integrity and soundness of the entire Americas financial markets.

Sanctions

In the area of sanctions compliance, the extra-territorial effects of U.S. law have been particularly prominent, because of the close trade and financing links between the region and the U.S., banks reported particular vigilance in updating their information on principals for the purposes of sanctions screening and monitoring (83% of banks reported they did so on an annual basis). Similar to the challenges banks are experiencing in the area of transaction monitoring, the U.S. influence is significant, leading to amendment of AML compliance programs to take account of this.

Outlook

With ongoing U.S. and international pressure, banks in the region are likely to continue to enhance their AML processes in line with the evolution of practices in the U.S. and elsewhere. Whilst this can raise operational issues and costs, it will make it easier for banks in the region to carry on business internationally and access overseas markets, and this is increasingly important at a time that the majority of emerging markets are going through unprecedented economic growth and internationalization of capital flows.




Russia and the Commonwealth of Independent States


Ninety-five percent of the banks that we surveyed in Russia and the Commonwealth of Independent States (CIS) claim that senior management consider AML issues to be high priority. This is the highest proportion of banks in any of the regions in our survey. This may, to some extent, be a result of the sample of banks which responded to our survey in this region, which tended to be the largest banks in the region, and therefore may have a higher focus on AML, but also reflects the large number of banks that have lost their banking license for AML-related reasons. Since the start of this year, 22 financial institutions in Russia have lost their banking license; in 20 instances, failure to comply with AML requirements was one of the cited reasons. Sixty financial institutions had their licenses revoked in 2006, with AML being cited in 57 instances.

A focus on rules rather than principles The AML environment in Russia continues to be highly formal, with an emphasis on strict adherence to rules, and regulatory pressure to adopt AML best practices. At the same time, there are grey areas in Russian AML requirements, leading to demands for the regulator to provide clarity over requirements, particularly where AML deficiencies have resulted in revocation of banking licenses.

Cost of compliance

Our survey suggests that AML expenditure in this region has risen by 60% since we conducted our 2004 survey, six percentage points higher than the predictions these banks made in our 2004 survey. The region also reported the highest expected rate of growth for AML costs over the next three years, with banks expecting on average a 53% increase in costs over this period. While expenditure has undoubtedly risen, this appears to have been from a lower initial base.

AML compliance functions in Russian banks tend to be smaller than in other regions, but are well trained and experienced, reflecting the need to have local knowledge in an environment where AML requirements are not always clear in practice and information is not as readily available as in some other jurisdictions.

There are ongoing and widespread efforts by banks in the region to recruit new people with relevant AML experience.


The percentage of internationally active banks in this region indicating that they develop and implement policies and procedures at a global level is 69%, a relatively high percentage compared to other regions. This is likely to reflect regulatory pressure on AML compliance, with banks seeking to demonstrate a comprehensive and thorough approach through global AML policies.


and controls

Of the banks surveyed in this region, 100% stated that they had a formal program in place to test the effectiveness of their AML systems and controls (up from 93% in 2004).



As for other high results in the region, this is likely to reflect ongoing regulatory pressure and an environment of heightened sensitivity to AML issues.

The majority of monitoring and testing of AML systems and controls is carried out by internal audit, with 95% of respondents saying internal audit had a role in this activity (against 43% saying compliance were involved). Many banks also have a separate AML function, which is required under CBR regulations to be independent. Some banks have started to add a separate compliance function, but for the time being most monitoring of AML systems and controls is carried out by internal audit.

Risk-based approach to KnowYour

Customer activity

Ninety-five percent of respondents from Russia and the CIS say that they employ a risk-based approach at account-opening, with most banks stating that the nature of the customer’s business is the most

important factor in assessing AML risk. This represents a slight but not significant increase on the 2004 results. The results are driven by the CBR regulatory requirement to assign a risk level to each customer, with specific rules on how this should be done (including the nature of the customer’s business, among other factors). Many banks in the region employ security professionals to assist them in identifying customers, finding out about their background, and/or following up potentially suspicious transactions.

