MLROs and Disaster Recovery – are you prepared?
Published November 2005
The MLRO role and Disaster Recovery (“DR”) do not always go hand in hand. There
are of course the smaller firms whose CF11 is also the CF10, and for them it
should be done and dusted, but even then, have you really thought of everything?
For the middle and larger firms this may not always be the case. Certainly the
FSA take business continuity very seriously, so if I were you I would read on.
If you have a CF10 who is responsible for DR, then as a CF11 what input did/do
you have? Have you seen the DR Plan? Did you have input into it? Was the
original produced after your input, and if so, were any significant changes
made after you had seen it or, indeed, signed it off? As an MLRO you should be
part of the DR Plan sign off and review procedures.
DR is more important now than ever. Sure, probably the biggest threat to a
business is a fire; however, with the new terrorist threat that now exists
(suicide bombers, dirty bombs, 9/11, 7/11 etc.), the possibility of needing to
invoke your DR Plan is more real right now than ever before.
So, what should you be doing, what should you have done, where do you start,
what are the pitfalls and what are the most important things from an MLRO’s
perspective? Below are some useful checks that I believe all MLROs should read.
If nothing else, this article will prove to be a simple checklist for you,
satisfying you that all is well at your Firm; at best, it may save your neck at
some stage in the future.
The Checklist:
1 Let’s start with the basics: do you have a DR Manual?
2 Has every department written their own procedures and are they in the Manual?
3 Does each department manager and deputy manager have a copy of the Manual
kept at their home address (off site)?
4 Has each department visited your offsite DR premises and tested they can
access their systems and that everything works satisfactorily?
5 Are you aware who will be working from the DR site, and who will be working
from another office or from home? Indeed, does everyone working from home have
the equipment to do so?
6 Have you looked at your own situation? Do you and your team know what to do,
and have you produced your procedures? I appreciate you might not want your
procedures produced for public reading in the main DR Manual, and if that’s the
case, fine, but have you written these procedures and given them to your staff
to take home? These AML procedures should contain the passwords to access the
systems you use. Your staff should have tested these from their homes and
acknowledged this to you in writing. They should have a courier service
available to move documents from their home (off site) to another designated
place: a central point, control hub, business unit, whatever. Do your staff have
access to the (or a) courier service account number and codes? They should be
in a position to call the courier from their home on the company account and
send documents wherever.
7 My staff have a back up of all the forms we use at their homes. This way they
can access the forms well before our systems are invoked at the DR site;
invoking all systems can take over twenty four hours.
8 Have you, the MLRO, visited the DR site? Have you watched a DR test in
progress and made documented notes?
9 A great idea? At NIBC all managers have a telephone list produced and
laminated (credit card size), which we keep in our wallets or purses and which
contains:
9a All managers’ business mobile telephone numbers;
9b The DR site telephone numbers and account numbers;
9c Some senior managers’ home telephone numbers (note: remember the Data
Protection Act here; you need to get the senior managers’ permission to publish
their private numbers, though of course you don’t need to for their
business-owned mobiles).
This little card, the size of a credit card and half the weight of one, could be
the most useful tool you have in the event of your offices suddenly being
unavailable.
Indeed, if you’re a foreign bank like we are, print off some extra cards and
send them to key personnel at your H.O., e.g. the Group Compliance Officer and
Group MLRO, Head of IT and Legal? At the end of the day it’s up to you, of
course. Remember, while there are people who do not take DR that seriously, as
they believe someone else has the situation under control, when things don’t
work in your department, guess where the finger points.
10 Taking all the above into account, has everything been documented and
recorded, and are these records easy to lay your hands on? Personally (like
many an MLRO, I wear several hats), as the MLRO, Compliance Officer and
Disaster Recovery Officer, I have DR as a section in my “Compliance Monitoring
Plan” (“CMP”), CMP being a subject I will write about soon. The CMP forces me to
review and record DR on a regular basis.
11 CMP DR Recording: what should you record, and at what periods? Well, I
schedule three visits a year to this area, where I have a full review. Having
said that, any DR issues that arise are recorded and put into the CMP, and
e-mails on DR are also printed off and filed in the DR section of the CMP. This
achieves two things: (a) it ensures that when it comes round to the review date
you have some issues previously raised to look into, and (b) it demonstrates to
everyone who audits the CMP (FSA, IAD, external auditors etc.) that whilst you
have three / four reviews a year, keeping up to date with things continues all
year round. DR should not be seasonal.
12 DR Training: let’s not forget this one, as without spreading the word all
is lost (big time). I give an induction to all new employees within two days of
their start date. I appreciate this might not be possible for a large
institution; indeed, my HO do an induction the first Monday of each month.
However, for me it’s easier. I cover DR for all employees and get them to sign
that they attended the session. I also do an Annual Refresher Training for all
employees, thus ensuring this remains an issue to be thought about.
Indeed, as the CF10 I send out annual questionnaires on compliance issues, and
always ask about DR. The message here at NIBC is everywhere and constant: all
our managers and staff know what to do if the situation ever arises. Can you say
the same?
13 Internal Restructures. Don’t forget the above when departments within your
institution change or merge, or new ones are introduced. Your auto pilot should
switch on, and you should speak to whoever you deem necessary to ensure the new
business unit is DR aware. Indeed, you should be involved right from the idea
process as opposed to after the event. If you’re not, then what internal
committees exist that perhaps you should sit on?
14 DR Offsite Tests. We do two a year, and these tend to take three days. They
are recorded, of course, with IT taking copious notes. Personally, I visit one
of the tests for one day; this may be day one set up, or day two/three
observations and testing. Again, my personal notes are taken and placed in the
relevant section of the CMP.
15 Back up. I mentioned earlier that I have a disc and procedures at home, and
can access any of the systems and forms I need when away from the office, but
let’s not forget the back up. Like the vast majority of firms we back up daily,
with our tapes being collected every morning. These are taken to a site that,
as the crow flies, is not too far from the office. This bugged me: what happens
in a chemical attack situation, or a dirty bomb? So, call me over the top (?),
but I decided to have an additional back up (monthly or bi weekly) that goes to
an alternative storage site further out.
16 The MLRO Annual Report to Senior Management. Here’s another subject for me
to cover at a later date; having said that, what a great tool to do our job
this is. Enough of that, back to the article: do you use your Report to mention
that DR is covered, and what has happened since the Report was issued (with
regards to DR)?
Well, I really hope that reading the above has put your mind at rest that all is
well at your firm, or given you some food for thought, or given you some ideas
to put in place at your firm. Compliance Online have asked me to write an
article every month from a practitioner’s perspective, so I hope you find my
articles of interest, down to earth and about our real world. A few years ago I
started an MLRO forum with a view to bringing on the young ones, helping
practitioners share and resolve problems, set benchmarking standards and do
something for our industry. I really hope my articles do something in this
regard.
Ben Hur
Compliance Officer and MLRO NIBC Bank N.V.
Chairman the Anti Money Laundering Practitioners Forum
(www.mlros.com)


