Fintelekt Advisory Services and the Asian Bankers Association hosted a webinar on Conducting Enterprise-Wide AML/CFT Risk Assessment on March 3, 2021.
The webinar was moderated by Shirish Pathak, Managing Director, Fintelekt Advisory Services, and the speakers were Madhu Sinha, Independent AML Compliance Professional and Former Head of AML, Citi Bank India, and Stephen Cutler, Chief Enterprise Risk and Compliance Officer, Omnipay.
The speakers discussed the importance of comprehensive and ongoing Enterprise-Wide AML/CFT Risk Assessments (EWRAs), ensuring comprehensive inclusion of risks, regulatory expectations, international standards, and managing costs and resources for EWRAs.
Madhu Sinha explained the approach to EWRAs – why conduct them, how to conduct them, the review process, desired outcomes, and regulatory expectations.
- An EWRA assesses a financial institution’s inherent AML/CFT risks, the effectiveness of its control environment, and the need to implement additional measures to mitigate residual risks where necessary.
- It forms the cornerstone of the AML/CFT risk management programme and helps Financial Institutions (FIs) to apply a risk-based approach based on residual risks of business lines.
- It is important to develop a model that includes all the risk factors and is customised to the size and complexity of the FI’s business.
- The EWRA model should consider customer types, products and services, geographies, channels and transactions and assign a risk rating to all of these elements.
- A quantitative analysis of data as well as qualitative inputs such as nature of the complex, hiring practices, provision of training, etc. are necessary to arrive at the residual risk.
- It is critical that the Board of Directors and senior management of the organisation are engaged and involved with every step of the EWRA process.
- Regulators expect the process to be followed in spirit and not approached as a tick-mark exercise. Hence they look for a structured methodology, deliberation by senior management, good use of data analytics, and identification of, and action upon, the areas of improvement flagged by the EWRA exercise.
“The EWRA should be a living document. Since the risks to a business, external factors and typologies keep evolving, the EWRA cannot be a static document and needs to be continuously updated.” – Madhu Sinha, Independent AML Compliance Professional and Former Head of AML, Citi Bank India
Stephen Cutler emphasized that organisations need to be focused and serious in incorporating all of the risks in order to protect the employees, the company, the industry, the communities, and the nation.
During the EWRA project, organisations should focus on aspects such as:
- A thorough understanding of the AML risks and the organisation’s control mechanisms
- An assumption that there will always be risks and that these risks will keep on evolving
- Effective planning and continuous adjustment of the organisation’s responses
- Providing effective training to employees involved in the process
- Adequate involvement of the Board and senior management
- Avoiding the use of tools copy-pasted from another organisation, and instead customizing the process to the specific organisation
EWRAs must be approached with an open mind. There is a risk of biases entering the process, such as over-reliance on the first piece of information available, overestimating the importance of available information, the tendency to see patterns in random events, or confirmation bias.
“Risk Assessments are often ‘scientific’ and quantifiable, but they also contain an element of ‘art’ because the quality of the assessment depends on the personnel putting them together.” – Stephen Cutler, Chief Enterprise Risk and Compliance Officer, Omnipay