Contributor Report: Best Practices - Front Line Risk Mitigation, Part one of a three-part series
Wednesday, February 6, 2019
Posted by: Brian Monroe
First published here. Republished with permission and appreciation.
By Mandy Roth, Esquire, firstname.lastname@example.org
Financial Crime & Regulatory Compliance Manager, AML and OFAC sanctions
February 6, 2019
Mandy Roth has been working in the financial crime space for more than seven years, bringing to bear her prior 13 years of experience as an attorney. As a result of her legal background, Mandy is expert in the interpretation of laws, rules, regulations and guidance, and in risk identification and mitigation.
As a lawyer, she identifies areas of exposure within AML and sanctions compliance programs and can anticipate auditors’ and regulators’ concerns.
Roth practiced law for 13 years, specializing in securities regulation and securities fraud, and has 6-½ years of Financial Crime and Regulatory Compliance (FCRC) experience at Hong Kong Shanghai Banking Corporation (HSBC) and Wells Fargo.
Roth is passionate about sharing her expertise with others in the FCRC community. She enjoys shining a light on topics that will help bank compliance staffers to be more successful in their jobs and further the goal of reducing financial crime. This includes how to identify financial crime risks, conduct investigations and mitigate those risks.
She has been kind enough to allow ACFCS to republish her well-received three-part series offering practical, tactical ways for compliance professionals to enhance their skills at identifying and mitigating financial crime risk: Risk Mitigation on the Front Line, Best Practices in AML Investigations and Best Practices in Sanctions/PEP Investigations.
Roth also took time to chat with ACFCS Vice President of Content, Brian Monroe, about why she chose those particular areas to focus on to help the financial crime and compliance communities better detect and prevent financial crime and meet and even exceed regulatory expectations. She also shared some tips on how to break into and rise in the field.
Here is an edited transcript of the interview:
Why did you decide to write your three-part series on these particular topics?
Compliance professionals must have strong analytical skills and an understanding of how risk is mitigated, generally, to be effective risk mitigators. Uncertainty leads to lower productivity; missteps that have to be remediated also waste resources and add to the costs of maintaining compliance programs.
Thus, employees’ risk mitigation skills are critical as FIs try to conserve the costs of maintaining robust compliance programs.
It’s not rocket science, but risk mitigation skills are not intuitive; they require proper training. Within the AML and OFAC/Sanctions compliance space, in particular, there are opportunities at many FIs for improvement with respect to training and development of risk mitigation skills.
I wanted to provide guidance for AML and Sanctions compliance officers at all levels to help their companies provide robust risk mitigation efficiently and cost-effectively.
What is some of the best advice you ever received related to financial crime compliance?
Go to as many conferences, meetings and other events as you can where you have the opportunity – or can create the opportunity – to network with accomplished people in the financial crime/regulatory compliance risk mitigation space.
What is some of the worst advice?
To stay with a company going through compliance problems in order to see and learn from how the problems are ultimately resolved. Do not do this. If your company is struggling, and you’ve been there for a year, get out and move on to a company on stronger footing.
What advice would you give to someone just breaking into the compliance field to get their foot in the door or rise to higher level positions?
If you are a good writer, this is a great field for you; especially AML. Talk about your analytical writing skills if you’re going for AML jobs. Be able to demonstrate your analytical skills (writing or otherwise) from prior jobs if you are just starting out in any area of compliance.
Talk about your analytical skills in your cover letter. Write cover letters! Tout your IT, coding and data analytics skills, if you have them; they are increasingly important in the field of financial crime and regulatory compliance.
If you don’t have those skills, acquire them, especially if you want to advance. If you’re starting out and can’t find a permanent job, go for a consultant/contractor position to gain experience. (Don’t get confused by titles; some FIs have permanent jobs where the title is also Consultant).
FIs facing regulatory challenges tend to increase their staff, so that’s a good time to get your foot in the door, but as mentioned above, don’t stick around too long.
Are there any key trends you are seeing right now in the field? Such as any particular regulatory focal points? Or areas banks are adding staff or reducing staff?
The biggest trends in financial crime compliance are the increasing use of data analytics, the development of ever more sophisticated technology platforms to help FIs identify risks and AI. These tech solutions, though, must be used in conjunction with thinking human beings who have strong analytical and risk mitigation skills.
Thus, tech platforms will likely help compliance professionals do their jobs better. They also may help FIs reduce their risks, but they won’t completely replace the need for human beings to mitigate compliance risk.
