Conduct and Practices Handbook Course (CPH) Quiz 19

The program training of directors should include complex products, services, lines of business, and risks that have a significant impact on the covered bank; laws, regulations, and supervisory requirements applicable to the covered bank; and other topics identified by the board of directors.

Section 326 of the USA PATRIOT Act requires that at the account level the financial institution must retain the identifying information for five years after the account is closed or, in the case of credit, five years after the account becomes dormant.

The US Criminal Code states that the Foreign Corrupt Practices Act is a United States law passed in 1977 that prohibits U.S. firms and individuals from paying bribes to foreign officials in furtherance of a business deal. The FCPA places no minimum amount for a punishment of a bribery payment.

“The other business processes that are related to the implementation of the AML/CTF risk governance framework are transaction monitoring, sanction screening investigation, alert management, model risk management, currency transaction governance, and rapid response team.”

Rule 504 states, that they maintain a sanctions screening application that is designed for the purpose of interdicting transactions that are prohibited by OFAC. It also covers typologies, wherein, each typology is identified with detail within the risk assessment. Lastly, its emphasis on data management.

The risk management’s regulatory expectations outline the standards by which financial institutions adhere to risk regulations and guidance.

It is under 12 CFR 30 Appendix D where it established heightened standards for certain large insured national banks, insured federal savings associations, and insured federal branches. Adopted under Section 39 of the Federal Insurance Deposit Act (FDIA)

In Canada Corruption of Foreign Public Officials Act (CFPOA) applies to persons and companies and makes it a criminal offense for persons or companies to bribe foreign public officials to obtain or retain a business advantage.

The Proceeds of Crime Act in UK provides for the confiscation or civil recovery of the proceeds from crime and contains the principal money laundering legislation.

PSD2 has a major influence on the payments ecosystem and infrastructure for banks, FinTechs and businesses, using payment data for the benefits of consumers.

The following are the direct and practical benefits of PSD2: increasing consumer confidence in e-commerce.; Mitigating all risks associated with online fraud.; Increasing the conversion rate by promoting the introduction of new payment methods.; and Providing greater freedom to merchants and customers regarding the means of payment.

GDPR applies to all companies that process and hold the personal data of data subjects residing in the European Union, regardless of their location.

The non-neglectable benefits of GDPR are improving business-customer confidence by creating an environment that puts data protection at the heart of the business and protects people’s ability to control their data.; Encouraging innovation by providing a higher level of flexibility without harming the rights of individuals to data protection.; Reducing transaction costs thanks to the application of a single law at the pan-European level. and Enhancing EU data processors’ cybersecurity by creating a secure international exchange environment.

The advantages include Make informed decisions about risk appetite and implementation of control efforts, allocation of resources and technology expenditures.; Assists management in ensuring that resources and priorities are aligned to risks.; Ensures senior management is made aware of the key risks, control gaps, and remediation efforts.; and Develop risk mitigation strategies, including applicable internal controls to lower residual risk exposure to an acceptable level.

A ‘legal person’ means any entity having legal personality under the applicable law, except for states or public bodies in the exercise of state authority and for public international organizations.

Step 5 in the approach risk assessment is to practice refreshing oneself with the risk assessment annually.

A partially effective internal control is the control requires some enhancement to be fully effective and is not performed consistently.; The control mitigates a significant portion of the AML risk with some breakdowns.; The control is partially manual and some breakdowns have occurred.; Controls are too new to be evaluated.; Components of management oversight, reporting, and/or escalation processes are new or in process of implementation.

The key factors are AML/CTF risks that are adequately incorporated into the development of new products.; There is no history of significant control failures within the previous five years.; The front line unit management anticipates and addresses changing AML/CTF compliance and takes prompt and effective action.; Independent reviews by the supervisory agency and Internal Audit have not found any significant issues in the previous five years.; and The front line unit has sufficient resources to meet its compliance obligations.

The risk and control self-assessment’s purpose is to evaluate the effectiveness of internal controls in the context of mitigating the inherent risks in the overall business environment.

It will support compliance with the local laws and regulations, represent a consistent approach and methodology for identifying the operational risks and the effectiveness of internal controls, and provide a context for the remediation and enhancement of the control environment.

In data governance, the best practice of many financial institutions is to establish a data management business function which should be supported by data management standards and procedures, Data integrity standards including reconciliation and SLAs, Data privacy policy, Data security policy including data classification, Data security officer, Data retention standards, Disaster recovery procedures. and Metrics and reporting.

The data management function manages all aspects of internal and external data transmissions for the financial institution.

The data transmission for financial institutions has a standard and should include the requirement for record counts, reconciliations, and encryption.

The file attendance controls include identifying duplicate transmissions, identifying late transmissions, ensuring that transmission errors are corrected promptly, and checking the transmission reconciliation reports.

The elements of data integrity are accuracy, completeness, timeliness, and authorized.

There should be a formal qualification process developed for the creation of a training faculty where candidates are assessed on their financial crimes and risk management knowledge, and their personnel and presentation skills.

It includes KYC, sanctions, terrorist financing, Bank Secrecy Act, USA PATRIOT Act, local law and regulatory requirements, the results of recent regulatory examinations, enforcement actions, and audit reports.

Training courses can be internal audit issues, examples of new and high risk products, and customers & geographies.

Names that should be screened periodically include employees, consultants and third-party service providers such as vendors, landlords, and tenants of properties owned by the financial institution.

The three basic levels of terrorist organization are, first, headquarters, where the core organization has a defined leadership structure, regional franchises of the core organization have leadership structures which may or may not be directly aligned with the core organization and th grassroots operatives, likely inspired by, or led by, the regional franchises or the core organization.