AML risk & Sanctions risk analysis & minimisation

> How to determine a clear risk tolerance and risk appetite as requested by FINMA
> Challenges in connection with the Sanctions Risk Analysis
> How can financial institutions minimise inherent risks in connection with sanctions?

RISK TOLERANCE / APPETITE

Defining a clear risk tolerance and risk appetite: how to comply with FINMA’s request?

• Purpose of the risk tolerance: how must risk tolerance be expressed (in terms of AUM, number of clients… ?)
• Must risk tolerance be expressed in reference to each inherent risk ?
• How can risk tolerance be determined? Can it be challenged by auditor/ regulator or is it a pure business decision that cannot be challenged?
• Good and bad practices; what can auditors and regulator think of them
• Tolerance of sanctions risk: new aspects, adaptation

How to ensure the respect of the risk tolerance

• If net risk (result of risk analysis) is superior to risk tolerance:
  • Which mitigation measures can be taken, how to quantify them (quantification named also control risk)
  • If the mitigation measures are insufficient to reduce the net risk, the business model (which determines inherent risks) must be changed: examples of change of the business model
• The continuous respect of the risk tolerance: at onboarding of new clients, when changing the risk score of certain clients, when new risks emerge (ex: sanctions)
• Setting up control mechanisms to limit the residual risks
• Exceptions to policy at onboarding and conditional approvals
• FINMA demands to use better both qualitative and quantitative indicators related to client inherent risks and of the control risks : difficulties, solutions adopted in practice
• Derisking: practices of derisking after the sanctions. Different practices that have taken place in light of sanctions: Examples in Wealth Management, Asset Management and Correspondent Banking

AML RISK ANALYSIS & SANCTIONS RISK ANALYSIS

How to evaluate the country risk when it becomes more and more complex?

• What are the different criteria/ components : domicile, residence, nationality/ passport (current, or in the past: for example, Roman Abramovitch has a portuguese passport, should a be classified as Portuguese or Russian?), multiple nationalities, tax residence, RBI/CBI, place of business activity (investment, trade), source of wealth (past, current), location of assets, source of incoming funds or outcoming funds…
• Who should be taken into account: contracting party, UBO, counterparties, place of incorporation/ headquarter of structure,…
• Which components must prevail/ have more weight ?
• What has the sanctions risk (violation, circumvention) modified in the evaluation of the country risk?

Challenges in connection with the Sanctions Risk Analysis for Financial Institutions

• Differences and overlaps between AML risk analysis and sanctions risk analysis
• Where do the potential risks for a financial institution lie in connection with the applicable sanctions?
• How can financial institutions minimize inherent risks in connection with sanctions?
• Sanctions Risk Exposure vs. Sanctions Risk Appetite

THE ROLE OF CONSOLIDATED SUPERVISION IN RISK MANAGEMENT

Consolidated supervision: what is it, requirements, implications for PEPs and sanctions

• What are the objectives of the supervision of subsidiaries ?
• What are the duties of the consolidated supervision (new FINMA circular) ?
  • Control the quality of certain controls done by subsidiaries
  • Imposing the risk appetite of the group to the subsidiaries ? Imposing to the subsidiaries to exit a client that is outside of the risk appetite/tolerance of the group, even if the client is inside the risk appetite of the subsidiary ?
  • Consolidated supervision generates the escalation of information from the subsidiaries: what does escalate precisely: names of clients, information, files…?
• What is a consolidated risk analysis at group level, for example in the case of sanctions, or PEPs ?
• What if, through the consolidated supervision, the same client appears to have different bank accounts in several subsidiaries; the client consolidated position makes him a big client; what are the questions to be asked? What will happen to this client and for the different subsidiaries which are having him/her as a client?
• What are the practical consequences of consolidated supervision?
• Consolidated supervision relative to PEPs : how combine the standards defined by the headquarter/group and imposed to the subsidiaries and the autonomy of the subsidiaries to have their own / possibly stricter definition of what is a PEP (for example by including as PEP the domestic PEPs)
  • how to manage Swiss PEP standards and international PEP standards (e.g. in some countries PEP definitions are tighter than in CH and how to manage the PEP framework for a Swiss bank with international subsidiaries). If a country has a more narrow PEP definition (e.g. consular staff is PEP), is it correct that the Head Office needs to apply these standards as well and consider individuals as PEPs even they do not fall into the Swiss understanding of a PEP.
  • Approval requirements of foreign booked PEPs in the head office (according to AMLO-FINMA Art 19 para 1 and Art 6 para 1 lit. c). What are the expectations, possible delegations and exceptions?
• Consolidated supervision relative to sanctions: extraterritoriality of Swiss sanctions, issues with the subsidiaries located in jurisdictions which don’t apply the sanctions against Russia (like UAE…)