Emmanuel Godson Akwoviah


Essential elements of sound ML/FT risk management and ML/FT risk in a
cross-border organization as well as the guidance for supervisors.
Risk Analysis
The first step in managing ML/FT risks is to identify and analyse the risks, which
will lead to the design and effective implementation of SMART controls. The
analysis should include appropriate inherent and residual risks at the country,
Bank and business relationship level, among others.

As a result of this analysis, the Bank should develop a thorough understanding
of the inherent risks in its customer base,
products, delivery channels and services
offered (including proposed new services)
and the jurisdictions within which it or its
customers do business; this
understanding should be based on
operational, transaction and other
internal information collected by the
Bank, as well as external sources. The
policies and procedures for customer due
diligence (CDD), customer acceptance,
customer identification and monitoring
business relationships and operations (including products and services offered)
should be appropriately risk based, with any resulting residual risk managed in
line with the Bank’s risk profile established through its risk assessment. The
assessment of risk should be documented and made available to authorities,
such as supervisors. This assessment is also useful in scheduling discussions
with other parties in the Bank to help them see the risks and the appropriate
controls to mitigate them.
Another key aspect is proper governance arrangements, which create a culture
of compliance with a strong “tone from the top.” The board of directors has a
critical oversight role, as they should approve and oversee policies for risk, risk
management and compliance, particularly since this is the senior-most
management of the Bank. The board also should have a clear understanding of
the ML/FT risks, including timely, complete and accurate information related to
the risk assessment to make informed decisions.
Along with senior management, the board should appoint a qualified chief anti-
money laundering (AML) officer with overall responsibility for the AML function
and provide this senior-level officer with sufficient authority that issues raised
get the appropriate attention from the board, senior management and the
business lines. This AML officer becomes the board’s proxy for driving the day-
to-day success of the Bank’s AML efforts, and as such, the board should provide
the AML officer with sufficient resources to execute his/her responsibilities to
oversee compliance with the Bank’s AML program.
The creating, implementing and maintaining policies and procedures, as well as
communication of these to all personnel. They must also establish processes for
screening employees to ensure high ethical and professional standards and
deliver appropriate training on the AML policies and procedures, based on roles
and functions performed, to help with this process and keep employees aware
of their responsibilities. To facilitate this, employees should be trained as soon
as possible after being hired, with refresher training.
Once a year, the practice should be to identify and assess the main compliance
risk issues facing the Bank and the plans to manage them. Such plans should
address any shortfalls (policy, procedures, implementation or execution)
related to how effectively existing compliance risks have been managed, as well
as the need for any additional policies or procedures to deal with new
compliance risks identified as a result of the annual compliance risk assessment.
In addition, the practice should be to report to the board of directors or a
committee of the board on the Bank’s management of its compliance risk, in such
a manner as to assist board members to make an informed judgment on whether the
Bank is managing its compliance risk effectively; and lastly, to report promptly
to the board of directors or a committee of the board on any material compliance
failures (e.g. failures that may attract a significant risk of legal or
regulatory sanctions, material financial loss, or loss to reputation).
The AML officer is responsible for ongoing monitoring for AML compliance,
including sample testing and a review of exception reports, to enable the
escalation of identified non-compliance or other issues to senior management
and, where appropriate, the board. The AML officer should be the contact point
for all AML issues for internal and external authorities and should have the
responsibility for reporting suspicious transactions. To enable the successful
oversight of the AML program, the AML officer must have sufficient
independence from the business lines, to prevent conflicts of interest and to
provide unbiased advice and counsel; the officer should not be entrusted with
the responsibilities of data protection or internal audit. Depending on the size
of the Bank, the AML officer may perform the function of the chief risk or
compliance officer, but should have a direct reporting line to senior
management and/or the board. Of course, the AML officer must be
knowledgeable about the legal and regulatory obligations, the Bank’s AML regime
and the ML/FT risks at the Bank.
CDD and acceptance


