MLROs and Disaster Recovery – are you prepared?

Published November 2005

The MLRO role and Disaster Recovery (“DR”) do not always go hand in hand. There are of course the smaller firms whose CF11 is also the CF10, and for them it should be done and dusted, but even then, have you really thought of everything? For the middle and larger firms this may not always be the case. Certainly the FSA takes business continuity very seriously, so if I were you I would read on.

If you have a CF10 who is responsible for DR, then as a CF11 what input did/do you have? Have you seen the DR Plan? Did you have input into it? Has the original been produced after your input, and if so, were there any significant changes made after you had seen it or, indeed, signed it off? As an MLRO you should be part of the DR Plan sign-off and review procedures.

DR is more important now than ever. Sure, probably the biggest threat to a business is a fire; however, with the new terrorist threat that now exists (suicide bombers, dirty bombs, 9/11, 7/11 etc.), the possibility of needing to invoke your DR Plan is more of a real threat right now than ever before.

So, what should you be doing, what should you have done, where do you start, what are the pitfalls and what are the most important things from an MLRO’s perspective? Below are some useful checks that I believe all MLROs should read. Indeed, if nothing else, the least this article will prove to be is a simple checklist for you, satisfying you that all is well at your firm; at best, it may save your neck at some stage in the future.

The Checklist:

1 Let’s start with the basics: do you have a DR Manual?

2 Has every department written their own procedures and are they in the Manual?

3 Does each department manager and deputy manager have a copy of the Manual kept at their home address (off site)?

4 Has each department visited your offsite DR premises and tested they can access their systems and that everything works satisfactorily?

5 Are you aware who will be working from the DR site, and who will be working from another office or from home? Indeed, does everyone working from home have the equipment to do so?

6 Have you looked at your own situation? Do you and your team know what to do, and have you produced your procedures? I appreciate you might not want your procedures produced for public reading in the main DR Manual, and if that’s the case, fine, but have you written these procedures and given them to your staff to take home? These AML procedures should contain the passwords to access the systems you use. Your staff should have tested these from their homes and acknowledged this to you in writing. They should have a courier service available to move documents from their home (off site) to another designated place: a central point, control hub, business unit, whatever. Do your staff have access to the (or a) courier service account number and codes? They should be in a position where they can call the courier from their home on the company account and send documents wherever.

7 My staff have a back-up of all the forms we use at their homes. This way they can access the forms well before our systems are invoked at the DR site; invoking all systems can take over twenty-four hours.

8 Have you, the MLRO, visited the DR site? Have you watched a DR test in progress and made documented notes?

9 A great idea? At NIBC all managers have a laminated, credit-card-size telephone list, which we keep in our wallets or purses and which contains:

9a All managers’ business mobile telephone numbers;

9b The DR site telephone numbers and account numbers;

9c Some senior managers’ home telephone numbers (note, remember the Data Protection Act here: you need to get the senior managers’ permission to publish their private numbers; of course, you don’t need to for their business-owned mobiles).

This little card, the size of a credit card and half the weight of one, could be the most useful tool you have in the event of your offices suddenly being unavailable.

Indeed, if you’re a foreign bank like we are, print off some extra cards and send them to key personnel at your H.O., e.g. the Group Compliance Officer and Group MLRO, Head of IT and Legal? At the end of the day it’s up to you, of course. Remember, while there are people who do not take DR that seriously, as they believe someone else has the situation under control, when things don’t work in your department, then guess where the finger points.

10 Taking all the above into account, has everything been documented and recorded? Indeed, are these records easy to lay your hands on? Personally (like many MLROs, I wear several hats), as the MLRO, Compliance Officer and Disaster Recovery Officer I have DR as a section in my “Compliance Monitoring Plan” (“CMP”), the CMP being a subject I will write about soon. The CMP forces me to review and record DR on a regular basis.

11 CMP DR Recording. What should you record, and at what periods? Well, I schedule three visits a year to this area, where I have a full review. Having said that, any DR issues that arise are recorded and put into the CMP, and e-mails on DR are also printed off and filed in the DR section of the CMP. This achieves two things: (a) it ensures that when the review date comes round you have some previously raised issues to look into, and (b) it demonstrates to everyone who audits the CMP (FSA, IAD, external auditors etc.) that whilst you have three / four reviews a year, keeping up to date with things continues all year round. DR should not be seasonal.

12 DR Training. Let’s not forget this one: without spreading the word all is lost (big time). I give an induction to all new employees within two days of their start date. I appreciate this might not be possible for a large institution; indeed, my HO do an induction the first Monday of each month. However, for me it’s easier. I cover DR for all employees and get them to sign that they attended the session. I also do an Annual Refresher Training for all employees, thus ensuring this remains an issue to be thought about.

Indeed, as the CF10 I send out annual questionnaires on compliance issues, and always ask about DR. The message here at NIBC is everywhere and constant: all our managers and staff know what to do if the situation ever arises. Can you say the same?

13 Internal Restructures. Don’t forget the above when departments within your institution change or merge, or new ones are introduced. Your autopilot should switch on, and you should speak to whoever you deem necessary to ensure the new business unit is DR aware. Indeed, you should be involved right from the idea process as opposed to after the event. If you’re not, then what internal committees exist that perhaps you should sit on?

14 DR Offsite Tests. We do two a year, and these tend to take three days. They are recorded, of course, with IT taking copious notes. Personally I visit one of the tests for one day; this may be day one set-up, or day two/three observations and testing. Again, my personal notes are taken and placed in the relevant section of the CMP.

15 Back-up. Well, I mentioned earlier that I have a disc and procedures at home, and can access any of the systems and forms I need when away from the office, but let’s not forget the back-up. Like the vast majority of firms we back up daily, with our tapes being collected every morning. These are taken to a site that, as the crow flies, is not too far from the office. This bugged me: what happens in a chemical attack situation, or a dirty bomb? So, call me over the top (?), but I decided to have an additional back-up (monthly or bi-weekly) that goes to an alternative storage site further out.

16 The MLRO Annual Report to Senior Management. Well, here’s another subject for me to cover at a later date; having said that, what a great tool to do our job this is. Enough of that, back to the article: do you use your Report to mention that DR is covered, and what has happened since the Report was issued (with regards to DR)?

Well, I really hope that reading the above has put your mind at rest that all is well at your firm, or given you some food for thought, or given you some ideas to put in place at your firm. Compliance Online have asked me to write an article every month from a practitioner’s perspective, so I hope you find my articles of interest, down to earth and about our real world. A few years ago I started an MLRO forum with a view to bringing on the young ones, helping practitioners share and resolve problems, set benchmarking standards and do something for our industry. I really hope my articles do something in this regard.

Ben Hur
Compliance Officer and MLRO NIBC Bank N.V.
Chairman, the Anti Money Laundering Practitioners Forum
(www.mlros.com)

