The worldwide regulatory wave to enhance compliance programs and address the broader sources of money laundering and financial crimes has clearly begun to wash over U.S. credit unions.
With the Financial Crimes Enforcement Network
Perhaps surprisingly, some of this impact on credit unions is coming from European regulators. Not only are they strengthening compliance standards, they are also pushing financial institutions in Europe to develop a risk-based, holistic approach to compliance that encompasses the array of regulations and threats. The recent attack on Paris will only strengthen this regulatory scrutiny.
For example, the European Union's recent Fourth Directive to fight money-laundering and terrorism financing is increasingly impacting U.S. financial institutions that do business in Europe—and their members and customers. The broad-based regulation expands the framework for compliance across the entire financial institution while mandating a risk-based approach largely at odds with tradition.
This trend is filtering down to U.S. credit unions as regulators worldwide try to extend the safety net across the entire financial system. Risk-based procedures as proposed by FinCEN are essential; they are also referred to as the "fifth pillar" of AML compliance under the Bank Secrecy Act.
All these trends are prompting increased focus by U.S. financial institutions of all sizes and charters, and their IT departments and customers. Compliance that is already challenging, particularly for smaller institutions with fewer resources, is going to get tougher.
The new approach is expected to push more compliance obligations on consumers. As a potential example of things to come, the recent FIFA-related indictments snared not only banks but private companies and individuals involved with soccer's governing body, including the tiny Delta National Bank & Trust Co. in Miami. As compliance strengthens in larger, multi-national banks, regulators reasonably expect criminals to target smaller financial institutions such as credit unions. This calls for stronger Know Your Customer processes—both at onboarding and periodically over time—that perform money-laundering check procedures based on risk classification.
Faced with increased regulation, heightened complexity and sophistication among customers and products, IT managers and regulators are increasingly grappling with how to get from here to there.
Based primarily on our experience worldwide, but particularly in Europe, here are some key questions for senior business and IT managers at U.S. credit unions (as well as board members) to address in meeting the challenge of compliance:
Defining a risk-based approach
The traditional approach to compliance is often siloed by regulatory regimen, with a focus on "rules-based" analysis of known threats. The holistic approach is based on assessment of all potential risk, leading to a single "picture" of centralized risk across the enterprise, which incorporates the various regulatory regimes, individual member profiles and potential exposures.
This approach steers efforts to high-risk cases and streamlines subsequent investigation and decision processes. It increases the effectiveness and efficiency of the compliance process and helps to focus limited resources where they will have the biggest impact.
The expansion of regulation, together with increasingly sophisticated threats, is straining the rules-based approach, which is inherently backward-looking, and pushing institutions toward an expanded analytics-based approach that focuses on risk assessment.
Compliance functions today often suffer from piles of alerts and the challenge of quickly identifying the few that actually merit real attention. Thus an essential part of the risk-based approach is embedded analytics that incorporate a variety of data sources and relative "rank scoring" to more reliably and automatically raise the most likely needles to the top of the haystack for further evaluation. This approach generates alerts of higher quality and reduces "false positives." Analytics also allows identification of anomalies in data that can lead to identification of new, previously unknown threats.
Transaction monitoring not enough
Traditionally, compliance personnel follow a two-step alert process, which is highly manual and time-consuming. Automating most of this with a unified case-management process with investigation capabilities and workflow features is more efficient. It should fully support decision processes ranging from invalidating a suspicion to submitting suspicious activity reports (SARs) to FinCEN. The centralized case management process aggregates various types of alerts and uses automated, high-level graphical dashboards with centralized overviews of priority variables, risks and actions.
How do we pay the bill?
Maintenance costs for supporting anti-financial-crime systems can be onerous, not least because of the ever-changing nature of regulatory requirements. Credit unions should consider standardized, configurable solutions to account for changing regulations. These solutions can quickly adapt to new threats, and can easily add data feeds.
Credit unions should also consider compliance applications as cloud-hosted services. This eliminates investment in hardware, and sidesteps much of the traditional installation and configuration costs and delays. The software can be used immediately and is always up-to-date.
What's the best way to implement?
Credit unions certainly have the option of re-inventing the wheel and moving ahead on their own. This may be an opportunity for a service-bureau type of approach.
For example, German savings banks, roughly comparable to U.S. credit unions, have already approached this challenge. In collaboration with the IT service provider for many German savings banks, TONBELLER rolled out a centralized solution to approximately 450 institutions with over 50 million customers. The software checks about 130 million accounts and 70 billion transactions annually for money laundering. A similar approach has been taken in Tunisia.
The regulatory wave is bearing down on credit unions in the United States. Now is the time to consider how to meet the challenge of increased compliance, and how to identify and implement the right solution at the best cost.
Frank Holzenthal is a member of the management team at TONBELLER, which was acquired in 2015 by FICO.










