By Ben Rayner, Regional Head UKI and MEA, Silent Eight
If people working outside of financial crime didn’t have much of an understanding of sanctions before February of this year, then chances are they will have become increasingly aware of their purpose and intent following the sanctioning of certain individuals and entities associated with the crisis in Ukraine. The United States alone has designated almost 2,000 individuals and entities since February 2022. Overall, the size of sanctions lists has increased by approximately 25 percent in the last 18 months.
To meet their legal and regulatory obligations, institutions must identify sanctioned individuals and entities (and other high-risk customer categories, such as Politically Exposed People) using some form of a screening process. More often than not, this is automated. In addition to customer themselves, customers’ transactions made to or from their customers must also be screened (primarily those made cross-border).
Screening solutions are built on algorithms that use defined rules to identify potential matches for further investigation. Should that investigation lead to a confirmed match, the institution must take the required actions stipulated by the regulator and/or their policies.
In an ideal world in which data quality is not an issue, these algorithms would just look for exact matches—same name, date of birth, address, etc.; but in reality, data quality is far from perfect, and the information available can be sparse. As a result, “fuzzy” match rules are used to compensate. A strict risk appetite for meeting sanctions regulations often means match rules are very “fuzzy”. The “fuzzier” the rules, the more potential matches (alerts) are produced, which in turn need to be investigated “in a timely manner” (the wording in the majority of regulators’ guidance).
To meet the effectiveness agenda—i.e., ensuring all sanctions exposure is discovered—an institution might implement an algorithm with as many fuzzy-match rules as possible. Faced with the scale of fines being issued to institutions for failing to meet their sanctions obligations, this is the initial approach many took.
However, as you turn the dial on effectiveness, costs increase significantly. Technology costs increase the more processing power is required. Before the advent of Cloud computing (considered later in this article), this would mean buying more servers and the associated costs for maintaining them (quite easily $30,000 per annum per server). Operations costs will also increase, and unlike technology whereby you can install a new server “immediately”, increasing your operations teams will lag significantly due to recruitment and training issues.
So, for the Financial Crime teams responsible for driving the strategy and delivery of an effective and efficient sanctions programme, what approaches have they taken, and what levers have they pulled?
“At any price”
The size and scale of sanctions-related fines over the last 10 or so years have been newsworthy, even outside of banking. Headlines such as “HSBC to pay $1.9 billion U.S. fine in money-laundering case”1 and “ING to pay $619 million over Cuba, Iran sanctions”2 have extended beyond the financial pages to the front pages of major newspapers. With the potential for such fines, many financial institutions have prioritised remediation of their sanctions programmes on a blank-cheque basis until the job is done. For screening, this might mean re-platforming, introducing risk-averse match rule algorithms and hiring as many investigators as required to manage the output.
Without question, this addresses the effectiveness agenda, but once regulators are satisfied, institutions cannot just continue down this path. Costs must be scaled back—but, of course, without undoing what’s been achieved. If there is one thing that financial-crime compliance is not—it is not a commercially attractive proposition (a quarter of a trillion dollars per annum is spent globally fighting financial crime) 3.
In order to deal with the volume of potential matches generated by new and reconfigured screening solutions, institutions have built large-scale operations teams. Over time, many of these institutions have developed strategies to relocate these teams to low-cost locations (primarily India and Eastern Europe), offering significant cost efficiencies. As well as attractive wage arbitrage, these locations offered highly educated investigators, many of whom also carried recognised AML (anti-money laundering) qualifications.
This has been a real success in the main, with large-scale, flexible, cross-trained investigation teams being developed. The challenge currently is for those institutions that have relocated work to India to maintain salary expectations and manage attrition. New work continues to flow into the country, making it an employee’s market, and employers face fierce competition to hire and retain staff.
Recognising their reliance on human investigators, particularly during periods of rapid scaling up of sanctions, organisations have focussed on automation to reduce the variation in the volumes of alerts requiring manual investigation, ultimately reducing overall volumes. This has ranged from screen scraping and robotic process automation (RPA) to statistical models and, more recently, increased usage of machine learning (ML) and artificial intelligence (AI). The key success or failure of these solutions has typically been how transparent they are (versus black-box solutions that institutions can’t explain), how high the costs to maintain are and ultimately, how auditable their outputs have been. Understandably, regulators have taken a keen interest in where automation is being proposed or implemented.
