New AML Regulations Demand Significant Compliance Changes and Banks Need to Realize the Central Role Technology Can Play
It's been over a year and a half since the Financial Action Task Force (FATF) released a statement about the handling of financial crime in Brazil. Since that time, FATF has indicated that it is satisfied with progress on sanctions but wants more focus on financial intelligence in criminal investigations.
To this end, in January 2020, the Central Bank of Brazil enhanced AML compliance regulations , bringing them largely in-line with the definitions and latest updates from FATF and EU directives.
As a member of Oracle's Financial Crime and Compliance Management team, who has worked with financial institutions across global jurisdictions, I know how challenging it can be to comply with new regulations. I also know that incorporating the right technology into your anti-financial crime program can help you achieve compliance much faster than you would by relying on legacy systems, allowing you to not only keep up with regulations now but also maintain compliance over the long term. Here, I aim to provide some advice to Brazilian financial institutions on how they can use technology to ensure compliance as Brazil's regulations change. But first, here are some quick highlights from the enhanced regulation:
- A Top-Down Approach to Risk Assessment: The standard emphasizes that every member of an institution must be aware of its policies, procedures, and training. Outsourcing analysis is prohibited, except for support activities. Other requirements include the issuance of an annual report of internal control and audit activities.
- Expanded List of Politically Exposed Persons: The regulation expands the list of Politically Exposed Persons (PEPs) to comprise second-degree relatives and commercial relationships (close collaborators). Other additions include presidents and treasurers of political parties and the high-ranking officials of states and municipalities.
- More Ultimate Beneficial Owners (UBO) Requirements: The regulation boosts requirements related to Know Your Customer (KYC), specifically around the identification and qualification of the legal entities and all Ultimate Beneficial Owners (UBOs) who own a minimum equity interest of 25%. The new requirements make irregularities in documentation, false or difficult-to-identify information, and difficulty identifying the UBO subject to the possibility of reporting. The representative, including the attorney-in-fact, and the representative who exercises de facto command over the activities of the legal entity, is also considered the ultimate beneficial owner.
- Know Your Employee and Know Your Supplier: In addition to Know Your Customer (KYC), control procedures are required for Know Your Employee (KYE) and Know Your Supplier (KYS).
- More Specificity Around Suspicious Transaction Monitoring and Reporting: The regulation clearly defines the monitoring, selection, and analysis of suspicious operations or situations. There are specific guidelines regarding each stage and the maximum deadline for its performance. There are also guidelines regarding the scenarios institutions are required to monitor. Additionally, Customer Due Diligence cannot be outsourced or performed overseas. However, both analysis and reporting to the FIU can be centralized.
- Emphasis on Auditing and Documentation: The provisions require that regulated entities define indicators and test the program's effectiveness. Such requirements were already present in audits carried out by the Brazilian Central Bank and are now highlighted in the standard.
Traditional AML Systems Can't Keep Up
While all major financial institutions in Brazil have some AML systems in place already, traditional rules-based AML systems are unlikely to keep up with the new regulations. I expect that Brazilian financial institutions that attempt to achieve compliance by simply enhancing existing, legacy systems will encounter the following challenges:
- Longer Onboarding: Gathering and validating additional information (e.g., UBO) will result in longer, less efficient onboarding experiences.
- Inefficient Monitoring of New Scenarios: Simply creating deterministic rules for new scenarios will create high false positives compared to actual suspicious entity monitoring. Additionally, truly comprehensive monitoring requires additional, quality data attributes that might not be available in existing systems.
- Enormous Case Workload: Overall output generated from additional PEP, UBO, employee, supplier, or new activity monitoring will generate enormous workloads for compliance teams. Institutions without a suitable workload assignment strategy may encounter backlog issues.
- Inability to Achieve a Holistic View of Each Entity: If there are siloed systems for onboarding, monitoring, and case management, a holistic entity view will not be possible. Additionally, compliance with the requirement that institutions analyze entities based on shared email IDs and IP addresses won't be possible if all collected information cannot be combined into a single view.
- Inability to Generate Enterprise-wide Reports: Most importantly, board and senior management reporting require risk assessment dashboard reports across the enterprise, which won't be possible if there are siloed systems and no single entity view.
An Advanced Analytics-Based AML System Can Help You Comply with New Regulations Quickly
Fortunately, advanced analytics, like those found in Oracle's Financial Crime and Compliance Studio , can equip Brazilian financial institutions with the capabilities they need to comply with new regulations. Graph analytics, in particular, combined with other technologies like machine learning and artificial intelligence, represents a new path forward in understanding the intricate patterns of money laundering. These technologies can offer transformation on several fronts.
- Better Screening: Financial institutions are required to screen customers, employees, and suppliers against PEP and other high-risk lists during the onboarding process. However, a typical single or limited attribute matching engine produces a high false-positive rate. A multi-dimensional algorithm, which powers graph analytics, can increase matching results by combining key entity information with external information such as media scans. For example, a screening process combined with graph analytics can automatically flag a primary or secondary PEP involved in corruption charges, leveraging PEP output with a media scan. By leveraging the same platform, suppliers, employees, and service providers can be also be screened.
- Better Identification of Ultimate Beneficial Owners: Leveraging a centralized data gathering procedure, institutions can seamlessly gather ultimate beneficiary owner information. Automation with third-party data providers can allow for qualification. Powerful graph analytics can provide intuitive visualizations to understand the ownership structure among various companies/individuals and high-risk entities such as PEPs.
