Q&A from Enhancing Screening and Transaction Monitoring Processes Webinar
November 13, 2019
Transaction monitoring and sanctions screening are crucial processes for both traditional and non-traditional financial institutions. With changing regulations coupled with increased regulatory scrutiny being the new normal, having a streamlined and flexible approach has become more important for AML compliance teams looking to improve cost savings and resource allocation.
Here are some questions and answers from our recent webinar on this topic:
Q: Can you give specific examples about what you mean by residual risk?
A: Daniel Buckingham, Director of Compliance Strategy, Governance and Technology, Transfast: When we talk about inherent risk, that is really looking at a product or service and looking at the attributes and how that product or service can be used and how it could be abused by a customer. It’s looking at its inherent setup and saying what is its potential for being abused?
When we start talking about residual risks though, it’s saying OK, I’ve applied a level of control framework against the risk of that product, so I may have certain monitoring controls in place. I may have certain first line of defence mechanisms in place. When we talk about residual risk, all we are trying to say is do we believe that the control environment across the first and second line has the ability to manage that risk in totality or is there some risk left over?
So for example, the front line of defence control could be face-to-face because it’s an over-the-counter transaction. Part of that is visualizing and verifying the person that is doing the transaction with you, but in the background you are monitoring to look for certain typologies. But the data that’s coming in means you are not able to properly target that, and so your monitoring control produces a lot of noise. As a result, when you produce a lot of noise you also run the risk that from an investigation standpoint you may miss something as well.
So in that case you may believe there is an element of residual risk left over and it’s not fully mitigated and it’s up to you to then say, do I need to do that or is that within my risk appetite? If you look at the residual risk only you are potentially looking at a very small subcomponent of the risk or a symptom of the risk, not the actual risk itself.
Q: Given that sanctions are essentially regulated to report on hits from a list, once a hit has been verified and returned on good data how does risk even enter into the equation?
A: Mandar Vaidya, Assistant Vice President Compliance, ICICI Bank Canada: The risk really comes in if you are not able to identify and detect a match or not able to do proper due diligence in terms of the alert that comes in.
Let’s say if you get a match and you ignore the match and say it’s a false positive, it could really be a true match or a potential match. If it is a Politically Exposed Person (PEP) and you don’t classify them as a potential high risk client, then you are exposing yourself for non-compliance and the regulators could find your program non-compliant.
Q: Can Alessa be integrated with other lists or just World-check? Do you provide screening services to be in compliance with OFAC – CACR list for Cuba?
A: Eric Hansen, Senior Risk Specialist, CaseWare RCM: Yes. CaseWare has taken the approach where we have an integrated partnership with World-Check where we include not just the names but the additional second-level identifiers such as the year of birth, the citizenship, the relatives and close associates. But we can integrate other lists, especially internal lists.
An important consideration when you are trying to integrate a third-party watchlist is getting it integrated into the software properly. Our clients work with all sorts of external data set lists now, from cannabis-related business lists to adverse media, and our team here is always working on integrating new data sets.
Q: What systems would you recommend for any institution to make sure that they are managing their risk?
A: Daniel Buckingham: I think conceptually one needs to build a toolkit. We spoke about the risk assessment and having in place sound risk-assessment practices.
Risk assessments have to be looked at on different levels. We’ve spoken about the need to look at customers and the risk associated with them. So you need to have in place some sort of risk assessment capability at a customer level.
We also want to look at risks holistically because understanding those risks is what is going to drive your awareness of what it is you need to monitor and detect. That’s where we start talking about enterprise AML risk assessments, or even just enterprise risk as a topic by itself; it looks across the organization as a whole: operational, financial, technology, et cetera.
So those risk assessment activities are really going to give you the focus you need to figure out what it is you want to look at. On top of that, you are going to need something to do your monitoring and detecting. You really need to think then about how big is the risk I am looking for and how much of the organization do I need to monitor here?
Not everything needs to be automated, but as we all know, the more transactions you have, the more customers you have, the harder it is going to be for a person or persons doing manual processes to detect those actual things.
That’s where you should start considering some level of automation. But don’t forget that manual processes play an important part and they always will.
Q: What about executive orders and general licences from the Treasury Department around Venezuela? What measures should we take?
A: Mandar Vaidya: What we do is identify high-risk countries. We classify them as high risk, so any transactions involving this country are going to be high risk, based on the executive orders and ministerial orders.
There are a lot of cases where the sanctions may not be against a specific country but more towards specific sectors or specific entities, so as long as you are not dealing with them you are OK. We have identified high-risk countries based on the directives and other risk indicators.
Q: How long should Politically Exposed Persons be considered PEPs once they leave office? How should they be treated for screening hits?
A: Mandar Vaidya: We look to the guidelines and regulations. In Canada for example, domestic PEPs are PEPs for five years after they have left office. We take a conservative approach and consider PEPs forever – once a person is a PEP they are there forever.
Q: How does one check PEP relatives of a customer if not disclosed?
A: Mandar Vaidya: That is challenging. There is no universally applicable database that says this person is closely associated with a PEP. However, there are certain guidances given by the regulators. People who co-own a business, for example, they would be seen as close associates.
Q: What is the top 10 list for triggers for transaction monitoring other than watch list screening?
A: Daniel Buckingham: I do not think there is such a thing as top 10. This goes back to what I was saying about really understanding the risks that you are trying to monitor and detect. What data elements do you need to identify that, and then you need to ask yourself the question, are some of these mandated? (Some are time mandated, like CTRs and EFTs.)
There are black and white requirements like those, but as you start to move to user definable parts of the risk that you are trying to look at – that is where you need to look at the data. You need to understand what your risk profile is in the company. It is going to be a case-by-case basis, but it is truly an understanding of the individual elements that make up those trigger points.
Q: What are some best practices for common names?
A: Eric Hansen: Find a system with appropriate memory. If you keep getting hits on John Smith after being cleared in the AML environment, I would work with your technology partner to look for a kind of memory in the system as the technology is there now.
Second, in terms of common names, go to the second level of identifiers with year of birth being the strongest one. If it is a foreign name, you can look for the name in original script. It goes back to integrating all of the data points necessary so you are not just screening name versus name.
Q: Are there ways to identify PEP relatives and close associates?
A: Eric Hansen: Going to a trusted external list-provider like World-Check is certainly one way; the other is voluntary disclosure – asking the client flat out. This is something that at the end of the day leaves many financial institutions struggling.
So you can use a combination of adequate Know Your Customer (KYC) and then going to an external watchlist. Short of that is open internet searches, but when you are going to that extent you certainly can’t trust everything that’s out there and you are really opening up yourself to inadequate data.
Q: As part of the KYC process, why do we not ask for the name of a spouse or partner?
A: Daniel Buckingham: One of the realities is that the more information you ask for, the more you impact the client experience and the bigger impact you have on trying to retain your customer base. If you are the only institution asking for more detail and no one else is, a lot of clients are just going to go straight to those who don’t ask for the information.
There are also rules and regulations surrounding collecting personal data.
If you have any questions or would like to discuss further, please do not hesitate to contact us.
About Anu Sood
Anu Sood is the Director Marketing at CaseWare RCM and is responsible for the company’s global marketing strategy. She has over 20 years of experience in product development, product management, product marketing, corporate communications, demand generation, content marketing and strategic marketing in high-tech industries.