Financial crime compliance is only becoming more and more important for FIs as regulators increase their scrutiny of AML and Sanctions compliance, not just in traditional banks, but in all kinds of FIs, including insurance companies, broker-dealers, asset managers, etc.
FIs are actively hiring both experienced and less experienced compliance professionals, including AML and sanctions professionals, all over the country.
I have seen some companies institute large layoffs when improved technology reduces the need for headcount, or after a hiring frenzy when the company finally figures out who’s good and who’s not as good. This is a good reason for making sure your skills are unassailable.
And now, on to the story!
Best Practices: Risk Mitigation on the Front Line, Part one of a three-part series
By Mandy Roth, Esquire
The dominating theme of my experience in financial crime compliance (FCC) has been that many anti-money laundering (AML) and sanctions staff lack an adequate background in basic risk mitigation principles.
This confusion contributes to insufficiently robust AML and sanctions/politically-exposed person (PEP) risk mitigation. When I coach AML and sanctions investigators and point out basic risk mitigation concepts, how they apply to AML or sanctions, or how fundamentally similar AML and sanctions reviews are, many really struggle with it, conceptually and in practice.
In this article, I will show how risk mitigation, as a general matter and removed from the FCC context, is based on universal principles, which I call best practices. In upcoming articles, I will show how these best practices apply to AML and sanctions risk mitigation.
My purpose is to clarify why specific steps must be taken in AML and sanctions to provide robust risk mitigation. These best practices serve one purpose: to provide not some risk mitigation, but robust risk mitigation.
Say, for example, you’re an expert in fire risk assessments for commercial buildings. You’re hired by Insurance Co. to assess fire risk in a commercial building, Justice Thurgood Marshall Tower (JTMT), and determine if you can robustly mitigate or reduce the risk, within reason, sufficiently for Insurance Co. to take on the risk of insuring JTMT (risk can never be mitigated 100%).
Where would you start?
Best practice 1: Ask the right questions.
Here they might be: What are the building materials? When was it built? Who built it? What’s their track record? Who did the electrical wiring? Does JTMT contain, or share a wall with another building, which contains a kitchen? Does the kitchen have a stove, oven or fryer? Are the grounds reasonably well-maintained?
Best practice 2: Perform a holistic review.
To uncover all possible risk factors and risk mitigating factors, conduct a holistic review. This means you look at everything, leaving no stone unturned that could remotely impact risk. With JTMT, research uncovers that it:
- was built 26 years ago under outdated codes;
- had one serious electrical fire in its second year that incinerated the first floor;
- contains a kitchen where a stove, oven and fryer are used;
- shares a wall with another commercial building which had a fire last year;
- sits on a Northern Californian site where forest fires are common – last forest fire was six months ago.
These findings seem to present serious risk factors. However, my holistic review also identified risk mitigating factors:
- JTMT was brought up to code five years ago, and codes have not changed.
- It was recently inspected by an experienced fire inspector and local fire chief, who provided a written report certifying its compliance with fire safety standards. Inspections will recur yearly.
- The interior, including the kitchen, was recently upgraded with state-of-the-art fire-resistant equipment, including a fire alarm system and high-pressure sprinklers placed throughout the building and on its exterior.
- The fire alarm system and sprinklers are checked monthly by a fire inspection company with a strong record throughout its 30-year history.
- There have been no fires in JTMT since its second year.
- The fire next door was started by an overheated toaster. Toasters are now banned in both buildings.
- During a recent forest fire, JTMT was untouched because it was built with fire-resistant materials and landscaped with fire-resistant plants, shrubs and trees.
At this point, you determine that there are sufficient risk mitigating factors to reasonably mitigate the original, inherent risk factors.
Best practice 3: In a holistic review, it is the accumulation of risk mitigation factors, viewed collectively, which results in robust risk mitigation. Don’t leave out any pertinent information.
Say you have a huge stack of fire risk assessment reports to get out under a tight deadline, and your boss scrutinizes productivity as well as accuracy. You might be tempted to mention only one risk mitigating factor and cut the rest. Don’t.
Include all risk mitigating factors in order to demonstrate robust risk mitigation. If you ignore risk mitigating factors, you might be providing some risk mitigation, but you’re not providing robust risk mitigation.
You cannot accurately weigh risk mitigating factors against risk factors if you’re not counting some of them. Similar to a puzzle, you don’t have the full picture if you leave one piece out. Other reasons for including all pertinent information:
- You claim to be an expert in risk mitigation. With JTMT, you are being paid to provide your expert risk assessment in a high-risk, high-stakes situation. There are a lot of people – including you – who stand to lose if you don’t do a competent job, commensurate with the experience you claim and the fees your company charges.