Banks should develop a Customer Acceptance Policy (CAP) to identify the
customers that are likely to pose a higher ML/FT risk (e.g., politically
exposed persons (PEPs)) as well as those relationships that the Bank will not
accept. Banks should apply basic due diligence to all customers and increase
the due diligence as the risks increase; some customers may be eligible for
simplified due diligence where the ML/FT risk is low, in accordance with
applicable law.
Banks’ CDD policies should address customer and beneficial owner
identification, verification and risk profiling. As part of this, Banks should
identify customers and verify their identity, as well as that of beneficial owners.
Banks should not establish a relationship or carry out transactions until the
customer’s identity has been verified, unless doing so would interrupt the
normal conduct of business (in which case the Bank should develop appropriate
controls while verification and CDD are performed). Verification of identity
should be through reliable means; for beneficial ownership, Banks may use a
written declaration from the customer, but should not rely solely on such
declarations. However, in cases where countries do not publish information
about ownership, Banks may be limited in what they can do to verify ownership
of a legal entity. As part of the general CDD for all customers, Banks should have
policies that set forth the information to be collected to enable them to develop
a risk profile for the customer or a category of customers that will enable them
to identify activity that deviates from what they would consider normal and that
could be deemed unusual.
Where CDD cannot be performed, or customer identity verified, the Bank
should not open an account (or should close one if it has opened one) and
should consider reporting such activity as suspicious to appropriate authorities.
This applies to anonymous accounts as well; these should not be opened. If a
Bank allows for numbered accounts (there may be special cases where
customer information should not be broadly available throughout the Bank, such
as for merger and acquisition activity, where unauthorized disclosure could
result in civil and criminal violations, or for accounts for which law
enforcement has specifically requested secrecy, such as for a sting operation),
these should not be allowed to serve as anonymous accounts; sufficient personnel
should have full access to the information to ensure appropriate CDD on and
oversight over these accounts. Banks should have processes in place to enable
front-office, customer-facing activities to identify designated entities or
individuals in accordance with national legislation, although generally this
will be done by a back-office function, to avoid potential conflicts with a
person who may be a designated terrorist or narcotics trafficker (instead of a
false positive) in a Bank office. Recognizing the importance of introduced
business and reliance on other institutions, the BCBS’ guidance indicates that
while the transfer of funds from an account in the customer’s name from another
institution may provide some comfort, the Bank should still conduct CDD, as it
is possible that the other institution closed the customer’s account for cause.

Transaction monitoring systems and ongoing monitoring
A transaction monitoring system is key to
mitigating ML/FT risk within the Bank. The
BCBS recognizes that AML risks require more
than just appropriate policies and procedures;
Banks must have adequate and appropriate
monitoring systems. For most Banks, this will
involve an information technology (IT)
monitoring system; if the Bank does not believe it needs an IT monitoring
system, it should document the rationale for why it does not need one. The
monitoring system should cover all accounts and transactions of the Bank’s
customers and enable a trend analysis of activity and identify unusual business
relationships and transactions, particularly with regard to changes in the
transactional profile of customers.
Banks should be able to risk rate customers and manage alerts with all the
relevant information at their disposal.
This indicates a feedback loop should exist between the customer risk-rating
systems and the transaction-monitoring system, so that as unusual or
suspicious activity is identified, it increases the risk of the customer. This
increased risk may also result in higher risk customers being subject to
enhanced forms of monitoring, as well as enhanced CDD and more frequent
refresh of CDD information.
IT system parameters should be properly tuned for the bank’s risks, so that they
enable identification of alerts that may indicate ML and can be reviewed by the
AML officer. The AML officer should have access to the IT system, even if it is
operated and/or owned by a business line. A critical way to mitigate ML/FT risk
is by using the transaction monitoring system to conduct ongoing monitoring
of customer activity, building on the information from the risk assessments and
customer profiles. This enables banks to satisfy their obligation to identify and
report suspicious activity. Monitoring systems should be adapted to the risks
present in the bank, such as if the bank identifies a particular ML scheme
occurring within its jurisdiction. A bank should have appropriately integrated
management information systems to provide both first and second line of
defence staff with timely information to monitor and analyse customer
accounts, including transaction history, account documentation, significant
changes in customer or business profile and unusual transactions (being
mindful of prohibitions on disclosing reports of suspicious activity or tipping off
customers about such reports). Banks should also consider the use of their IT
solutions to periodically screen accounts against sanctions lists.

The definitions of the risk listed below will be utilized when analysing all
information gathered to determine the Bank’s Final BSA/AML Risk Score:

Inherent Risk: Define what determines a rating of High, Moderate or Low
International transactions: Yes or No
Geographic Risk: Define what determines a rating of High, Moderate or Low
Cash Intensive: Yes or No
Monitoring/Mitigating Controls: Define what determines controls considered to
be Strong, Adequate or Weak
Residual Risk: Define what determines a rating of High, Moderate or Low
Risk Assessment link to BSA/AML compliance Program

Currency Transaction Reports (CTRs) and Monetary Instrument Logs (MILs)


Information about the Bank’s daily work process relative to CTRs and MILs
should be included in the risk assessment. The daily work process would
include:
1. System used to process CTRs
2. Reports utilized to identify all reportable CTRs and verify cash in and cash
out totals are correct
3. How cash is aggregated by tax identification number
4. How CTRs are created and verified
5. E-filing and acknowledging the file
6. Number of CTRs filed
7. Number of exempt clients, Phase I and Phase II, and define exemption
process
8. Process of verification of monetary instrument logs
