Assessing the Risk Categories
In a previous newsletter I spoke on three basic steps required when conducting a risk-based approach risk assessment of your business. Step one was to assess the risk of the four different categories within your business which include clients, products, countries, and channels. The second step was to determine what your business’ risk appetite is. And the final step is to review your internal controls. In today’s article we will look a bit more in detail at how to assess your business’ clients, products, countries, and channels.
The first category we have is your clients. Remember to keep in mind that you want to tailor your risk assessment to your institution or firm. All businesses are different and will require different policies, procedures, and controls based on who and what you are dealing with. Let’s start with an easy enough question in terms of your customer base: who are your customers? It sounds simple enough, but you’ll need to dig to find out who you are working with. What type of client base are you dealing with? What industry are they in, where are they located, and so forth? In order to be compliant and to answer these questions, you will need a sound KYC/CDD program to ensure you are not dealing with criminals and terrorists, or with individuals or regimes on a sanctions list, and you will need to obtain information on PEPs, as they are more susceptible to bribery and corruption. You will also want to have an audit trail and documentation of any due diligence you perform. Once you have assessed your customers you will need to give them a risk rating determined by the information you have received from your customer due diligence. This rating should be low, medium, or high in terms of how much risk they present.
The third category to look at will be countries. This category can get a little tricky as it ties in to a lot, and you will have to keep up to date with any changes that may occur from a regulatory standpoint and stay informed on current sanctions lists. What you will be risk rating countries on is determined by where the financial institution is headquartered, where your clients are located, where your clients are doing business, where your services are offered, what the place of domicile of your client is and whether it differs from the place of incorporation, whether nationality is important to you, and where your transactions are going to or coming from. These are some of the many questions you will be assessing when risk rating countries. Lower risk customers will have limited international clients, and most transactions will be domestic and local in nature. Medium risk may have international branches and clients or, for US based institutions, may have branches or clients located in High Intensity Drug Trafficking Area (HIDTA) and High Intensity Financial Crime Area (HIFCA) locations. Higher risk institutions may deal with countries near sanctioned countries or with international clients from offshore jurisdictions, or, for US institutions, may also have branches or clients located in HIDTA and HIFCA locations. Another aspect you want to look at when risk rating countries is whether they are a member of the Financial Action Task Force (FATF) or of a FATF-style regional body. Typically, non-members are more likely to lack AML/CFT requirements equivalent to international standards and/or may have a negative political standing or bad reputation.
The last category on the list to risk rate is the delivery and distribution channels of your services. You will want to look at how accounts originate: was it through a walk-in, or was it online with an online-only identification process? How do you service these accounts? Higher risk accounts may be serviced remotely, for example through online, mobile or telephone banking. From here you are going to want to monitor transaction risks: how much money is in a single transaction and what the frequency of transactions is, as well as looking for trends, new typologies, and emerging risks. With your different channels and services, you will want to have the proper technology in place to monitor these transactions and to stay ahead of any potential wrongdoing your clients may pose.
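As an added example (not the newsletter's or SILO's own model), here is a small rule-based rating that combines the client, country and channel factors described above into a low, medium or high rating and records the reasons behind it, so the rating carries the audit trail the article asks for. The field names, weights and thresholds are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed example: one record holding the client, country and
# channel facts gathered during KYC/CDD. Field names are assumptions.
@dataclass
class ClientProfile:
    name: str
    is_pep: bool                  # politically exposed person
    sanctions_hit: bool           # matched a current sanctions list
    fatf_member: bool             # client's country is FATF/FSRB member
    offshore_jurisdiction: bool   # incorporated in an offshore centre
    near_sanctioned_country: bool
    hidta_or_hifca: bool          # US HIDTA/HIFCA location
    domicile_differs: bool        # domicile != place of incorporation
    online_only_onboarding: bool  # non-face-to-face identification
    remote_servicing: bool        # online/mobile/telephone servicing only
    monthly_tx_count: int
    largest_tx: float

def rate_client(p: ClientProfile) -> Tuple[str, List[str]]:
    """Return (rating, reasons). The reasons list is the audit trail:
    it records which due-diligence facts drove the rating."""
    if p.sanctions_hit:
        # A sanctions match is disqualifying regardless of other factors.
        return "high", ["sanctions list match"]
    # Weights are assumptions; higher weight = greater AML/CFT exposure.
    checks = [
        (p.is_pep, 3, "PEP: elevated bribery/corruption exposure"),
        (not p.fatf_member, 2, "country is not a FATF/FSRB member"),
        (p.offshore_jurisdiction, 2, "offshore jurisdiction"),
        (p.near_sanctioned_country, 2, "adjacent to a sanctioned country"),
        (p.hidta_or_hifca, 1, "HIDTA/HIFCA location"),
        (p.domicile_differs, 1, "domicile differs from incorporation"),
        (p.online_only_onboarding, 1, "online-only identification"),
        (p.remote_servicing, 1, "remote servicing channel"),
        (p.monthly_tx_count > 100, 1, "high transaction frequency"),
        (p.largest_tx >= 10_000, 1, "large single transaction"),
    ]
    score = 0
    reasons: List[str] = []
    for hit, weight, reason in checks:
        if hit:
            score += weight
            reasons.append(reason)
    # Thresholds are assumptions: 0-2 low, 3-5 medium, 6+ high.
    rating = "low" if score <= 2 else "medium" if score <= 5 else "high"
    return rating, reasons
```

Every rating returned this way can be re-derived from the stored reasons, which is what an examiner reviewing your due diligence will want to see.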
Keeping track of all this can be a handful, but it is necessary in the fight against money laundering and terrorist financing. And let’s be honest, your institution doesn’t want to be fined or risk reputational damage from being non-compliant. These assessments will need to be a group effort and must have support from senior management, as they make the ultimate decision on how much risk they are willing to take. It is, however, the compliance officer’s job to keep them informed and to consult on the matter of staying compliant.
Contact SILO Compliance Systems: info@silocompliance.com. Complete set available at www.silocompliance.com