FCPA Compliance and Ethics Blog

May 28, 2013

Risk Assessments in an Anti-Money Laundering Compliance Program

Today we celebrate that noted British comedian who made his fame in America – Bob Hope.  He had a successful film career largely thanks to the series of seven “Road” movies he made with Bing Crosby and Dorothy Lamour, including Road to Singapore (1940), Road to Morocco (1942), Road to Utopia (1946) and Road to Rio (1947). Hope is also known for his entertainment of US military forces overseas. In 1941, after America’s entrance into World War II, Hope began performing for US troops abroad; he would play shows for more than a million American servicemen by 1953. Some 65 million people watched him perform for troops in Vietnam on Christmas Eve in 1966, in his largest broadcast. Hope also became a legend for his countless TV specials, which he would perform over the course of some five decades. He hosted the Academy Awards ceremony a total of 18 times, more than any other Oscars’ host.

What does Bob Hope have to do with compliance? First, he was a comedian, and second, he reinvented himself several times. The anniversary of his birthday reminded me of an article written by Carole Switzer, the co-founder and President of the Open Compliance and Ethics Group (OCEG), for Compliance Week Magazine entitled “Analyze This: The Value of Business Risk Assessments.” In her article, one in her continuing series of GRC Illustrated articles, Switzer says that anti-money laundering (AML) compliance programs, like therapy, are “difficult to define and relatively easy to avoid.” She quoted Larry David, co-creator of Seinfeld and creator of “Curb Your Enthusiasm,” for the following thought on therapy: “I know enough about myself now to know that I really don’t need to know anymore.” Unfortunately, as Switzer notes, many companies have the same problem when it comes to their AML programs.

Switzer discusses a recent report by the UK Financial Services Authority (FSA) which highlighted four general reasons that UK banks failed to have effective AML programs. The same four reasons hold true for non-banking sector US companies in the area of AML.

(a) Denial. The FSA reported that one-third of the banks “failed to review their business-risk assessment program on a regular basis. Additionally, about one-third of the companies scrutinized also failed to alter their risk assessments in response to new developments and insights, such as when allegations of major corruption were levied against a customer or when a country’s risk profile spiked due to regime change.”

(b) Grandiose delusions (imagine a bank with grandiose delusions!). The FSA found that too many “customer-facing “relationship managers” could override customer risk scores produced by the risk-assessment program—without sufficient evidence to support the decision to disregard the score.”

(c) Borderline suspicious. Bank personnel did not understand how the AML risk assessment was generated and indicated that they were “confused” regarding what score indicated that a customer was a high risk.

(d) Avoidance coping. The FSA noted that institutions used “inappropriately low risk weightings for high-risk factors, “sometimes overtly”; while “other banks chose to ignore well-known high-risk indicators and other adverse information from a variety of sources, “such as links to certain business activities commonly associated with higher levels of corruption.”

Fortunately, Switzer laid out her thoughts on what an effective business risk assessment program should contain. From this risk assessment, you can identify where your company should focus its AML resources, determine how changes might affect your company, and see where your program may need enhancement. She is quite clear that without an effective risk assessment, “your AML program will be inefficient as well as ineffective.” She sets out five steps to take.

  1. Define the Risk. Switzer says that “At the forefront of any good business risk assessment program is an executive vision. The executive sponsorship must ask themselves difficult, critical questions.” This is largely because while there are certainly known risks to a business, there are also risks you and your company may not be aware of, so it is important to define what you know but leave it flexible enough to cover the unknown when it becomes known to you. Switzer lists some of the questions that you might begin with, which include: What are the inherent risks in our current business? What controls do we have in place? How much risk, after the business risk assessment process is instituted, remains? Should we close business locations? Should we add additional controls? Should we put spending restrictions in place? Are other industries at the same level of risk?
  2. Gather Intelligence. In this step, after executive sponsorship has set the strategy in motion, you must gather intelligence to truly understand the exposure across the organization’s products, services, and customer base. The AML team should consult local business and compliance leaders to gain key insight. The specific steps include: (1) Develop the business risk assessment questionnaire. (2) Determine what controls are currently in place. (3) Review the external risk. (4) Understand the magnitude of each risk factor. (5) Gather and normalize all data for review.
  3. Review the Findings. Once a full business assessment has been conducted and all the data collected, a full analysis of the data is performed at multiple levels. The overall picture of risk is reported to business line, regional leaders, and enterprise leaders. Switzer’s specific steps include (1) Creation of full evaluation reports of all measured data. (2) Involve AML staff, regulators, and critical business leaders in your review. (3) Utilize external, unbiased consultation to determine product and service risk for remediation.
  4. Decide How to Proceed. Switzer advises that after you come to an understanding of your exposure and risk, your vision has been set, and you have gathered data and reviewed it, you can set a course to move ahead. However, she cautions that “continual review of the plan’s impact on the business, even at this stage, is critical.”
  5. Implement the Plan. At this final step, after your company has defined its strategy, determined, by measurement, the exposure to AML risk, understood and evaluated the areas of potential risk and then “determined a path to accept, resolve and eliminate, it’s time to go to work setting the plan into motion—however, just because you are now implementing doesn’t mean you can relax. Constant scrutiny, learned best practices, and ongoing monitoring are critical.”

