Risk Management Thought Leadership

Advance to Boardwalk: Building an AML Risk Management Program Monopoly Style

By Shannon Bennett, Director of Financial Crime Control Strategy and Consulting, Risk and Compliance, Wolters Kluwer Financial Services

“You have been elected Chairman of the Board, pay each player $50.” “Bank error in your favor, collect $200.” Sound familiar? Who among us didn’t grow up playing Monopoly or, depending upon your age, a themed version of it? If you have played the Monopoly game and understand its rules, it’s easy to see how Hasbro has been able to make different variations of the same game using a standardized model to address different topics (i.e. Monopoly Disney Edition, Monopoly Clone Wars Edition, CityVille Monopoly).

This approach of repurposing a standardized model can be applied to risk management and the different compliance functions within a financial institution. For the purposes of this paper, the focus will be on the original version of Monopoly as a model for building a BSA/AML risk management program, using the game board as the framework, as well as its playing pieces and CHANCE/Community Chest cards when discussing different aspects of the program.

Setting up the Game

Let’s talk about the Monopoly game board and how it translates into implementing and maintaining a strong BSA/AML Risk Management Program. In this game, you and all the other Monopoly players are compliance or risk officers of competitor banks. As compliance or risk officers, you start on the same GO space, with the same rules, and are all provided the same budget by your bankers (Board of Directors), who then send you and the other compliance officers on your way to build an AML Risk Management Program for your institution. How you use that money as you move across the game board will determine how effective you are as a Monopoly player.

Your success will be determined by how you move strategically around the board, reacquainting yourself with the rules and knowing the other players. First, understanding the steps you must take to build an effective program is essential. Second, you need to safeguard that you are up to date with regulator expectations when addressing your risk profile, familiar with new guidance and understand the formal rules. Finally, understanding the other players and their moves is important. For example, are you keeping up with what is happening with other institutions in regard to regulatory actions, such as cease and desist orders or civil money penalties? Are you aware of decisions neighboring institutions are making, such as if they have quit offering certain services or changed their fees? Staying on top of peer activities can save you from the headache of unwittingly taking on additional risk as well as keeping you ahead in the game.

The AML View of the Monopoly Game

With the game board as your framework, starting at GO, each group of properties represents a different phase in the development of your risk management program—from building your risk assessment to creating policies and procedures, identifying your controls, capturing your deficiencies, performing testing, producing documentation, providing oversight, carrying out training and finally ending with updating your risk assessment. Some of the topic areas, such as training and documentation, are strategically placed on the game board to provide ongoing support of your program.

The game pieces are symbols for different elements of your business—the player tokens represent customers, the property title deeds represent geographies, and services such as hotel stays represent products and services. These will be incorporated into the discussion as appropriate to building a risk assessment.

Mediterranean to Boardwalk—Understanding Your Risk

Step one of your strategy will typically consist of building your AML risk assessment. It should comprise the same methodology and principles that have been used in your other areas, hence using a standardized game board, identifying your players, following the formal game and finally a risk ranking practice that provides you with a consolidated view of the risk across your organization.

By using the Monopoly risk management model, four properties are used to represent the risk assessment. We’ll address the other two properties later in the game; however, the first two properties (Mediterranean and Baltic) symbolize the first steps you take when starting to build your risk assessment as the foundation of your program. There is not much investment initially and you can also see that their placement on the game board reinforces the low risk attributed to those properties.

To create an AML risk assessment, your first step should be to identify those customers that may bring a higher level of risk of money laundering due to the nature of their activity, occupation, or type of business. Understanding and identifying the risks associated to customers is the first essential part of your risk assessment in determining a risk-based approach. Similar to the Monopoly game, where Hasbro has supplanted some of the original tokens (iron and cannon) with different ones, and most recently added the cat, based on public feedback, the perception of risk associated to some customers has changed over time based on regulator feedback. Due to that feedback, customer profiling has evolved and the reasons behind a decision to accept or reject a prospective customer have changed over the years, and these reasons are all based on shifting perceptions of risk. As with the other tokens that have been removed, the cat may at some point be deemed undesirable for Hasbro, as not all Monopoly game buyers like cats or feel it’s an appropriate token. Just as with money service businesses, which were deemed high risk, causing many banks to stop providing services to them.