Over the last few years, most institutions have adopted one, some or all of these solutions. The approach has typically been adapted over time, dealing with the problem of the day—regulatory failings, P&L (profit and loss) challenges, people costs and challenges. The cliche says that hindsight is 20:20, but most financial-crime professionals, if asked, would agree that if they had the chance to go back to Day 0 and knew what they know now, they would take a different, more considered and complementary approach, which would potentially achieve the balance sooner and at a lower cost.
Taking the learnings of the last decade, institutions have developed some key methods to strike a balance between effectiveness and efficiency when delivering on sanctions obligations.
- Addressing data quality: Whatever is done in terms of automation and match rules depends on data quality. The better the data, the narrower the match rules can be, and the fewer false positives are produced for automated or manual adjudication. Firms are developing analytics that determine what critical data elements are required and then measuring their completeness and accuracy. This enables the quantification of the cost of poor quality and the prioritisation of remediation. Remediating poor data quality is a time-consuming process and should be done in parallel with other solutions.
- Embrace Cloud computing: Screening alert volumes are both unpredictable and volatile. As a result, to ensure sufficient capacity to manage peaks, traditional server-based computing utilisation might sit at sub 20 percent regularly, compared to 65 percent plus for large-scale Cloud providers4. Institutions can, therefore, significantly reduce the number of servers required whilst also making broader savings from switching to the Cloud.
- Automation: Across the industry, a lot of lessons have been learned:
- Be very wary of black-box solutions;
- Choose solutions that everyone can explain to a regulator;
- Take the regulator on the automation journey;
- If the solution is based on machine learning, is extensive re-learning required following policy or risk-appetite changes?
- Ensure that the output doesn’t need to be translated by a data scientist; rather, it can be understood and reviewed by existing assurance resources.
- Rules: Rules drive all of this—meeting regulatory requirements and compensating for poor data quality. Repeatedly assessing match rules and undertaking testing and tuning, particularly when policies change or data is remediated, reduces the false positives at the heart of the efficiency and, therefore, cost agenda.
- More automation: The cycle never stops. Automation solutions can be reviewed and optimized as data improves and match rules are reconfigured. Ideally, automation solutions that can be reconfigured by the client immediately following a change will give immediate value, as opposed to those that require significant periods of re-learning or vendor intervention.
- Optimised operations: Creating an operation of 1,000 investigators in a low-cost location means it’s relatively easy to deal with operational challenges. Divert resources to high-priority areas, flex SLAs (service-level agreements) to create capacity, and cross-skill to create fungible resources. If an organisation has worked hard at the items above, the reliance on human investigators is reduced dramatically but is unlikely to be eliminated. Therefore, dealing with a spike in alerts or an immediate business priority with a much smaller team means planning and forecasting, and cross-skilling becomes more and more important. Many institutions have deployed operational excellence programmes in-house or utilised external vendors to address this precise issue.
Some say that imposing sanctions doesn’t achieve the desired goals of the sanctioning entity; but on the basis that they’ve been around since 432 BC, in the days of the Athenian Empire, it’s reasonably safe to assume that they will continue to be imposed, and financial institutions will be expected to adhere to them. The more Financial Crime teams are expected to be both effective in meeting obligations and efficient in satisfying those owning the budget, the more holistic the approach will need to be.
1 Reuters: “HSBC to pay $1.9 billion U.S. fine in money-laundering case,” Aruna Viswanatha, Brett Wolf, December 11, 2012.
2 Reuters: “ING to pay $619 million over Cuba, Iran sanctions,” Karen Freifeld, June 12, 2012.
3 LexisNexis Risk Solutions: “True Cost of Financial Crime Compliance Study 2021.”
4 AWS News Blog: “Cloud Computing, Server Utilization, & the Environment,” Jeff Barr.