10-09-2013, 10:25 AM
Automation: The Key to AML Compliance Success
Rex Gooch, SunGard Protegent - 8 Oct 2013
The introduction of the Bank Secrecy Act (BSA) in 1970 created the need for anti-money laundering (AML) compliance. Since then, regulatory enhancements and a slew of other regulations have been created to combat illegal financing and, in particular, terrorist financing.
Financial institutions (FIs) have certain obligations under AML laws to implement internal controls, validate the proper functioning of their controls through independent testing, provide AML training for staff, and designate officers whose sole responsibility is to manage and run the firm’s BSA/AML compliance programmes.
BSA/AML programs have evolved with increasing regulations over the years, but are they keeping pace with regulators’ expectations and the strategies used by creative (illegal) financiers? Trends in AML-related enforcements indicate they are not.
Earlier this year, an AML-focused survey issued by Veris Consulting unveiled some interesting statistics. Out of 284 senior management and compliance professionals surveyed across 46 countries, 66% of respondents had seen an increase in their AML and Office of Foreign Assets Control (OFAC) compliance budgets, but 32% of them felt the increases were either inadequate or severely inadequate.
Furthermore, 61% reported an increase in their AML and OFAC headcount and yet 70% still claimed they require assistance from other functional areas within their institutions to fulfill their BSA/AML duties. These results clearly indicate that automated systems are needed to help AML compliance teams keep pace with demands.
As financial markets and their compliance challenges become more complex, we see an increase in the need for automated solutions that are flexible enough to keep pace with changing regulatory demands. BSA/AML solutions generally cover three main areas, though challenges exist with each.
1) Know Your Customer (KYC) and Customer Due Diligence (CDD)
FIs are responsible for knowing their customers (hence KYC) for purposes of making appropriate investments. Firms are also responsible for validating the customer’s true identity and knowing what criminal activity risk a customer could expose the firm to, whether intentional or not. This requires an assessment of the customer at the beginning of the relationship, as well as periodic assessments thereafter to generate and track changes in their profile. Effective assessments will scan a variety of watch lists, including politically exposed persons (PEP), negative news, Office of Foreign Assets Control (OFAC), known aliases, regulatory sanctions and criminal actions, and then track and identify changes over time.
Persons should be analysed for citizenship, residency and any other geographic background that might indicate ties with countries, jurisdictions, regions or organisations that are under embargo, economic sanctions or other financial dealing that may be prohibited by governments or other law enforcement organisations. High-end AML compliance systems will track personal, financial and business associations and increase the customer’s risk potential based on those relationships. For non-person entities, systems should identify the entity type and business dealings in which they are involved. Identifying an entity’s beneficial owners for personal assessment is also critical since the goal is to identify the individuals associated with any questionable activity.
The most significant challenge facing KYC and CDD processes is how to effectively reduce the ‘noise.’ Most systems produce numerous false positives, because they are not intelligent enough to differentiate immaterial anomalies from something more significant. Some systems use entity data from subscription service list providers. These lists need to be scrubbed and inconsistencies need to be validated so the same issues are not repeatedly flagged, diverting the reviewer each time a list is reprocessed.
Firms are also looking for ways to broaden the data set used for analysis beyond traditional subscription lists. To solve this, AML providers are looking at how ‘big data’ can be leveraged to further uncover risks. The best way to detect if an individual presents a risk is to understand the dynamic world around the individual. This means consuming social media and other large sets of unstructured data to better establish personal relationships, associations and connections, then apply that information to more flexible and intelligent risk models. Enhanced due diligence (EDD) procedures can then focus on individuals with the highest risk scores, enabling BSA/AML officers to take action where it is most needed.
2) Suspicious Activity Detection
Suspicious activity detection is the process of reviewing all transactions for anomalies that may indicate foul play. Like KYC processes, detecting potential transaction issues requires the creation and analysis of a transaction profile. This profile determines attributes such as transaction type, payment methods, associated entities or persons, time, locations and values. Traditional rules-based approaches prescribe defined scenarios, which systems can readily detect. The more difficult cases are those which on the surface are not obvious but, once uncovered, yield surprising connections.
Regulators are calling for more principled or risk-based approaches to help reduce noise and lead reviewers to the most important issues. This level of analysis often requires neural networks for advanced risk and probability modeling or predictive analysis. These systems have learning or adaptive capabilities, so unlike rules with static thresholds they self-adjust. In this way, risk values update dynamically as activities are evaluated over time rather than alerting only on point-in-time situations. The result is fewer and more targeted alerts, which help prevent reviewers from becoming overwhelmed. These types of systems are very advanced, extremely expensive, and often out of reach for firms with only limited budgets.
3) Case Management and Reporting
Regulators frequently perform audits and want to see evidence of supervision and actions taken in accordance with a robust, well-defined BSA/AML policy. Investigations may remain open for weeks or months with several individuals participating in the review. Investigations often reference historical reviews where correlations may exist. This means results must be memorialised and remain accessible to reviewers and auditors to provide supporting information for more effective investigations.
Regulatory bodies responsible for enforcing and investigating BSA/AML incidents have standard reporting requirements and procedures. Effective solutions provide automated reporting when the system or a firm’s employees detect a potential incident. The Financial Crimes Enforcement Network (FinCEN) coordinates with most US regulatory bodies to facilitate a consistent suspicious activity reporting (SAR) process. Where possible, much of this information can be pre-populated, increasing the efficiency of users as well as indicating which items require reporting and tracking, whether or not those reports have been filed.
Conclusion
As BSA and AML compliance becomes more challenging, expectations for real-time or near-real-time systems are increasing. Compliance processes need to be run frequently and reviewers must be able to take action as soon as risks are identified. With so few resources, time wasted trying to manually organise and prioritise issues means red flags could be dropped or ignored, reports may not get filed, and firms could be at greater risk of regulatory fines or reputational damage.
Holistic and well-integrated AML compliance systems will simplify operations for reviewers to consolidate and prioritise issues, saving precious time and ensuring consistent follow-up. While many solution providers diligently troubleshoot issues related to more effective detection, increasing the ability to act and follow up must also remain a priority.