Automation: The Key to AML Compliance Success

Financial institutions (FIs) have certain obligations under
AML laws to implement internal controls, validate the proper functioning of
their controls through independent testing, provide AML training for staff, and
designate officers whose sole responsibility is to manage and run the firm’s
BSA/AML compliance programmes.

BSA/AML programs have evolved with
increasing regulations over the years, but are they keeping pace with
regulators’ expectations and the strategies used by creative (illegal)
financiers? Trends in AML-related enforcements indicate they are not.

Earlier this year, an AML-focused survey issued by Veris Consulting
unveiled some interesting statistics. Out of 284 senior management and
compliance professionals surveyed across 46 countries, 66% of respondents had
seen an increase in their AML and Office of Foreign Assets Control (OFAC)
compliance budgets, but 32% of them felt the increases were either
inadequate or severely inadequate.

Furthermore, 61% reported an increase
in their AML and OFAC headcount and yet 70% still claimed they require
assistance from other functional areas within their institutions to fulfill
their BSA/AML duties. These results clearly indicate that automated systems are
needed to help AML compliance teams keep pace with demands.

As financial
markets and their compliance challenges become more complex, we see an increase
in the need for automated solutions that are flexible enough to keep pace with
changing regulatory demands. BSA/AML solutions generally cover three main areas,
though challenges exist with each.

1) Know Your Customer (KYC) and Customer Due Diligence (CDD)

FIs are responsible for knowing their customers (hence
KYC) for purposes of making appropriate investments. Firms are also responsible
for validating the customer’s true identity and knowing what criminal
activity risk a customer could potentially expose the firm to, whether
intentional or not. This requires an assessment of the customer at the beginning
of the relationship, as well as periodic assessments thereafter to generate and
track changes of their profile. Effective assessments will scan a variety of
watch lists, including politically exposed persons (PEP), negative news, Office
of Foreign Assets Control (OFAC), known aliases, regulatory sanctions and
criminal actions, and then track and identify changes over time.

Persons
should be analysed for citizenship, residency and any other geographic
background that might indicate ties with countries, jurisdictions, regions or
organisations that are under embargo, economic sanctions or other financial
dealing that may be prohibited by governments or other law enforcement
organisations. High-end AML compliance systems will track personal, financial
and business associations and increase the customer’s risk potential based on
those relationships. For non-person entities, systems should identify the entity
type and business dealings in which they are involved. Identifying an entity’s
beneficial owners for personal assessment is also critical since the goal is to
identify the individuals associated with any questionable activity.

The
most significant challenge facing KYC and CDD processes is how to effectively
reduce the ‘noise.’ Most systems produce numerous false positives, because they
are not intelligent enough to differentiate immaterial anomalies from something
more significant. Some systems use entity data from subscription service list
providers. These lists need to be scrubbed and inconsistencies need to be
validated so the same issues are not repeatedly flagged, diverting the reviewer
each time a list is reprocessed.

Firms are also looking for ways to
broaden the data set used for analysis beyond traditional subscription lists. To
solve this, AML providers are looking at how ‘big data’ can be leveraged to
further uncover risks. The best way to detect if an individual presents a risk
is to understand the dynamic world around the individual. This means consuming
social media and other large sets of unstructured data to better establish
personal relationships, associations and connections, then applying that
information to more flexible and intelligent risk models. Enhanced due diligence
(EDD) procedures can then focus on individuals with the highest risk scores,
enabling BSA/AML officers to take action where it is most needed.

2) Suspicious Activity Detection

Suspicious activity detection is the
process of reviewing all transactions for anomalies that may indicate foul play.
Like KYC processes, detecting potential transaction issues requires the creation
and analysis of a transaction profile. This profile determines attributes such
as transaction type, payment methods, associated entities or persons, time,
locations and values. Traditional rules-based approaches prescribe defined
scenarios, which systems can readily detect. The more difficult cases are those
which on the surface are not obvious but, once uncovered, yield surprising
connections.

Regulators are calling for more principled or risk-based
approaches to help reduce noise and lead reviewers to the most important issues.
This level of analysis often requires neural networks for advanced risk and
probability modeling or predictive analysis. These systems have learning or
adaptive capabilities, so unlike rules with static thresholds they self-adjust.
In this way, risk values update dynamically as activities are evaluated over
time rather than alerting only on point-in-time situations. The result is fewer and
more targeted alerts which help prevent reviewers from becoming overwhelmed.
These types of systems are very advanced, extremely expensive, and often out of
reach for firms with only limited budgets.

3) Case Management and Reporting

Regulators frequently perform audits and want to see evidence of
supervision and actions taken in accordance with a robust, well-defined BSA/AML
policy. Investigations may remain open for weeks or months with several
individuals participating in the review. Investigations often reference
historical reviews where correlations may exist. This means results must be
memorialised and remain accessible to reviewers and auditors to provide
supporting information for more effective investigations.

Regulatory bodies
responsible for enforcing and investigating BSA/AML incidents have standard
reporting requirements and procedures. Effective solutions provide automated
reporting when the system or a firm’s employees detect a potential incident. The
Financial Crimes Enforcement Network (FinCEN) coordinates with most US
regulatory bodies to facilitate a consistent suspicious activity reporting (SAR)
process. Where possible, much of this information can be pre-populated,
increasing the efficiency of users as well as indicating which items require
reporting and tracking whether or not those reports have been filed.

Conclusion

As BSA and AML compliance becomes more challenging,
expectations for real-time or near-real-time systems are increasing. Compliance
processes need to be run frequently and reviewers must be able to take action as
soon as risks are identified. With so few resources, time wasted trying to
manually organise and prioritise issues means red flags could be dropped or
ignored, reports may not get filed, and firms could be at greater risk of
regulatory fines or reputational damage.

Holistic and well-integrated AML
compliance systems will simplify operations for reviewers to consolidate and
prioritise issues, saving precious time and ensuring consistent follow-up. While
many solution providers diligently troubleshoot issues related to more effective
detection, increasing the ability to act and follow up must also remain a
priority.
