Slide 1: Keynote Address: AIBA Quarterly Session
New supervision and governance requirements for FBOs: Are you prepared?
September 20, 2016
Will Ansah & Howard Shain
Slide 2: Bio Summary – Will Ansah
Northeast Director, Financial Institutions Leader for Risk Advisory Services
- Responsible for the delivery of all risk advisory services related to financial institutions, including internal audit, SOX, FDICIA, regulatory compliance (including BSA/AML audit), risk management, loan review, system implementation, etc.
- Based out of the New York office
- 15+ years' experience consulting with foreign banking organizations of all sizes as well as domestic banks
- Author of recent white papers on Enhanced Prudential Standards and Dodd-Frank Stress Testing
- Strong prior “Big 4” experience
- Partner at RSM effective October 1, 2016
- CPA, CFE, MBA
Slide 3: Bio Summary – Howard Shain
Senior Director, New York Financial Services Leader for Risk Advisory Services
- Provides internal audit and SOX services to clients in the financial services sector
- Former Big 4 partner and leader of the firm's New York Financial Services Business Risk Services practice
- American Express international internal audit director, chief auditor for the company's international banking subsidiaries and member of the Operations Risk Management Committee
- Citibank internal audit executive, based in New York, London and Buenos Aires; global responsibility for auditing trading and capital markets businesses, and participant in the bank's Market Risk Policy Committee
- CPA, MBA
Slide 4: Agenda
- Importance of Corporate Governance
- Importance of Risk Governance/Management
- The Regulatory Environment
- OCC guidance on Corporate and Risk Governance
- Three Lines of Defense & COSO 2013
- Enhanced Prudential Standards
- Foreign Banks in the news
- Some recommended action items
- Q&A
Slide 5: Corporate Governance of Financial Institutions
Governance of financial institutions has focused increasingly on the responsibility of the Audit Committee in holding management accountable for financial reporting, for the system of internal controls throughout the organization, and for complying with laws and regulations.
Slide 6: OCC Corporate and Risk Governance Booklet
Discusses the board's authority and responsibilities for governing the bank's structure, operations and risks:
- Oversee management, providing organizational leadership and establishing core corporate values
- Create a corporate and risk governance framework to facilitate oversight and help set the bank's strategic direction, risk culture and risk appetite
- Delegate authority to senior management for directing and overseeing day-to-day management of the bank, developing and implementing policies, procedures and practices that translate the board's goals, strategic objectives and risk appetite and limits into prudent standards for the safe and sound operation of the bank
- Promote a sound corporate culture
Slide 7: OCC Corporate and Risk Governance Booklet (Continued)
- Explains enterprise risk management and the importance of viewing risk in a comprehensive, integrated manner
- Discusses a risk governance framework as a means to manage a bank's risks enterprise-wide; key components of risk governance include the risk culture, risk appetite and the bank's risk management
- Expands the discussion on risk management systems to include the three lines of defense: front line units, independent risk management and internal audit
- Among the examination areas emphasized are:
  - Competencies of the Board
  - Corporate Culture
  - Risk Governance Framework
  - Risk Culture
  - Audit Programs
Slide 8: Heightened Standards (12 CFR 30 and 170)
- Sets out the roles and responsibilities for front line units, independent risk management and internal audit
- Requires a comprehensive written statement that articulates the bank's risk appetite and serves as a basis for the framework
- Requires the establishment and implementation of the risk management framework
- Requires active board oversight of the bank's risk-taking activities and holding management accountable for adhering to the framework
Slide 9: Three Lines of Defense
The Institute of Internal Auditors (IIA) indicates that the best practice for the Audit Committee's oversight of an institution's operation is employing Three Lines of Defense:
- Operational Management
  - Manages risk daily through maintenance of effective internal controls
  - Operational managers are responsible for reporting process deficiencies to Senior Management and implementing corrective actions
- Risk Management and Compliance Function
  - Defines the tolerable level of risk to accept throughout the organization
  - Monitors various risks that could lead to potential non-compliance with applicable laws and regulations, and informs Senior Management of any instances of violations
- Internal Audit
  - As defined by the IIA, “Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes”
  - The IIA highlights the need for interdependence of Internal Audit and the Audit Committee, with the internal auditors providing objective recommendations to ensure the effectiveness of the internal controls and the Audit Committee providing validation and the oversight needed to ensure corrective actions are taken
Slide 10: Corporate Governance – Three Lines of Defense
[Figure: Three Lines of Defense model. Source: Institute of Internal Auditors (IIA)]
Slide 11: Third Line of Defense – Internal Audit
- An effective Internal Audit function is essential to alleviating some of the Board of Directors' and Audit Committee's governance and control responsibilities, and to providing the independent assurance that the first two lines cannot
- At least annually, the Internal Audit function helps Management assess the effectiveness of governance as well as the risk and control framework throughout the institution
- The Audit Committee's approval of the Internal Audit Plan and Charter based on this assessment ensures Internal Audit resources are focused on adding value and improving operations for the institution's most pressing needs (a risk-based approach)
- High quality Internal Audit reports provide objective and actionable plans to the Audit Committee and Management that will help institutions improve their risk management processes and enhance their financial sustainability, efficiency and competitiveness
- Internal Audit's ongoing monitoring of these plans allows it to communicate to both the Audit Committee and Management whether the necessary steps are being taken to correct any deficiencies and mitigate the risks they pose
Slide 12: Why is Risk Management Important?
