Enterprise Risk Management
The Company’s goal in risk management is to ensure that it understands, measures, and monitors the various risks that arise from its business activities, implements the appropriate risk mitigation measures, and adheres strictly to its established risk management policies.
Periodic strategic planning sessions and meetings by top management, and the various management and Board committees are being held to identify, assess, and formulate contingency plans to manage or minimize the adverse impact of risks to the Company.
The Board of Directors performs an oversight role for the Company’s risk management activities and approves I-Remit’s risk management policies and any revisions thereto. The Chief Executive Officer, as the overall risk executive, oversees the risk management activities of the Company and ensures that the responsibilities for managing risk are clear, the levels of risk taken on by the Company are acceptable, and that an effective control environment is in place. Risk management is an integral part of the day-to-day business management of the Company and each operating unit has a responsibility to measure, manage, and control the risks associated with the functions they perform.
The Company’s Corporate Treasury function provides services to the business, coordinates access to domestic and international financial markets, and monitors and manages the financial risks relating to the operations of the Company through internal risk reports which analyze exposures by degree and magnitude of risks. These risks include market risk (including foreign currency risk, fair value interest rate risk, and price risk), credit risk, liquidity risk, and operational risk.
The Company seeks to minimize the effects of these risks by using derivative financial instruments to hedge risk exposures. The use of financial derivatives is governed by the Company’s policies approved by the Board of Directors, which provide written principles on foreign exchange risk, interest rate risk, credit risk, the use of financial derivatives and non-derivative financial instruments, and the investment of excess liquidity. Compliance with policies and exposure limits is reviewed by the auditors on a continuing basis. The Company does not enter into or trade financial instruments, including derivative financial instruments, for speculative purposes.
Market Risk Management
Market risks (consisting of foreign currency risk, fair value interest rate risk, and price risk) are the risks that the value of a currency position or financial instrument will fluctuate due to changes in foreign exchange rates and interest rates. The Company also has various financial assets and liabilities such as accounts receivable from agents abroad and accounts payable to beneficiaries in the Philippines, which arise directly from its remittance operations.
I-Remit provides money transfer and remittance services in 23 countries and territories. The Company undertakes transactions denominated in foreign currencies; consequently, exposures to exchange rate fluctuations arise. Foreign exchange risk is managed through the structure of the business and an active risk management process. In the substantial majority of its transactions, I-Remit settles with its foreign offices, associates, and agents in their respective local currencies, and requires the foreign offices, associates, and agents to obtain settlement currency to provide to recipients. The Company’s policy prohibits speculating in foreign currencies. It is the Company’s policy that all foreign currencies that arise as a result of remittance transactions be traded daily with bank partners and only at prevailing foreign exchange rates in the market. The daily closing foreign exchange rates are used as the guiding rates in providing wholesale rates to subsidiaries, associates, affiliates, tie-ups, and agents. The trading proceeds are used to pay out bank loans and other obligations of the Company. The foreign currency exposure that exists is limited by the fact that the majority of transactions are settled within a day or two (2) days after these are initiated. In addition, in money transfer transactions involving different currencies received and paid in Philippine pesos, I-Remit generates revenue by receiving a foreign currency spread based on the difference between buying currencies at wholesale exchange rates and providing the currencies to its customers at retail exchange rates. This spread provides some protection against currency fluctuations.
The Company’s exposure to interest rate risk arises from its cash deposits in banks which are subject to variable interest rates. The interest rate risk arising from deposits with banks is managed by means of effective investment planning and analysis, and maximizing investment opportunities in various local banks and financial institutions. The Company’s exposure to interest rate risk is minimal.
The Company is also exposed to equity price risks arising from equity investments. The Company’s exposure to equity price risk is minimal.
Credit Risk Management
Credit risks are risks that arise when a counter-party in a transaction may potentially default and cause a possible loss to the Company. The nature of its business exposes the Company to potential risk from difficulties in recovering transaction money from its foreign partners, including tie-ups and agents. Accounts receivable from foreign offices and agents arise as a result of its remittance operations in various countries.
