R E G U LATORY I N ITIATIVE S

BASEL COMMITTEE GUIDANCE ON

HOW TO MANAGE ML AND TF RISK:

PART I

Essential Elements
I
n January 2014, the Basel Committee on Banking
Supervision (BCBS), the international standard
setter for banking supervisors, issued Sound
Management of Risks Related to Money Laundering
and Financing of Terrorism, guidance1 to banks on
how to manage the risks of money laundering (ML)
and the financing of terrorism (FT). The BCBS has
long recognized that sound management of ML risks
protects banks and the national banking system, as
well as preserving the integrity of the international
financial system. The guidance combines, updates and

This is the first of two articles to address

the BCBS guidance, focusing on the
essential elements of sound ML/FT risk
management. The next will address how
to manage ML/FT risk in a group-wide and
cross-border organization as well as the
guidance for supervisors.

Risk analysis and governance

The first step in managing ML/FT risks is
to identify and analyze the risks, which
will lead to the design and effective
implementation of appropriate controls.
The analysis should include appropriate
inherent and residual risks at the country,
sectoral, bank and business relationship
level, among others. As a result of this
analysis, the bank should develop a thorough understanding of the inherent risks
in its customer base, products, delivery
channels and services offered (including
proposed new services) and the jurisdictions within which it or its customers do
business; this understanding should be
based on operational, transaction and
other internal information collected by
1

replaces previously issued Customer Due Diligence

for Banks (October 2001) and Consolidated KYC Risk
Management (October 2004). It also incorporates the
revised 40 Recommendations of the Financial Action
Task Force (FATF) by reference, recognizing that the
FATFs Recommendations go into more detail. The
BCBS also points out a number of other documents
it has issued that factor into the overall management
of ML/FT risks, such as those dealing with the internal
audit function, management of operational risk and
enhancing corporate governance.

the bank, as well as external sources. The

policies and procedures for customer due
diligence (CDD), customer acceptance,
customer identification and monitoring
business relationships and operations
(including products and services offered)
should be appropriately risk based, with
any resulting residual risk managed in
line with the banks risk profile established through its risk assessment. The
assessment of risk should be documented
and made available to authorities, such
as supervisors. This assessment is also
useful in scheduling discussions with
other parties in the bank to help them see
the risks and the appropriate controls to
mitigate them.
Another key aspect is proper governance
arrangements, which create a culture of
compliance with a strong tone from the
top. The board of directors has a critical
oversight role, as they should approve and
oversee policies for risk, risk management and compliance, particularly since
this is the senior-most management of

http://www.bis.org/publ/bcbs275.pdf

80 ACAMS TODAY | SEPTEMBERNOVEMBER 2014|ACAMS.ORG|ACAMSTODAY.ORG

the bank. The board also should have a

clear understanding of the ML/FT risks,
including timely, complete and accurate
information related to the risk assessment
to make informed decisions. Along with
senior management, the board should
appoint a qualified chief anti-money laundering (AML) officer with overall responsibility for the AML function and provide
this senior-level officer with sufficient
authority that issues raised get the appropriate attention from the board, senior
management and the business lines. This
AML officer becomes the boards proxy
for driving the day-to-day success of the
banks AML efforts, and as such, the board
should provide the AML officer with sufficient resources to execute his/her responsibilities to oversee compliance with the
banks AML program.

Three lines of defense

The BCBS describes three lines of defense
in the banks AML efforts; first, the line of
business, second, compliance and internal
control functions, and third, internal audit.

R E G U LATORY I N ITIATIVE S

The first line of defensethe line of

businessis responsible for creating,
implementing and maintaining policies
and procedures, as well as communication of these to all personnel. They must
also establish processes for screening
employees to ensure high ethical and
professional standards and deliver appropriate training on the AML policies and
procedures, based on roles and functions
performed, to help with this process and
keep employees aware of their responsibilities. To facilitate this, employees
should be trained as soon as possible
after being hired, with refresher training
as appropriate.

The second line of defense broadly

consists of the AML compliance function,
as well as the larger compliance function,
human resources and technology. In all
cases, the AML officer is responsible for
ongoing monitoring for AML compliance,
including sample testing and a review of
exception reports, to enable the escalation of identified non-compliance or other
issues to senior management and, where
appropriate, the board. The AML officer
should be the contact point for all AML
issues for internal and external authorities and should have the responsibility
for reporting suspicious transactions. To
enable the successful oversight of the

AML program, the AML officer must have

sufficient independence from the business
lines, to prevent conflicts of interest and
unbiased advice and counsel; the officer
should not be entrusted with the responsibilities of data protection or internal
audit. Depending on the size of the bank,
the AML officer may perform the function
of the chief risk or compliance officer;
but should have a direct reporting line to
senior management and/or the board. Of
course, the AML officer must be knowledgeable of the legal and regulatory obligations, the banks AML regime and the
ML/FT risks at the bank.