One hundred percent of banks in the region also reported that they had a remediation program in place to fill in gaps in the KYC information they held on existing customers (the highest percentage of any of the regions we surveyed). This result represented no change from the 2004 survey, suggesting that remedial programs are taking a long time to bring to completion. Since our last survey, banks appeared to have changed the approach they were using in their

Figure 31

remediation efforts. There was less reliance on a risk-based approach, and greater tendency to review their entire customer base.


Current legislation and regulation in Russia/CIS does not require that banks identify PEPs or have measures in place to deal with them. The CBR is, however, currently considering the introduction of legislation which will require banks to do so. The enhancement of requirements relating to PEPs is in response to the recommendations of FATF and the Wolfsberg Group.

Despite the absence of regulatory or legal requirements to identify PEPs, 69% of banks within the region say that they do so. This is believed to be driven by a wish to improve their reputational standing internationally, and to enable correspondent banking relationships to be maintained with banks operating in regions, such as North America and Europe.

Respondents’ approach to remediation within the Russia/CIS region




While these are positive steps for institutions in this region, the political and cultural environment in Russia will undoubtedly continue to present challenges to banks of all sizes and areas of coverage. Specifically, the grey area between politics and business in the region will require banks to be vigilant, use judgment, and continue to review and update their PEP policies and procedures.


Banks in this region say that they use a broad range of methods to monitor transactions, with most banks reporting they use the full range of monitoring techniques to some degree. In addition, respondents reported wide use or development of sophisticated IT systems to assist in the automation of monitoring processes, with 100% of banks saying they currently use internally developed systems for this. This is believed to reflect regulatory pressure to do so.

In contrast to most other regions, our survey did not identify a significant increase in the number of SARs reported by banks in Russia & CIS. Only 21% of respondents reported a ‘substantial’ increase in SARs, which is half the global average (42% of global respondents reported a ‘substantial’ increase in SARs). This is likely to reflect reluctance among banks to over-report SARs in an environment where this might be interpreted by their regulator to be a sign of problems in the client base or KYC controls of the bank.

Training

Eighty-six percent of banks surveyed in this region said that they provided training to more than 60% of their staff, which is slightly above the average reported for all regions. Respondents reported greater usage of CBT than in our last survey, possibly

reflecting the relatively small size of compliance departments and therefore a lack of qualified AML staff to carry out face-to-face training. It has been observed that training programs can be formulaic at present, although there is growing recognition of the need to focus on effectiveness of training.


The majority of respondents in this region were broadly supportive of their regulatory regime, saying the burden of AML compliance was acceptable. Sixty percent of respondents, however, said that their regime needed to be better focused in order to combat money laundering more effectively. In Kazakhstan, recognizing this was a small number of banks overall, the majority of respondents said that they would like governments to increase the level of regulation applicable to banks in the region, perhaps indicating a lack of government focus on the issue.

A particular dimension to AML in the region is that much of the illegal activity in the region is not connected with the placement of cash into the financial system, but the reverse. It can be the process of making illegal encashments, in which money held in bank accounts is converted into cash which can then be used to pay ‘black’ salaries (without tax being withheld, or the income declared to the tax authorities) and/or corruption payments. The majority of banking licenses that have been revoked on AML grounds have typically been connected to encashment schemes rather than conventional money laundering. The legislation against encashment is not regarded as being particularly effective in its implementation, with the CBR recommendations perceived as the main source of rules and enforcement in this area.

In terms of the impact of legislation and regulations, respondents in this region cited domestic legislation as having the greatest impact on their business as did banks from most other regions. Perhaps because of a relative lack of established guidance on AML issues and practical implementation from domestic regulators or the slow pace of legislative change, banks in Russia and the CIS listed the Wolfsberg Group’s guidelines in second place in terms of impact on their AML policies and procedures. U.S. legislation and regulations are relatively less important in this part of the world, the exception being those banks wanting to begin or maintain correspondent banking relationships with North America.

