{{item.title}}
{{item.text}}
{{item.title}}
{{item.text}}
Luca Bonato
Director, Compliance & Regulation, PwC Switzerland
The key to effective risk governance and risk steering in the areas of money laundering (AML) and terrorist financing is transparency and knowledge on the part of the Board of Directors (BoD) and the Executive Board (ExCo).
In order to carry out their respective roles and responsibilities, transparency and knowledge of the specific inherent AML risks to which their organisation is exposed as well as the effectiveness of the corresponding control measures are crucial to ensure compliance with regulatory requirements and internal business risk strategies. Accordingly, banks must identify their individual AML risk categories, which represent an inherent risk. These individual risks must then be recorded, analysed and measured for each risk category.
In its recently-published Supervisory Notice 05/2023 of 24 August 2023, FINMA has now identified systematic deficiencies in banks’ compliance with their AMLA risk analysis requirements under Art. 25 para. 2 AMLO-FINMA.
In the published summary of FINMA's review results at 30 banks, deficiencies in the established AML risk analyses are repeatedly identified as one of the main weaknesses for most banks, thus jeopardising effective AMLA risk controls and risk management.
In response to these findings, FINMA has transparently published its expectation regarding compliance with the regulatory requirements of Art. 25 para. 2 AMLO-FINMA. FINMA’s core statements, supplemented by our market insights and industry practice to ensure effective risk management, are set out below.
According to Art. 3 para. 2 lit. a BA in connection with Art. 12 para. 2 BO as well as Art. 8 AMLA, a bank records, limits and monitors its AML risks. The banks therefore take the necessary measures to prevent money laundering. One of these organisational measures is the AML risk analysis pursuant to Art. 25 para. 2 AMLO-FINMA.
According to this, the AML unit or another independent unit must prepare a risk analysis with respect to combating money laundering and terrorist financing, taking into account the area of activity and the type of business relationships maintained by the bank. The scope of the AML risk analysis depends on the nature, size, complexity, service offering, client base and geographical presence of the bank. The AML risk analysis must be approved by the BoD and/or ExCo and must be updated regularly.
The results of the AML risk analysis should be used:
to better understand the bank’s AML risk exposure based on its clients’ profiles;
geographical exposure, product services and business activities;
to assist the BoD in updating and verifying their risk appetite statement and risk tolerance;
as a key risk steering and risk strategy instrument concerning the management of AML risks;
To achieve this, the BoD determines the business strategy, defines guiding principles for the bank’s corporate culture and signs off on institution-wide risk management strategies in accordance with para 10 of FINMA Circular 2017/1 – Corporate Governance. These tasks also include setting limits for exposure to AML risks and determining AML risk appetite.
In order to monitor compliance with the defined AML risk appetite and the corresponding AML risk strategy, the bank must define key risk indicators (KRI) that can be used to continuously check whether the bank operates still within the defined risk appetite. These checks are supported by the annual AML risk analysis.
The following categories may be taken into consideration when setting the KRIs and the corresponding risk limits:
Countries (e.g. target markets, exit markets or sanctioned countries)
Structures (e.g. complex structures, domiciliary companies, trusts, foundations)
Products (e.g. crypto assets, safe-deposit accounts)
Services (e.g. trade finance, wealth management, transaction banking)
A bank may determine any exceptions to this individually-defined risk appetite and strategy. If exceptions are to be expected, the internal regulations need to define the according process to allow exceptions to the set risk limits (“exceptions to policy” (EtP)) on a case-by-case basis. Such exceptions are to be granted by ExCo members after appropriate risk mitigation measures have been defined.
Furthermore, as a general rule it is crucial for FINMA to see that the risk appetite is reflected in the client population and that it does not contradict it. This assessment forms part of the annual AML risk analysis.
According to the explanatory report on the partial revision of the AMLO-FINMA dated 11 February 2015 (“Explanatory Report 2015”), a risk analysis must identify, record and analyse all money laundering risks to which a bank is exposed. For this purpose, FINMA specifies minimum standards for risk categories that must be assessed in every analysis.
These are i) the geographic presence of the bank, ii) the registered office or domicile of the clients, iii) the client segment and iv) the products and services offered. It should be noted that the catalogue of risk categories in accordance with Art. 25 para. 2 AMLO-FINMA and the Explanatory Report 2015 is not exhaustive, and must be supplemented individually depending on the bank's business model and range of services.
Each relevant AML risk category identified should be analysed, assessed, measured and weighted each year. The results need to be documented and explained in a way that is clear to qualified third parties (such as for FINMA or auditors).
