The Wolfsberg group is an association of 13 international banks which seeks to develop guidance to help financial institutions (FIs) identify and prevent financial crime. In June the Wolfsberg group published its latest paper, "Demonstrating Effectiveness". The paper seeks to help FIs understand how to use the Wolfsberg principles and guidance documents to assess priorities in financial crime mitigation and the effectiveness of control design. While the stated audience of the paper is FIs, it also contains significant feedback for regulators.
It follows on from, and incorporates elements of, the group's December 2019 Statement on Effectiveness and August 2020 Follow-Up Statement on Developing an Effective AML/CTF Programme.
At the outset, the paper claims that many FIs - as a result of supervisory expectations - focus on technical compliance rather than a truly effective risk-based approach. The group tells FIs to focus on national and supra-national risk priorities and to avoid what it describes as a "prescriptive" enterprise-wide risk assessment.
One problem, the paper posits, is the number of regulatory "expectations" which are not set out in law. The group calls upon regulators to clearly differentiate legal or regulatory requirements from expectations, and to ensure that their expectations lead to useful information to prevent crime. Another problem lies in tracking and defining "highly useful information": reporting should be based on the quality of information, not on quantity or merely defensive reporting.
In terms of controls, FIs (and regulators) should focus on "the practical element of whether the controls are making a material difference in helping the FI" rather than "technical implementation and execution". According to the Wolfsberg paper, "[u]ltimately, each FI should be able to demonstrate effectiveness by telling its unique story, based on its risks and corresponding AML/CTF programme."
Ropes & Gray can help your firm identify risks and design effective controls to mitigate financial crime. Contact us to see how we can help.
Where an FI has reasonably focused on higher risk areas in line with its assessment of the threats it faces, an undetected weakness in a lower risk area is not by default an indication of programme failure, but rather a natural extension of the implementation of a risk-based approach.