Despite perpetual talk of deregulation in the U.S., compliance officers at financial institutions are finding little reprieve from their anti-money laundering programs.
Experts expect an escalated pace of AML-related enforcement heading into 2019. The Office of the Comptroller of the Currency, for example, said it will increase its examination focus on the effectiveness of Bank Secrecy Act programs and AML systems and controls in its report on Fiscal Year 2019 priorities.
More importantly, AML enforcement in the U.S. continues unabated. “A flurry of new cases have hit the headlines since the beginning of the year, and the US remains the jurisdiction that levies the most AML fines globally,” says a client advisory from ACA Compliance Group, a provider of governance, risk, and compliance advisory services.
Recent enforcement trends, it says, include: severe civil monetary penalties reaching mid-size and small financial institutions; jurisdictions imposing mandatory certification programs for compliance personnel; and compliance violations resulting in civil prosecution and debarment for compliance executives.
In the mix is the Financial Crimes Enforcement Network’s new “Customer Due Diligence Requirements for Financial Institutions.”
Known as the CDD Rule, it went into effect in May. It requires financial institutions to maintain written policies and procedures that are reasonably designed to identify and verify the identity of customers; identify and verify the identity of the beneficial owners (controlling 25 percent or more of a company holding a corporate account); develop customer risk profiles; conduct ongoing monitoring to identify and report suspicious transactions; and, on a risk-based basis, to maintain and update customer information.
“The large volume of financial crime cases this year has given the impression that there are growing weaknesses in institutions’ anti-money laundering controls,” says Aaron Kahler, director of AML and financial crimes for ACA Compliance Group. “The reality is that these cases will continue to surface unless the industry keeps apace with the growing sophistication of regulatory examiners.”
The OCC “is continuing to evolve by hiring highly skilled professionals with technology, data, and analytical expertise to grow the agency’s capabilities to look into the overall compliance model of an AML program, including a deeper dive into the technology, systems, and analytics utilized in supporting the model,” he adds.
Anti-money laundering controls should be considered “a continuous process that is consistently fine-tuned, not a box-ticking exercise once or twice a year.”
“As regulation continues to develop and improve, firms must allow time to catch up and then stay on the front foot of the examiners,” he suggests.
FinCEN’s CDD Rule “has caused increasing numbers of firms to shift their hiring and focus of compliance staff toward more efficient customer due diligence practices, rather than addressing and managing regulatory change,” conclude the authors behind Thomson Reuters’ “U.S. Anti-Money Laundering Insights Report” for 2018.
The report, compiled with the Association of Certified Anti-Money Laundering Specialists, provides data on how financial institutions are addressing these challenges.
The CDD Rule, the report says, “already has, had, and will continue to have, a dramatic impact upon the operations and practices of firms.”
An accompanying survey found that 28 percent of respondents (253 AML compliance leaders took part in the exercise) anticipate an increase in staffing for AML compliance purposes, a sizable increase compared to 8 percent in 2017.
The FinCEN rule might continue to require substantial time and investment, but improving data management and data quality, investing in new technology, process automation, and streamlining business processes also are areas of focus, Thomson Reuters says. For these, the biggest challenges are increased regulatory expectations, properly trained staff, and outdated technology.
Doubling down on AML compliance can be a costly proposition, especially given that recent research estimates the total cost to domestic institutions is roughly $25.5 billion a year, LexisNexis Risk Solutions reports in a recently released series of studies covering the “True Cost of AML Compliance in the U.S.”
Survey responses included more than 150 decision makers at banks, investment, asset management, and insurance firms.
The report shows that smaller firms are hit hardest, relative to their bottom lines. Their cost of AML compliance reaches up to .83 percent of total assets, compared to larger firms, which see costs up to .08 percent of total assets. These costs are driven by the fact that certain overhead investment requirements exist when implementing an AML program, regardless of scale.