- To mitigate your own or your company’s risk of liability, whether from a legal, regulatory or personal perspective. If it’s not documented, you didn’t do it. Omitting risk factors or risk mitigating factors shows an auditor or regulator, or a prosecutor or court, that you ignored important information. If JTMT later experiences a fire and you or your company are sued, or you risk being fired, you need to be able to say, “I did my due diligence and it’s all clearly documented here for you to see.”
Policies and procedures should emphasize the importance of conducting a holistic review. Financial institutions should not undermine robust risk mitigation with rules, rules of thumb or “guidance,” which encourage you to disregard some risk mitigating factors or only use others.
Once you complete the holistic review, you must document it in a report: analyze your findings and articulate a reasoned conclusion, supported by the facts and reasonable inferences you draw from those facts.
A well-supported conclusion demonstrates to the reader that you have exercised sound judgment and decision-making.
Best practice 4: Use logical writing to demonstrate your holistic review, convey your findings and build an argument that will reflect sound judgment.
In what order will you explain the risk factors and risk mitigating factors? You must use formal logical writing when documenting any type of risk mitigation. Logical writing:
- conveys the cumulative impact of the risk factors – i.e., what you’re up against, what you have to overcome to mitigate the risk;
- highlights the collective strength of the risk mitigating factors against the risk factors;
- builds a strong argument;
- enables the reader to follow your reasoning;
- increases the chances that you will convince the reader of your sound judgment and decision-making;
- supports robust risk mitigation.
Best practice 4a: Use low-hanging fruit first. Start with the most obvious, in-your-face risk factors or risk mitigating factors.
Best practice 4b: Continue down the list of risk factors, or risk mitigating factors, in order of priority as you see them: from most important to least important; from general to specific; from the inside of the building to the outside; from the oldest to the newest. I used a combination of these approaches above (see Best practice 2).
Best practice 5: In the Conclusion, draw upon your findings to support your conclusions in a logical flow. The body of the report contains all of your findings; the Conclusion highlights a few. Tailor the Conclusion to the facts of the case. With JTMT, your Conclusion might read:
“This assessment identified significant risk factors, including the prior electrical fire and JTMT’s location in a forest fire zone. However, the investigation identified sufficient risk mitigating factors to reasonably mitigate the identified risks. JTMT has been brought to current code, has state-of-the-art fire-protection engineering, which is checked monthly by competent personnel, and the fire-resistant building materials and landscaping offer additional risk mitigation against possible fire. These findings, among others identified in this report, support the conclusion that the risk of fire is reasonably mitigated to an extent sufficient to merit insurance coverage.”
In sum, risk mitigation requires a holistic review, thoroughly documented in a logical flow, and a reasoned, well-supported Conclusion. Auditors and regulators focus on how you documented your findings and the reasoning behind your decisions. Therefore, focus on providing thorough documentation as outlined here to provide robust risk mitigation.
About the author
Mandy Roth has been in the financial crime space for 6 1/2 years, bringing to bear a powerful combination of a strong legal background as an attorney to parse out and understand the nuances of laws, regulations, rules and guidance with the practical experience of implementing and remediating compliance and sanctions programs at some of the world’s largest banks.
Roth has 13 years of law practice experience, with a specialty in securities regulation and securities fraud, and more than seven years of Financial Crime and Regulatory Compliance (FCRC) expertise at Hong Kong Shanghai Banking Corporation (HSBC) and Wells Fargo.
Key accomplishments include:
- Quality coaching: Training & coaching hundreds of AML & OFAC Sanctions Investigators and Quality Assurance Specialists.
- Authoritative assurance: Authoring policies and procedures for numerous FCRC units, including AML & OFAC Investigations, Reporting and SAR Writing Teams and the Quality Assurance function within AML, OFAC and Reporting.
- Top performer: Developing and implementing solutions for performance trends and challenges.
She is an acknowledged expert in AML/BSA and OFAC sanctions risk identification and mitigation and regularly offers insight on industry best practices and the interpretation of complex regulations. She has published more than two dozen articles on the top issues in the financial crime and regulatory compliance space.
With her legal background, Roth can anticipate the perspective of auditors and regulators on many aspects of the FCRC program, including governance, internal controls, policies and procedures and training.
At HSBC, she developed and drove AML & OFAC sanctions policies and procedures; supervised the performance of internal controls over AML & OFAC investigations and government reporting (SARs, OFAC Reports); and responded to audit and regulatory inquiries.