The uptick in money-laundering scandals continued in 2019, and as has been the case during the past two decades, financial institutions continue to struggle with anti-money-laundering (AML) compliance issues and risk-management challenges. While this is certainly not surprising, one must question why sophisticated organizations such as financial institutions continue to grapple with solving the challenges of AML compliance and face ever-increasing regulatory-enforcement actions.
While some may suggest bad faith, the apparent root causes are much more mundane and operational in nature and require a “step back to the basics”.
After years of focusing on AML compliance, financial institutions have built large (but not always robust or fully streamlined) compliance control processes and systems. Some AML compliance departments function reactively rather than identifying future problems and responding to them preventively or avoiding the problems altogether—with some compliance departments resembling “factories” more than agile, independent control and oversight departments.
Over more than 20 years, the AML compliance processes and systems at many financial institutions have grown too large and too clumsy to be able to react swiftly to changes to regulatory expectations, geopolitical events and scandals at their reactive counterparties. For many financial institutions, now is the time to recalibrate their efforts and to refocus their often scarce compliance resources more effectively. Outlined below are the key areas that financial institutions should consider.
Risk assessments: revisited
Customer risk-rating models are one of the primary tools to determine a financial institution’s overall money-laundering risk and exposure, and they are used globally. The risk-assessment models deployed at most financial institutions are based on classifications of basic customer risk criteria. These criteria include geography and business or entity type, to name a few. These data points are collected at the onset of a relationship and are weighted to create an initial customer risk score.
However, this methodology often leads to miscalculations of true customer risk, potentially incorrectly classifying higher-risk customers, which in turn creates inefficiencies and in tandem increases risk exposure for the financial institution. An additional challenge for most financial institutions is the deployment of different risk-assessment methodologies across different business lines and geographies—this can produce unintended results. For example, when the same client receives a different risk rating because of different geographical or business-line considerations, the financial institution may be criticized, and its entire AML internal-control structure questioned.
Because of this, progressive financial institutions are deploying more holistic customer and overall risk assessments. They are using enhanced common sets of risk factors for customers and products, ones that are consistent across geographies and lines of business to create more accurate customer AML-risk baselines.
Our client work in this space indicates that senior management and members of the board of directors are often frustrated when presented with risk assessments that follow a static “checklist” model rather than a dynamic assessment of the true risks posed by customers and the operations of the financial institutions. This model can be more challenging to execute against strategic business goals.
Given that a sound AML-risk assessment serves as the baseline for developing and enhancing robust internal controls for AML compliance, the importance of adequately assessing money-laundering risk cannot be overstated. Additionally, by deploying more dynamic risk-assessment models, compliance departments can become more effective and efficient, shifting from “factories” back to their initial goal of achieving an agile oversight function and ultimately decreasing the pressure on the bottom line—“risk assessment 2.0” should be considered by both members of compliance departments and senior management.
IT: Are we sophisticated enough?
Robust information-technology (IT) systems have always been critical parts of AML compliance. However, as recent enforcement actions have shown, legacy IT systems and siloed processes appear to be ongoing struggles for financial institutions—a trend that will likely continue unless financial institutions focus on the robustness of their IT systems.
Ideally, a financial institution should be able to see the full picture by monitoring and sharing its customers’ transactions across businesses and, potentially, jurisdictions, which will help facilitate the identification of any unusual transactions and behaviors as well as potential sanctions violations. Many financial institutions continue investing in systems or people to manage the output; however, those institutions should consider what will be sustainable for the long term instead of aiming only to meet today’s minimum regulatory standards.
Many financial institutions around the world are plagued by dated IT systems that exhibit drawbacks including, but not limited to, the following:
- not all customer data (historical or current) is currently available in digital format;
- due to acquisition activity, legacy systems exist that are siloed and/or cannot handle the increased demands of compliance due to their inherent limitations;
- in-house systems do not have a common interface to exchange information, often leading to siloed solutions in certain geographies and lines of business; and
- central customer-data repositories lack the level of sophistication required to create dynamic, agile AML compliance models.
As a result of increased regulatory enforcement and activity and the focus on regulatory reporting of suspicious transactions and activities, many financial institutions worldwide have invested heavily in state-of-the-art, sophisticated monitoring systems. However, the saying “garbage in/garbage out” continues to apply. While monitoring solutions have significantly evolved, the “input” from financial institutions often seems to be lacking. This has led to a new reality of not fully utilizing state-of-the-art solutions, exposing the financial institutions to further criticism by regulators.
The buck stops here: the board of directors
Although ultimate responsibility for AML compliance lies with the board of directors (BoD), its role should consist of active oversight and strategy setting, while an AML program’s day-to-day management and implementation should rest with the designated AML compliance officer.
An active, involved and knowledgeable BoD is essential for the successful implementation of an organization’s robust AML and sanctions compliance program. Boards that thoroughly understand the applicable legal and regulatory requirements are in the best position to provide oversight and allocate sufficient funds and staffing.
However, boards also need to be vigilant and not step back from day-to-day compliance matters or adopt a “head-in-the-sand” policy that leaves AML compliance solely in the hands of senior management. BoDs do have ultimate oversight and responsibility, and now is the time for many of them to examine fully their companies’ compliance strategies and how well senior-management teams execute and implement those strategies.
A top priority and the time to act for financial institutions
Given the clear indications that regulatory bodies around the world will continue to enforce AML compliance aggressively, financial institutions are advised to take an immediate look at their AML compliance efforts. These organizations need to do so not only from a pure compliance perspective but also from the perspective of operational efficiencies, effectiveness and solutions—how to operate smarter and more agilely as the current marketplace demands.
Financial institutions must continue to build their brands and aim to be synonymous with above-average service levels, innovation and promotion of financial success—after all, the lack of adequate AML risk management can lead to association with human trafficking, drug smuggling, corruption and other criminal activities.