The Company has adopted a policy of dealing only with creditworthy counterparties and obtaining sufficient collateral, where appropriate, as a means of mitigating the risk of financial loss from defaults.
The Company only transacts with entities that are rated the equivalent of investment grade and above. This information is supplied by independent rating agencies where available and, if not available, the Company uses other publicly-available financial information and its own trading records to rate its major counter-parties. The Company’s exposure and the credit ratings of its counter-parties are continuously monitored and the aggregate value of transactions concluded is spread amongst approved counter-parties. Credit exposure is also controlled by counter-party limits.
In addition, the Company is applying the following credit policies to its tie-ups and agents: (i) enforcing a contract that incorporates a bond and requiring that the full amount of the transactions be credited to the Company bank account prior to the delivery of funds to the beneficiaries and in certain cases, requiring advance funding equivalent to the average daily remittance transactions to fulfill or deliver their remittance transactions; (ii) requiring settlement on the next banking day, otherwise, the fulfillment or delivery of remittance transactions will be placed on hold; (iii) evaluating the creditworthiness of individual potential partners and agents, as well as looking closely into the other pertinent aspects of their businesses, which assures the Company of the financial soundness of its partner firms; and (iv) actively monitoring receivable balances. The Company’s receivables from agents and tie-ups have a high probability of collection and have turnovers ranging from one (1) to five (5) days. The other receivables, which include advances to related parties, have high probabilities of collection and are due in less than one (1) year.
Liquidity Risk Management
Liquidity risk is the risk that a firm will not be able to meet its current and future cash flow and cash needs, both expected and unexpected, without materially affecting its daily operations or overall financial condition. Liquidity risk management rests with the Board of Directors which has established an appropriate risk management framework for the management of the Company’s short-, medium-, and long-term funding and liquidity management requirements. The Company manages liquidity risk by maintaining adequate reserves, banking facilities and reserve borrowing facilities, by continuously monitoring forecasts and actual cash flows, and by matching the maturity profiles of financial assets and liabilities.
Operational Risk Management
Operational risks are risks of losses resulting from inadequate or failed internal processes, people and systems or from external events, such as those resulting from fraud or defalcations from internal or external sources, or actual financial losses arising from failed processes, systems and procedures.
The Company’s main goal in managing operational risk is to create and maintain an operating environment that ensures and protects the integrity of its financial resources, assets, transactions, records, and information resources. The Company attempts to mitigate operational risks by maintaining a comprehensive system of internal controls, establishing standard systems and procedures, implementing a system to monitor transactions, maintaining key back-up procedures, and undertaking regular contingency planning.
The Company’s internal control system is intended to provide reasonable assurance regarding the effectiveness and efficiency of operations, the adequacy of safeguards for assets, the reliability of financial controls, and compliance with applicable laws, rules, and regulations. The internal control system is composed of policies, processes, systems, and activities to achieve these objectives. The internal control system consists of two major activities: (i) preventive control activities; and (ii) monitoring activities. Preventive control activities seek to prevent or deter undesirable acts from occurring. These are proactive controls, designed to prevent losses, errors, or omissions. These activities include segregation of duties and tasks, proper authorizations, rotation of duties, adequate documentation, or physical security measures over cash and other assets. Monitoring activities aim to detect undesirable acts that have already occurred. These provide evidence “after the fact” that a loss or error has occurred but do not actually prevent these from occurring. These activities consist of regular supervisory reviews of account activities, reports, and reconciliations; routine spot-checking of transactions, records, and reconciliations; variance analysis, including comparisons with budget and historical data; physical inventories; control self-assessment; and internal audit review of controls.
