Banks Take AML Compliance for Granted
Standard Chartered Bank has finalized a $340 million settlement with New York's top banking regulator over charges that the bank laundered hundreds of billions of dollars for banks and others in Iran.
The banking industry has been hit with record fines for anti-money laundering (AML) and Office of Foreign Assets Control (OFAC) violations this year. Since February 2012, OFAC has levied over $623 million in penalties and settlements against various financial institutions. Additionally, the Department of Justice and various regulators have vowed to continue their scrutiny of financial institutions in the fight to combat money laundering and terrorist financing.
Even with substantial regulation, risk management and compliance systems in place, the banking community seems to lack the appropriate measures to keep its institutions from facilitating suspicious transactions. Is this because AML policies are not stringent enough? Are they not rigorously enforced? Or is it both? Are these recent enforcement actions caused by human error or by a failure of the technology systems in place to monitor massive numbers of transactions?
In our 20 years of combined experience working on both the corporate and prosecutorial sides of AML and OFAC compliance, we have seen two common themes over and over again. First, banks are either stripping out key information from transactions to avoid triggering alerts for possible sanctions violations, or failing to properly design and implement filters that capture potentially suspicious transactions. Second, banks are too reliant on automated compliance systems and overly confident that those systems can run on their own.
Many financial institutions struggle with their current transaction monitoring technologies and with how those technologies are implemented. For example, we have seen banks' monitoring systems generate too many false positives, wasting resources on clearing alerts. A backlog is often created, which generates other regulatory challenges. It also leads to a problematic numbers game, in which the Financial Intelligence Unit is more focused on clearing alerts quickly to reduce the backlog than on the unusual and/or suspicious transactions.
The rules used to identify red flags or potentially suspicious behaviors are often neither robust nor continually reviewed. A common mistake is that rules do not always accurately reflect the customer's risk profile based on Know Your Customer information, which is aggregated by conducting extensive due diligence and is increasingly vital in preventing financial fraud and abuse in client relationships.
The compliance function should be held accountable for vigorous monitoring and testing programs to ensure those controls are operating properly. The heart of true compliance is the everyday activity of the business. Most banks have a compliance policy in place, but how is it implemented? Is compliance a separate silo or hard-wired into every business line? Are compliance policies enforced on a daily basis? Do line managers and all relevant staff know the policies and contribute to updating them regularly?
Technology also plays an important role in the disconnect between compliance policies and business priorities. Too many firms mistakenly imagine that their software systems can handle AML/OFAC compliance on their own with little or no human intervention. The business lines are the front lines of true compliance, and the technology is the tool that helps identify potential red flags.
How can banks improve their compliance programs?
We believe the answers lie in the development of robust compliance policies and, more importantly, in the implementation and continual monitoring and testing of these programs.
One way to counteract compliance alert quotas and identify the real risk is to improve the internal alert escalation process. Banks should integrate the compliance process with the business process so risk is identified earlier and addressed promptly. Regulators also recognize this, which is why examiners are looking under the hood at firms to see how well they perform this process.
Banks must conduct appropriate enterprise-wide AML and OFAC risk assessments. They must have a keen understanding of where the AML and OFAC risk lies within each business line – which products, geographies, customers, types of transactions or even future products pose a vulnerable point of entry. Then the organization has to design the right controls to mitigate that risk.
If your bank was built through acquisition, you could be unknowingly letting risk creep in through the back door. It is likely that you have customers, perhaps long-standing and valuable customers, who have never been properly vetted. It is only natural that a business unit will not want to disturb an established, profitable relationship. But that is how risk enters a business, making the whole firm vulnerable to financial crimes or regulatory violations.
Tom Bock and Dana Irvis are Managing Director and Director, respectively, with K2 Intelligence, an investigative and risk analytics consulting firm.