- More Accurate Client Risk Ratings: Once a prospect is screened, all required information, including expected transaction volume, international activity, purpose, and source of income, is collected. This information helps determine the entity risk segment and anticipatory profile. If a prospect is expected to engage in electoral campaigns, donations to the accounts of candidates or political parties, and even the incompatible use of the electoral party's cash fund, the financial institution may choose to ask for additional information or to not onboard that entity. Further, this information should be monitored on an ongoing basis and checked for discrepancies with the information that was provided during onboarding.
- Better Transaction Filtering: Once the prospect is approved, transactions should be screened in real-time for involvement with persons or entities related to terrorist activities listed by the United Nations Security Council (UNSC). Transactions should also be screened for the existence of resources owned or controlled, directly or indirectly, by persons or entities known to have committed or attempted to commit crimes of the proliferation of weapons of mass destruction or participated or facilitated their commitment.
- Better Monitoring Through Mass Surveillance, Machine Learning, and Entity Resolution: A money-laundering scheme is not a siloed activity. Instead, it is a series of related activities that may appear unrelated. This requires typology monitoring as compared to single transaction monitoring. Financial institutions should therefore move away from individual/red-flag monitoring toward mass surveillance―in other words, evolving from an alert/event-based investigation to a case-based investigation. The correlation of various events should happen based on shared information, such as email ID, IP address, and more. This will allow analysts to see holistic entity activity instead of siloed events. Once comfortable with this concept, financial institutions should leverage graph analytics for event correlation, thereby uncovering hidden networks that might otherwise be missed. Graph analytics can also help find circular flows of funds, another common pattern of money laundering.
Supervised machine learning using graph analytics can be a game-changer in increasing monitoring effectiveness. Detailed information gathering during onboarding is essential to identifying entities behaving outside "normal" activity. Machine learning can be leveraged to uncover new patterns and schemes, identify instances of known criminal patterns, and score customer behaviors and non-behavioral attributes. For example, financial activity with any PEP and not justified by economic events should be considered in the list of situations, including in cases of cash deposits, reinforcing the need to identify this type of person since the beginning of the relationship with KYC. Unsupervised machine learning should be applied to detect previously unmarked, unknown corruption, and bribery schemes.
Graph matching can enable entity recognition and resolution, providing a holistic view of all the matched entities by various attributes, such as name, address, or e-mail. This unifies data in real-time to create a single entity view across the enterprise. Entity resolution can be applied to resolve different entities to determine the registration of the same e-mail address or Internet Protocol (IP) by different legal entities or organizations, without reasonable justification. In many cases, criminals use aliases or pseudonyms to conduct illicit business, which can be resolved by bringing internal and external data together for consistent entity definition. This is especially useful when criminals use different products/services to "layer" within one institution.
- More Effective and Efficient Investigations Through Context, Collective Intelligence Learning, Natural Language Processing (NLP) Narratives, and Sentiment Analysis: Financial institutions can leverage powerful graph analytics to connect the dots between internal and external data, providing a holistic representation of networks that uncovers hidden patterns. Investigators can click through entities and their connections—represented as nodes on the graph model—to analyze networks and suspicious activities. For example, once detected by a machine learning model, investigators can expand the graph by bringing external data such as business registry information to analyze legal entities' structures to ensure none of the ultimate beneficial owners are designated drug traffickers or negatively news on them. Graph analytics can be pivotal within the public-private relationship to analyze transactions with electoral campaigns, donations in the accounts of candidates, transactions in political parties, and even the incompatible use of the electoral party's cash fund. This will not be possible without the ability to combine data from various sources together.
AI can be leveraged to en hance human expertise through recommendations and suggested actions while also helping analysts gain situational awareness and learn institutional best practices. Once detected by a machine learning model and determined by an investigator to be a true positive, previously detected organized money, laundering cases can be leveraged to make recommendations for new cases (a graph). This way, institutions can be ensuring collective learning. This can increase automation and ensure that institutions can meet 45-day deadlines for every phase of monitoring.
Leveraging investigation outcomes, NLP can generate automatic case narratives, eliminating the manual component, reducing investigation times, and avoiding human errors. Case narratives are vital for the prosecution of suspect entities—and can help financial institutions improve investigation quality and reduce drug crime. NLP can be very helpful in ensuring the concluded drug-trafficking case has been well summarized (in the case narrative) to help law enforcement prosecute these highly sophisticated criminal rings. This can be missed without a well-documented case. The generation of a case narrative can be automated to ensure that cases can be concluded within 90 days, including reporting.
Sentiment analysis can help identify and extract opinions from suspicious activity reports, leveraging text across blogs, social media, traditional media, and more. Sentiment analysis findings should feedback into the system to uncover unknown behaviors and provide case recommendations for quick decisioning.
- Streamlined MIS reporting: A unified platform with strategic data management is key to the foundation of monitoring program efficiency and effectiveness applied to monitor anti-money laundering and counter-terrorist financing (AML/CFT). Additionally, adopting a risk-based approach can be increased by allowing the application of reinforced controls for situations of greater risk and streamlined controls in lower risk situations, which is not possible without the ability to generate enterprise-wide management information systems (MIS) reports.
We see the new AML regulations in Brazil as a positive step forward in the global fight against financial crime, and we expect that these new guidelines will help Brazil to show forward traction in its next FATF assessment, which is due in 2021. To maximize compliance with these regulations, financial institutions should consider enhancing their anti-money laundering systems with advanced analytics.
To learn more, feel free to message me to explore more or have a conversation.
For more information, please visit:
Oracle Financial Crime and Compliance Management Solutions: oracle.com/aml
Oracle Financial Services: oracle.com/financial-services
Subscribe to The Check-In, our financial services newsletter:
Keep up with the latest blogs and more: Sign up today