This analysis should consist of three main components:
Inherent risk (assessed qualitatively and quantitatively)
Control risk (control/mitigating measures and respective effectiveness)
Residual risk (effect on business strategy)
Inherent risks are operational AML risks to which an institution is exposed through its services, products, activities, client population, geographic reach, processes and systems, without regard to control and mitigation measures.
Obtaining a reliable data source is required for identifying and assessing the inherent AML risk. When evaluating the data sources, the bank could – among other institution-specific categories – consider the following categories, which can be assessed qualitatively and quantitatively:
The presence of the bank abroad and the application of a foreign regulatory system can increase the AML risk for a bank. This assessment should be aligned with the cross-border strategy. For each country served, the control expertise and language skills need to be ensured for adequate risk management purposes.
Each type of product and service exposes the bank to a different inherent AML risk. The qualitative inherent risk of each service and product needs to be assessed. Furthermore, a quantitative overview of these products and services related to the overall client population is recommended.
As stated above, the criteria listed in Art. 25 para. 2 AMLO-FINMA are not exhaustive and need to be adjusted individually according to the business model and service offering. The criteria on the left could also be considered as inherent risk categories.
Furthermore, in the risk analysis the bank has to consider the relevance of every single criterion stated in Art. 13 para 2 AMLO-FINMA regarding business relationships with a high level of risk. The explanatory report on the partial revision of the AMLO-FINMA of 4 September 2017 (“Explanatory Report 2017") states that a criterion shall be considered relevant if it affects a significant number of business relationships of the bank.
The internal AML control framework is a set of measures designed to mitigate the related inherent AML risk of the bank. The effectiveness of the controls must be verified on a regular basis (controls of controls). This assessment includes information on how the controls were performed (automated, semi-automated, manual), whether the performance was documented and the control goal was achieved, whether training was provided on how to perform the controls and whether the controls are new or already established within the bank.
For each inherent AML risk category identified, the corresponding control measures must be evaluated and the operating effectiveness of the control analyzed. A source for control measures is usually found in:
Internal control inventory
Summary of key processes & tasks defined in internal policies
Committee & meetings for risk steering according to internal policies
IT tools for AML client surveillance
Yearly compliance activity plan
Ongoing anti-money laundering related projects and initiatives
Residual risks are operational AML risks to which the bank is exposed after taking controls and mitigation measures into account. The residual AML risk must be aligned with the bank’s risk appetite. FINMA’s Explanatory Report 2015 states that based on the learnings and results of the annual AML risk analysis, a bank describes its additional measures to manage, control, steer, report and monitor these residual risks in alignment with its AML risk appetite, KRI and business strategy.
This includes in particular understanding the development of AML risk exposure, as well as the assessment of the resource situation for controlling the AML related client risks. The remaining risks are the operational AML risks that the bank’s ExCo and BoD consciously tolerates in order to execute its business strategy and service offering.
According to margin no. 78 of FINMA Circular 2017/1, the Compliance function performs an annual bank-wide compliance risk analysis. The specific AML risk assessment, or parts of it, can be integrated into this comprehensive compliance risk analysis. However, the bank must ensure that the more extensive requirements of Art. 25 para. 2 AMLO-FINMA are adequately met.
According to the global risk management principle in Art. 6 para. 1 AMLO-FINMA, a bank with international branch offices or which operates a financial group with foreign group companies shall record, limit and monitor its legal and reputational risks related to money laundering and terrorist financing on a global level. This must be done periodically in the form of a risk analysis at a consolidated level.
The explanations given in the Explanatory Report 2017 make it clear that this is a risk analysis in accordance with Art. 25 para. 2 AMLO-FINMA, including the risks associated with the business relationships as well as transactions in the branch offices and group companies, and must follow the structure of the AML risk analysis of the Swiss bank.
Overall, it can be stated that in communicating FINMA’s expectation of the regulatory duties, FINMA has tightened and increased the minimum standards required for an effective risk analysis towards the market. In practice, this means that a lot of time and effort can be saved once a comprehensive risk analysis approach and framework as well as a dynamic and reliable data source has been established.
The next steps should be that each bank – and other financial intermediaries – should perform a gap assessment against FINMA’s guidance. It is expected that a majority of banks and other financial intermediaries will need to strengthen and enhance their AML risk analysis and the corresponding framework in order to meet FINMA’s expectations and regulatory guidance.
Based on the results of the gap assessment, additional implementation measures have to be defined and executed. Since we have done it before, as your trusted partner we are on hand for an in-depth discussion to address and assess your needs so we can jointly develop a risk-based, tailored and proportionate solution to strengthen your organization's AML risk analysis framework in a sustainable manner.
#social#