81

R E G U LATORY I N ITIATIVE S

The third line of defense is the audit

function. Audit should report to the
audit committee of the board of directors (or similar oversight body) and
independently evaluate the risk management and controls of the bank through
periodic assessments, including: the
adequacy of the banks controls to mitigate the identified risks, the effectiveness of the banks staffs execution of the
controls, the effectiveness of the compliance oversight and quality controls,
and the effectiveness of the training.
The audit function must have sufficient
knowledgeable employees with sufficient audit expertise. Audits should be
conducted on a risk-based frequency;
periodically, a bank-wide audit should
be conducted. Audits should be properly
scoped to evaluate the effectiveness of
the program, including where external
auditors are used. This indicates that
audits may be conducted both at a
deeper level on higher risk areas of the
bank, but also that there must be some
overarching audit of the bank as a whole
that will enable a broader view, encompassing the results of the targeted audits,
to develop a bank-wide assessment of
the overall AML compliance. Auditors
should proactively follow up on their
findings and recommendations.

Audits should
be properly
scoped to
evaluate the
effectiveness
of the program

CDD and acceptance

Banks should develop a Customer
Acceptance Policy (CAP) to identify the
customers that are likely to pose a higher
ML/FT risk (e.g., politically exposed
persons (PEPs)) as well as those relationships that the bank will not accept
(e.g., shell banks or those prohibited
under economic sanctions, such as those
imposed by the Office of Foreign Assets
Control (OFAC)). Banks should apply
basic due diligence to all customers
and increase the due diligence as the
risks increase; some customers may
be eligible for simplified due diligence
where the ML/FT risk is low, in accordance with applicable law.
Banks CDD policies should address
customer and beneficial owner identification, verification and risk profiling.
As part of this, banks should identify
customers and verify their identity, as
well as that of beneficial owners. Banks
should not establish a relationship or
carry out transactions until the customers identity has been verified, unless
doing so would interrupt the normal
conduct of business (in which case the
bank should develop appropriate controls
while verification and CDD is performed).
Verification of identity should be through
reliable means; for beneficial ownership,
banks may use a written declaration
from the customer, but should not rely
solely on such declarations. However,
in cases where countries do not publish
information about ownership, banks may
be limited in what they can do to verify
ownership of a legal entity.
As part of the general CDD for all
customers, banks should have policies that set forth the information to be
collected to enable it to develop a risk
profile for the customer or a category
of customers that will enable it to identify activity that deviates from what it
would consider normal and that could be
deemed unusual.
Where CDD cannot be performed, or
customer identify verified, the bank
should not open an account (or should
close one if it has opened one) and should
consider reporting such activity as suspicious to appropriate authorities. This
applies to anonymous accounts as well;
these should not be opened. If a bank

82 ACAMS TODAY | SEPTEMBERNOVEMBER 2014|ACAMS.ORG|ACAMSTODAY.ORG

allows for numbered accounts (there may

be special cases where customers should
not be broadly available throughout the
bank, such as for merger and acquisition
activity, where unauthorized disclosure
could result in civil and criminal violations or for accounts that law enforcement has specifically requested secrecy,
such as for a sting operation), these
should not be allowed to serve as anonymous accounts; sufficient personnel
should have full access to the information
to ensure appropriate CDD on and oversight over these accounts.
Banks should have processes in place to
enable front office, customer facing
activities to identify designated entities or individuals in accordance with
national legislation (e.g., OFAC-designated
persons), although generally, this will be
done by a back-office function, to avoid
potential conflicts with a person who
may be a designated terrorist or narcotics
trafficker (instead of a false positive) in a
bank office.
Recognizing the importance of introduced
business and reliance on other institutions,
the BCBS guidance indicates that while
the transfer of funds from an account in
the customers name from another institution may provide some comfort, the
bank should still conduct CDD, as it is
possible that the other institution closed
the customers account for cause.