Standard systems and procedures pertain to the prescribed manner of processing transactions, handling cash and other assets, maintaining records, and preparing reports. The Company has operating manuals detailing the procedures for the processing of its remittance transactions, the implementation of its various business processes, and the use of its information technology resources. These operating manuals undergo periodic reviews and revisions, if needed. Amendments to these manuals are implemented through circulars sent to all divisions and offices of the Company. Management endeavors to implement a control-conscious environment that also supports ethical values and sound business practices. Management is responsible for “setting the tone” and encouraging the highest levels of integrity and ethical behavior, as well as exhibiting leadership behavior that promotes responsibility and accountability.
Independent reviews are regularly conducted by the Internal Audit Department to ensure that risk controls are in place and functioning effectively. The Internal Audit Department undertakes a comprehensive audit of all divisions and departments in accordance with a risk-based audit plan. It conceptualizes and recommends the implementation of an improved system of internal controls to minimize operational risks. The Audit Plan for each fiscal year is approved by the Audit Committee of the Board of Directors. These audits also include the area of information security that covers application systems, databases, networks, and operating systems. The results of internal audit activities are discussed with the Audit Committee and subsequently, submitted to the Board of Directors.
Recognizing the importance of customer service in its operations, the Company has a Customer Support Team composed of a dedicated and highly-trained team of frontline support officers who assist the Company’s subsidiaries, associates, affiliates, tie-ups and agents, and the Company’s customers and their beneficiaries. The Company provides 24 x 7 customer service support and minimizes operational risks by ensuring accuracy and effectiveness in operations and in the delivery of services.
The Company also has a Business Continuity Plan (BCP) that outlines the activities and the procedures to be undertaken in the event of abnormal or emergency conditions, or a disaster, to ensure that disruption to operations will be kept at a manageable level, financial losses will be minimized, the safety and security of employees, customers, and Company records will be maintained, and normal operations will be restored in the shortest time possible. I-Remit maintains a disaster recovery (DRP) site with Globe Telecom/Innove Communications in Makati City.
The other risks identified that the Company is exposed to include regulatory risk, legal risk, and technology risk.
Regulatory risk refers to the potential for the Company to suffer financial losses due to changes in the laws or monetary, tax or other governmental regulations of the Philippines or of another country where it has business operations. Losses may be in the form of regulatory sanctions for non-compliance, and in extreme cases, may involve not just mere loss in terms of reputation or financial penalties, but a revocation of the license, registration, or authorization to carry on its business activities.
The Company’s Compliance Program, the implementation of which is overseen and coordinated by the Compliance Officer, is the primary control process for regulatory risk issues. The Compliance Officer is responsible for communicating and disseminating new rules and regulations to all concerned units, analyzing and addressing compliance issues, and reporting compliance findings to the Management Committee, Executive Committee or the Board of Directors.
I-Remit’s subsidiaries, associates, affiliates, tie-ups and agents have and maintain all registrations or licenses and permits necessary to provide remittance and money transfer services in their host countries. Compliance officers are appointed in each of the Company’s foreign offices whose primary responsibility is to ensure compliance with all local laws, rules, regulations, and ordinances; and licensing, registration, and reporting requirements.
The Company is considered a “covered institution” pursuant to the Anti-Money Laundering Act (AMLA) of 2001 (Republic Act 9160 as amended by Republic Acts 9194, 10167, and 10365). I-Remit, Inc. is registered as a remittance agent with the Bangko Sentral ng Pilipinas pursuant to BSP Circular No. 471, Series of 2005 issued on January 24, 2005, that prescribes the registration and standards for the operation of foreign exchange dealers, money changers, and remittance agents. On January 5, 2011, the BSP issued BSP Circular 706 Series of 2011 that prescribes updated anti-money laundering rules and regulations. The revised anti-money laundering rules and regulations were adopted by the Company in its Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) Compliance Manual that was approved by the Board of Directors on June 17, 2011. The manual includes policies and guidelines that cover areas such as the customer due diligence process (“Know Your Customer” rule), large cash transactions, record-keeping, suspicious transaction reporting, and training of employees. These policies and guidelines are also based on the revised Financial Action Task Force (FATF) 40 Recommendations.
