compliance - worksession
TRANSCRIPT
KYC data collection as per 2012
Regional / Global Bank (a larger bank that provides Cash Management services)
Reviews 100 correspondent banks per year. Requires confirmation of static data, supporting documents and specific EDD / account activity information:
• Collects client information via public sources
  Average time spent to search & collect: 5 hours
  Average time to validate data: 4 hours
• Sends KYC AML/CFT questionnaire to each client
  Turn-around time depends on urgency and importance of relationship (4-8 weeks)
• Responses received by Email with non-standard PDF attachments
  Manual input of data required: 1 hour
• Total time spent: 1,000 hours (> 0.5 FTE for 100 correspondents, 5 FTE for 1000 correspondents)
Local / Small Bank (a smaller bank that requires Cash Management services)
Receives 100 KYC information requests per year. Needs to provide static data, supporting documents and to fill individually designed KYC AML/CFT questionnaires:
• Receives data request by email/phone. Request is for documents and AML/CFT info
  3-4 hours to fill each questionnaire
  1 hour per request to collect other documents, draft and send bilateral response
  Turn-around time depends on urgency and importance of relationship (4-8 weeks)
• Total time spent: 400-500 hours (>0.25 FTE per 100 correspondents)
SWIFT Business Forum Canada - Compliance Services: Moving toward a utility model - 13 April 2016
KYC Market Environment as per 2012
• No market standard
• Constantly evolving intrusive Due Diligence procedures
• Reliance on expensive front office resource (RMs) to collect sensitive critical EDD** data
• Language barriers, translation issues, cost to verify data
• Estimated total cost per KYC record: USD 5,000 (low risk) to USD 15,000 (high risk)
• Plus: High reputational risk and cost due to negative news and enforcement
• Minimum revenue required per client: USD 25,000 (low risk), USD 75,000 (high risk)
“De-risking” becomes synonym for widespread global termination of correspondent banking relationships
Global impact on trade-related GDP feared to be minus 2-3%
*CDD: Customer Due Diligence, **EDD: Enhanced Due diligence
Sanctions are very complex!
40,000 names on lists
4 Billion fuzzy combinations
14 Billion $ fines levied on financial institutions for violation of sanctions regulations
1 Day: Average interval between sanctions list updates for banks active globally
-50%: Decrease in number of correspondent relationships from some US banks
+100%: Increase in alerts every 4 years due to increase in SDNs and transaction numbers
+20%: Yearly increase in names and aliases on US OFAC list
List Content Challenges abound!
Inconsistent listings (across lists)
There are 112 spelling variations in Muammar Kaddafi’s name in print media
The OFAC list provides 8 of them.
The UN sanction uses only 1 form of the name.
The form used in the UN sanction does not match any of the 8 in the OFAC listing.
Qaddafi, Muammar
Al-Gathafi, Muammar
al-Qadhafi, Muammar
Al Qathafi, Mu'ammar
Al Qathafi, Muammar
El Gaddafi, Moamar
El Kadhafi, Moammar
El Kazzafi, Moamer
El Qathafi, Mu'Ammar
Gadafi, Muammar
Gaddafi, Moamar
Gadhafi, Mo'ammar
Gathafi, Muammar
Ghadafi, Muammar
Ghaddafi, Muammar
Ghaddafy, Muammar
Gheddafi, Muammar
Gheddafi, Muhammar
Kadaffi, Momar
Kad'afi, Mu`amar al-
Kaddafi, Muamar
Kaddafi, Muammar
Kadhafi, Moammar
Kadhafi, Mouammar
Kazzafi, Moammar
Khadafy, Moammar
Khaddafi, Muammar
Moamar al-Gaddafi
Moamar el Gaddafi
Moamar El Kadhafi
Moamar Gaddafi
Moamer El Kazzafi
Mo'ammar el-Gadhafi
Moammar El Kadhafi
Mo'ammar Gadhafi
Moammar Kadhafi
Moammar Khadafy
Moammar Qudhafi
Mu`amar al-Kad'afi
Mu'amar al-Kadafi
Muamar Al-Kaddafi
Muamar Kaddafi
Muamer Gadafi
Muammar Al-Gathafi
Muammar al-Khaddafi
Mu'ammar al-Qadafi
Mu'ammar al-Qaddafi
Muammar al-Qadhafi
Mu'ammar al-Qadhdhafi
Mu`ammar al-Qadhdhāfī
Mu'ammar Al Qathafi
Muammar Al Qathafi
Muammar Gadafi
Muammar Gaddafi
Muammar Ghadafi
Muammar Ghaddafi
Muammar Ghaddafy
Muammar Gheddafi
Muammar Kaddafi
Muammar Khaddafi
Mu'ammar Qadafi
Muammar Qaddafi
Muammar Qadhafi
Mu'ammar Qadhdhafi
Muammar Quathafi
Mulazim Awwal Mu'ammar Muhammad Abu Minyar al-Qadhafi
Qadafi, Mu'ammar
Qadhafi, Muammar
Qadhdhāfī, Mu`ammar
Qathafi, Mu'Ammar el
Quathafi, Muammar
Qudhafi, Moammar
Moamar AI Kadafi
Maummar Gaddafi
Moamar Gadhafi
Moamer Gaddafi
Moamer Kadhafi
Moamma Gaddafi
Moammar Gaddafi
Moammar Gadhafi
Moammar Ghadafi
Moammar Khadaffy
Moammar Khaddafi
Moammar el Gadhafi
Moammer Gaddafi
Mouammer al Gaddafi
Muamar Gaddafi
Muammar Al Ghaddafi
Muammar Al Qaddafi
Muammar Al Qaddafi
Muammar El Qaddafi
Muammar Gadaffi
Muammar Gadafy
Muammar Gaddhafi
Muammar Gadhafi
Muammar Ghadaffi
Muammar Qadthafi
Muammar al Gaddafi
Muammar el Gaddafy
Muammar el Gaddafi
Muammar el Qaddafi
Muammer Gadaffi
Muammer Gaddafi
Mummar Gaddafi
Omar Al Qathafi
Omar Mouammer Al Gaddafi
Omar Muammar Al Ghaddafi
Omar Muammar Al Qaddafi
Omar Muammar Al Qathafi
Omar Muammar Gaddafi
Omar Muammar Ghaddafi
Omar al Ghaddafi
So, what’s wrong with this filter?
And why might these names be missed in a SWIFT message?
And why might these ‘famous’ people be missed?
SDN/IND/Type
Review of names suggests Deceased Individuals may be “Missed”/Skipped
List update issues?
Other issues?
An Analogy: In the unlikely event of a fire …
- Fire alarms mitigate low frequency but high impact events
- Irrespective of the likelihood of a fire, a building fire alarm system must work when needed
- Testing ensures that the alarms will operate correctly in the unlikely event of a building fire
- Most fire alarms are tested weekly
In the unlikely event of a sanction violation …
- Sanctions filters mitigate business risk of low frequency but high impact events
- Irrespective of the likelihood of a sanctions violation, businesses have an obligation to ensure that sanctions controls work
- Sanctions testing ensures that your filter will operate in alignment with your risk policy
- Many sanctions filters are rarely tested
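A filter test run of the kind the "List Content Challenges" and sanctions testing slides argue for, as an added example that is not part of the original presentation: it feeds spelling variants from the slide to two filters and reports which names each one fails to flag. The one-entry watch list, the `skeleton` key and the particle set are constructed for illustration and are not taken from any real list or screening product.

```python
import re
import unicodedata

PARTICLES = {"al", "el"}  # assumption: particles ignored when comparing names

def skeleton(name):
    """Order-independent set of consonant skeletons, one per name token."""
    text = unicodedata.normalize("NFKD", name)
    text = "".join(c for c in text if not unicodedata.combining(c)).lower()
    text = re.sub(r"['`’]", "", text)          # apostrophes carry no signal
    keys = set()
    for tok in re.split(r"[^a-z]+", text):     # commas, hyphens, spaces split tokens
        if not tok or tok in PARTICLES:
            continue
        k = re.sub(r"[aeiouyh]", "", tok)      # vowels and h vary most
        k = re.sub(r"[qg]", "k", k)            # Q / G / K / Kh / Gh spellings
        k = re.sub(r"[tz]", "d", k)            # dd / dh / th / zz spellings
        k = re.sub(r"(.)\1+", r"\1", k)        # collapse doubled letters
        if k:
            keys.add(k)
    return frozenset(keys)

def exact_filter(name, watch_list):
    """Case-insensitive exact string match."""
    return name.lower() in {e.lower() for e in watch_list}

def skeleton_filter(name, watch_list):
    """Hit when every skeleton of a listed entry appears in the screened name."""
    return any(skeleton(e) <= skeleton(name) for e in watch_list)

def misses(filter_fn, watch_list, test_names):
    """Names the filter fails to flag: the result of one test run."""
    return [n for n in test_names if not filter_fn(n, watch_list)]

WATCH_LIST = ["Qaddafi, Muammar"]  # constructed one-entry list
TEST_NAMES = [                     # variants copied from the slide
    "Qaddafi, Muammar", "El Kazzafi, Moamer", "Gheddafi, Muhammar",
    "Khadafy, Moammar", "Mu`ammar al-Qadhdhāfī", "Muammar Al Qathafi",
    "Kad'afi, Mu`amar al-", "Moamma Gaddafi",
]

if __name__ == "__main__":
    for f in (exact_filter, skeleton_filter):
        print(f.__name__, "missed:", misses(f, WATCH_LIST, TEST_NAMES))
```

The normalised filter still misses one variant with a truncated first name, which is the kind of gap a regular test run surfaces before a live payment does.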
Sanctions and High Risk Jurisdictions
KYC Teams: Business challenges
• Hard to get a comprehensive overview of Correspondent relationships incl. down/upstream relationships
• Hard to collect reliable data on a regular basis to perform ongoing due-diligence
• Difficult to be efficient when reviewing relationships
Operations Teams: Business challenges
• Hard to ensure that the controls in place work and reconcile with implementations/use data to adjust systems
• Hard to ensure all risks are covered (sanctions, AML, payment quality/free formats, use of MT202)
• Difficult to monitor and understand status of RMAs
Sanctions and High Risk Jurisdictions
Compliance Teams (Head of, Group, Subsidiary): Business challenges
• Difficult to get a high-level view of the institution’s global risks (direct and indirect)
• Limited ability to drill down into details
• Limited ability to produce detailed reports internally via a user-friendly independent analytic tool
Sanctions Teams: Business challenges
• Difficult to get a global overview of risk exposure with countries with sanctions or high risk jurisdictions
• Almost impossible to get confirmation that policies are being followed
• No dynamic alerts of new risks as they emerge (on a monthly basis)
FATF Recommendation 16 states…
Countries should ensure that financial institutions include:
• required and accurate originator information
• required beneficiary information
This includes wire transfers and related messages.
The information has to remain with the wire transfer or related message throughout the payment chain.
Countries therefore should ensure that financial institutions monitor wire transfers for the purpose of detecting those which lack required originator and/or beneficiary information, and take appropriate measures.
More information can be found on this link: FATF Recommendation
Recommendation 16 applies to domestic and cross-border transfers
Financial institutions must include
• the name of the originator;
• the originator account number or unique transaction number where such an account is used to process the transaction;
• the originator’s address, or national identity number, or customer identification number, or date and place of birth;
• the name of the beneficiary; and
• the beneficiary account number or unique transaction number where such an account is used to process the transaction.
Key elements to the new European regulation on information accompanying transfers of funds:
• Ensure that transfers of funds are also accompanied by the name of the payee and the payee's account number
• Issue warnings, set deadlines, reject transfers, or restrict or terminate its relationship with a PSP that repeatedly fails to provide the required payer and payee information, and report that failure.
And particularly for an intermediary Payment Service Provider:
• Ensure that all of the information received on the payer and payee that accompanies a transfer of funds is retained with the transfer.
• Have procedures in place to detect whether particular information is missing, or has been completed using characters that do not meet the conventions of the relevant messaging or payment and settlement system
Current set of financial crime compliance services
• Sanctions Screening: Hosted solution for cost-effective compliance with sanctions regulations
• Sanctions Testing: Maximise the effectiveness and efficiency of banks’ sanctions environment
• The KYC Registry: One global source of KYC information for correspondent banking
• Compliance Analytics: Enhanced understanding & management of financial crime-related risk
Moving toward a Financial Crime Compliance Utility Vision – 3 main pillars
Financial Crime Compliance Utility
Interconnected Utilities leveraging commonalities and data between the products & services
Sanctions, e.g.
• Transaction & Name screening
• List Management
• Standards
• Alert Management
KYC, e.g.
• KYC Registry
• KYC Market Place
• Standards
• Notifications
Analytics/AML, e.g.
• Compliance Analytics
• FATF 16
• Bank-to-bank monitoring
For ALL SWIFT users (small AND large)
List management – Challenges
Public lists, Premium lists, Private list
US, EU, UN, PEP, OTH, Group, Local
Transaction screening, Customer screening
AMERICAS, EUROPE, ASIA-PACIFIC
Complexity, Lack of control, Costs
Transformation
• Sources
• Formats
Selection
• Monitoring
• No consistency
Distribution
• Duplication
• No transparency
List Management Service
Public lists, Premium lists, Private list
US, EU, UN, PEP, OTH, Group, Local
Transactions, Customer data
AMERICAS, EUROPE, ASIA-PACIFIC
Standardisation, Transparency, Efficiency
MONITORING, ENRICHMENT, OPTIMISATION, SELECTION, DISTRIBUTION
Search & navigate
Audit & archiving
Feedback mechanism
Policy manager
Operator
Name Screening Service
List
Service
Business
Logic
Decision
Portal
Online check
The service will cover:
- Online individual name checks (one at a time check): Live Jan 2017
- Ongoing screening of entire customer database (recurring batch process based on files manually uploaded): H2 2017
Alert Management
Screening
Configuration
User management
Sanctions lists
PEP lists
Negative news, …
Ongoing check, delta screening, multiple names check, …
Ongoing check
Overview of the Payments Data Quality module
Payments data quality rules
Payments data quality attributes
FIN
Compliance Analytics
Centrally hosted and managed by SWIFT
Understand presence and quality of originator and beneficiary information in your SWIFT messages
Verify whether this data meets regulatory requirements in line with FATF Recommendation 16
Use reporting and alerts to assess and improve your own data quality and take appropriate measures with counterparties to ensure compliance
New module within Compliance Analytics
Available in mid-2016
Product characteristics
Scope
• MT103, MT202COV, MT205COV
• Inbound and outbound flows
• All entities belonging to the financial group
Rules
Common set of rules managed centrally by SWIFT with input from the community
• Shared dummy list of commonly used not acceptable entries
• Shared white list of commonly accepted entries - synonyms
• Rules applied in the flow - No extraction/storage of fields 50/59
• All rules applied to 50/59 – Filter results via the reporting tool
Reporting
• Management information, trends, data mining, data visualisation, basic notifications
• Weekly or monthly reports
• Consolidated group level, drill down to BIC11
• Consolidated rule types, drill down to sub rule type
• Field 20 to trace back transactions
• FATF country risk classification to filter results
Key categories of rules
Party identifier
• Empty value
• Account number length
• Invalid IBAN
• Cheque
Name
• Name length
• Number of consecutive repetitive characters
• Presence of CCC
• Characters present in dummy list
Address and additional info
• Address length
• Number of consecutive numerical / alphabetical repetitive characters
• Characters present in dummy list
• 50F additional info
Country
• No country in all lines
• Country line maxed out
• Characters present in dummy list
Other
• Use of field option (structured or free format)
• Country of domicile of originator / beneficiary matches country of originator / beneficiary bank
• Characters present in the “double nesting” or “human trafficking” list
Rules are applied to all payments (103, 202Cov, 205Cov).
Results of checks are numeric or boolean (true/false).
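A sketch of how several of the rule categories above could be evaluated on one field 50/59 value, returning only numeric or boolean results. It is an added example, not SWIFT's rule set: the dummy-list entries are constructed placeholders, the function names are hypothetical, and it assumes a free-format field whose optional first line is "/account", followed by the name line and then address lines.

```python
import re

# Constructed placeholder entries; the shared dummy list is not on the page.
DUMMY_LIST = {"UNKNOWN", "N/A", "NONE", "ONE OF OUR CUSTOMERS"}

def iban_valid(iban):
    """ISO 13616 check: move the first 4 chars to the end, map A-Z to 10-35, mod 97 == 1."""
    s = iban.replace(" ", "").upper()
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}", s):
        return False
    rearranged = s[4:] + s[:4]
    return int("".join(str(int(c, 36)) for c in rearranged)) % 97 == 1

def max_run(text):
    """Length of the longest run of one consecutive repeated character."""
    return max((len(m.group(0)) for m in re.finditer(r"(.)\1*", text)), default=0)

def check_party(field):
    """Evaluate party identifier, name and address rules on one field value."""
    lines = [ln.strip() for ln in field.strip().splitlines() if ln.strip()]
    account = lines.pop(0)[1:] if lines and lines[0].startswith("/") else ""
    name = lines[0] if lines else ""
    address = " ".join(lines[1:])
    # Only accounts shaped like an IBAN (2 letters + 2 digits) get the IBAN rule.
    iban_shaped = bool(re.match(r"[A-Za-z]{2}\d{2}", account))
    return {
        "party_id_empty": account == "",
        "account_length": len(account),
        "invalid_iban": iban_shaped and not iban_valid(account),
        "name_length": len(name),
        "name_max_repeat": max_run(name.replace(" ", "")),
        "name_in_dummy_list": name.upper() in DUMMY_LIST,
        "address_length": len(address),
        "address_in_dummy_list": address.upper() in DUMMY_LIST,
    }

# Constructed sample field values (not taken from real messages).
GOOD = "/GB82WEST12345698765432\nACME TRADING LTD\n12 HIGH STREET\nLONDON GB"
BAD_IBAN = "/GB82WEST12345698765433\nJOHN DOE"
NO_ID = "XXXXXXXX\nUNKNOWN"

if __name__ == "__main__":
    for sample in (GOOD, BAD_IBAN, NO_ID):
        print(check_party(sample))
```

Thresholds for what counts as too short or too repetitive are left to the reporting side, matching the statement that each check yields a number or a true/false value.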