Let’s move to the geographies associated to your institution within your risk assessment. The property title deeds represent your geographies using this framework. Based on the placement of the property spaces on the game board and their value, one can deduce that the risk is tied to the location of them. The value and risk of Mediterranean is very minimal, in comparison to Boardwalk, which, when housed with a hotel, can bankrupt a player. Similar to Monopoly, regulators and law enforcement have provided quite a bit of insight into which geographies are deemed riskier based on location and activity associated to them. Some of this information includes jurisdictions identified by Financial Action Task Force (FATF), countries subject to OFAC sanctions, countries identified in the International Narcotics Control Strategy Report (INCSR), or by the Director of the Office of National Drug Control Policy (ONDCP). This information should be incorporated into your risk assessment when identifying the geographies of your institutions, which jurisdictions your customers conduct transactions and where your customers reside when evaluating your geographical risk.

Finally, the products and services provided by your institution are comparable to the game’s services of motel/hotel stays, rides on the railroads, utility payments or those bank fees when picking up a Community Chest card. As with the Monopoly game, the cost and frequency a service is used or landed on will be a factor in determining its risk. As you build your risk assessment and capture your products and services, be sure to identify their inherent risk and based on that risk identify the controls you either have in place or need to implement to mitigate the risk. Understanding the risk associated to your products and services will help you as you pull together the data when evaluating and determining your risk profile.

In order to have a solid risk assessment, your documentation should support the scope, methodology, standards and criteria used to identify and determine the compliance risks throughout your organization. The information gathered to create your risk assessment should be then used to determine the risk associated to your customers by using the three elements discussed earlier, and should help drive the policies and procedures related to your customer identification program (CIP) and customer due diligence (CDD). This approach advances you to the next group of properties and keeps you from having to go back three spaces or being assessed for street repairs.

Advance to St. Charles Place with Your Policies and Procedures

As we continue to build your framework, we’ll move onto Oriental through Connecticut Avenues, which represent your policies, whereas St. Charles Place through Virginia Avenue represent your procedures. As any avid Monopoly player knows, when you invest in both sets of properties, the rewards are bountiful. Keep in mind that, as with Monopoly, some of your rules (procedures, controls or processes) that have always been there can either now be missed or deliberately changed due to time, staff or a misinterpretation of their intention. Many of us grew up with having to land on the actual space before having an opportunity to buy a property; however, the actual rules provide a different scenario altogether. In the actual rules, if the player landing on the property chooses to pass on purchasing it or simply cannot afford it, the property is auctioned off to the highest bidder.

In relation to BSA/AML, the approach of staying on top of the current rules and best practices in order to understand the best way to win makes sense. In the older version of Monopoly that many of us played, the winner truly was most often left up to CHANCE by what you happen to land on or if you picked up the right card. For those of us that happened to start playing the game at the age of eight, we were certainly at a disadvantage to those more seasoned players that had the upper hand at understanding how to win the game or apply the rules in their favor. Going back from time to time to reevaluate your rules (policies, procedures and controls) to identify any gaps ensures that you are managing your game to your risk profile. Just like the Monopoly game, any time you pick up a card (policy or procedure) from the Community Chest or CHANCE, it needs to tie back to the game board (risk assessment).

Picking up the “You have won second prize in a beauty contest. Collect $10” has always seemed out of place, and who wants to come in second? Having your examiners see how your policies and procedures address your risks with the proper controls is critical and when they don’t, or if they see a policy or procedure that doesn’t make sense, it is no different than throwing in a card similar to the beauty contest winner, that doesn’t tie back to the game.

Never leaving anything strictly to CHANCE also means that your business units should have procedures specific to the risks that are managed in that department with clear processes to how they share information throughout the organization, specifically with the area responsible for ongoing monitoring and reporting. Policies, procedures and processes are only as good as the team that is responsible for executing them and should address when and how handoffs occur, along with an expectation for adherence, as well as a statement for the repercussions of noncompliance.

Having the properties that represent policies and procedures wrap around Just Visiting provides an opportunity to safeguard that they are a true reflection of your program and are mapped to your risk assessment and meet regulatory requirements. This is where you’ll want to ensure that you’ve identified the needed controls before moving on to the next step. Taking some time to make updates to your program as your risk profile changes can keep you from rolling the dice and paying a fine.