I-Remit requires its subsidiaries, associates, affiliates, and agents to validate the true identity of a customer based on official or other reliable identity documents or records before accepting a transaction. The Company exercises due diligence when dealing with customers, persons appointed to act on a customer’s behalf, and beneficial owners. A “beneficial owner,” in relation to a customer of I-Remit, refers to the natural person who ultimately owns or controls a customer or the person on whose behalf a transaction is being conducted and includes the person who exercises ultimate effective control over a legal person.
The Company and its subsidiaries, associates, and affiliates are also required to implement a risk-based approach in customer due diligence in which pre-determined criteria are used to assess potential money laundering and terrorism financing risks that will determine the proportionate measures and controls that will be applied to mitigate such risks. I-Remit applies enhanced due diligence measures when customers are assessed to be “high risk.” These measures include: (i) requiring additional documentary evidence of identity; (ii) verifying the identity and background of a customer by referring to publicly-available information or verifying information provided with the relevant government bodies; (iii) establishing, by appropriate and reasonable means, the source of income or wealth, and the source of funds of the customer or the beneficial owner; (iv) determining the banks where an individual customer has maintained or is maintaining accounts and obtaining proof thereof such as bank statements or passbooks; (v) obtaining the approval of top management for a transaction where the customer or a beneficial owner is a politically-exposed person or subsequently becomes a politically-exposed person. The Company, on an ongoing basis, also monitors and continually assesses the transaction patterns of its customers and adjusts or makes changes to the risk classification or the level of due diligence applied on its customers when the situation warrants the same to manage money laundering or terrorism financing risks.
I-Remit checks each remittance transaction with the lists of specially-designated nationals or blocked persons, and lists of terrorists, terrorist organizations, or persons associated with terrorists or terrorist organizations. These lists are: (i) Office of Foreign Assets Control (OFAC) of the US Department of the Treasury (Specially Designated Nationals and Blocked Persons List); (ii) Office of the Superintendent of Financial Institutions (OSFI) of Canada (Consolidated List of Names Subject to the Regulations Establishing a List of Entities Made Under Subsection 83.05 of the Criminal Code or the Regulations Implementing the United Nations Resolutions on the Suppression of Terrorism or the United Nations Al-Qaida and Taliban Regulations); (iii) European Union (EU) (Consolidated List of Persons, Groups and Entities Subject to EU Financial Sanctions); (iv) United Nations Security Council Consolidated List Established and Maintained by the 1267 Committee with respect to Al Qaida, and the Taliban, and other individuals, groups, undertakings and entities associated with them; (v) Israel Ministry of Defense Declaration of Terrorist Organizations, Unlawful Associations and Confiscation Orders; and, (vi) Australia Department of Foreign Affairs and Trade (DFAT) Consolidated List.
The Company is required to submit reports on “covered” transactions and “suspicious” transactions to the Anti-Money Laundering Council. Covered transactions involve single or multiple transactions in cash or other monetary instruments in excess of PHP 500,000 within one (1) banking day. Suspicious transactions are transactions that may involve money laundering or terrorism financing or attempts to circumvent or avoid any reporting requirement.
The BSP requires all registered remittance agents to maintain accurate and meaningful originator information on funds transferred or remitted by requiring the sender or remitter to fill out and sign an application form, which shall contain minimum data and information, such as the complete name and of the remitter, permanent address, nationality, amount and currency to be remitted and source of funds for individuals. All records of transactions are required to be maintained and stored for five (5) years from the date of a transaction unless a longer period is required by the relevant regulator in a host country or a transaction or group of transactions becomes the subject of an investigation for money laundering or terrorism financing.
I-Remit’s foreign subsidiaries, associates, and agents are required to comply with the anti-money laundering regulations of their host countries to ensure that funds being sent are of lawful and verifiable origin. Among others, remitters are required to present documents such as proofs of identification, residency, and financial origin as required by local regulations of the host countries. Remitted amounts are also subject to the prescribed transmission limits of the monetary authorities or the financial intelligence units of each host country. Cash or non-cash transactions that amount to or exceed certain threshold amounts are also reported.
