Globally, fighting financial crime remains a high priority for governments and regulators, with the International Monetary Fund estimating that money-laundering (ML) accounts for between two and five per cent of the world’s GDP.
Hundreds of billions of US dollars derived from criminal exploits are believed to be laundered through UK banks, including their subsidiaries, each year.
For financial institutions, this remains one of the foremost areas for compliance, impacting personnel, procedures and systems, with initiatives to stem the flow of dirty money emanating from The Financial Action Task Force (FATF) – an inter-governmental body that develops policies and standards to protect global financial systems against money laundering and terrorist financing.
The FATF’s most recent recommendations – in 2012 – made an explicit move towards a risk-based approach (RBA) in the fight against money-laundering and terrorist finance.
Government departments and domestic regulators had previously grown dissatisfied with the way institutions were fulfilling compliance requirements and began levying very punitive and very public fines on some of the biggest organisations.
The risk-based approach
The risk-based approach means that countries, regulators and financial institutions are expected to identify, assess and understand the ML/TF risks to which they are exposed and take appropriate measures in line with their degree of risk.
The latest FATF guidance is that a financial institution must develop its AML/CTF programme based on its own risk assessment that will take into account the nature, scale and diversity of its business.
Whatever the size of the institution, there will be a need to access accurate, timely and objective information about ML/TF risks. In most circumstances this will involve financial institutions acquiring the capability to undertake Customer Due Diligence (CDD) and Know Your Customer (KYC) protocols as well as ongoing monitoring that includes transactions and regular reviews to ensure relevance to the latest AML/CTF programmes.
CDD and KYC mean the institution must be able to identify the customer (or beneficial owner) and verify the identification. It must know the purpose and nature of intended business and then screen against watch- and sanctions-lists.
So what does all this mean when regulators expect the institution to evolve its AML/CTF programmes, based on its own risk assessment? The one certain answer is that it requires accountability at executive level. Market research shows how expenditure on AML/CTF compliance is constantly rising, with investment being approved to overcome the separate, silo-based historical development of financial crime and fraud management.
However, these more holistic approaches also provide large, global operators with some specific difficulties to overcome in order to develop a cohesive and comprehensive AML/CTF programme.
Individual processes and procedures may differ from country to country, affecting how any AML software system is configured. This is especially important when the identification of illegal or suspicious transactions or the criminals themselves, relies on multiple sources of structured and unstructured data – as is the case in financial organisations.
Institutions will often have to deal with hundreds of data sources which have to be filtered and classified according to levels of suspicion. Anomalies have to be identified, along with watch-list names and transactions connected to hostile nations. It is then necessary to have alerting capabilities and suspicious activity reports (SARS).
The timing of data-delivery and processing is vitally important in AML/CTF when some of the key activities are considered. The on-boarding of new clients, for example, requires background screening to be undertaken and completed in as little as 15 minutes.
Not all approaches are equal
It is tempting to think that any AML/CTF software solution will meet the functional requirements of the anti-financial crime programme. Not so. As with all software packages, they are largely reliant on the quality of the configuration and the quality of the data coming into the system.
Therefore, a key factor in developing and maintaining an effective AML/CTF programme is understanding what exactly needs to be achieved – and setting performance targets around those requirements.
This has to be accomplished by identifying the important steps of a business flow – where and when key activities should take place. Some steps are so essential that they are accorded a Service Level Target (SLT).
With an SLT, a financial institution can set parameters to help it monitor progress. In the case of AML/CTF a number of business processes and flows have to be supported, such as customer screening and on-boarding, and for each flow the appropriate SLTs are required. In such flows the SLTs are likely to focus on the timely delivery and performance of the data-feed sources, covering both upstream and downstream processes.
Visualisation technology is also essential, allowing the business flows and SLTs to be displayed on real-time dashboards with a red, amber, green status alerting capability – enabling a business to gauge its ongoing performance quickly. It is vital that staff have a monitoring and alerting capability so they can track the system’s performance and to take informed proactive decisions if it appears that targets are being missed or about to be missed.
It is important, too, to have an audit trail, generating reports and target performance history from a central repository.
In a large global bank this approach has facilitated daily receipt and processing of more than 200 files coming into the AML system from 24 different sources at different times. Compare this with its previous monthly processing conducted under a less demanding set of criteria.
This level of performance enables a bank to demonstrate that it is fulfilling a basic demand of the risk-based approach through effective management of the necessary inputs and outputs of its AML system.
It is no good financial institutions believing that all approaches are equal. AML technology relies on being configured and deployed to support appropriate processes, by knowledgeable people. Effective and compliant AML also requires relevant and timely data in order to produce information that enables a financial institution to feel confident about transacting legitimate business with its clients.
It is by setting and effectively monitoring SLTs that an institution can demonstrate it is in full control of its financial crime risk – ensuring that all the component pieces perform to the AML/CTF programme’s objectives under the RBA.