Move to Free Parking with Your Controls

As we move to identifying and mapping your controls via technology solutions, visualize the next two sets of properties—St. James Place through Illinois Avenue. As you move along the board, your investment keeps getting greater as you build your program. These spaces require you to map your policies and procedures to your controls, work with business units to identify gaps, and evaluate your technology to ensure system capabilities are recognized to eliminate manual workarounds.


These properties border Free Parking for a reason. How many of us play the game using Free Parking as a place that we deposit the fines and taxes we’re required to pay and whoever lands on Free Parking hits the jackpot? Although this is not a formal rule within Monopoly, many of us can relate to that pool of money when talking about technology. This is the make it or break it point when it comes to ensuring you’re investing in the right solution for the size and complexity of your organization. It is also something expected by your regulators.

By taking the time to perform due diligence on your options and/or delving into a system you already have to make sure you’re using it to its fullest potential, you can avoid the common Monopoly mistake of pooling funds in Free Parking that has only the player landing on the space coming out the winner or when talking about it in terms of technology, the only winner is the vendor of the solution.

Familiarizing yourself with the rules by rereading the instructions to the Monopoly game is a similar approach when looking at the technology that supports your program. Reevaluating whether the solution purchased years ago is still working for your institution and has the functionality you need, means identifying whether the instructions that everyone has come to know and follow are truly the up-to-date version and have not been somehow misunderstood over time due to changes in staff or program needs. You don’t want your technology to be a dumping ground of cash into Free Parking for whoever lands there first. There is a reason Hasbro discouraged such rules in their game.

Testing – Doctor’s Fee Pay $50

Atlantic Avenue to Marvin Gardens represent the testing phase. First, performing transaction testing determines whether your controls are working correctly and, second, the findings should be well-documented. Notice that the properties border the “GO to Jail” space, which is a warning to slow down as these properties are critical to your program and should not be skipped over. As with Monopoly, if players bypass the official instructions, a different outcome is most likely to occur.

Most of us believed that you had to land on the property to buy it; however, a greater likelihood of winning occurs if a player isn’t at the mercy of a roll of the dice or picking up a CHANCE card. Similar to your program, if your staff advances three spaces rather than follows the proper instructions there will most likely be a gap, even though strong controls have been implemented to mitigate your risk. As with all testing, issues may be found and changes to processes may be the outcome. Communicating these changes to impacted staff as well as to senior management will provide visibility and transparency. This leads us into the next step of the framework.

Oversight from Pennsylvania Avenue

We now travel forward to the next set of properties, which borders on the other side of the Go to Jail space and includes Pacific through Pennsylvania Avenues. This set of properties represents the oversight of your program, and includes adequate staffing, appropriate reporting lines, and supervision by qualified leaders and your board. Ironically, you’ll notice that Pennsylvania Avenue is included to represent oversight. This reinforces the need that the executive leaders within your organization should have the understanding and visibility into your program. To get to those final properties, you must avoid landing on Go to Jail as the oversight properties are needed to help solidify your program. This is actually worth noting as recently some financial institutions have been issued penalties due to the lack of executive oversight of rather egregious activity. As with your program in relation to the Monopoly game, delays in building the essential elements of your program, such as proper oversight, may put you behind the other Monopoly players, if you are sitting in jail for a few turns. Avoiding the wrong moves or relying on a roll of the dice at this point in the game, may set you back from your peers and reflect poorly with the regulators.

Take a Ride on the Reading with Training

If you are a seasoned Monopoly player, you may have noticed the railroad properties were not addressed but are still instrumental to the framework of your program and, as you’ll learn, keep it on track. Take notice of the placement of the railroads on the board game. The four railroads have one property centered in the middle on each side of the board. The railroads represent ongoing training, which should be a regular part of your program and should support your policies, procedures and processes. As part of your training, making sure that employees not only took the training, but also attest to their understanding and adherence to your policies will reinforce accountability as well as compliance. Think of your training as the railroads strategically placed around the Monopoly board and no matter what route you take on the board, you are always crossing a railroad, thus a training opportunity. Like the CHANCE card states, “Take a trip to Reading Railroad. If you pass GO, collect $200.” While helping meet your regulatory obligation, ensuring that training is ongoing strengthens your program and provides growth opportunities to your staff, which is a successful ride for both of you.