Sanctions

Sanctions compliance has become more of a significant issue in the region since the U.S.A. PATRIOT Act 2001 came into effect, with significant repercussions for banks that have correspondent banking relationships with U.S. banks. Given the common usage of shell companies in the region, the overwhelming majority of banks (95%) have procedures in place to update their information on the principals behind such structures in order to assist in ensuring ongoing sanctions compliance.

Outlook

With continued regulatory pressure on AML compliance, and high inherent risks of money laundering, banks will need to be vigilant in ensuring their AML controls remain in line with regulatory expectations and international practices. There are clear and significant legal and reputational risks for banks that do not focus sufficiently on developing, implementing and monitoring a robust AML strategy.




Middle East and Africa

Role of senior management

Across the region, our results show a lower than average prioritization of AML issues at senior management level with only 54% of banks believing AML to be a high profile issue for senior management. In 2004, our results demonstrated a substantial divide in responses from institutions in this region between Africa and the Middle East, with 88% of Middle East respondents indicating at that time that they believed AML to be a high priority issue compared with just 50% of respondents in Africa. This year, the position is reversed, with 78% of

Figure 32

Africa – Profile of AML at senior management level

Seeking more guidance Our results show that attitudes to AML regulation vary greatly between countries across this region, although common themes are the need for a more consultative approach by governments and regulators, and a general feeling among all respondents that greater clarity of direction is required on AML policy in future.

African respondents saying it was laundering is an issue which has only a high profile issue, and only 41% recently begun to be addressed by of Middle Eastern banks saying so, senior management. This appears to be with 47% citing moderate profile. a response to the increase in perceived

AML risks and/or external pressure In the Middle East, strong economic from countries, such as the U.S.. growth and wealth creation are likely to have increased the inherent AML risks, Cost of compliance

and therefore it is surprising to see AML The Middle East and Africa region apparently slipping down senior experienced the second highest management’s agenda. percentage increase in AML costs over

the past three years, with banks In Africa, our survey showed an reporting an average increase in costs increased profile for AML at senior of 70%. It is important to note, management level. With the exception however, that this increase has been of South Africa and Nigeria, money from a low base, reflecting the relatively

Figure 33

Middle East – Profile of AML at senior management level

High profile

Moderate profile

Low profile

High profile

Moderate profile

Low profile

2004 Survey 50% 40% 10% 2004 Survey 88% 12% 0%

2007 Survey 78% 22% 0% 2007 Survey 41% 47% 12%

Source: KPMG International, 2004 and 2007 Source: KPMG International, 2004 and 2007



recent increase in interest in AML issues at senior management levels. Much of the increased expenditure has been focused on investing in the enhancement of customer information held on bank databases. This is due in part to the specific regional challenges faced by banks in obtaining customer information at account-opening because of a range of diverse factors, e.g. the lack of publicly maintained records in countries such as Malawi, Tanzania and Angola.

Training has also been an area of focus for investment across both the Middle East and Africa but in the Middle East, the secondary focus has not been the updating of customer information but rather greater investment in the enhancement of transaction monitoring capabilities. Our results also suggest that increased costs are attributable to more external reporting, with two thirds of the African banks surveyed indicating that this had had a ‘very strong impact’ on costs. Respondents in the Middle East were less emphatic about the impact of external reporting on their overall AML costs.


Only 29% of internationally active banks in this region claim to develop and implement policies at a global level. A significant proportion of banks rely on policies and procedures designed at a local level. Whilst these can take into account local sensitivities and cultural issues, they also appear to be driven by a reluctance among banks to suffer the competitive disadvantages of voluntarily applying higher AML standards in their overseas branches than is required by local law.


and controls

The majority (81%) of respondents from the Middle East and Africa say that they have a formal program in place to test the effectiveness of their AML systems and controls. The quality of some of this monitoring can be called into question, however. There is a high degree of reliance on internal audit to carry out independent testing, and doubts as to whether internal audit have sufficient experience and knowledge to carry out this testing effectively. In addition, our member firm’s experience is that internal audit reviews, in many cases, only take place infrequently and some time after the event. This highlights the need for compliance to become more engaged in undertaking regular reviews of systems and controls.