Business volatility, complexity and increasing risk are dominating the landscape for all financial institutions. Financial institutions have started to respond, but the journey is challenging and new thinking is needed if risk management is to improve resilience and enhance value creation.
- Business volatility and economic uncertainty are here to stay; increasing resilience is the order of the day
- Business model complexity is stifling performance and creating inefficiency
- The speed of business change is rapid; increased speed of response and corporate agility is needed
- The current internal and external environment has created increased risk, risk complexity and risk velocity
- Exercising control across the business model is challenging, dominated by a critical web of third party relationships and geographic spread
- The emergence of new/changed risks requires improved oversight rigor and access to new skill sets
- Stakeholders are asking for more complete answers to more challenging questions; regulation continues to drive onerous compliance requirements
Slide 13: Emerging Regulatory Risks
- Trade-Based Money Laundering
  - An estimated 80% of the world's illicit money flow stems from trade-related business
  - The complex network of global trade makes it more difficult to identify suspicious activity
  - Banks are focusing in depth on monitoring trade-based finance clients and their activity
- Cybersecurity
  - Consumer banking applications, although convenient, lead to greater security risks than traditional banking
  - ‘Phishing’ attempts continue to get more complex, with increased focus on employee vulnerabilities
  - Multiple agencies are proposing new regulations to increase security measures and senior-level oversight
Slide 14: Emerging Regulatory Risks
- Correspondent Banking
  - Regulators focusing more on ‘Know Your Customer's Customer’
  - Implementing correspondent bank risk profiles
  - Enhanced transaction monitoring systems to address global sanctions and foreign corruption
- Recent U.S. Regulatory Updates
  - FinCEN will require financial institutions to identify beneficial ownership of all new accounts by May 2018
  - Starting in January 2017, New York State will require annual AML certification on the safety and soundness of the Bank's transaction monitoring system
Slide 15: Corporate Governance – COSO 2013 & Three Lines of Defense
[Figure: COSO 2013 framework mapped to the Three Lines of Defense. Source: COSO]
Slide 16: Enhanced Prudential Standards
- Effective July 1, 2016 for Foreign Banks in the US
- Requirements can be categorized into 4 groups by asset size
Slide 17: Enhanced Prudential Standards
Category I:
- Risk Management
  - U.S. Risk Committee made up of global BOD
  - Annual certification of board risk committee
- Capital & Stress Testing
  - Home Country Stress Testing requirements and Capital requirements consistent with BASEL III Stress Testing
Category II (in addition to requirements under Category I, except the establishment of a U.S. risk committee of the global BOD):
- Liquidity
  - Establish Liquidity Risk Management standards following the BASEL III framework and conduct internal liquidity stress tests
  - Results of internal liquidity stress tests to be reported to the Federal Reserve Board
Slide 18: Enhanced Prudential Standards
Category III:
- Risk Management
  - U.S. Risk Committee made up of global BOD
  - Annual certification of board risk committee
  - Appointment of Chief Risk Officer
- Capital & Stress Testing
  - Home Country Stress Testing requirements and Capital requirements consistent with BASEL III
- Liquidity
  - Maintain 30-day liquidity stress buffer (14 days for FBO U.S. branches and agencies)
Slide 19: Enhanced Prudential Standards
Category IV:
- Structure
  - Form an Intermediate Holding Company (IHC) and transfer assets
- Liquidity (in addition to requirements under Category III)
  - Standardized approach of U.S. Based Capital Rules per the BASEL III framework and conduct internal liquidity stress tests
- Stress Testing
  - CCAR and DFAST requirements
Slide 20: Foreign Banks in the news
Mega Bank
- Fined $180 million by the New York Department of Financial Services and under a consent order
- Root cause of key findings was ineffective corporate governance and risk management
- Limited knowledge of compliance with U.S. BSA/AML rules and regulations
- Ineffective compliance management systems (policies and procedures, monitoring tools and systems, failure of three lines of defense)
- Conflict of interest with Chief Compliance Officer
The BSA/AML officer for the New York branch, who was based at the bank's Taiwan headquarters, and the branch's chief compliance officer both lacked familiarity with U.S. regulatory requirements. In addition, the chief compliance officer had conflicted interests because she had key business and operational responsibilities along with her compliance role. Compliance staff at both the head office and the branch failed to periodically review the surveillance monitoring filter criteria designed to detect suspicious transactions. Also, numerous documents relied upon in transaction monitoring were not translated to English from Chinese, precluding effective examination by regulators. The New York branch procedures provided virtually no guidance concerning the reporting of continuing suspicious activities; had inconsistent compliance policies; and failed to determine whether foreign affiliates had adequate AML controls in place.
Slide 21: Some Recommended Action Items
- Build an effective 3 lines of defense model, including an independent trusted advisor at the third line
- Build “effective challenge” into the risk culture and framework and get Head Office's buy-in
- Enhance compliance management systems
- Enhance staffing levels and expertise, especially around compliance and risk management
- Improve working relationship with Bank regulators
- Include Corporate Governance and Risk Management (including EPS) as part of the audit plan
Slide 22: Q & A
Slide 23: RSM US LLP
1185 Avenue of the Americas
New York, NY