Advance Token to Nearest Utility

Let’s move to the two Utility Companies (water and electric) on the game board. As part of your framework, these equate to the documentation and reporting that are essential to your entire program in a variety of ways. However, as they relate to the game board, these two properties are placed within the properties that represent policies and procedures and testing. These areas are pretty evident with the need for documentation. Having an unwritten policy or procedure does not hold up too well with examiners; having it documented provides evidence that it is part of your program with the expectation that they are followed. Additionally, your documentation should support your program and provide examiners with the insight they need during an exam.

Your reporting should also provide a clear view of your program to your leaders, allowing them to understand the risks, deficiencies, staffing and oversight needed to win. This is true when managing your exam and audit findings, as well as your testing. Capturing how the findings were addressed and who addressed them is essential to hold the responsible parties accountable. This is when tracking the general repairs to your properties is necessary. It is better when you’ve identified and repaired deficiencies, but if you happen to pick up a CHANCE card from your examiner, paying $25 for each house and $100 for each hotel may be costly to your program.

Clear documentation allows you to tell your story with facts and data, whether you are updating your risk assessment or tuning your monitoring system. Having strong documentation and reporting is required to put the right light (or electricity to keep with the Monopoly game) throughout your risk management program.

Finish Your Program with an Annual Visit to the Boardwalk

There are four properties that represent the risk assessment. We discussed the first two properties, which represent the first steps in building your risk assessment as the foundation of your program. We will now move to the final two properties of the Monopoly game and of your risk management framework. The last two properties on the board, Park Place and Boardwalk, represent the updating of your risk assessment. By completing the game board (building your program) you should have identified and mitigated your highest risks with an effectively built program. The last two properties not only reflect the highest risk/reward based on their value, but also reinforce that your risk assessment should be regularly reevaluated either as you annually pass through GO or as you add products, services, types of customers or expand into new geographies. As any seasoned Monopoly player knows, keeping your risk assessment updated is essential to avoiding or being cited for deficiencies in your program. Managing your program using an updated risk assessment allows you to mitigate your risk profile successfully.

Pay Poor Tax of $15

Finally, what is more appropriate than to tag the luxury and income taxes (or Civil Money Penalty or CMP) as your program’s deficiencies, as they can be very costly when not capturing and correcting findings as needed or required by your examiner or auditor? If you look at a Monopoly board, you’ll notice the placement of these (taxes) deficiencies. The first deficiency tax comes into play in circumstances that your program hasn’t gone through the necessary steps needed to manage your risk profile. This makes sense in cases where all the elements of your program are not there.

The final placement of the last tax (CMP) can be seen at the end of the game board between Park Place and Boardwalk. If you’re penalized in this space, you may have skipped over some of the necessary properties or spent too much of your time throwing the dice and trying to get out of jail as others worked on building a strong solid program. But in either case, the goal would be to go back to GO and replay the game now understanding the board and its rules.

Advance to GO and Collect $200

So all in all, one can see how Monopoly taught us to be strategic by needing to think ahead but still following the rules and, most important, avoiding making the same mistakes (rolling doubles three times and getting put into jail causing lost opportunities to invest). Remember—with the regulators, unless directed to do so, you should always be moving forward and never backward because the last thing you want to do is “Spin the Wheel of Fate” when it comes to the regulators as that is another Hasbro game called LIFE.


About Wolters Kluwer Financial Services - Wolters Kluwer Financial Services provides audit, risk, finance and compliance solutions that help financial organizations improve efficiency and effectiveness across their enterprise. With more than 30 offices in 20 countries, the company’s prominent brands include: FRSGlobal, FinArch, ARC Logics for Financial Services, Bankers Systems, VMP® Mortgage Solutions, AppOne®, GainsKeeper®, Capital Changes, NILS, AuthenticWeb™ and Uniform Forms™. Wolters Kluwer Financial Services is part of Wolters Kluwer, a leading global information services and solutions provider with annual revenues of (2012) €3.6 billion ($4.6 billion) and approximately 19,000 employees worldwide. Please visit our website for more information.

© 2013 Wolters Kluwer Financial Services, Inc. All Rights Reserved. Please visit WoltersKluwerFS.com for more information.