If anti-money laundering (AML) officers feel like sitting ducks – waiting, reacting, and improvising – it’s with good reason. Criminals really do want to exploit your systems for their ill-gotten gains. Regulators really do want to make sure there are no gaps in your policies and procedures and no flouting of them. Good customers really do object to being treated like potential criminals.
But if your bank is like most, the AML apparatus you are guarding so carefully is a hodgepodge. For years, you have had to respond serially to a steady drip-drip of new rules as new threats were detected or old rules circumvented. Each time, you added another something – another system, a patch, a process, a report, a team.
That hodgepodge makes you vulnerable from all directions. Aging systems don’t talk to each other very well and manual fixes are error-prone. Employees can make mistakes. So can third parties (hardware and software vendors, armored carriers) whose compliance you are responsible for. Online advances and mobile technology that thrill consumers have made infiltration easier for the bad guys. New products mean more data to aggregate and inspect.
This is not a world where inspired improvisation can continue to be the operating mode. That is why a few banks are stepping back and asking the question: If we could start all over today, what would our AML environment look like? And what is the safest, wisest route from here to there?
No More Disconnects
The ideal AML environment is enterprise in scope. No more disconnect between the business units and the technology teams supporting them. No more AML processes or systems designed for just one business unit. And no more disconnect between the AML hodgepodge and the rest of the compliance alphabet soup: CRA (Community Reinvestment Act), SOX (Sarbanes-Oxley Act), FACTA (Fair and Accurate Credit Transactions Act), Dodd-Frank Act, and more.
It is flexible. As demanding as AML rules are today, they are likely to become even more so down the road. Today’s platform can’t anticipate tomorrow’s “unknown unknowns” but should be able to incorporate them so that future changes don’t restart the patching process.
It is integrated. Gaps and misalignment equal risk. When new products are introduced or old products changed, the future must include seamless integration between the business lines, the technology teams who support them, and the bank’s entire regulatory process workflows.
As for getting there from where you are today, it takes two parallel work paths. Today’s improvised and patched process still needs to be followed scrupulously, but a parallel work path needs to unfold alongside it, correcting for deficiencies and inefficiencies in the old system.
The parallel path starts with a huge eye-opener for most banks: an end-to-end diagnostic analysis of their AML current environment. Even when each business unit handles its own process responsibly, they find vast inconsistencies from one division to another. Whether from old conversions that were rushed or incomplete or poor AML controls from an acquired bank, it is not unusual to find workflows left outside of the consolidated regulatory workflow – to management’s surprise.
The next step is to investigate how new rules are being incorporated into the AML process, a common stumbling block. Often, it can appear that a simple process change will comply with a new rule but usually there are complications with any change in process and a quick fix creates problems down the line. This step should double check the latest rules involving new cash products and the main areas where other banks have recently been found wanting and fined.
Then you need a full library of all the data sources for all the AML aggregation that must take place. Most will be obvious, but you are bound to discover some that are not getting regularly pulled in, leaving you exposed. Old acquisitions are a frequent culprit, but so are outsourced systems and multiple data warehouses, so keep the broadest possible view and a strong tolerance for complexity.
A filtering analysis is next. Is the vendor of your filtering system keeping it up-to-date and to your standards (not the vendor’s preferences)? If there is old COBOL code doing the filtering, is the code being kept current? When suspicious transactions are raised for review, how good are your analysts at assessing them? If you’re like most banks, you will find a wide variety of techniques, approaches, and technologies. In compliance, disparity often means exposure, so the goal is to surface any inconsistencies.
Your next focus involves your back-end reporting. Is it automated, or is it subject to delays and exposed to error by manual steps? How many reporting systems need to be rolled up? Is it fast enough to catch transactions before they go through, or are you always investigating after the fact? Do top executives get the information they need?
Once you have completed these assessments, many of your solutions will start to become obvious. For example, you will detect where a standard interface for new products can solve many of the newer types of exposure. You will learn which systems are most flexible in being able to accommodate new rules. You will learn where you have pockets of deep AML expertise and where you need shoring up. You will see where better analytics can significantly improve judgment. You will be able to compare the relative efficiency of different business units’ AML approaches.
From these insights, you can begin to architect the AML environment you wish to evolve to: enterprise, integrated and flexible. After all, compliance of all kinds will continue to consume more time, resources, and management attention. With the right environment you will be positioned to handle the new demands without excessive risk and expense.
Mr. Evetts is a managing partner with Irving, Tex.-based ABeam Consulting USA, and Mr. Donnelli a principal. They can be contacted at bevetts@abeam.com and rdonnelli@abeam.com.
Stay connected to Expert Perspectives, Research and Intelligence — subscribe to BAI Banking Strategies now!