Nothing like a couple of high-profile money laundering cases to bring the entire industry into regulators' crosshairs.
As the Standard Chartered money laundering investigations pick up steam, close on the heels of HSBC's debacle, the government is now looking closely at how banks are preventing the practice. Simply deploying technology that electronically identifies possible money laundering transactions isn't enough. Experts say the entire culture of how banks vet business partners and flag activity to prevent fraud and money laundering is being called into question.
"The tech staff only exists to enable business. There needs to be a continuous process from the back office to the front," says Doug McKibben, a research director at Gartner.
Anti-money laundering technology typically uses electronic tracking of transaction processing to flag suspicious payments or transfers, either by size or destination, against the history or profile of a customer. The job of the technology is to spot unusual activity or relationships with third parties that are counter to the banks' business rules and compliance mandates. "Know your customer" provisions of anti-money laundering laws can include ties to firms or governments on terrorism watch lists.
Where these tech-heavy strategies can stumble is when the bank's business line people are part of the money laundering scheme or aren't fully aware of the laws and regulations governing money laundering. Additionally, these staff members may not be communicating properly with other bank departments that store or process transfers, vet business partners, or monitor other financial transactions.
At many banks, a chief information security officer is charged with protecting the bank from money laundering risks, though that still places responsibility in the hands of a piece of software or a policy based on identifying suspicious transactions, rather than an enterprise-wide system of checks and balances that examines who is accessing transactions and data and how staff or departments at a bank are using that data.
McKibben suggests a course of action that provides greater context to the rules and the investigation of suspicious activity, making reporting of transactions, internal and external behavior broader and more transparent to more people.
That could mean extra staffing for compliance or AML prevention, or a change in strategy and culture to make more business lines responsible for checking to make sure the tech reports are being followed up by broader investigations into possible money laundering, and corrective actions.
"Compliance can't be managed in isolation. A lot of companies are looking at AML as an IT or a business rule, but are not contextualizing the rules, or looking at whether they have controls in place or processes that are being ignored or controls that failed," McKibben says.
David Kwan, director of AML product management for NICE Actimize, contends that the recent spate of AML incidents, as well Congressional accusations that the Department of Treasury didn't take more proactive actions against Barclays in the LIBOR fraud case, will lead to more government scrutiny as the government seeks to improve its own performance. The government has faced heat over poor oversight of systemic money laundering risk in the past,
Kwan also says this trend takes AML beyond compliance and into banking soundness, looking at issues such as corporate processes, and company culture. "Much of what financial institutions know about what they need to do about issues such as money laundering comes from enforcement actions, where the regulators say there were shortcomings at a particular bank," Kwan says, adding that that can inform corrective measures at other banks.
In the recent cases, Kwan says the direction is pointing toward a corporate culture that centralizes vetting to spot and prevent possible money laundering across departments via rules or best practices that the entire organization must follow.
Kwan recommends a group compliance unit that's empowered to standardize processes across a bank's departments and the various national or regional jurisdictions that are inside an institution's footprint. In theory, this would create centralized and standardized oversight of activity in a region such as Asia or the Middle East, where money laundering concerns are higher than other regions.
Jeroen Dekker, a senior product manager of financial crime risk management for Fiserv, argues for a more dynamic approach that determines whether a bank's activities make sense, rather than simply checking against a list of barred activity.
He says technology can enable a broad risk-based approach, by using automated monitoring as a blanket that checks all transactions, rather than leaving some categories considered to be "lower risk" completely unchecked, which can create maneuverability for money laundering. Instead, all categories are checked, but with tolerance levels dependent on an institution's enterprise wide policy.
"Next to that, systems should be able to flag transactions for review even if there is no hit against a sanctioned entity, [such as] the countries involved, the cumulative amounts involved or a lack of valid customer information. Compliance departments should be looking to prove that large money flows make sense, instead of just assuming that they do if the individual transactions do not contain the names of sanctioned entities," he says.