I-Remit and its subsidiaries, associates, affiliates, and agents are licensed or registered with the various financial and central monetary authorities and/or the financial intelligence units of their host countries. These include the Australian Transaction Reports and Analysis Centre (AUSTRAC); Financial Transactions and Reports Analysis Centre (FINTRAC) of Canada; the Commissioner of Customs and Excise (Hong Kong); the Financial Conduct Authority, Prudential Regulatory Authority and Her Majesty’s Customs and Excise (United Kingdom); the Financial Services Agency (Japan); the Companies Office (New Zealand); the Monetary Authority of Singapore; and the Central Bank of China (Taiwan).
Regulatory risk also includes the strict monitoring or limitation of the entry of foreign workers into specific countries by their respective governments. Governments of some concerned nations have implemented strict monitoring measures on the number and types of foreign workers entering their respective countries because some of their citizens have incessantly blamed their inability to obtain jobs on the increasing competition from foreign migrant workers. By nature, the Philippine remittance industry relies heavily on the number of OFWs residing or working abroad and sending money to the Philippines. Any decline in the growth of OFW deployment as a result of regulations or restrictions imposed by host countries may hamper the overall growth of the remittance industry.
Legal risk pertains to the potential for loss arising from the uncertainty of the outcome of legal proceedings or potential legal proceedings. It also refers to the uncertainty of the enforceability of the obligations of the Company’s business partners, agents, tie-ups, and suppliers. Changes in law and regulations could adversely affect the Company. Legal risk is higher in new areas of business where the law is often untested by the courts. The Company seeks to minimize its legal risks by using stringent legal documentation, employing procedures designed to ensure that transactions are properly authorized and documented, and by constantly consulting its external legal counsels locally and in the countries it operates in.
Technology risk refers to the risk that customers may suffer service disruptions, or that customers or the Company may incur losses arising from system defects such as failures, faults, or incompleteness in computer operations, or illegal or unauthorized use of computer systems. The delivery of financial services is characterized by rapid technological change, changing customer preferences, the introduction of new products and services, and the emergence of new standards. The Company realizes the potential losses arising from the breakdown or malfunction of computer systems as well as from the misuse of its infrastructure and networks. The Company gives importance to computer security and has a comprehensive information technology security policy. The Company identifies and evaluates technology risks by setting specific standards that need to be complied with and implementing measures based on the evaluation to manage these risks. The Company ensures the implementation of an ongoing project management and control system in development and quality control.
The Company defines and maintains information security policies that follow industry standards, such as the use of firewalls, secure socket layer (SSL) encryption, anti-virus measures, and user-defined access controls. The Company’s major application systems have multiple security features to protect the integrity of applications and data. Access to I-Remit’s Foreign Remittance System via the Internet has several security restrictions including firewalls, secure socket layers using 128-bit encryption, digital certificates and password identification. All remittance transactions are encrypted with hash totals / test keys to ensure authenticity of transaction details.
Most of the information technology assets including critical servers are located in a centralized data center at the Company’s headquarters, which are subject to appropriate physical and logical access controls. Likewise, the systems are designed to be redundant to ensure continuity of business operations in the event of unforeseen events or disasters. The system also has parallel servers concurrently operating and connected to different Internet service providers to ensure non-disruption of its operations.
Supporting the Company’s business processes is a dynamically-scaled network of virtualized servers and storage farms. The network is secured from malicious attacks, virus intrusions, and security threats internally and externally through the use of a multi-layered network set-up consisting of VLANs, virtual private networks, security appliances, firewalls, anti-spam software, WAN router, Internet link load balancer, and anti-virus systems. The Company has a state-of-the-art backup and replication protocol that runs every night while a more concentrated database replication process transpires between the Company’s headquarters and the disaster recovery site in real time. A part of the Company’s strategy is to continuously upgrade its technology infrastructure to ensure that it is able to manage the risks associated with technology or any unforeseen natural or man-made risks that may hamper the continuity of its operations.