Customer activity

Eighty-nine percent of the banks surveyed in this region claim to adopt a risk-based approach at the account-opening stage, with only two banks in Africa and one in the Middle East saying that they did not make any assessment of customer risk at the inception of a customer relationship. However, whilst a risk-based approach may be integrated into policies and procedures, it is often the case that banks experience real challenges in implementing these in practice.

Client risk assessment can be a difficult process within the region due to the specific challenges faced by banks operating here. In Mozambique, for example, limited sources exist against which company ownership information can be verified, making a flexible approach to client risk difficult to achieve. Across the whole region,

reduced access to IT can prove a challenge.

In addition to these practical issues, cultural practices can also present challenges to institutions in this region, particularly in relation to the gathering of customer information and specifically in the Middle East, where customers may in some cases view banks’ requests for additional information as intrusive or offensive.


The Middle East and Africa survey group covers a broad spectrum of political regimes which can, in addition to the cultural challenges in the region, present specific challenges for financial institutions in employing a risk-based approach at the account-opening stage. This is particularly true in Africa where it may, for example, be difficult for an institution to refuse to enter into or indeed to exit a PEP relationship where to do so may attract personal risk to bank staff.

Despite these difficulties, 89% of respondent banks across the Middle East and Africa say that they have specific procedures in place for identifying and monitoring PEPs perhaps indicating a more formalized approach being adopted.


Banks in the Middle East and Africa, like other regions, are heavily reliant on staff vigilance to combat money laundering throughout their banks. The significance and potential impact of staff awareness is heightened in this region, however, by the lower level of investment in transaction monitoring systems. Greater investment in automated processes may well make the task



of monitoring transactions more manageable and effective in this region, although experience indicates that this will not necessarily reduce costs; it may only result in the diversion of resources to reviewing and reporting a higher volume of suspicious transactions.

Banks in the region reported an increase in the number of SARs they had filed, with 50% saying the number had increased substantially (the average for our survey was 42%). Banks attributed the increase to improved monitoring, enhanced account-opening procedures, and better staff training.

Training

Seventy-five percent of banks across the Middle East and Africa said that they had provided training to more than 60% of their staff over the previous two years, which is in line with the average for our survey. This represents an increased amount of training since our 2004 survey (in which the comparable figure had been 56%).

It is not easy to measure the effectiveness of staff training delivered by institutions in this region. Banks generally favor face-to-face training over other methods such as computer-based training. This is perhaps due to the relatively limited access to technology in some areas and particularly across Africa, and thus the increased coverage that face-to-face training can provide.


Respondents in this region had mixed views on AML regulation, with a relatively high proportion of banks (35%) saying that AML requirements should be increased, even if this increased the burden on banks. None of the African

banks surveyed said that they felt that the legislative burden was too onerous, with most saying that the legislation in place was adequate but required clarification.

Behind the regional results, there were significant differences of view for different countries. In particular, banks from both UAE and Nigeria showed strong support for an increase in AML requirements (83% and 50% of respondents in each country, respectively). Banks from other countries also reported an appetite for increased AML regulation, although for several of these countries we only had one respondent, and therefore the results may not be representative of views generally in those countries.

In addition to those banks seeking an improvement in AML standards, 15% of respondents said that although the regulatory burden was acceptable, regulatory requirements should be better focused to tackle money laundering more effectively. The demand for regulatory change in the region is likely to reflect the respondents’ comments on the lack of formal consultation processes in the region during the formation of AML policy by regulators and governments.

The impact of non-domestic legislation and regulations is more limited for respondents in this region, primarily due to their limited geographical coverage. A number of respondents do, however, have relationships with banks or clients in the U.S. or are involved in effecting dollar transactions, all of which may be covered by the requirements of the U.S.A. PATRIOT Act 2001 and OFAC.

