Anti Money Laundering System Assurance: Don’t Leave Your AML Program to Chance
By Jenna Danko on Jul 09, 2014
The renowned thought leader, industry observer and author, Brett King, frequently refers to the "friction" customers experience in their relationship with their banks. Take the instance of a high net-worth customer of one the world’s most recognized and largest banks having to submit three different sets of "know your customer" documents annually for each relationship she has been having with the bank for several years: savings, credit card and investments, respectively.
Furnishing these documents—even with the personalized service the bank is able to offer her—is not only time consuming for the customer and a source of considerable friction, it is a fairly expensive affair for the bank. Add up the pennies that such an exercise costs the bank for each of its customers, and we are looking at a substantial dent to its bottom line. Moreover, having gone through the rigmarole of a compliance exercise that ostensibly keeps the regulator happy, the bank has only generated a huge amount of data that it now has to sift through and process.
Is the compliance exercise, especially parts relating to anti money laundering (AML), an end in itself as the example above suggests? Or rather, can banks leverage their investments in compliance to bring down data silos, derive enterprise-wide views of a customer relationship and, in general, enhance customer experience? Having worked with some of the world’s foremost financial institutions, we would argue and vouch for the latter. Indeed, in our experience, banks that invest wisely stand to reduce direct and indirect financial and reputational risk, whilst strengthening overall compliance and risk management initiatives.
But how can you make sure that AML investments are being well spent?
Within a couple of years of the new raft of anti-money laundering directives and regulations, such as the 3rd Money Laundering Directive and the PATRIOT ACT, the majority of tier one and tier two banks had adopted some variant of AML solution, either custom-built or off-the-shelf. Whilst that ticked the box for the time being, the times have certainly changed. Financial crime is even more complex and sophisticated, both in terms of device and execution. With transaction volumes exponentially increasing, the amount of data banks have to sift through is enormous and, for some, overwhelming. Keeping control remains challenging and expensive, with each AML system having to be updated separately with each new regulatory requirement.
In his March 2013, testimony before the U.S. Senate Committee on Banking, Housing & Urban Affairs, Comptroller of the Currency, Thomas J. Curry, specifically cited the need for "an enterprise-wide management information system that provides reports and feedback that enables management to more effectively identify, monitor, and manage the organization’s BSA risk on a timely basis." Such a platform would include the following features.
- Data quality. It is important to integrate a wide range of internal and external data, including criminal records, white lists, and black lists, and not only identify customers on those lists but also determine when a customer might be transacting with an individual on a watch list.
- Flexibility and scalability. AML solutions must have the flexibility to accommodate new requirements and data sources, while also efficiently processing increasing amounts of data in changing organizational contexts.
- Automated analytics. A state-of-the-art compliance platform must not only automate the analysis of transaction patterns and forewarning, it must provide banks the wherewithal to submit its adopted data models and algorithms to regulatory scrutiny.
- Performance. When it comes to AML compliance, time is of the essence. Organizations, therefore, require a high performance environment that can process tens of millions of transactions for alerts in six hours or less, allowing analysts to conduct their work in a timely manner. Firms that deploy high-performing platforms also stand to optimize their overall IT investment.
- Portability. The adage “build once and deploy often” holds true when it comes to investing in an AML solution. It is important to consider ease of portability as businesses enter new markets and lines of business.
- Closed-loop process. Regulators are focused on process standardization and improvement in AML compliance. New guidelines call for a strong BSA/AML audit function that ensures identified deficiencies are promptly addressed and corrected. Compliance solutions can be instrumental in advancing the governance process that is a top priority for regulators.
- Investment optimization. Compliance and risk management are expensive propositions, yet share many of the same data requirements. Investing in a solution with a data foundation that can support multiple compliance and risk management objectives not only optimizes investment but also improves data quality and expands transparency.
These points clearly articulate the foundations of any good compliance/AML technology programme, but increasingly the mood seems to be shifting to focus on AML system assurance. For example, the KPMG International, Global Anti-Money Laundering Survey 2014 findings suggest compliance costs are increasing at an average annual rate of 53% for banking institutions and further rises are likely over the next three years. Within that budget, transaction monitoring systems were considered to the main focus of AML budget expenditures in recent years, followed by “know your customer” reviews and updates, and staff recruitment, according to KPMG.
Figure 1. AML expenditure (KPMG International, Global Anti-Money Laundering Survey 2014)
However, equally important is that satisfaction with transaction monitoring systems has also declined with survey respondents ranking satisfaction an average of 3.42 out of 5, compared to 3.6 in 2011. KPMG claim the reason for the decline seems linked to the increased demands on these systems as the costs have continued to increase, but so too have the requirements and expectations of these systems and the number of staff that use them.
AML systems and processes (transaction monitoring and KYC in particular) are clearly being put to the test and many are being found wanting against the standards outlined by people such as Thomas J. Curry.
So what can financial institutions do to improve satisfaction in their AML systems as well as ensure they remain relevant and effective? As a start,they should complete independent testing of every element of their surveillance systems end to end. This includes a look at the quality and completeness of source data against regulations and business requirements, productivity of existing and potential scenarios, thresholds and the robustness of the system workflows to ensure they can all cope with the volume and complexity of this dynamic environment. Plus the challenge of assessing how much effort is required to update multiple AML systems with new data requirements across the enterprise? If the answers keep you awake at night, then perhaps a change (of job or system) is needed!
To support this need for continuous assurance and oversight financial institutions are increasingly looking to leverage GRC technologies to link data coming from financial crime systems, directly to documented policies, procedures, risk and controls assessments and audit reports for additional analytic insight.
For example, continuously monitoring AML controls through implementing focused metrics and key indicator’s to detect potential areas of emerging risk, ensuring detection thresholds and scenarios are all up-to-date and approved, that alerts/cases are being actioned within agreed SLAs, that departments are undergoing the AML training and that volumes of false positives are understood and are being managed down proactively etc.
In recent conferences such as ACAMS Europe 2014 and OpRisk Europe 2014, a recurring topic of conversation and presentation was the increasing need for the third line of defence to feel “comfortable” that the financial crime and compliance systems and associated processes are doing what they should do. Although this is driven arguably by the long overdue regulatory focus on Audit activities and accountability when it comes to serious financial crime and compliance risk control failure this is undeniably now a driver.
So how satisfied are you with your current AML system? What techniques and approaches are you employing to ensure your AML system(s) remain effective, valid and fit to meet the ever changing demands placed on it? What benefits and challenges do you see in converging your financial crime and GRC technologies?
Let us know. We’d love to hear from you.