Effectiveness of Measures regarding Anti-Money Laundering and Counter-Terrorism Financing at FBME Bank Limited
KPMG AG WPG Frankfurt, April 2013
© 2013 KPMG AG WPG Frankfurt. All rights reserved.

B. Executive Summary

1. Based on our audit work, we came to the overall conclusion that FBME basically fulfils the requirements set out by the Cyprus regulator and is in principle in compliance with EU standards.

2. The Bank has established an AML organization, including written policies and procedures, which is in principle suitable to prevent ML/TF.

3. The existing older customer base, however, should be subject to a risk-based review in order to ensure full AML compliance (e.g. KYC, source of funds/wealth, reliability checks of the ATPs involved) in accordance with the present regulatory requirements. The upcoming changes of the 4th EU Directive may be taken into consideration. It should be considered to integrate the UBOs into the core database, in order to make them subject to all (automated) regular prevention and mitigation measures to which the customers are subject.

4. Our key recommendations regarding points of high or medium significance, per field of review, are as follows:

a. Risk Management
• AML/CTF risk analysis: While the Bank addresses quite a number of ML/TF risk-related issues and the corresponding mitigation measures, we recommend rethinking the overall approach to develop a comprehensive AML/CTF risk analysis, in order to create an even stronger instrument for the development of efficient AML/CTF measures. For more information see Section 2.

b. AML/CTF Organisation
• AML Function: While the AML/CTF organization is run by an experienced MLCO, we recommend installing an Assistant MLCO who would formally be in a position to take over the responsibilities in the absence of the MLCO. For more information see Section 3.
• Internal Policies and Procedures: Although the Bank's internal policies and procedures can be regarded as comprehensive, they should be amended or further granularized in respect of a couple of subjects. For more information see Section 4.
• Suspicious Activity Reporting Process: In view of the number of ISRs and SARs (approx. 40 cases), the Bank is capable of managing the reporting process without an IT-based case management system for the time being. For more information see Section 5.

c. Risk Mitigating Measures in relation to Customers & Transactions
• Know your Customer (KYC): Compliance with the KYC requirements could be further enhanced by integrating UBO information into the core banking system. While the business address is captured, the use of hold-mail accounts and ATP-managed PO boxes should be reconsidered in order to avoid potential anonymisation. It should be ensured that, where possible, the source of funds is substantiated by proper documentation (e.g. F/S, business plans). For more information see Section 7.
• Know your Counterparty: We recommend ensuring that the assurance of the ATPs' reliability in their function as "reliable third party" is risk-based and further intensified. For more information see Section 9.
• Transaction Monitoring: The scenarios and typologies of the MANTAS transaction monitoring system should be derived from the AML/CTF risk analysis and reviewed on an annual basis, in order to ensure an up-to-date and bank-specific system. A back-up solution in view of system failures should be considered. For more information see Section 12.
• Payment Screening according to Regulation 1781/2006: Although missing remittance information has reportedly always been identified, manual input of transactions may lead to errors with regard to EU Regulation 1781/2006, and therefore automation should be considered. We understand that the Straight-Through Processing planned to be introduced in June 2013 will include an automatic filter. The alternative rules and requirements should be specified in more detail. For more information see Section 13.
• Payment Filtering for Sanctions: The "Good guys list", or so-called "White List", should be subject to sanctions screening on a regular basis. The use of numerous Excel-based lists (e.g. for UBOs) may complicate control and may lead to errors. The percentage applied for fuzzy logic (approximately 50%) is well below industry standard and may generate a large number of alerts. This number of alerts can only be handled due to the substantial staffing of the Compliance department. For more information see Section 14.

d. Quality Assurance
• Internal Supervision: The overview of the Compliance Department's planned activities lists proper controls and reviews. Based on European benchmark practice, we recommend amending it with information regarding resource planning, time schedules, etc. For more information see Section 16.

5. As part of our audit work, we reviewed a sample of the Bank's customer files, comprising 68 customer files (33 individuals and 35 companies) and 2 bank files. Our key findings are that in general the Bank adheres to the requirements for:
• Maintaining a KYC file for each customer
• Using standardized account opening forms, requesting key information from the customer including source of wealth, expected turnover, etc.
• Identifying and verifying the customer and UBO and receiving relevant supporting documentation
• Assigning a risk rating to each customer and identifying cases for which simplified or enhanced due diligence is applied
• Performing database searches on all customers
• Using third parties for onboarding that are approved by the Bank and maintaining a file for each of the ATPs used

6. During our review we also observed certain areas in which the Bank's implementation of the directive can be further enhanced or adopted in a more conservative manner. Such areas include:
• The presentation of group information or ownership structure with regard to older customer files, to ensure that the link between group entities is clear, in particular when group entities include a number of the Bank's customers; however, we understand that within the last two years the Bank has introduced a group structure form to cover these for new customers; furthermore, we note that the customer structures are grouped in the core banking system.
• The extent of investigation and documentation of the business profile of a) the customer and b) the UBO.
• Evidence and justification of expected turnover and due diligence on the customer's source of funds (e.g. F/S for corporate customers and salary slips for individual customers)
• Timing of customer updates and reviews, in particular for cases where the update of outstanding documentation has been pending for a long time

C. Assessment of the Effectiveness of Measures regarding Anti-Money Laundering and Counter-terrorism Financing

1. General Remarks
The following detailed report on the effectiveness of measures regarding Anti-Money Laundering (AML) and Counter-terrorism Financing (CTF) focuses on areas where we have identified necessities for improvement concerning organizational or procedural matters. These areas of improvement mainly result from a benchmark analysis against the AML/CTF standards set in comparable banks within the EU. Each gap identified is classified in terms of significance on a three-part scale: the classification "high" (red) refers to substantial issues; a very important gap is regarded as "medium" (orange); the classification "low" (yellow) refers to important issues.