The alternative or parallel remittance system known as ‘Hawala’ has attracted

a drive for increased regulation in the Middle East. This method of transferring money can often prove cheaper for customers than traditional banking methods and it has, therefore, continued to be a popular and attractive option, particularly for migrant workers transferring money back home. One example of increased regulation of Hawala is in the UAE, where 'Hawaladers' are now required to register themselves with the UAE central bank, and are also required to record a higher level of detail in relation to their customers.

Sanctions

Specific regional challenges apply in the Middle East and Africa in relation to the application of the sanctions regime. It can, for example prove difficult to perform a check against sanctions lists based on the customer's name due to the multiple available spellings of names used in the region. Sophisticated IT systems provide a potential solution to this issue but again require substantial investment in both the systems, and in the training of bank staff to understand sanctions and use the automated systems properly.

Outlook

Ongoing regulatory and international pressure is likely to lead to enhancements in the AML regulation in Africa and the Middle-East, together with broader acceptance and usage of best practices from other parts of the world by banks. Increasing investment flows between the region and markets internationally is also likely to add momentum to the movement towards enhancement of AML standards.



KPMG International

KPMG is a global network of professional firms providing Audit, Tax, and Advisory services. We operate in 148 countries and have more than 113,000 professionals working in member firms around the world. The independent member firms of the KPMG network are affiliated with KPMG International, a Swiss Cooperative. KPMG International provides no client services.

Major KPMG Member Firms’ Contributors

We would like to thank all of our AML contacts for their contribution to the AML survey, in particular:

Europe North America Russia & CIS

Karen Briggs Teresa Pesce Ian Colebourne

Mark Daws Darren Donovan Oleg Lykov

Jeremy Allan Laurence Birnbaum-Sarcy

Anders Wombell Middle East & Africa

Neal Dawson ASPAC Colin Lobo

Marius Fourie Gary Gill Kevin West

Eleanor Winton Deepankar Sanwalka

Jimmy Helm Arpinder Singh

Giles Williams

James Martin Central/South America & Caribbean

Eric Collard Antonio Pereira

Lee Griffin

KPMG Forensic

KPMG Forensic helps clients reduce With a team of 250 partners and staff Our wealth of experience allows us to reputational risk and commercial loss. across the U.K., together with an work closely with you and provide We do this by using accounting, international network of over 1,600 robust, practical advice. Our aim is to investigation, intelligence, technology professionals spanning 29 accredited help you take immediate, effective and industry skills to help our firms’ practices, we have both a strong action to achieve a positive outcome, clients prevent and resolve commercial national presence and a multinational whilst remaining sensitive to concerns disputes, fraud, misconduct and capability to handle complex cross- over business disruption, breaches of rules and regulations. border engagements. confidentiality and reputational issues. We also help public sector agencies to deal with criminal issues.

Global AML ContactsAfrica and Middle EastAfrica1 Middle East and South Asia2

Kevin West Colin Lobo

Tel: +27 12 431 1521 Tel: +971 6517 0724 Fax: +27 12 431 1301 Fax: +971 6572 3773 [email protected] [email protected]

Herman De Beer Bob Chandler

Tel: +27 11 647 7342 Tel: +971 6517 0723 Fax: +27 11 647 8266 Fax: +971 6572 3773 [email protected] [email protected]

Americas Canada United States

Pamela Johnson Teresa Pesce Laurence Birnbaum–Sarcy Tel: +1 613 212 3614 Tel: +1 212 872 6272 Tel: +1 212 872 5808 Fax: +1 613 212 2896 Fax: +1 212 658 9494 Fax: +1 212 872 7701 [email protected] [email protected] [email protected]

Latin America3 Darren Donovan Antonio Pereira Tel: +1 617 988 1833 Tel: +1 305 913 2697

Antonio Pereira Fax: +1 617 507 8321 Fax: +1 305 946 0633 Tel: +1 305 913 2697 [email protected] [email protected] Fax: +1 305 946 0633 [email protected]

