Pub. 4 2014-2015 Issue 1
14 OVER A CENTURY: BUILDING BETTER BANKS - HELPING COLORADANS REALIZE DREAMS

tions processed through the customer’s depository accounts and ultimately failed to properly allocate resources to monitor the effectiveness of third-party controls over AML activities conducted on behalf of the financial institution.

Common to each of these cases are:
• A lack of adequate risk identification related to customer activities
• Weak customer due diligence processes
• A lack of effective controls over monitoring and reporting of suspicious activity

Risk Assessments

Detailed, realistic risk assessment is critical to an effective AML program. The purpose of the risk assessment is to help you assign the right resources to mitigate unacceptable levels of risk. An effective AML risk assessment should consider activities performed by the TPSP. Here are a few areas to consider to help enhance your institution’s AML risk assessment.

Strategic Business Plans

Management’s business strategy is a very important factor in assessing AML risks in your institution. For example, management may decide to use the services of a third-party payment processor (TPPP) to develop product lines that are more profitable than average deposit services. Money laundering risk inherent in these types of business relationships tends to be higher because of the significant volume of transactions and customers served by TPPPs. Similarly, higher-risk relationships with other types of third parties—such as mortgage brokers or originators, retirement plan administrators (particularly self-directed IRA administrators), or credit or debit card originators—all come with unique risks associated with their products and services that may elevate your institution’s AML risk profile. You should be certain to incorporate inherent risks in these types of vendor relationships into your overall AML risk assessment.
Depending on the number of TPPPs and the significance of these relationships to the overall revenues of the institution, a separate third-party risk assessment and AML management program may also be warranted.

Customer Identification and Due Diligence Programs

Your institution most likely deploys a reasonably effective process to manage both its customer identification and customer due diligence programs (CIP and CDD, respectively), which help establish the customer’s true identity and intended use of accounts and services. However, the most effective risk assessments will include an evaluation of how effective your TPSP’s CIP and CDD are as well. TPSPs may be providing products and services to hundreds or thousands of customers, so your reliance on the effectiveness of their CIP and CDD may be significant. More information on the importance of CDD appears below.

Products and Services

Your institution’s products and services most likely have been well vetted through many years of examinations and analysis. However, when you work with TPSPs and TPPPs, your institution’s risk profile may increase significantly. TPPPs may support customers who offer products that are inherently at higher risk for money laundering or other illegal activity (such as medical insurance products, money exchange, pornography, and Internet gambling). These types of businesses would typically be identified through the TPSP’s CDD process, but it’s important to consider product and service risk as part of your institution’s combined AML risk profile.

Customer Due Diligence

Performing due diligence over new customers is a critical role of your TPSP. Your institution most likely will be delegating certain portions of CDD to your TPSP as part of a contractual arrangement for services. The level of delegation will depend on the type of product or service the TPSP will be supporting.
With a TPPP, multiple layers of CDD may be necessary and close monitoring must be maintained over delegated functions to mitigate AML-related risks. As noted above, many TPPPs provide services to other businesses, which in turn contract with hundreds or thousands of customers to process payments through their businesses. CDD must be performed at the business level as well as the contracting customer level to ensure potential customers who may conduct undesirable or illegal business activities are declined and accepted accounts are properly monitored for suspicious activity.

The TPSP should have a well-documented AML program that includes written procedures for conducting CDD appropriate to the types of products and services provided. Independent testing of these procedures should be performed on a regular basis. Whether the TPSP performs testing through regular internal audits or contracts testing through a third party, your institution should have full access to reports on testing results, and issues identified in reporting should be resolved within a reasonable period of time.

Where more complex layers of CDD are required, your institution should be fully engaged in reviewing and validating the results of CDD provided by the TPSP for each new customer. In the case of a TPPP providing services to businesses, supporting