After a short summer break, the FAIR Institute Operational Risk workgroup met again in August to continue our project using the FAIR methodology to revise a typical list of “top operational risks” (we found our list on Risk.net).
Through this exercise, we hope to apply some critical thinking to what’s truly a risk, and publish a revised list with supporting analysis for practitioners to use as a starting point for their own programs. You can read more about this project in Part 1 and Part 2 of this blog series.
This month, the group looked at AML, CTF and Sanctions Compliance (referring to the anti-money laundering and counter-terrorism financing laws, #8 on the list from Risk.net) as the foundation for our analysis. This includes everything from a criminal opening an account under a fake name to launder illegally obtained funds, to stock trades with a party in an Office of Foreign Assets Control (OFAC) sanctioned country that might be using the profits to fund terrorism.
Should be no surprise that regulatory and compliance considerations come up in several different flavors throughout the top risks list. However, through the analysis and data gathering process you might be surprised that the data contradicts many of our instinctual assumptions.
For example, at a recent Anti-Money Laundering conference, one former Federal prosecutor with the United States Department of Justice noted that he has “never seen any organization suffer reputational damage from an [AML] enforcement action.” Even with the possible linkage to terrorism financing, there isn’t any public data to suggest that brand damage is a likely outcome of an AML sanction. Likely not a popular viewpoint in the compliance circles, but still a critical data point for our analysis of potential magnitude.
What’s the Risk?
The interesting point about these compliance related risks is that the facilitation of criminal activity isn’t the risk organizations worry about, but rather it is being caught out of compliance. Intense scrutiny in the areas of BSA/AML and sanctions enforcement is likely to continue based on current trends. At the start of 2017, all the five largest U.S. banks by asset size had been subject to public regulatory actions relating to BSA/AML or sanctions deficiencies at some point within the past five years. Public disclosures also reflect that regulators and law enforcement remain active in these areas of investigation, with a number of the largest financial institutions disclosing ongoing inquiries at the end of 2016.
Using this as a starting point, the group established a risk statement to capture the spirit of this AML/Sanctions risk:
“Malicious actors (external or internal) may conduct transactions through our services to facilitate illegal or sanctioned activities resulting in resource intensive investigations, fines and settlement costs.”
The Asset at Risk
Essentially, any business process that falls under these laws and regulations will be a concern. Examples include account opening processes, money movement systems, and trading processes.
The Threat Actor
When you consider who will attempt to initiate prohibited financial transactions, the main threat is generally an External Malicious Actor, however, there are scenarios involving an Internal Malicious Actor. The threats we worry about are criminals and terrorists.
The typical triad from information security of confidentiality, integrity, availability (C-I-A) doesn’t work for many operational risk scenarios. For this scenario, the effect would be Compliance or Governance.
Based on these factors, the following key scoping attributes were captured:
The list of Key Controls is certainly not meant to be exhaustive given the breadth of this scenario, just gives an indication of the common types of controls used in this space.
The group also discussed the following assumptions for the scenario:
- Impact could be fines, business interruption, loss of access to critical government services, or relationships with regulators could be damaged
- Effort to support the investigation, and the fines or settlement costs will be the most probable costs
- There could be additional long-term cost to the organization due to increased regulatory and oversight scrutiny
- Although Reputation damage and loss of Competitive Advantage were both considered as secondary forms of loss, it was agreed that this would be insignificant and not worth capturing
- If the event is big enough, the organization may suffer some productivity loss as services are temporarily suspended or revenue generating staff are pulled from their normal responsibilities to assist with the investigation (or even follow up audits and exams)
There was some debate within the workgroup about whether Replacement cost was relevant to this scenario or not. One take is that employees may be terminated because of negligence or misconduct, and there could be some tangible cost to replace that skillset. Still a topic that requires some more thought.
In 2015, we saw record-setting penalties imposed, at times approaching and exceeding the billion-dollar mark. According to the Economist, the largest settlement related to money-laundering violations was settled by HSBC in 2012 with U.S. authorities for $1.9 billion:
While the frequency and size of enforcement actions in 2016 was lighter than in the prior year, 2017 has seen a noticeable uptick in the announcement of significant enforcement actions that suggests the larger trend remains in the direction of very high regulatory expectations and continued enforcement. The BankersOnline site is a helpful resource to search the penalties by year going back to 2007.
How Do Your Results Compare?
Hopefully you can take this analysis template and compare to similarly scoped risks in your own environment, and see how it compares. The workgroup would love to hear your feedback where your analysis could have made different assumptions, identified different data points, or went down a different path. Please consider joining the FAIR Institute’s Operational Risk workgroup to share your experience with the community. We will be continuing this exercise on the next workgroup call, and we hope to see you all in Dallas for the 2017 FAIR Conference later this month!