Switzer concludes by stating that “Risk assessment programs must evolve quickly as risks and crimes do. Building in a good system of correction and monitoring that can flex with your organization is critical.” So just as Bob Hope reinvented himself as the tastes of society changed, your risk assessment should be a “living, breathing process.”

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

May 23, 2012

Assessing Risk? ethiXbase is an Invaluable Tool

Most compliance practitioners have gotten the message that a risk assessment should inform the creation of, or enhancements to, your Foreign Corrupt Practices (FCPA) or Bribery Act anti-corruption compliance program. But just say that you are Compliance Officer and the Chief Compliance Officer (CCO) comes into your office and tells you that the company wants to look at going into China to either manufacture a key component of your company’s most valuable product or go into Russia to sell a new product line. The CCO would like you to do a risk assessment from the anti-corruption/anti-bribery perspective. You cannot go to outside counsel or an outside expert. Faced with this problem, what might be the best single resource for you to begin this research?

Put another way, what is the best one-stop database site for anti-corruption and anti-bribery on a worldwide basis? I think that the answer will lead you to one resource that I would suggest you take a very hard look at, and that is ethiXbase.com. The reason – it simply has a breadth and scope that cannot be matched.

The database has five tabs which allow you to research in a wide variety of areas. In addition to the individual tabs, details of which are listed below, you can set notifications for email alerts. You should also note that the site is updated on a daily basis. The specific information includes the following:

Dashboard

This tab allows you to set any of the BRIC countries (Brazil, Russia, India and China) as a default country. From this setting you will receive information on the latest actions in the country; the latest FCPA enforcement actions related to the country you have selected; enforcement statistics and trends; and a summary of legislation relating to anti-corruption, translated into English. This tab also provides general statistics on the country such as population, capital and elected federal officials.

FCPA Index

This tab provides a simply breath-taking scope of information for the compliance practitioner. Every FCPA enforcement action and publicly announced on-going investigation is available to you in a searchable database. The ease of use is outstanding. There is information on Federal register, federal agency, public laws, and Congress bills related to the FCPA and, finally, there are risk factors disclosed by companies around the world in all of the above. Amazingly, this database is updated on an hourly basis so you have the most up-to-date information available.

Global Index

This database is equally broad in scope to the FCPA Index but set up for the entire world. Pick any country and you will immediately have access to anti-corruption legislation and the applicability of the Organization for Economic Co-operation and Development (OECD) and United Nations Convention against Corruption (UNCAC). You will find OECD reports as well as other Non-Government Organizations (NGOs) such as the International Monetary Fund (IMF). There is also an index of ancillary laws such as privacy laws and anti-money laundering legislation in each country.

Law Firm Memos

For any compliance practitioner, this resource is simply fabulous; it houses the best legal Memos from the best law firms in the world. It is a database of more than 1,000 client alerts and white papers from firms specializing in compliance issues. It is searchable by law firm name, topic and title. You can set up customized watches or bookmark specific memos.

News

Last, but certainly not least, is the News section. This features news in the following categories: Home, News Home, Featured, Africa, Middle East, Europe, North America, Central-South America, South East Asia, Australasia, South Asia and Central Asia. Why is this so important? It can keep you abreast of the most current anti-corruption and anti-bribery news across the globe. More importantly, if an issue or matter pops up in your industry or a geographic region in which your company does business, you will know about it and can be prepared to review it internally. It is a great way to understand how and where the Department of Justice (DOJ) is using its investigative resources.

