
Sterling Bank Plc

Money Laundering, Terrorist Financing & Compliance Risk Assessment

December, 2019
ML, TF & Compliance Risk Assessment, 2019
Sterling Bank Plc

TABLE OF CONTENTS

Executive Summary iii
Abbreviations & Acronyms vi

1. Introduction 1
1.1. Company Profile 1
1.2. Background 2
1.3. Scope Limitations 2
1.4. Risk Characteristics and Causes 3
1.5. Regulation and Statutory Guide 4

2. The Risk Assessment Methodology 5
2.1. Methodology 5
2.1.1. Inherent Risk Identification 5
2.1.2. Risk Control Programs Evaluation 6
2.1.3. Residual Risks Assessment 6

3. ML/TF Risk Assessment Process 9
3.1. Evaluation of Inherent Risk 10
3.1.1. Inherent Customer Risk 11
3.1.2. Inherent Products & Services Risk 11
3.1.3. Inherent Delivery Channel Risk 12
3.1.4. Inherent Location Risk 14

4. Evaluation of Compliance Controls 17
4.1. Governance Structure 17
4.2. Written Policies 18
4.3. Customer Due Diligence & Enhanced Due Diligence 18
4.4. Record Keeping 21
4.5. Compliance Structure 21
4.6. Mandatory Reporting 23
4.7. Training 23
4.8. Internal Control & Audit 24
4.9. Internal Sanctions 26
4.10. Risk Management 26

5. Overall Risk Assessment Result 27
5.1. Inherent Risk 28
5.2. Controls 28
5.3. Residual Risk 29

6. Risk Assessment Findings & Recommendations 30

DataPro

REPORT ON THE ML, TF AND COMPLIANCE RISK ASSESSMENT OF STERLING BANK PLC

Sterling Bank Plc (“the Bank”) engaged the services of DataPro Limited to conduct the Money Laundering, Terrorist Financing and Compliance Risk Assessment of the bank as at September 2019. This is in accordance with Recommendation 1 of the FATF 40 Recommendations that: “countries should require financial institutions to identify, assess and take effective action to mitigate their money laundering and terrorist financing risks”.

Domestically, Regulation 5 of the CBN AML/CFT Regulation 2013 makes ML & TF Risk Assessment a mandatory obligation of banks as follows: “A financial institution shall (a) take appropriate steps to identify, assess and understand its Money Laundering (ML) and the Financing of Terrorism (FT) risks for customers, countries or geographic areas of its operations, products, services and delivery channels (b) document its risk assessment profile (c) consider all relevant risk factors before determining the overall level of risk and the appropriate level and type of mitigation to be applied (d) keep the assessment in the regulation up to date and (e) have the appropriate mechanisms to provide risk assessments reports to regulatory, supervisory and competent authorities and Self-Regulatory Organisations (SROs).”

It is thus in fulfilment of the CBN regulation that this exercise was conducted for the Bank.

Our approach to the assignment was based on examination of documents and policies, observations from branches and Strategic Business Units (SBUs) visited, questionnaires administered in the branches and SBUs, as well as interviews conducted with selected personnel within the Bank.

We adopted a 5-Tiered rating model. This is in line with the model used for the National Risk Assessment (NRA) of Nigeria conducted in the year 2016.


The exercise concluded that Sterling Bank’s Money Laundering, Terrorist Financing & Compliance risk rating is Medium.

The details of our findings, breakdown of the rating procedure and appendix are contained in the full report.

Yours faithfully,

Abimbola Adeseyoju, FCIN


EXECUTIVE SUMMARY

The Financial Action Task Force (FATF) Recommendation 1 of its 40 Recommendations mandates countries to require financial institutions to identify, assess and take effective action to mitigate their money laundering and terrorist financing risks. Domestically, Regulation 5 of the CBN AML/CFT Regulation 2013 (As Amended in 2019) requires financial institutions to take appropriate steps to identify, assess and understand their money laundering and the financing of terrorism risk for customers, countries or geographic areas of their operations, products, services and delivery channels.

In compliance with the CBN Regulation, Sterling Bank Plc engaged DataPro Limited to conduct the Money Laundering, Terrorist Financing and Compliance Risk Assessment of the Bank as at September 2019. The assessment covers the Bank’s existing AML/CFT compliance programs, policies, procedures & processes for the period.

In conducting the exercise, the Bank’s inherent risk was evaluated by considering four (4) major risk factors namely: Customers, Products and Services, Delivery Channel and Location. Additionally, an evaluation of the Bank’s AML/CFT control programs was conducted. The evaluation covered Governance Structure; Written Policies; Customer Due Diligence & Enhanced Due Diligence; Compliance Management; Internal Control & Audit; Risk Assessment; Internal Sanctions; Training; Mandatory Reporting and Record Keeping. Finally, the control measures were applied to the inherent risks identified, using a 5-tiered risk rating model (Low; Medium Low; Medium; Medium High and High), to determine the ML, TF and Compliance risk rating of the Bank.

Consequently, the report findings revealed that the Overall Risk Rating of Sterling Bank Plc is Medium. This is as a result of deficiencies in existing customer due diligence measures, customer risk rating, customer updates and record keeping system.


ABBREVIATIONS & ACRONYMS

AML/CFT   Anti-Money Laundering/Combating the Financing of Terrorism
CAMU      Centralized Account Management Unit
CAV       Customer Address Verification
CBN       Central Bank of Nigeria
CDD       Customer Due Diligence
CEMP      Customer Experience Management Personnel
DNFBPs    Designated Non-Financial Businesses or Professions
EDD       Enhanced Due Diligence
FATF      Financial Action Task Force
KYC       Know Your Customer
ML        Money Laundering
NFIU      Nigerian Financial Intelligence Unit
NRA       National Risk Assessment
PEPs      Politically Exposed Persons
SBU       Strategic Business Unit
STR       Suspicious Transaction Report
TF        Terrorist Financing


1. INTRODUCTION

1.1 COMPANY PROFILE

Sterling Bank Plc (“the Bank”) operates as a full-fledged national commercial bank in Nigeria. The Bank came into existence as a result of the merger of five (5) Nigerian banks. In mid-2011, it acquired the franchise of the erstwhile Equitorial Trust Bank. Sterling Bank has continued to grow its operation by actively playing in the retail end of the banking industry.

As at the time of conducting this assessment, the Bank had 180 branches, 847 ATMs and 7,853 POS. Additionally, it had 781,573 USSD users and a customer base of 3 million.

Sterling Bank offers a range of deposit-based products which can be largely classified into Savings Accounts, Current Accounts and Investments. It also offers trade-related products such as bills for collection, invisibles, SMEs, letters of credit and funds transfer.

The Bank equally offers an array of digital products. They include: Social Lender, Specta, ChatPay, Sterling Alternative Finance (SAF) Retail, i-invest, GoMoney, AltMall, Doubble, FarePay, Snap Cash and Imperium.

Geographically, the Bank operates in the South West, South East, South South, North West, North East and North Central. However, the Bank’s operation is largely concentrated in the South West. The Bank does not have any foreign branch or subsidiary.

Sterling Bank caters for both the high and low end of the market. The profile of its customers includes: Politically Exposed Persons (PEPs), Financially Exposed Persons (FEPs), High Net Worth Individuals (HNWIs), Foreigners, Corporates and Individuals.


1.2. BACKGROUND

In order to benchmark its level of compliance and determine the general and specific Money Laundering (ML) and Terrorist Financing (TF) risks it faces, Sterling Bank appointed DataPro as an Independent Risk Assessment consultant.

The Independent Assessment of the Bank’s existing AML/CFT compliance programs, policies, procedures & processes was carried out in the month of September, 2019.

This compilation serves as a report of DataPro’s findings to the Bank’s Management.

1.3. SCOPE LIMITATIONS

• The assessment does not include verifying the effectiveness and adequacy of the Affiliates and Associates of the organisation.
• The engagement does not include creating any additional/new templates/reports or undertaking any actions to implement the recommendations provided in the report.
• The assessment was based on the existing activities of Sterling Bank. Accordingly, we have no obligation to update our report or to revise the information contained therein to reflect events/transactions and initiatives undertaken by the Bank subsequent to the date of this report.
• Due to the inherent limitations associated with systems, errors, omissions and other irregularities may occur and not be detected. Our work was not designed specifically to investigate fraud or other criminal activities.
• Our work was limited to 28 SBUs and 76 branches. However, the 76 branches spread across the six (6) geopolitical zones as presented in figure A.


FIGURE A: GEOGRAPHICAL SPREAD OF BRANCHES VISITED

[Pie chart: South West 37%, South South 26%, North Central 11%, North West 9%, South East 9%, North East 8%]

Source: DataPro Limited

1.4. RISK CHARACTERISTICS AND CAUSES

The Nigeria National Risk Assessment (NRA) on Money Laundering & Terrorist Financing (2016) identified the major money laundering threats facing Nigeria to be bribery and corruption, pipeline vandalism and illegal oil bunkering, advance fee fraud, drug trafficking and fraud and forgery.

Moreover, the report relates that money laundering poses a great threat to the banking sector in Nigeria. This is because the Deposit Money Banks (DMBs) dominate the business of receiving deposits and providing direct access to those deposits through the payments system. The exploitation of the banking system by fraudulent individuals and groups, as well as corrupt public officials, is enabled by factors such as the sheer size of the banking sector, the complexity of banking products which allows concealment, the shift to electronic payment channels which reduces face-to-face contact, and connivance by some of the banks’ employees in certain instances.

In addition, major terrorist financing threats facing Nigeria include a wide array of illegal and criminal activities such as kidnapping, extortion, armed robberies, smuggling etc. that yield high returns to terrorist organisations, as well as sympathizers’ and members’ levies and contributions. The NRA (2016) also reports that the TF threat facing Nigeria could be assumed to emanate from domestic funding rather than any other source.


Although the vulnerability of the Banking sector to TF is adjudged to be low, as stated in the 2013 NFIU Trends and Typologies Report on TF, terrorists may use the Bank by adopting money laundering techniques.

1.5. REGULATORY AND STATUTORY GUIDE

This report is compiled in line with the principle of Recommendation 1 of the Financial Action Task Force (FATF) issued in 2012, the requirements of the Money Laundering Prohibition Act 2011 (As Amended), the Terrorism Prevention Act (2011), the CBN AML/CFT Regulations, 2013 (As Amended in 2019) and the CBN Administrative Sanctions Regime 2018.


2. RISK ASSESSMENT METHODOLOGY

2.1. METHODOLOGY

The ML/TF risk assessment was conducted by carrying out the following steps:

• Inherent risk identification
• Risk controls programs evaluation
• Residual risks assessment

2.1.1 Inherent Risk Identification

In line with best practices, money laundering and terrorist financing risk identification involves majorly four (4) risk factors. These are Customer type, Product type, Delivery channels and Geographical location.

The methodology adopted for identifying inherent risk in the risk factors highlighted above includes the following:

• Documentation review
• Interview

Documents reviewed with a view to identifying inherent risk are:

• AML/CFT Policies and Procedures of the Bank
• Enterprise Risk Management Policy
• Standard Operating Procedure (SOP) of selected SBUs
• Consumer Banking Product Programs
• Internal Audit Report
• Bank Examiner’s Report for the period ending July, 2019
• Review of Corporate Data

Interviews were conducted with Service Managers in 76 branches and group heads of some selected SBUs.


2.1.2 Risk Controls Programs Evaluation

Evaluation of the Bank’s AML/CFT control programs was carried out. It covered the following:

• Governance Structure
• Written Policies
• Customer Due Diligence & Enhanced Due Diligence
• Record Keeping
• Compliance Structure
• Mandatory Reporting
• Internal Control & Audit
• Risk Assessment
• Internal Sanctions
• Training

In order to evaluate the above appropriately, we adopted the following methodology:

• Data gathering/statistical review
• Documentation review of customers’ files
• Observation of customers’ onboarding procedure
• Observation of mandatory reporting procedure
• Interview with compliance key personnel
• Observation of record keeping procedure
• Review of compliance systems and application
• Review of compliance policies and procedures
• Administration of questionnaire
• Review of financials

2.1.3 Residual Risks Assessment

In order to determine the overall risk rating of the Bank, we applied the control measures to the inherent risks identified, using a 5-tiered risk rating model. This is defined as follows:

• 1 - Low Risk
• 2 - Medium Low
• 3 - Medium
• 4 - Medium High
• 5 - High

Table 1 shows the details of documents reviewed (status: Requested / Obtained / Reviewed; ✓ = yes, X = no).

S/N  Document Type                                          Requested  Obtained  Reviewed
1    2018 Annual Report of the Bank                         ✓          ✓         ✓
2    Compliance Manual                                      ✓          ✓         ✓
3    Compliance Organogram                                  ✓          ✓         ✓
4    Enterprise Risk Management Framework                   ✓          ✓         ✓
5    Branch Network                                         ✓          ✓         ✓
6    Description of all Bank’s products and services        ✓          ✓         ✓
7    Description of all business units and business lines   ✓          ✓         ✓
8    Description of all customers and clients types         ✓          X         X
9    Description of all delivery channels                   ✓          ✓         ✓
10   Description of all IT and New Technologies             ✓          ✓         ✓
11   Description of all marketing strategies                ✓          X         X
12   Account Opening Package                                ✓          ✓         ✓
13   All AML/CFT Procedures Manuals                         ✓          ✓         ✓
14   Existing bank monitoring framework                     ✓          ✓         ✓
15   Sanction filtering tools                               ✓          ✓         ✓
16   Mandatory and Suspicious Reporting Tools               ✓          ✓         ✓

Table 2 shows the details of interview sessions and questionnaire administration.


S/N  Description                            Interview Sessions  Questionnaire Administration
1    Service Managers in 74 Branches        ✓                   ✓
2    Account Management Unit                X                   ✓
3    Branding & Communications              X                   ✓
4    Central Clearing                       ✓                   ✓
5    Compliance Group                       ✓                   ✓
6    Treasury Operations                    X                   ✓
7    E-Banking Operations                   X                   ✓
8    Enterprise Project Management Office   X                   ✓
9    Enterprise Risk Management             X                   ✓
10   Finance & Performance Management       X                   ✓
11   Finance Operations                     X                   ✓
12   General Internal Service               X                   ✓
13   Human Capital                          ✓                   ✓
14   Institutional Banking                  X                   ✓
15   Internal Audit                         ✓                   ✓
16   Legal                                  X                   ✓
17   Non-Interest Banking                   ✓                   ✓
18   Personal Banking Team                  X                   ✓
19   Private Banking                        ✓                   ✓
20   Service Management                     X                   ✓
21   Strategy & Innovation                  X                   ✓
22   Technology                             X                   ✓
23   Technology & Digital Compliance        ✓                   ✓
24   Treasury                               ✓                   ✓
25   Mobile Financial Services              X                   ✓
26   Customer Care                          ✓                   ✓
27   Transaction Banking                    X                   ✓
28   Trade Services                         ✓                   ✓
29   Micro Banking                          X                   ✓

Note: Interviews were conducted within SBUs that have direct interface with customers and are involved in other strategic engagements.


3. ML/TF RISK ASSESSMENT PROCESS

3.1 Evaluation of Inherent risk

The inherent risk evaluation considered four (4) risk factors. These
are:

1. Inherent Customer Risk
2. Inherent Products & Services Risk
3. Inherent Delivery Channel Risk
4. Inherent Location Risk

These factors are assessed on the basis of their LIKELIHOOD of occurrence and the IMPACT they could have on the Bank.

The assessment and weight are hereby presented.

LIKELIHOOD
WEIGHT  RATING  DESCRIPTION
1       Low     Rarely occurs, only in exception
2       Medium  Possible to occur at some point
3       High    Will occur, only in exception

IMPACT
WEIGHT  RATING  DESCRIPTION
1       Low     Limited sum of money
2       Medium  Moderate sum of money
3       High    Significant sum of money and prosecution/criminal charge of the Institution


3.1.1 Inherent Customer Risk

The Bank operates in the retail end of the market. As at December 2018, the total number of customers was 2,548,942. The trend of customer enrollment is hereby presented.

FIGURE B: 5 YEARS TREND OF CUSTOMER ENROLLMENT

[Chart: customer enrollment per year, 2014 to 2018; vertical axis 0 to 700,000]

Source: Sterling Bank Plc

It is important to stress that we did not come across any significant case of ML/TF involving the customers of the Bank. However, there were records of Law Enforcement Agencies’ requests relating to the Bank’s customers during the period under review, as shown in figure C.

FIGURE C: LAW ENFORCEMENT ENQUIRIES (Q1 2017-Q3 2019)

[Chart: number of law enforcement enquiries per quarter, Q1 ’17 to Q3 ’19; vertical axis 0 to 1,200]

Source: Sterling Bank Plc


The Bank’s customers can be segregated into the following groups namely: Politically Exposed Persons (PEPs), High Net Worth Individuals, Foreigners, Non-resident Nigerians and other Individuals & Corporate bodies.

The inherent customer risk rating of the Bank is heightened by the fact that it caters for customers with high likelihood of occurrence and high level of impact.

Consequently, inherent customer risk rating is considered High.

3.1.2. Inherent Products and Services Risk

The products and services of the Bank are structured to facilitate deposit and lending activities. As at year end 2018, deposit liabilities and loans & advances were N761b and N621b respectively.

The products and services of the Bank can further be broken into:
Current Accounts, Savings Accounts, Investments and Trade
Services.

TABLE 3: PRODUCTS CLASSIFICATION

Savings                Current                  Investment        Trade Services
• Financial Inclusion  • Classic Current Account • Individuals     • Bills for Collection
• Youth                • Minimum Balance Account • Non-individuals • Invisibles
• Regular                                                          • SME
• Hybrid                                                           • Letter of Credit
• Non-individual                                                   • Funds Transfer
• Turnover

Source: Sterling Bank Plc

Based on the reviewed products compendium provided by the Bank, only few products (financial inclusion 1 & 2) have value limitation attached to them. Other products have capacity to handle internet banking and mobile banking limits of N1,000,000 per transaction and N5,000,000 per day.

We did not come across significant cases of products and services abuse. However, there were instances of financial crimes experienced by the Bank, as shown in figure D.

FIGURE D: 5 YEARS FINANCIAL CRIME TREND

[Chart: financial crime cases per year, 2014 to 2018; vertical axis 0 to 120]

Source: Sterling Bank Plc

The inherent products and services risk rating of the Bank is largely a result of its high value limitation on non-face-to-face platforms. Therefore, the inherent products and services risk rating is considered Medium.

3.1.3. Inherent Delivery Channel Risk

The Bank renders services to its customers using various channels. Customers have the option of dealing with the bank on a face-to-face basis by visiting any of its 180 branches. However, there are electronic channels with a significant number of customer enrollments. These channels are: Cards, Mobile, Internet, Application and USSD.

Figure E shows the number and trend of electronic-based customers.

FIGURE E: 5 YEARS TREND VALUE OF ELECTRONIC-BASED CUSTOMERS

[Chart: number of electronic-based customers per year, 2014 to 2018, by channel (Card, Mobile, Internet, App, USSD); vertical axis 0 to 2,500,000]

Source: Sterling Bank Plc

It is important to also note that the Bank did not operate any
foreign branch and subsidiary as at the time of conducting the
assessment.

Additionally, we did not come across any significant case of abuse involving the use of the Bank’s electronic-based delivery channels. However, during our interview sessions, most interviewees at branch level confirmed that most financial crime related complaints received from customers are electronic-banking related.

This often occurs where customers unintentionally disclose their personal account details to fraudsters based on the belief that they are talking to officers of the Bank. The fraudsters thereafter utilise the privileged information to defraud the customers on electronic platforms.

It is important to note that the proportion of the Bank’s customers on electronic platforms is gaining traction annually, as shown in figure F.

FIGURE F: 5 YEARS TREND OF BANK CUSTOMERS ON ELECTRONIC PLATFORM

[Chart: Bank customers on electronic platform per year, 2014 to 2018; vertical axis 0 to 160]

Source: Sterling Bank Plc

The inherent delivery channel risk rating was largely influenced by the electronic-based channels of the Bank. This is in view of the capacity of such channels to encourage non-face-to-face transactions and facilitate cross-border transactions. The inherent risk rating for delivery channel is therefore Medium.

3.1.4 Inherent Location Risk

Sterling Bank is headquartered in Lagos. It has branches spread across Nigeria. As at the time of compiling this report, the total number of branches was 180, including the cash centres.

The distribution of the Bank’s geographical spread is as presented in figure G.

FIGURE G: STERLING BANK GEOGRAPHICAL SPREAD

[Pie chart: South West 53%, South South 16%, South East 11%, North Central 10%, North West 7%, North East 3%]

Source: Sterling Bank Plc


The activities of the Bank are largely concentrated in the South West, specifically Lagos. However, the Bank has reasonable operation (6 branches) in the North Eastern part of Nigeria. These are areas considered as hot beds of the operations of Boko Haram, the dreaded Nigerian terrorist organisation.

Based on the documents reviewed for the period between the 1st quarter of 2017 and the 3rd quarter of 2019, the Bank received 41 requests from the Department of State Security (DSS). This is the Law Enforcement Agency with primary responsibility for prosecuting offences related to terrorism.

Economic and financial crimes are predominant in the South Western and Eastern parts of Nigeria where the Bank’s operations are domiciled. This assertion is reinforced by the significant level of requests the Bank received from the Economic and Financial Crimes Commission (EFCC) compared to other Law Enforcement Agencies.

TABLE 4: BREAKDOWN OF LAW ENFORCEMENT AGENCIES’ REQUESTS

DATE    EFCC  POLICE  DSS  COURT  SPIP  ICPC  NDLEA  TOTAL
Q1 ’17  195   91      2    0      2     1     0      291
Q2 ’17  201   95      2    0      1     10    1      310
Q3 ’17  208   72      2    0      2     1     0      285
Q4 ’17  351   120     5    2      1     2     0      481
Q1 ’18  515   254     5    2      1     14    0      791
Q2 ’18  303   129     3    2      2     13    1      453
Q3 ’18  403   295     2    5      3     15    2      752
Q4 ’18  655   330     7    8      0     22    0      1,022
Q1 ’19  510   255     5    0      3     15    2      760
Q2 ’19  410   250     4    4      0     13    0      681
Q3 ’19  601   245     4    3      0     5     0      858

Source: Sterling Bank Plc


Although the Bank provides services to Nigerians in diaspora and foreigners that are resident in Nigeria, it does not maintain any foreign branch or subsidiary.

The inherent geography risk rating is largely influenced by the reported predicate offences in the locations of the Bank’s branches. Therefore, the inherent risk rating based on location is considered Medium.


4. EVALUATION OF COMPLIANCE CONTROLS

The following compliance controls were evaluated.

1. Governance Structure
2. Written Policies
3. Customer Due Diligence & Enhanced Due Diligence
4. Record Keeping
5. Compliance Structure
6. Mandatory Reporting
7. Internal Control & Audit
8. Risk Assessment
9. Internal Sanctions
10. Training

The above compliance controls were assessed and weighted as presented in the table below.

WEIGHT  SCORE    DESCRIPTION
1       <80%     Ineffective
2       80-84%   Partially Effective
3       85-89%   Largely Effective
4       90-94%   Substantially Effective
5       95-100%  Fully Effective

4.1 Governance Structure

Sterling Bank has a CBN approved organogram. The organogram clearly shows that the Board performs oversight function on Compliance.

The Bank has an AML/CFT policy which was approved by the Board
in 2018. AML/CFT policy and other related policies are
communicated to all employees via emails and dedicated portals.


The Conduct & Compliance Division renders a quarterly report on compliance, governance and whistleblowing matters to the Central Bank of Nigeria. However, we did not come across any evidence of feedback obtained by the compliance unit on issues raised.

We consider Sterling Bank’s governance structure to be Fully Effective.

4.2 Written Policies

The Bank’s AML/CFT policy is documented. This was last reviewed in the year 2018. The policy is communicated and made accessible to all Bank staff via the online portal.

Aside from the online portal, Cluster Compliance Officers also conduct regular training on the policies of the organisation in order to enhance awareness. Additionally, the Bank has adopted e-learning avenues to expose the AML/CFT policy of the Bank to employees.

The policy of the Bank covers essential AML/CFT procedures such as: Customer Due Diligence (CDD), record keeping, mandatory reporting, Politically Exposed Person (PEP) procedure and prohibition of dealing with anonymous persons.

However, we observed that the Non-Interest Banking Unit policy was yet to be updated even though it was due for update in July 2019.

We therefore consider Sterling Bank’s AML/CFT policies to be Partially Effective.

4.3 Customer Due Diligence & Enhanced Due Diligence

Sterling Bank has a robust customer onboarding process. Most customers are on-boarded via the branches. The Bank’s customers are either walk-in or marketed. Either way, every customer is expected to complete an account opening form which is submitted to the Customer Experience Management Personnel (CEMP). The subsequent procedure is as presented in figure H.


FIGURE H: CUSTOMER ON-BOARDING PROCEDURE

[Flowchart, reconstructed from the chart labels: Account Opening / Account Upgrading / Account Reactivation → CEMP Review (screening: PEP, Sanctions, Credit default restriction, BVN) → Generate account number with restriction → CAMU → Address Verification positive, to lift restriction for customer use]

Source: DataPro

The Service Managers and Compliance Officers at branch level review account opening packages before they are eventually uploaded on the 1Xpress portal of the Bank.

The CEMP performs screening relating to verification of identity, BVN, PEP and Sanctions before enrolling customers on the 1Xpress platform.

The Centralized Account Management Unit (CAMU) of the Bank also reviews documents for completeness and spools them for Customer Address Verification (CAV). It is only after addresses are confirmed as genuine that customers can access their accounts.

We consider the Bank’s customer on-boarding process as Substantially Effective because it enables the identification of PEPs and high risk customers, and automation of sanctions screening.

The Bank’s Customer Due Diligence (CDD) process was assessed based on the four (4) elements of CDD namely:

• Customer Acceptance Policy
• Customer Identification Procedure
• Risk Management
• Transaction Monitoring and Update

• Customer Acceptance Policy

The Bank’s AML/CFT policy covers Know Your Customer (KYC) procedure. The CEMP, Service Managers, Compliance Officers and other relevant staff are conversant with the policy on customer acceptance.

• Customer Identification Procedure

Customers are required to provide acceptable means of identification including utility bills and complete account opening forms. The only exemptions are Tier I and Tier II accounts.

In the event of account upgrade and reactivation, customers’ addresses are expected to be re-verified where the newly provided addresses are different from what the Bank has in its records.

We observed in a few instances that address verification carried out at branch level was sometimes very close to the time the customer requested an upgrade. Sometimes, address verification was conducted earlier than the time or date of such request.

• Risk Management

Customer risk rating procedure is embedded in the account opening package. This is expected to be completed by the Relationship Officer. The risk classification in the account opening package only provides for high or low risk, with the omission of a “medium risk” classification. It also does not provide enough breakdown to recognise risk factors that could lead to appropriate risk classification.

Additionally, the risk classification of a customer is only available to Compliance staff and no other customer-facing officers.

There is also evidence of wrong classification of corporate bodies as Designated Non-Financial Businesses or Professions (DNFBPs) and Trust Companies.

The Bank has a robust procedure for PEP risk management. However, there is a need to regularly update the PEP list for comprehensiveness.


• Transaction Monitoring & Update

We observed that customer records updates are mostly done when customers reactivate or upgrade their accounts. Most customers with a long-time relationship with the Bank do not have their details upgraded.

There are cases of customers on loan without updated details such as address.

4.4 Record Keeping

We considered record keeping by examining the Bank’s collation, retention and retrieval procedure.

There is strong awareness of the AML/CFT related records to be obtained by the Bank’s staff. The Bank generates records of customers’ identification and transactions. However, there are cases of poor quality of documents collected, such as utility bills. Most utility bills do not reflect the proper address of the customer.

Additionally, passport photographs collected do not have the names of the owners written at the back. This could lead to misapplication of passport photographs to unintended customers.

We observed that staff members appreciate the need to retain customers’ records relating to identification and transactions. However, awareness regarding how long AML/CFT records should be kept within the Bank was discovered to be quite low. Lack of proper awareness on retention timeline may lead to complacency on the part of the responsible staff.

The Bank is currently digitizing its records. It is expected that the process will mitigate records retrieval risk.

We consider the record keeping of the Bank to be Partially


Effective.

4.5 Compliance Structure

There are 95 people working in the Compliance unit of the Bank. The unit has 5 functional departments: Due Diligence/Capacity Building; Transaction Monitoring; Law Enforcement Management & Regulatory Intelligence; Regulatory Compliance Monitoring and Reporting; and Cluster Compliance.

The activities of these departments are coordinated by the Group Head, who in turn reports to the Chief Compliance Officer. In line with the directives of the Central Bank of Nigeria, the Bank has also appointed an Executive Compliance Officer (ECO).

FIGURE I: COMPLIANCE ORGANOGRAM

Board of Directors
  MD/CEO
    Executive Compliance Officer (supported by the Advisory Committee of Executive Experts (ACE))
      Chief Compliance Officer
        Non Interest Bank (NIB) Compliance (2 staff)
        Group Head
          Head, Due Diligence/Capacity Building (1): Due Diligence Officers; Capacity Building Officer
          Head, Transaction Monitoring (1): Trade Compliance Officer; Enterprise Transaction Monitoring Officer; Anti-Money Laundering Officer
          Head, Law Enforcement Management, Regulatory Intelligence (1): Law Enforcement Management Officer
          Head, Regulatory Compliance, Monitoring & Reporting (1): Regulatory Reporting Officer; Regulatory Compliance Officer
          Head, Cluster Compliance (1): Cluster Compliance Staff (60), inclusive of 12 Regional Coordinators

Source: Sterling Bank Plc

The Bank does not have Compliance Officers in all its branches. Instead, it runs a cluster arrangement which was approved by the CBN.

The cluster arrangement appears adequate in some parts of the country. However, we observed that it needs to be strengthened in the South West, where the Bank's operations are largely domiciled.

We consider the compliance structure of the Bank to be Substantially Effective.


4.6 Mandatory Reporting

There is bank-wide awareness of the reporting of suspicious transactions. All the branches visited are fully aware of the need to file Foreign Transfer Reports, Currency Transaction Reports and Suspicious Transaction Reports.

The branches mostly report via their resident Compliance Officer or the Cluster Compliance Officer, who in turn reports directly to the Compliance group.

Electronically, the Bank has deployed the SoftAML solution, which generates alerts. The alerts are subject to a series of reviews, from the Transaction Monitoring Analyst up to the STR Panel.

FIGURE J: STR REPORTING PROCESS

1. Alerts generated by SoftAML (and alerts from other sources)
2. Review by the Transaction Monitoring Analyst (ATM)
3. Submission to the Head, Transaction Monitoring (HTMU) for review and onward submission to the Review Panel
4. Review Panel: review and approval
5. TMN reports on GOAML

Source: DataPro

Tipping off is an offence. Most staff interviewed agreed that it is a serious offence. However, almost none knew the type of punishment that a staff member could suffer as a result of tipping off.

The Bank currently reviews alerts a day after they are generated. This may not allow action to be taken on issues that require immediate attention.

The mandatory reporting of the Bank is considered Largely Effective.

4.7 Internal Control & Audit

The Bank's operations are subject to an annual external audit. The external audit does not provide an in-depth assessment of the Compliance function.


The Internal Audit function assesses the operations of the Compliance unit. To ensure substantial coverage, Internal Audit has a 3-year rolling plan ending December 2021. According to the plan, the Compliance function is slated for audit in the second and fourth quarters of the year.

The audit reports on Compliance covered critical aspects such as: Law Enforcement Management & Regulatory Intelligence, Transaction Monitoring, Due Diligence & Capacity Building and Non-Interest Banking.

The Internal Auditors are members of several auditing and accounting bodies. None holds a certification from an AML/CFT compliance certification body. However, it was confirmed during interviews that Internal Audit staff attended AML/CFT trainings organised by the Bank in recent times.

The Internal Audit program for compliance, obtained from the department, was reviewed. It covered salient compliance areas such as: CDD, Training, PEP Procedures, Regulatory Request Management and Regulatory Returns. However, the audit program does not cover customer risk rating and profiling.

We consider Internal Control & Audit of the Bank to be Partially Effective.

4.8 Risk Assessment

The Enterprise-wide Risk Management (ERM) policy of the Bank recognises Compliance Risk. It also specifies compliance risk assessment for new products or modifications to the features of existing products. However, the ERM policy does not specify risk management actions for new products and branches, nor risk-based monitoring of the Bank's operations.


FIGURE K: ENTERPRISE RISK MANAGEMENT APPROACH

Bank Goals/Objectives (examples): Strategic; Technology; Operating; Regulatory

Risk Identification & Measurement (examples):
• Inherent Risk Assessment
• CBN-RBS Risk Assessment
• Product Risk Assessment
• Loan Review
• Compliance Audits/Exams, internal & external
• GAP Analysis

Risk Monitoring (examples):
• Board/Committee Reports Tied to Policy
• Limits/Guidelines
• Methods/Tools
• Examinations/Audit
• Legal Review of Contracts & Product Documents
• Management Reports Highlighting Exceptions (Budget ...)

Risk Control (examples):
• Documented Procedures
• Separation of Duty Control
• Accounting Procedures: Counts, Reconcilements
• Credit Analysis (Financial/Loan, etc)
• Transaction Limits
• Disbursement Limits
• EVE (Rate Shocks)
• Documentation Reviews, Analysis Files, and Follow-Ups
• Contractual Warranties & Indemnification
• Insurance Coverage
• Investment Market Value Report

General:
• Board of Directors
• Management
• Organization Structure, Adequate Segregation of Functional Personnel
• Physical/Information Security

Source: Sterling Bank Plc

The Bank has provision for risk profiling of its customers at the on-boarding stage. The Compliance Operations Manual also requires Enhanced Due Diligence on customers upgraded from low to high risk, on a monthly basis.

Additionally, the Bank screens for Politically Exposed Persons at the on-boarding stage; this screening also covers sanctioned individuals and entities. There is also a provision to obtain Management approval before a customer is categorised as high risk on the core banking application.


There is a process to risk rate new products before they are offered to the public. However, the product menu obtained by us does not carry the risk rating of the Bank's products. Additionally, product type does not form part of the customer risk rating done by the Bank.

We consider risk rating to be Partially Effective.

4.9 Internal Sanctions

The Bank's AML/CFT policy recognises sanctions for staff in the event that they fail to adhere to the requirements of AML/CFT regulations and policies.

The policy further lists the considerations used to determine the culpability of a staff member before a sanction is applied.

Records available show that a total of 345 staff were sanctioned by way of dismissal, warning and suspension. However, only 19 of these were related to money laundering and terrorist financing.

Most staff do not know the nature of the sanction applicable to ML/TF infractions. Additionally, the Bank's AML/CFT policy is not explicit as to the nature of the sanction a staff member will suffer for ML/TF related infractions.

We consider the sanction regime put in place by the Bank to be Fully Effective.

4.10 Training

The Bank has an annual training plan. It conducted AML/CFT training for its staff members, including the Board.

The training covers relevant AML/CFT topics such as CDD and Risk Management. The training mode includes a mix of e-learning and classroom formats. Facilitators are drawn from within and outside the Bank.

The Bank did not achieve full coverage of its staff for AML/CFT training. Additionally, the Bank has not been able to achieve its budgeted training threshold since 2017. Figure L shows its training budget performance.

FIGURE L: TRAINING BUDGET PERFORMANCE FOR JULY 2017 – JULY 2019

[Bar chart: budget against actual for the periods July 17 - July 18, July 18 - July 19 and July 19 - July 20; vertical scale 0 to 4,500.]

Source: Sterling Bank Plc

Note: Budget figure for July 2019 – July 2020 was obtained from Human Capital.

We consider training to be Partially Effective.


5. OVERALL RISK ASSESSMENT RATING

5.1 Inherent Risk Rating

Sterling Bank's inherent risk assessment is presented as follows:

RISK FACTOR                          RISK SCORE   RISK RATING
Inherent Customer Risk               2.75         High
Inherent Products & Services Risk    2.46         Medium
Inherent Delivery Channel Risk       2.44         Medium
Inherent Geographic Risk             2.21         Medium

Overall, the Bank's inherent risk is considered MEDIUM.

5.2 Control Evaluation

The evaluated controls put in place by the Bank are presented as follows:

RISK FACTOR                RISK WEIGHT (%)   RISK SCORE (%)   RISK RATING
Governance Structure       5                 5                Fully Effective
Written Policies           5                 3.75             Partially Effective
CDD & EDD                  20                16.66            Partially Effective
Record Keeping             20                16               Partially Effective
Compliance Structure       5                 4                Substantially Effective
Mandatory Reporting        20                17.5             Largely Effective
Risk Assessment            5                 3.75             Partially Effective
Internal Control & Audit   5                 4.17             Partially Effective
Internal Sanctions         5                 5                Fully Effective
Training                   10                8.3              Partially Effective
TOTAL                      100               84.13

5.3 Residual Risk Rating

INHERENT RISK   CONTROLS STRENGTH   RESIDUAL RISK
Low             95-100%             Low
Low             90-94%              Low
Low             85-89%              Low
Low             80-84%              Medium Low
Low             <80%                Medium
Medium          95-100%             Low
Medium          90-94%              Low
Medium          85-89%              Medium Low
Medium          80-84%              Medium
Medium          <80%                Medium High
High            95-100%             Low
High            90-94%              Medium Low
High            85-89%              Medium
High            80-84%              Medium High
High            <80%                High

With a MEDIUM inherent risk (5.1) and a control strength of 84.13% (5.2), the Bank falls in the 80-84% band of the matrix.

Overall, Sterling Bank's residual risk is rated MEDIUM.


6. RISK ASSESSMENT FINDINGS AND RECOMMENDATIONS

Our findings during the course of the assessment, together with our recommendations, are highlighted as follows:

6.1. Expired means of identification

Issue: The means of identification for many of the accounts in some branches had expired.

Recommendation: The Bank should review its process for obtaining, examining, verifying, capturing, retaining, maintaining, retrieving and updating customers' means of identification. A manual process for managing means of identification is cumbersome; automation of the process is desirable as it is more economical, effective and efficient.

6.2. Absence of names on the reverse side of customers' passport photographs

Issue: Most branches visited did not have the names of customers written on the reverse side of the customers' passport photographs.

Recommendation: In some cases there could be blurred images or photocopies of means of identification. There is therefore a need to ensure names are written on the reverse of passport photographs, as this will assist in matching the exact photograph to the customer, especially when photographs are misplaced, mixed up, or lost and later found. It will also prevent identity mismatch.

6.3. Address Verification - Outsourced Services

Issue: Although provision was made by the Bank in the account opening form under comments (for Bank use: Address Description and result findings), this is not sufficient to meet regulatory/law enforcement requirements.

Recommendation: The Bank should insist on a KYC/Visitation Report duly signed by responsible Bank officers. For high risk and major customers, the exercise should be done directly by the Bank or revalidated by senior personnel of the Bank.

6.4. No evidence of Sanctions/Terrorists/Watch list screening of persons and entities at transaction consummation

Issue: Screening of persons and entities against sanctions, terrorist and watch lists is done by the Bank at the point of onboarding. However, screening does not appear to be integrated at the transaction consummation stage, as there was no evidence that it is being done Bank-wide.

Recommendation: The status of customers (individuals, entities and/or organisations) is dynamic and may change at any time. A customer who is free from regulatory infractions, sanctions, money laundering, financing of terrorism and/or proliferation of Weapons of Mass Destruction (WMD) today may fall short of the law, regulations or requirements tomorrow. Therefore, there is a need for ongoing due diligence, with filtering done at both the onboarding and transaction consummation stages. This is to avoid dealing with terrorists, sanctioned and/or watch-listed persons, entities or organisations, and so protect the Bank and its officers against untoward consequences.
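The gap described in this finding can be shown in a few lines. The following is an added example written for this page, not the Bank's screening logic or part of the DataPro report: a customer who was clean at onboarding is designated afterwards, and only a control that consults the current list at consummation (and screens the beneficiary as well) blocks the transfer. The list entries and customer names are constructed placeholders, the matching is exact after normalisation (real screening engines add fuzzy matching), and the version counter on the list is an assumption used to detect a stale onboarding result.

```python
"""Watch-list screening at onboarding only versus at every transaction (finding 6.4).

Added example, not part of the DataPro report. Names on the list are constructed
placeholders, not real designations; matching is exact after normalisation.
"""
import unicodedata
from dataclasses import dataclass, field


def normalise(name: str) -> str:
    """Fold accents, case, punctuation and spacing so trivial variants still match."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return " ".join(ascii_name.upper().replace(",", " ").replace(".", " ").split())


@dataclass
class WatchList:
    """Consolidated sanctions/terrorist/watch list; version increments on every update (assumed)."""
    entries: set = field(default_factory=set)
    version: int = 0

    def add(self, name: str) -> None:
        self.entries.add(normalise(name))
        self.version += 1

    def hit(self, name: str) -> bool:
        return normalise(name) in self.entries


@dataclass
class Customer:
    name: str
    cleared: bool = False          # result of the onboarding screening
    screened_version: int = -1     # list version that result was computed against


def onboard(customer: Customer, wl: WatchList) -> bool:
    """Onboarding screening as the Bank already performs it."""
    customer.cleared = not wl.hit(customer.name)
    customer.screened_version = wl.version
    return customer.cleared


def consummate_onboarding_only(customer: Customer, beneficiary: str, wl: WatchList) -> bool:
    """Control gap in 6.4: the stored onboarding result is trusted; the list is not consulted."""
    return customer.cleared


def consummate_with_rescreen(customer: Customer, beneficiary: str, wl: WatchList) -> bool:
    """Recommended control: every party is filtered against the current list at consummation."""
    if customer.screened_version != wl.version:
        customer.cleared = not wl.hit(customer.name)      # refresh a stale onboarding result
        customer.screened_version = wl.version
    return customer.cleared and not wl.hit(beneficiary)


def demo() -> dict:
    """Constructed scenario: a customer is clean at onboarding and listed afterwards."""
    wl = WatchList()
    wl.add("Placeholder Designated Entity")        # constructed entry
    cust = Customer("Sample Customer One")         # constructed customer
    onboard(cust, wl)                              # cleared: not listed yet
    wl.add("sample customer, one")                 # later designation, spelt differently
    return {
        "onboarding_only_allows": consummate_onboarding_only(cust, "Ordinary Payee", wl),
        "rescreen_allows": consummate_with_rescreen(cust, "Ordinary Payee", wl),
        "beneficiary_hit_allows": consummate_with_rescreen(
            Customer("Sample Customer Two"), "placeholder designated ENTITY", wl),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the version check is that the onboarding result is only as good as the list it was computed against; once the list changes, every stored "cleared" flag is stale, which is exactly why the recommendation asks for filtering at both stages rather than at onboarding alone.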

6.5. Diaspora Accounts Address Verification

Issue: KYC visitation is only done on the Nigerian address or on a relative's address in Nigeria.

Recommendation: Due diligence should be extended to the offshore or diaspora address and occupation. This can be outsourced to credible foreign due diligence consultants.

6.6. Non-Interest Banking Unit policy not reviewed

Issue: The Non-Interest Banking Unit policy was yet to be updated, though it was due for review in July 2019.

Recommendation: Policies are living documents that should grow and adapt with the Bank. The Bank should therefore prioritise review of the policy to keep abreast of regulations and industry best practice. This will also ensure that the policy remains consistent and effective.

6.7. FATCA Compliance

Issue: The FATCA Compliance section of some account opening forms was not properly completed.

Recommendation: There is a need to establish the FATCA status of every customer. The citizenship of a customer is important to the Bank in determining its dealings with the customer. This section should make it possible to ascertain not only United States of America (USA) citizenship but also any other nationalities or citizenships, if applicable. Certain obligations fall on the Bank once a banker-customer relationship is established. Some foreign nationals hold dual citizenship and, at times, the other country is in a high risk territory or region, or is a Non-Cooperative Country or Territory (NCCT).

6.8. Customer information update

Issue: Customer information is not regularly updated.

Recommendation: Customer information should be updated regularly to ensure that the information maintained by the Bank is necessary, complete and valid. We recommend that the exercise be driven by the risk profiling and categorisation of customers: the higher the risk class of the customer, the more frequently the review and update of documentation, information and required due diligence should be carried out.

6.9. Alerts are reviewed a day after generation

Issue: Alerts are reviewed a day after generation. This hinders swift action on issues that require immediate attention.

Recommendation: Alerts should be reviewed the same day they are generated, and STRs filed as soon as a transaction or activity is flagged as suspicious. This will give the Bank an efficient customer due diligence regime.

6.10. Internal Audit Unit does not have a comprehensive audit program for compliance

Issue: The Internal Audit unit of the Bank does not have a comprehensive audit program for the Compliance unit. This affects the depth and quality of the work expected to be done in Compliance during audit.

Recommendation: Internal Audit should develop a comprehensive audit program for compliance audits.


APPENDIX

STERLING BANK INHERENT RISK RATING MATRIX

S/N   RISK FACTOR           BREAKDOWN                   LIKELIHOOD   IMPACT   RISK SCORE
1.0   CUSTOMER TYPE
1.1                         PEP                         3            3
1.2                         HNI                         3            3
1.3                         FOREIGNERS                  3            3
1.4                         DNFI                        3            3
1.5                         DIASPORA                    3            3
1.6                         OTHERS                      2            1
      Average                                           2.8          2.7      2.75

2.0   PRODUCTS & SERVICES
      SAVINGS ACCOUNTS      Financial Inclusion 1       3            1
                            Financial Inclusion 2       3            1
                            Youth                       3            3
                            Regular                     3            2
                            Hybrid                      3            2
                            Non-Individual              3            1
      Average                                           3.0          1.7      2.33
      CURRENT ACCOUNTS      Classic Current Account     2            2
                            Minimum Balance Account     2            2
                            Turnover                    2            2
      Average                                           2.0          2.0      2.00
      INVESTMENTS           Individuals                 3            2
                            Non-Individuals             3            2
      Average                                           3.0          2.0      2.50
      TRADE PRODUCTS        Bills For Collection        3            3
                            Invisibles                  3            3
                            SME                         3            3
                            Letters of Credit           3            3
                            Funds Transfer              3            3
      Average                                           3.0          3.0      3.00

3.0   DELIVERY CHANNEL      BRANCH                      2            2
                            ATM                         2            1
                            CARDS                       3            3
                            MOBILE                      3            3
                            INTERNET BANKING            3            3
                            AGENT                       3            3
                            APP                         3            2
                            USSD                        2            1
      Average                                           2.6          2.3      2.44

4.0   GEOGRAPHY             NORTH CENTRAL               3            3
                            NORTH EAST                  3            3
                            NORTH WEST                  3            3
                            SOUTH EAST                  2            2
                            SOUTH SOUTH                 3            2
                            SOUTH WEST                  2            2
                            FOREIGN                     0            0
      Average                                           2.3          2.1      2.21

      Sum of the seven factor scores                                          17.24
      Overall inherent risk score (17.24 / 7)                                 2.46
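The arithmetic behind this matrix and Sections 5.1 to 5.3 can be reproduced end to end. The following is an added worked example written for this page, not a DataPro or Sterling Bank tool: each factor score is the mean of the average likelihood and the average impact, the four product families are averaged again to give the Products & Services line of 5.1, the seven factor scores are summed and averaged to give the 17.24 and 2.46 at the foot of the matrix, the weighted control scores of 5.2 are summed, and the result is read off the 5.3 residual risk matrix. All likelihood, impact and control figures are copied from the report; the rating cut-offs (a score of 2.5 or more rated High, 1.5 or more Medium) and the treatment of a score such as 84.13 as falling in the 80-84% band are assumptions, since the report does not state them.

```python
"""Reproduces the ML/TF risk scoring arithmetic of the Appendix and Section 5.

Added worked example. (likelihood, impact) pairs and control scores are copied
from the report; thresholds and band handling are assumptions.
"""
from statistics import mean

# Appendix: breakdown item -> (likelihood, impact).
CUSTOMER_TYPE = {"PEP": (3, 3), "HNI": (3, 3), "Foreigners": (3, 3),
                 "DNFI": (3, 3), "Diaspora": (3, 3), "Others": (2, 1)}
SAVINGS = {"Financial Inclusion 1": (3, 1), "Financial Inclusion 2": (3, 1),
           "Youth": (3, 3), "Regular": (3, 2), "Hybrid": (3, 2), "Non-Individual": (3, 1)}
CURRENT = {"Classic Current": (2, 2), "Minimum Balance": (2, 2), "Turnover": (2, 2)}
INVESTMENTS = {"Individuals": (3, 2), "Non-Individuals": (3, 2)}
TRADE = {"Bills For Collection": (3, 3), "Invisibles": (3, 3), "SME": (3, 3),
         "Letters of Credit": (3, 3), "Funds Transfer": (3, 3)}
DELIVERY_CHANNEL = {"Branch": (2, 2), "ATM": (2, 1), "Cards": (3, 3), "Mobile": (3, 3),
                    "Internet Banking": (3, 3), "Agent": (3, 3), "App": (3, 2), "USSD": (2, 1)}
GEOGRAPHY = {"North Central": (3, 3), "North East": (3, 3), "North West": (3, 3),
             "South East": (2, 2), "South South": (3, 2), "South West": (2, 2), "Foreign": (0, 0)}

# Section 5.2: control area -> (weight %, weighted score %).
CONTROLS = {"Governance Structure": (5, 5), "Written Policies": (5, 3.75),
            "CDD & EDD": (20, 16.66), "Record Keeping": (20, 16),
            "Compliance Structure": (5, 4), "Mandatory Reporting": (20, 17.5),
            "Risk Assessment": (5, 3.75), "Internal Control & Audit": (5, 4.17),
            "Internal Sanctions": (5, 5), "Training": (10, 8.3)}

# Section 5.3: inherent rating -> [(band floor %, residual rating)], highest band first.
RESIDUAL_MATRIX = {
    "Low":    [(95, "Low"), (90, "Low"), (85, "Low"), (80, "Medium Low"), (0, "Medium")],
    "Medium": [(95, "Low"), (90, "Low"), (85, "Medium Low"), (80, "Medium"), (0, "Medium High")],
    "High":   [(95, "Low"), (90, "Medium Low"), (85, "Medium"), (80, "Medium High"), (0, "High")],
}


def factor_score(items):
    """Average likelihood and impact separately, then average the two (Appendix layout)."""
    likelihood = mean(l for l, _ in items.values())
    impact = mean(i for _, i in items.values())
    return (likelihood + impact) / 2


def inherent_rating(score, high_from=2.5, medium_from=1.5):
    """Assumed cut-offs: the report rates 2.75 High and 2.46 Medium but states no thresholds."""
    if score >= high_from:
        return "High"
    return "Medium" if score >= medium_from else "Low"


def inherent_assessment():
    """Seven factor scores; the Appendix total 17.24 and overall 2.46 are their sum and mean."""
    scores = {"Customer": factor_score(CUSTOMER_TYPE), "Savings": factor_score(SAVINGS),
              "Current": factor_score(CURRENT), "Investments": factor_score(INVESTMENTS),
              "Trade": factor_score(TRADE), "Delivery Channel": factor_score(DELIVERY_CHANNEL),
              "Geography": factor_score(GEOGRAPHY)}
    # Section 5.1 collapses the four product families into one Products & Services score.
    products = mean(scores[k] for k in ("Savings", "Current", "Investments", "Trade"))
    overall = mean(scores.values())
    return scores, products, overall


def control_strength(controls=CONTROLS):
    """Weighted control score in percent (Section 5.2); the weights must sum to 100."""
    weights = sum(w for w, _ in controls.values())
    if weights != 100:
        raise ValueError(f"control weights sum to {weights}, expected 100")
    return sum(s for _, s in controls.values())


def residual_rating(inherent, strength_pct):
    """Section 5.3 lookup. Bands are printed as integers (80-84%, 85-89%); a score such as
    84.13 is treated as falling in the 80-84% band (assumption)."""
    for floor, rating in RESIDUAL_MATRIX[inherent]:
        if strength_pct >= floor:
            return rating
    raise ValueError("control strength must be non-negative")


if __name__ == "__main__":
    scores, products, overall = inherent_assessment()
    for name, s in scores.items():
        print(f"{name:17} {s:.2f} {inherent_rating(s)}")
    print(f"Products & Services {products:.2f}; total {sum(scores.values()):.2f}; "
          f"overall {overall:.2f} ({inherent_rating(overall)})")
    strength = control_strength()
    print(f"Control strength {strength:.2f}% -> residual "
          f"{residual_rating(inherent_rating(overall), strength)}")
```

One thing the code makes visible that the tables do not: the overall inherent score is an unweighted mean, so the four product families together carry four sevenths of the overall score while customer type, delivery channel and geography carry one seventh each. Whether that weighting is intended is a question for the methodology section rather than for the arithmetic.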