Transaction monitoring systems

and ongoing monitoring
Since the transactional monitoring system
is key to mitigating ML/FT risk within the
bank, the BCBS recognizes that AML
risks require more than just appropriate
policies and procedures; banks must have
adequate and appropriate monitoring
systems. For most banks, this will involve
an information technology (IT) monitoring system; if the bank does not believe
it needs an IT monitoring system, it should
document the rationale for why it does not
need one. The monitoring system should
cover all accounts and transactions of
the banks customers and enable a trend
analysis of activity and identify unusual
business relationships and transactions,
particularly with regard to changes in the
transactional profile of customers. The
IT system should allow the bank to gain
a centralized knowledge of information,

R E G U LATORY I N ITIATIVE S

Banks should be able to risk rate customers and manage

alerts with all the relevant information at their disposal
for example, having the information organized in different ways, such as organized
by customer, by legal entity within a larger
group and/or by business unit. While the
guidance indicates a bank must have a
system, it should be understood that this
does not mean that there can only be one
IT tool that will do all of this; rather, the
tools must be able to work together to
enable the bank to gain an enterprise level
view of ML/FT risk across the bank.

account documentation, significant

changes in customer behavior or business
profile and unusual transactions (being
mindful of prohibitions on disclosing
reports of suspicious activity or tipping
off customers about such reports). Banks
should also consider the use of their IT
solutions to periodically screen accounts
against sanctions lists (e.g., OFAC) and to
identify foreign PEPs and other high-risk
customer types.

Banks should be able to risk rate

customers and manage alerts with all the
relevant information at their disposal.
This indicates a feedback loop should
exist between the customer risk-rating
systems and the transaction-monitoring
system, so that as unusual or suspicious
activity is identified, it increases the
risk of the customer. This increased risk
may also result in higher risk customers
being subject to enhanced forms of
monitoring, as well as enhanced CDD
and more frequent refresh of CDD information. IT system parameters should be
properly tuned for the banks risks, so
that it enables identification of alerts that
may indicate ML and be reviewed by the
AML officer. The AML officer should have
access to the IT system, even if it is operated and/or owned by a business line.

Management of information

A critical way to mitigate ML/FT risk is by

using the transaction monitoring system to
conduct ongoing monitoring of customer
activity, building on the information from
the risk assessments and customer profiles.
This enables banks to satisfy its obligation
to identify and report suspicious activity.
Monitoring systems should be adapted to
the risks present in the bank, such as if
the bank identifies a particular ML scheme
occurring within its jurisdiction.
A bank should have appropriately integrated management information systems
to provide both first and second line of
defense staff with timely information to
monitor and analyze customer accounts,
including transaction history, missing

Since one of the primary purposes of

AML rules is to create records that enable
law enforcement to trace financial transactions back to the people who conduct
them, banks should retain records. Banks
should both record the documents it is
provided when verifying customer/beneficial owner identitywhether a photocopy of the document or by recording
information from the document or nondocumentary sourceand enter all CDD
information into its IT system. The CDD
information should be kept up-to-date
and accurate, which will mean periodically assessing the information, generally
on a risk-based frequency.
Banks should also document decisions
related to investigations of unusual
activity, whether a decision is made to
file a report of suspicious activity or not.
Banks should maintain all of these records
as required by law, for at least five years
after closure of the account; if an ongoing
investigation is occurring, relevant CDD
records should not be destroyed merely
because the record retention period has
expired. All documentation, including
policies and procedures, should be made
available to appropriate supervisors, to
enable an assessment of compliance.

Reporting of suspicious
transactions and asset freezing
Ongoing monitoring of accounts and
transactions will enable banks to identify
unusual activity, refer unusual activity

to an internal review function, eliminate false positives and report suspicious activity in a timely and confidential
manner. This process should be clearly
spelled out in policies and procedures
and communicated to appropriate staff.
Where suspicious activity has been
reported, the bank should take appropriate action regarding the customer,
including raising the risk rating of the
customer and/or deciding whether to
retain the relationship (either the account
or the entire relationship). In some
cases, it may make sense to close out
one account and not the whole relationship, such as when a customer has both
a checking account and an outstanding
loan. Banks should screen new customers
against applicable sanctions lists and the
existing portfolio against changes to the
sanctions list to identify relationships
that may need to be frozen; banks should
have a means of properly freezing any
assets identified as part of this process.

Conclusion
While many of the concepts contained in
the BCBS guidance are not new to the
industry, it is important to note that this
guidance is being provided to banking
supervisors to help them develop a
common international understanding of
what is expected of financial institutions
to mitigate ML/FT risk. Harmonized
legislation in the various jurisdictions
removes many of the incentives for
money launderers to seek out weaker
jurisdictions and promotes a stronger
and safer financial system that can better
identify criminal misuse of the system
and facilitate the detection, prevention
and, eventually, prosecution of financial
crimes. While banks continue to get bad
press for their role in the financial crisis,
it is comforting to know that AML efforts
undertaken following the guidance
provided by the BCBSand replicated
internationally throughout the financial
industrymake our communities a bit
safer with every report of suspicious
activity that results in another criminal
taken off the streets.

Kevin M. Anderson, CAMS, director,

Bank of America Corporation, Falls
Church, VA, USA, kevin.m.anderson@
bankofamerica.com

ACAMS TODAY|SEPTEMBERNOVEMBER 2014|ACAMS.ORG|ACAMSTODAY.ORG

83