So how does all of this relate to your assigned task? ethiXbase allows you to research the relevant laws of each jurisdiction that you wish to enter. You can also review all FCPA enforcement actions to determine if your sales model may be similar to any companies which have run afoul of the FCPA. The Law Firm Memo section will give you the underlying legal basis to support your findings. With the Dashboard you can set up the email notifications for any new legal enforcement actions, Memos or news for the country or countries that you need to follow closely. Lastly, the News section will allow you to keep abreast of the reported information for each country.

I have thoroughly reviewed ethiXbase and use it in my compliance legal practice. You should as well.


© Thomas R. Fox, 2012

June 15, 2011

Suggestions for Starting a Regulatory Compliance Risk Assessment

Ed. Note: Today we have a guest post by our colleague Mary Shaddock Jones, who has recently joined the world of private practice.

You have just been asked to perform a regulatory compliance risk assessment in all of the countries in which your company currently operates. Seems like a daunting task. How do you proceed? Here are a few suggestions to get you started:

  1. Risk Assessment– I believe that you can use the Enterprise-wide Risk Management (ERM) Framework to identify, analyze, respond to and monitor critical regulatory compliance risks on a country-by-country basis. For the purposes of this exercise, you are required to identify the legal (statutory) and regulatory requirements in each country in which your company currently does business. There could be thousands of different legal and regulatory requirements. I believe that the key is to first consider the requirements that could significantly affect the company’s ability to meet its missions and goals.
  2. Identifying Key Legal/Regulatory Risks– In order to determine the “Key” risks (i.e. those which could significantly affect the company), you need to “divide” the company into various “risk centers” and identify the “risk owners” within each risk center. For instance, if your company is required to import vessels/equipment into a foreign country to perform work, then one significant risk to the company is the inability to import the vessels/equipment if the person responsible for doing so fails to follow the proper legal/regulatory requirements. As a result, one of the “risk centers” could be the vessel/equipment regulatory compliance department. If your company manufactures tennis shoes in the U.S. but imports the various components of the shoes from foreign countries, a breakdown in the importation of an individual component could have a significant impact on the company’s ability to sell its tennis shoes. As a result, one of the “risk centers” could be the procurement department. The point is this: you, as the Compliance Manager, have to understand your company’s business processes in each country with sufficient clarity that you can begin to identify the various “risk centers” and “risk owners”.
  3. Identifying Major Steps– Now that you have identified the various “risk centers”, it is time to meet with the individual risk owners to collectively map out each step in the process unique to the particular risk center. By doing so, you can next identify each major activity in the process. Once the major activities are identified, you can then begin to collect information as to what laws/regulations apply in each country.
  4. Identifying Major Laws/Regulations-   In the scenario presented, your company performs work both in the United States and in several international locations.  First, you need to understand the U.S. laws which apply to foreign business activities, including such things as economic sanctions and boycotts; export controls; anti-terrorism; anti-bribery and corruption to name a few.  Other U.S. laws, such as environmental, employment, trade, tax and anti-trust laws, may also apply. Finally, you will need to consult with knowledgeable counsel in the various countries to identify the local laws which apply to each of the major activities outlined above.
  5. Maintaining Privilege– Risk Assessments should typically be performed by legal counsel, or at least under the direction of legal counsel, so as to utilize the attorney-client privilege in order to protect privilege and confidentiality issues which may arise during the risk assessment process.
  6. Acting as “Project Manager”– Under the scenario presented, you have been presented with a huge project.  You should approach it with the hat of a “Project Manager” in order to define the project, identify the risks, coordinate the experts both within the company and outside the company who can identify the Key Risks, then collect and organize the information so that it can be presented to Senior Management in a useful format.

Mary Shaddock Jones, Attorney at Law and former Assistant General Counsel and Director of Compliance at Global Industries, Ltd., can be reached via email at msjones@msjllc.com or via phone at 337-515-8527.

Join Ms. Jones and myself  for Upcoming Webinar

Tuesday, June 21 at 1 EDT, I am co-presenting on a webinar with Mary Shaddock Jones, on “Supply Chain Relationship Management Under the FCPA and Bribery Act”. The event is co-hosted by Ethisphere and World Check.