Asia Pacific Australia India Malaysia

Gary Gill Deepankar Sanwalka Woonchee Ooi

Tel: +61 (0) 2 9335 7312 Tel: +91 (124) 307 4302 Tel: +60 3 2095 3388 Fax: +61 (0) 2 9335 7466 Fax: +91 (124) 254 9101 Fax: +60 3 2094 7005 [email protected] [email protected] [email protected]

Tony Byrne Japan Republic of Korea Tel: +61 (0) 2 9335 8227

Mahito Ogawa Daniel Kang Fax: +61 (0) 2 9335 7466 Tel: +81 3 5218 6770 Tel: +82 2 2112 0577 [email protected] Fax: +81 3 5218 6708 Fax: +82 2 2112 0704

China and Hong Kong [email protected] [email protected]

Grant Jamieson Tetsuya Umehara Singapore Tel: +852 3121 9804 Tel: +81 3 5218 6701

Bob Yap Fax: +852 2869 7357 Fax: +81 3 5218 6708 Tel: +65 6213 2677 [email protected] [email protected] Fax: +65 6225 0984 [email protected]

1 All assignments in the Africa region are undertaken from our accredited Forensic practice in South Africa. 2 All assignments in the Middle East and South Asia region are undertaken from our accredited Forensic practice in the United Arab Emirates. 3 All assignments in the Latin America region are undertaken from our accredited practices in Argentina and Brazil.


kpmg.com

Europe Austria

Gert Weidinger

Tel: +43 732 6938 2107 Fax: +43 732 6938 2153 [email protected]

Belgium

Els Hostyn

Tel: +32 2708 4362 Fax: +32 2708 4399 [email protected]

Central and Eastern Europe4

Jimmy Helm

Tel: +420 2 22 123 430 Fax: +420 2 22 123 100 [email protected]

Denmark

Torben Lange


France5

Jean Luc Guitera


Germany

Dieter John


Frank Weller


Ireland

Andrew Brown

Tel: +353 (0) 1410 1147 Fax: +353 (0) 1412 1147 [email protected]

Italy

Gabriella Chersicla


Luxembourg

Eric Collard


Netherlands

Jack de Raad


Russia

Ian Colebourne


Spain

Pablo Bernad


Sweden

Martin Kruger


Switzerland

Anne van Heerden


United Kingdom6

Karen Briggs

Tel: +44 (0) 207 311 3853 Fax: +44 (0) 207 311 3710 [email protected]

Mark Daws


Jeremy Allan


Neal Dawson


Lucy Major


4 All assignments in the Central Eastern Europe region are undertaken from our accredited Forensic practice in the Czech Republic.5 KPMG in France also covers French-speaking African countries.6 United Kingdom also includes offshore financial centres such as Isle of Man, Bermuda, Cayman Islands and Channel Islands.

The information contained herein is of a general nature and is not intended to address the circumstances of any © 2007 KPMG International. KPMG International is a Swiss cooperative. Member firms of the KPMGnetwork of independent firms are affiliated withKPMG International. KPMG International provides noclient services. No member firm has any authority toobligate or bind KPMG International or any othermember firm vis-à-vis third parties, nor does KPMGInternational have any such authority to obligate orbind any member firm. All rights reserved. Printed inthe United Kingdom.

KPMG and the KPMG logo are registered trademarks of KPMG International, a Swiss cooperative.

Designed and produced by KPMG LLP (UK)’s Design Services

Publication name: Global Anti-Money Laundering Survey 2007

Publication number: 307-231

Publication date: July 2007

particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.

The views and opinions are those of the interviewees and survey respondents and do not necessarily represent the views and opinions of KPMG International or KPMG member firms.

KPMG Forensic is a service mark of KPMG International.

Forensic advisory and expert witness services may be subject to legal and regulatory restrictions.

anti money laundering - global survey 2007 - kpmg

Documents