“As compliance costs rise, mid- to large-sized firms are using a wider array of newer technologies and data sources to prevent financial crime,” says Daniel Wager, vice president, global financial crime compliance, at LexisNexis Risk Solutions. “While these firms report a higher average compliance spend per year ($18.9 million), they are actually lowering the cost of compliance. The overarching goal is to achieve compliance with greater efficiency and with less human capital.”
Financial institutions are looking to leverage AML compliance processes to better understand/manage their customer relationships, the survey says, observing that, “AML compliance processes can improve financial risk management and benefit other business functions, when more technologies are used.”
Implementing a layered approach to AML compliance technology “may not only be necessary, but also crucial to improving AML compliance processes,” it adds. “Firms that use a layered solutions approach, using multiple services like cloud-based KYC procedures, shared interbank databases and machine learning/AI, take significantly less time to complete due diligence than those using just one of these alone.”
Nevertheless, many firms are still relying on manual efforts with their AML compliance technology, “which is not optimal for either performance or cost-effectiveness.”
The need for firms to invest more in AML programs is separate from whether enforcement actions rise or fall in either number or cost.
“Financial institutions are doing a good job of complying, and the enforcement actions have kind of backed off,” says Jennifer McEntire, director of financial crime compliance strategy for LexisNexis Risk Solutions. “How we've seen the market shift is a trend toward wanting to become more effective in their compliance programs. By effective, I mean really catching bad guys. These are no longer the days of just wanting to go through false positives in every possible workflow and having thousands of analysts just reviewing these things all day. They now want to be making a difference and actually narrowing and targeting risk.”
Financial institutions, McEntire added, want to be more cost-effective, especially as the bottom line for compliance, driven in large part by labor costs, continues to rise every year.
“They want to streamline their workflows using the right technology and the right vendors to make their process smooth and automated,” she says. “That is really where we've seen customers of all sizes heading.”
A key observation from the research: large financial institutions are using more technology, more enhanced data sets, and have more robust programs.
“While they are spending more, they're actually getting a better economy of scale than the smaller financial institutions,” McEntire says. “The cost of AML compliance, as a percentage of their total assets, is actually much higher for the small banks than the large banks.”
The focus on technology also bears out that the manual aspect of compliance has proven to be inefficient and not effective.
“You tend to get less than productive and less satisfied employees,” McEntire says. “By implementing technology, you are really allowing yourself to use your employees for brainpower and being able to leverage them for what a machine can never do.”
Even the smallest financial institution can benefit from data or technology that they're not currently using, she adds.
Technology implementations are also getting much easier (and less risky) now that regulators are increasingly supportive.
“Look back a few years ago, the idea of implementing, for example, machine learning into a compliance process,” McEntire says, “there was no appetite for that, because the regulators didn't have an appetite.” Now, regulators are themselves looking to implement machine learning and artificial intelligence, evaluating those solutions for their own processes.
“They are opening their eyes to something like machine learning and passing that information down to their financial institutions, saying, ‘This is really good stuff. You can still understand what the technology is doing, you can still explain it, you can still have model validation around it if necessary,’” McEntire says.
Regulators are also learning to trust compliance officers, confident they will approach new and emerging technology with caution.
“Compliance people will never be classified as the risk-takers, right? They're not going to go off the rails and suddenly implement things that get out of control, or where they don't understand the implementation process,” McEntire says.
Among the advice LexisNexis Risk Solutions has for financial institutions looking to reduce cost while improving the effectiveness of AML programs, know-your-customer policies, and BSA compliance in general: improving communication across the bank’s various units and departments.
“You've got your mortgage department, your loan department—maybe auto lending and deposit accounts. You might also have a group for high net worth individuals. All of these different lines of business can be on different banking platforms,” McEntire says. “It is always astounding to see how many banks, internally, have trouble getting a consolidated view of their customers, as a whole and across lines of businesses.”
Think about how that increases your compliance expenditure, she suggests. Compliance processes, including verifying, screening, and other customer due diligence activities, are continually duplicated on whatever platform or system a particular task might be established on.
“By just sharing data internally, you're getting cost savings,” McEntire says. “Work isn't duplicated.”