By Sven Stumbauer, Managing Director, AlixPartners
Banks and other financial institutions entered 2017 facing an increasingly daunting framework of anti-money-laundering (AML) laws and regulations. During the past several years, regulatory agencies have been aggressively stepping up their enforcement actions, and they’ve levied huge fines for compliance failures.
For instance, the New York State Department of Financial Services (NYDFS) and the UK Financial Conduct Authority recently issued penalties of more than $600 million for AML failings at Deutsche Bank from 2011 to 2015 in connection with securities trades originating in Russia. In addition, the Financial Industry Regulatory Authority’s 2017 Regulatory and Examination Priorities Letter indicated that AML will remain a focus—especially in areas where the agency has observed shortcomings. The letter expressed specific concern about lapses in data integrity and inadequate surveillance systems that have caused gaps in firms’ automated trading and money movement surveillance systems.
Having a comprehensive compliance program in place is becoming more critical than ever. Here are five steps financial institutions can take in 2017 to confront today’s growing challenges.
1 KEEP ABREAST OF CHANGES AND NAVIGATE THEM DILIGENTLY
AML rules and regulatory expectations are constantly evolving, and financial institutions have to make sure their compliance programs keep up with each new change. Heading into 2017, financial institutions should review their AML programs, assess their effectiveness, and enhance them as necessary. For example, they have to address recent regulatory changes like the NYDFS anti-terrorism and anti-money-laundering rule, which requires that regulated institutions ensure that their transaction monitoring and filtering programs are designed to comply with regulatory standards and expectations. Another recent regulatory change from the NYDFS says financial institutions must adopt and submit either an annual board resolution or a senior officer compliance finding that confirms compliance with the NYDFS regulation beginning April 15, 2018.
2 KNOW YOUR CUSTOMER
In recent years, financial regulatory bodies in the United States and Europe have increasingly emphasized customer due diligence (CDD) as a means of combating money laundering and terrorist financing. In May 2016, the Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) imposed formal CDD requirements, and US financial institutions will have until May 11, 2018, to comply with those rules. Most of the regulations that are now codified in the CDD rule have already been considered regulatory expectations for some time, yet in light of the formalization of those regulations, financial institutions should consider taking the following actions.
- Review AML risk assessment, with particular focus on how current legal entities are being
- Review automated transaction-monitoring systems and procedures to make sure the results of their monitoring efforts get considered when reassessing or refining customer
- Make sure that CDD rule requirements are implemented seamlessly across the entire global operation.
- Develop—and periodically enhance—existing policies and procedures to meet the technical requirements of the CDD rule and to align the technical rule requirements with the financial institution’s risk appetite.
The CDD rule represents a key development in the continued evolution of AML compliance, and regulators today may place even greater focus on the nature of customer relationships and transactional activity. It is critical that covered institutions determine far in advance of the deadline whether additional resources will be required.
3 ESTABLISH A CULTURE OF RESPONSIBILITY—FROM THE TOP DOWN
To be successful, an AML compliance program should have clear support from the management team. The board of directors and senior management executives should set the tone for their organization by creating a culture of compliance. If compliance officers have to beg, borrow, and steal to obtain adequate support and resources, then it’s likely that the company’s leadership itself is not seriously engaged in AML compliance.
Boards of directors should keep in mind that they have a duty to ensure that the company reaches not only its financial goals but also its regulatory compliance goals. In light of recent enforcement actions, in which certain AML compliance officers were personally sanctioned, we expect management teams and boards of directors to deepen their involvement in AML efforts rather than merely ticking the box.
4 CONDUCT A THOROUGH RISK ASSESSMENT AND AN ACCURATE RISK QUANTIFICATION
Another important step that financial institutions should take this year is to broaden the scope of their risk assessments. Several regulatory bodies have mandated risk assessments that should be tailored not only to a company’s operations but also to its third-party relationships. That means a financial institution should assess its potential risk exposure across the entire organization, across its counterparties, across its affiliates, and with regard to the products its affiliates use.
For example, recent enforcement actions point out that some financial institutions are still treating their affiliates as part of the same organization, and they’re not giving much consideration to potential AML risks as they conduct business with affiliates in certain jurisdictions. Therefore, it may be necessary for a financial institution to revise policies and procedures based on the regions where it conducts business. In another example, financial institutions might want to consider adjusting their transaction-monitoring efforts when conducting business in jurisdictions that impose currency restrictions. Further, financial institutions should evaluate both inherent and perceived risks associated with certain business activities and relationships. This approach would be far more prudent than ignoring problems or exiting certain relationships wholesale and calling it “de-risking,” as we have seen in recent times.
5 IMPLEMENT A SOPHISTICATED INFORMATION TECHNOLOGY SYSTEM
Robust information technology systems have always been critical parts of AML compliance. However, as recent enforcement actions have shown, detecting and reporting suspicious activity appear to be ongoing struggles for financial institutions—and the trend will likely continue.
Many financial institutions are saddled with legacy IT compliance systems that were built piecemeal and can no longer meet current needs and regulatory expectations. That situation results in many cases of manual workarounds, which usually lack accuracy and efficiency and can cause head count to spike unnecessarily. In light of FinCEN’s CDD rule, sophisticated IT systems that are well integrated into a company’s day-to-day operations will be critical for keeping up with regulatory requirements in 2017 and beyond.
Financial institutions should evaluate whether their current systems can handle the additional information and field requirements, which some legacy systems may not be able to do. Given the kinds and volumes of customer information required under the new CDD rule, narrowly designed systems might prevent financial institutions from being able to comply. Closing those gaps effectively will require potentially significant investments and close partnerships between compliance, IT, and senior management.
Recent AML enforcement actions pinpoint the danger of failing to recognize potential risk and respond appropriately. Although the evolving regulatory landscape poses significant challenges to financial institutions, it might also present opportunities. By performing comprehensive risk assessments and establishing a culture of compliance throughout the organization, a financial institution can position itself to better recognize, identify, and avoid potential risk exposure. At the same time, by making full use of technology solutions, a financial institution can develop a better understanding of its underlying customer base and ensure it complies with AML regulations at a lower cost.
The opinions expressed are those of the author and do not necessarily reflect the views of AlixPartners, LLP, its affiliates, or any of its or their respective professionals or clients. This article regarding Five steps for anti-money-laundering compliance in 2017 (“Article”) was prepared by AlixPartners, LLP (“AlixPartners”) for general information and distribution on a strictly confidential and non-reliance basis. No one in possession of this Article may rely on any portion of this Article. This Article may be based, in whole or in part, on projections or forecasts of future events. A forecast, by its nature, is speculative and includes estimates and assumptions which may prove to be wrong. Actual results may, and frequently do, differ from those projected or forecast. The information in this Article reflects conditions and our views as of this date, all of which are subject to change. We undertake no obligation to update or provide any revisions to the Article. This article is the property of AlixPartners, and neither the article nor any of its contents may be copied, used, or distributed to any third party without the prior written consent of AlixPartners.
- Department of Financial Services Superintendent’s Regulations Part 504, Banking Division Transaction Monitoring and Filtering Program Requirements and Certifications, http://www.dfs.ny.gov/legal/regulations/proposed/rp504t.pdf.