BACKGROUND
Mr. Jay Mathews has been working with ABCX Bank since 2000. He has been working in the Operations
Department of the Bank and has been responsible for the reconciliation of the ATM record with the Journal. In May
2010, a Brokerage firm, which is a subsidiary of ABCX Bank, reported large value transactions in an account
owned by Mr. Mathews. An initial review by Internal Audit indicated that Mr. Mathews had managed to
open 3 customer accounts at ABCX and successfully misappropriate a total sum of KD 1.2 million from ABCX
Bank. While the Audit report confirmed the fraud and the misappropriation of funds, the report did not endeavor to
carry out a forensic review of the processes to identify the weaknesses / control failures in the various processes
and departments.
As Head of Compliance, I was tasked to carry out a detailed forensic review of the case and to assess the
efficiency and effectiveness of the related processes, including KYC procedures, transaction reviews, AML
system effectiveness, internal reports handling and other control weaknesses leading to the failure to
identify / detect such frauds.
SCOPE
1. A process journey review, commencing from KYC procedures through to the final reporting / detection
mechanism [restricted to the procedures involved with the 3 accounts opened by Mr. Mathews], to identify
failures of non-compliance with related bank procedures and controls.
2. Review of the AML system rules and its effectiveness.
3. Review of the ABCX’s AML & Compliance unit’s processes and identify gaps against management
expectations.
4. Review of the Brokerage Company’s Compliance department’s processes relating to AML and verify if their
processes had identified the transactions in the customer’s account.
It is to be noted that the above scope was limited to the procedures relating to this particular case
and is based on our discussions with Internal Audit and the AML & Compliance units in Kuwait. Based on the above
scope, the results of our review are as under:
1. Process Journey
We carried out a detailed process review with the relevant departments to understand the complete journey,
starting from account opening until transaction processing and its eventual monitoring controls within the
Bank. Based on our review, we noted the following key processes that are relevant to our review.
a. Account opening review: We identified five key control procedures involved in this process,
viz. customer identification procedure, verification of original IDs, signature verification, name
verification in the AML system, and Branch Manager review. Of these 5 control procedures, we noticed
that the control tests on the first 3 failed, as the subject accounts were opened without the
customer's presence, without verification of the original IDs, and without verification of the customer's signature.
b. ATM Card and PIN Issuance: This process involves two key control procedures, i.e. ATM card delivery
and PIN number delivery. We noticed that both these controls were compromised in the case of the 3
accounts opened by Mr. Mathews: he used his personal influence with the relevant staff
to obtain the ATM card and PIN directly from them.
c. Transaction Processing: There were two key control procedures to review in this process, viz.
authorization for dual access control at the BTM, and segregation of duties (maker & checker control).
We noticed that both these controls were again compromised, as Mr. Mathews obtained authorization
from the Business Unit Head.
d. Reconciliation: This process involves 2 key controls: reconciliation between the cash replenishment
and the ATM journal rolls, and reconciliation between the ATM (Bancs) and the ATM rolls. While the
reconciliation between cash replenishment and ATM journal roll had worked effectively, we noticed that
the 2nd reconciliation, between ATM (Bancs) and ATM rolls, was being carried out by Mr.
Mathews himself. Hence, he successfully managed to hide the reconciliation differences.
e. Transaction Review and Monitoring: The following four key detective control procedures were
reviewed:
i. All transactions above KD 3000 are to be reviewed by the Branch Manager on a daily basis from the
'Cold' system. - We noticed that the Branch Manager had delegated this responsibility to a personal
banker. The review process failed, as the personal banker did not raise any suspicion with the Branch
Manager.
ii. Alerts are appropriately reviewed and cleared in the AML system in a timely manner by the
Relationship Officer. – There were 14 alerts generated for review through the AML system
between 27 December and 20 January 2011. We noticed that these were neither reviewed nor cleared
by the Relationship Manager until May 2011. The Compliance Department cleared the same in May
2011, which is not an acceptable practice.
iii. Compliance oversight and follow up for review and clearance of alerts – We again noticed a
compromise of control here, since the Compliance Department staff had reviewed and cleared the
alerts themselves, instead of following up with the Business Unit Head.
iv. Appropriate Rules are built in the AML system to identify and alert High value transactions. - The
system failed to generate any alerts for non-cash deposits in "Individual" Accounts, and the same was
not detected by the Compliance Unit.
f. Reporting / Whistle blowing misses: The Head of AML Unit received a call from another Bank
enquiring about Mr. Mathews's account conduct and his transactions. This should have raised a red flag
for the MLRO to further investigate his account, or to report the matter to Human Resources for their
investigation. Unfortunately, this process was not followed by the MLRO, and consequently he failed to
blow the whistle in this case.
g. Record Keeping: Three control procedures relating to the case were reviewed, viz. the authorization form
for ATM card and PIN collection, the transaction vouchers processed by Operations staff, and the AML
system's log of the actual date of alert clearance. We noticed that the authorization letter for PIN and
ATM card collection was missing for 1 account, internal vouchers were missing for a total transaction value of KD
9,500/-, and the AML system does not maintain an adequate log to identify the actual date of clearance of an
alert.
The detail of the various processes, highlighting the control effectiveness / failures in various areas, is shown in
Appendix 1. In summary, the table in Appendix 1 highlights 9 preventive controls, 7 detective controls and 3
issues classified as audit trail related. While the above control lapses / compromises highlight a
significant number of control test failures throughout the processes, we believe that the majority of control
failures are primarily due to internal staff's involvement with a deliberate intent to defraud the Bank. The
control failures may not be an actual reflection of control weaknesses under normal circumstances.
We noticed that KYC procedures were severely compromised in this particular case, where all 3
accounts were opened without meeting the customer face to face. Mr. Mathews also successfully
managed to obtain the ATM card and PIN directly from the relevant staff the same day, without the
customer's physical presence. This key control failure opened the gateway for Mr. Mathews to
subsequently abuse the weaknesses in the controls in his and other related areas of operation, due to his
familiarity with the control weaknesses in these areas.
In addition to the above, the detective control mechanisms of review through Cold system reports and
AML system alerts also failed, due to inadequate review of the Cold system by the Branch Manager, the lack of
timely review of alerts, and the non-generation of specific alerts. Finally, the Head of the AML & Compliance
unit failed to blow the whistle or initiate any investigation following an enquiry from Burgan Bank,
received about a month earlier.
Currently, the ABCX AML system has 9 active rules as listed in appendix 2. Of these, the key rules are:
Rule no. 328 - Alerts for cash transactions exceeding KD 3,000/- for ‘Individuals’
Rule no. 327 - Alerts for all transactions exceeding KD 30,000/- in value for ‘Individuals’.
Rule no. 276 - Alerts for cash transactions exceeding KD. 3,000/- for ‘Corporate’ customers; and
Rule no. 315 - Alerts for non-cash credits exceeding KD 50,000/- for ‘Corporate’ customers.
Prior to the introduction of rule no. 328, rule no. 324 was in place, introduced on 27 October 2010 and active
until 12 February 2011. This rule identified all deposits (cash and non-cash) above KD 3,000/- in 'Individual'
accounts. However, this rule alone generated a large number of alerts within a short period of time (approx.
16,800 alerts over 76 working days), and resulted in a high accumulation of pending alerts.
On 25 January 2011, a request to review Rule no. 324 was received by the Group Head of Compliance from the
ABCX Head of Internal Audit, following an internal discussion with the Head of AML & Compliance and the DCEO
– Risk, Compliance and Operations. This was then discussed over the phone with the Head of Internal Audit and the
Head of AML & Compliance. The Head of AML & Compliance advised that the Relationship Officers review the
'Cold' system on a daily basis for all transactions above KD 3,000/-, that this rule was duplicating that effort
and increasing the number of alerts to an unmanageable level, and that it extended beyond the audit
recommendation, which had recommended consolidation for cash transactions in particular. The Head of AML &
Compliance therefore suggested that this rule be restricted to cash transactions only, on a cumulative basis.
Accordingly, the proposed modification to Rule no. 324 was discussed with the Head of Internal Audit and
thereafter advised via an email, with copy to the DCEO – Risk, Compliance and Operations, the Group Head of Audit,
and the Head of AML and Compliance in ABCX, prior to modification. The modified rule [Rule no. 328]
therefore identified all cash deposits above KD 3,000/- in value on a cumulative basis.
However, we have now noticed that, subsequent to the above rule change, the daily transaction review process on the
Cold system failed to raise any suspicion and the AML system failed to generate the relevant alerts.
This warrants a need to revisit the modification of Rule 328 and revert it to its earlier status.
In addition to the above, an additional rule [Rule no. 327], to identify all transactions exceeding KD 30,000,
was created in consultation with the Head of AML & Compliance. However, this rule failed to generate the
intended alerts, and this was not identified or flagged by Kuwait Compliance. This rule needs
immediate rectification to ensure that alerts are duly generated.
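To make the rule-set discussion concrete, here is an added Python model (not the bank's AML system, and not code from this review) of the 'Individual' account rules 324, 328 and 327 with the thresholds quoted above, run over a constructed batch of transactions. It shows which deposits stop alerting once rule 324 is replaced by rule 328, and it includes a per-rule firing check of the kind that would have caught a rule that generates no alerts; the Txn record layout and the sample amounts are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Txn:
    account: str
    customer_type: str  # "Individual" or "Corporate"
    kind: str           # "cash" or "non-cash"
    direction: str      # "credit" (a deposit) or "debit"
    amount: float       # value in KD

def rule_324(txns):
    """Retired rule: any deposit, cash or non-cash, above KD 3,000 in an Individual account."""
    return [(324, t.account, t.amount) for t in txns if t.customer_type == "Individual"
            and t.direction == "credit" and t.amount > 3000]

def rule_328(txns):
    """Replacement rule: cash deposits by Individuals, summed per account, above KD 3,000."""
    totals = defaultdict(float)
    for t in txns:
        if t.customer_type == "Individual" and t.kind == "cash" and t.direction == "credit":
            totals[t.account] += t.amount
    return [(328, acct, total) for acct, total in totals.items() if total > 3000]

def rule_327(txns):
    """Any transaction exceeding KD 30,000 for Individuals, whatever its kind or direction."""
    return [(327, t.account, t.amount) for t in txns
            if t.customer_type == "Individual" and t.amount > 30000]

CURRENT_RULES = [rule_328, rule_327]   # the Individual rules in force after 324 was modified

def run_rules(txns, rules=CURRENT_RULES):
    """Every (rule_no, account, amount) alert the given rules raise on a batch of transactions."""
    return [alert for rule in rules for alert in rule(txns)]

def coverage_gap(txns, rules=CURRENT_RULES):
    """Transactions the retired rule 324 would have flagged but none of the given rules flags."""
    return [t for t in txns if rule_324([t]) and not run_rules([t], rules)]

def self_test(rules_with_probes):
    """Per-rule firing check: feed each rule one transaction that must trigger it and return
    the numbers of the rules that stay silent (an empty list means every rule fires)."""
    return [no for rule, no, probe in rules_with_probes
            if not any(alert[0] == no for alert in rule([probe]))]

PROBES = [(rule_328, 328, Txn("probe", "Individual", "cash", "credit", 3001)),
          (rule_327, 327, Txn("probe", "Individual", "non-cash", "debit", 30001))]

# Constructed sample batch (not the case data): a non-cash credit of KD 9,500, two small cash
# deposits that only breach KD 3,000 cumulatively, and a large credit that rule 327 must catch.
SAMPLE = [Txn("A1", "Individual", "non-cash", "credit", 9500),
          Txn("A2", "Individual", "cash", "credit", 2000),
          Txn("A2", "Individual", "cash", "credit", 1500),
          Txn("A3", "Individual", "non-cash", "credit", 45000)]

if __name__ == "__main__":
    print("current alerts:", run_rules(SAMPLE))                  # 328 on A2 (3,500), 327 on A3
    print("flagged by 324 but silent now:", coverage_gap(SAMPLE))   # the KD 9,500 non-cash credit
    print("rules failing self-test:", self_test(PROBES))         # []
```

Passing `self_test` a rule whose threshold is mistyped returns that rule's number, which is the check the review notes was never performed on the live rules.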
The AML system generated a total of 14 alerts on the subject 3 customer accounts against rule no. 324, for
values totaling KD 15,660/-, between 28 December 2010 and 21 January 2011. However, these alerts were
never reviewed by the Relationship Officer and remained outstanding until early May 2011, when they
were cleared by the Compliance Department, post review by the Head of Compliance and without any
consultation with the Relationship Officer. This has impaired compliance independence and created a conflict
of interest scenario for the Compliance Department.
Compliance Department has been strictly advised not to clear the alerts on their own and instead follow up
more vigorously with the business units and use other escalation tools to enforce a timely clearance of alerts.
One key system limitation noticed is that the AML system does not maintain an audit trail of the actual date of
alert clearance. This is a key concern and the same has been raised with the IT project manager and the
vendor for an immediate review and to provide an appropriate solution.
Whilst Mr. Mohammed has vast experience from his earlier role in the CBK inspection department,
complemented by his awareness of the CBK regulations, he and his staff do not possess any professional
qualification, such as CAMS (Certified Anti-Money Laundering Specialist) or other similar courses in AML /
Compliance. Further, over the past few years, the AML and Compliance function has been fast evolving
into a highly demanding function which requires active participation and a more proactive and swift
approach. The key gaps noticed in the current unit vis-à-vis our requirements are:
1. Group Compliance had prepared a Compliance Monitoring program, which was approved by the Audit &
Compliance Committee for implementation. Yet the Compliance unit continues to adopt the earlier
checklist approach and has failed to implement the Compliance monitoring program.
2. Even the checklist approach is not effectively and efficiently managed, with the overall turnaround time
for obtaining the completed checklists extending to around 5-6 months.
3. The reliance on support from Group Compliance is too high, including assistance with reports on the
pending AML alerts and their follow-up, documenting procedures, and coordination with Kuwait IT on data
related issues.
4. The Head of AML & Compliance had failed to carry out testing of the rules created in the AML system,
and this has resulted in a failure to detect any errors in them.
5. The overall follow up with the business units for the timely clearance of the AML alerts is not effective
or forceful, which results in a huge accumulation of alerts and delayed clearance by the Relationship
Officers.
6. Follow-ups on any large value transaction enquiry are carried out through memos, and a
significant timeline is provided with repeated reminders, resulting in undue delays in either the
closure of a case or the determination of whether it is suspicious.
7. There has been no coordination between ABCX and its Brokerage Company’s compliance department,
despite the company being its subsidiary.
8. Two cases which were reported to the Head of Legal in December 2010 and January 2011 as suspicious were
not reported to the public prosecution by the Legal Department, as per the procedure. The Head of AML &
Compliance did not escalate the same to the DCEO, the CMD, or the Group Head of Compliance.
9. The Head of AML & Compliance received an enquiry from another bank with regard to the subject staff. This
should have raised an alert for further investigation, or reporting to Human Resources for their in-house
investigation.
10. Besides the above, the general approach has been very passive and lacks effort to understand the
functionality and technicalities of the AML system, despite Group Compliance having organized a two-day
workshop in 2009.
Due to the increased sensitivity of the above issues, the need for a professionally qualified and adequately
experienced AML and Compliance officer was advised to Kuwait HR in October 2010, and efforts to identify
an appropriate bilingual member of staff have been in progress. A total of 6 candidates were interviewed over the period
and 3 were shortlisted. Of the 3, two did not accept our offer, and the final candidate was interviewed on 18 May
2011 and immediately advised to the Head of HR for follow-up action with regard to recruitment. This issue is
being followed up with HR.
ABCX’s Brokerage Company’s Compliance team comprises a total of 5 staff. The Head of
Compliance is Mr. Nawaf Sahar, who took charge of Compliance through an internal transfer with effect
from 15th May 2011 and is assisted by 2 staff handling AML and 2 other staff monitoring the limits from a
compliance perspective.
A visit to the KMEFIC office was carried out on 02 May 2011 along with the ABCX Head of AML & Compliance for
introduction and necessary coordination in future. From our discussions with Mr. Nawaf Sahar, we noted that
the Compliance Unit had identified the transfers in Jay Mathews’s OLT account during the month of May and,
after closely reviewing the same, Mr. Sahar had reported the case internally at KMEFIC to the Chairman and
Internal Audit on 16 May 2011, which was later reported to ABCX management.
The AML monitoring in the Brokerage Company is currently carried out through a manual process, except for
name screening, for which World Check has been subscribed to. Automation of the AML review and
monitoring has been on hold for the following:
The monitoring proved effective with regard to the subject case, as Compliance had
identified it and duly notified its senior management.
5. Conclusion
In conclusion, we noticed that Jay Mathews managed to exploit certain weaknesses in his area of
operations and misused the trust of his colleagues, thereby causing a series of systematic control failures
across the various units within the bank.
The key recommendations arising from our review for ABCX are as follows:
1. Retail Banking Division should reiterate to all its staff the need to strictly comply with the Account
Opening procedures; in particular, no Retail banking account should be opened without face-to-face
contact with the customer. Any exception should be formally reviewed and authorized by the DCEO of
the relevant Business unit through a formal waiver request form, as attached in Appendix 3.
2. All Branch Managers should be advised to review the ‘Cold’ system and the AML system on a daily
basis and action them as appropriate, and in a timely manner.
3. Head of Operations should review the authority levels granted to ensure appropriate segregation of logical
access to the BTM system, and the reconciliation process should be independent of the staff responsible
for transaction processing.
4. ABCX management should advise and authorize the necessary rule modification in the AML system to
include non-cash transactions for “Individuals”.
5. All staff should be reminded of the Bank’s Whistle Blower policy and Code of Business Conduct and
ethics.
6. The recruitment process for the AML & Compliance Manager should be expedited by Kuwait HR.
7. Follow up with IT for the necessary system enhancements to ensure that the actual date of alert clearance
is appropriately stored in the AML system.
8. A review of existing rules across the Group entities should be carried out to ensure uniformly acceptable rules,
as a minimum standard across the Group.
9. The procedure for Rule management will be strictly enforced across the Group, with due authorization
from the respective unit DCEO for any rule changes, and the same should be reported to the Management
and the Audit and Compliance Committee, whenever affected.
Appendix 1
ANALYSIS OF CONTROL PROCEDURES
Rule no. 278 - Debit transactions in Charitable Organizations' accounts, KD 10 and above. Frequency: Daily
Rule no. 128 - This rule checks for the transactions belonging to customers who are flagged as watch list customers. Frequency: Daily
Rule no. 130 - This rule checks for the transactions of customers whose risk rating is between given parameters (transactions of High Risk Customers). Frequency: Daily
Rule no. 129 - This rule checks for the transactions belonging to customers who are flagged as PEP customers. Frequency: Daily
Rule no. 328 - "Individual" customers exceeding KD 3000/- on a cumulative basis (cash). Frequency: Daily
Rule no. 327 - All transactions exceeding KD 30,000 for customer type 'Individual'. Frequency: Daily
Rule no. 276 - Cash deposits of KD 3,000 and above for customer type "CORPORATE". Frequency: Daily
Rule no. 315 - Transactions (except cash) of KD 50,000 and above for customer type "CORPORATE". Frequency: Daily
Appendix 3
From:
Date:
Account Name:
Account Number:
Account Opening procedures are in the course of completion for the above named account. A waiver is requested
for the following account opening requirements.
I confirm that I am aware of the Bank’s requirements for account opening procedures and have considered the
implications of this request in accordance with the AML procedures.
File this form with Account Opening Documentation and forward copy to Compliance