AML strategies keep evolving, and so do the risks

For those tasked with oversight, anti-money laundering compliance and similar controls related to financial crime may seem akin to rolling a giant boulder up a hill. The task is hard, taxing, and ultimately futile once that boulder rolls backwards. Add one more element to the metaphor: that giant rock keeps getting heavier and heavier.

Safeguarding an organization against financial crime is as complicated and time-consuming as it is critical. How do you assess the risks you face, stay compliant with ever-changing regulations, and keep one step ahead of the bad guys? 

The good news is that technology is perpetually adapting to meet the challenge. Big data opens the doors for comprehensive, relatively inexpensive data collection; advances in analytics mean all that information can be strategically applied. Unfortunately not everyone is up to the task.

Among the long list of demands being placed upon financial institutions, one of the latest comes from the Financial Crimes Enforcement Network, the enforcement arm of the Treasury Department. It recently released its most comprehensive AML regulations since 2001. Those rules require that financial institutions adopt customer due diligence procedures to identify and verify legal entity customers’ beneficial owner at the time a new account is opened. Compliance with the new rule begins on May 11, 2018.

“There is regulatory fatigue. Beyond deciphering the regulations and dealing with enforcement actions and audits, there is getting all that work done of investigating all of the related risks,” says Donna Weiss, director of product marketing and case management for NICE Actimize, a firm that provides a financial crime, risk and compliance software platform for the financial services industry. “It is a pain that is felt every day by all compliance officers.”

While new technology can ease and automate that burden, implementations need to be strategic and effective given the nature of the organization. NICE Actimize recently released the results of its "2016 Financial Crime & Compliance Risk Management Survey." It explored financial services professionals’ opinions on those topics, especially in terms of the efficiency of investigations. The bottom line: there is a continued need for improvement.

In 2016, 56 percent of organizations spend more than 30 percent of their time on manual activities; 32 percent spend over half their time on manual processes. When asked what triage and investigative activities that involve “human touch” would their organization benefit from automating, external and internal evidence gathering topped the list among more than half of respondents. Forty-five percent added escalation and reassignments to the list.

On average, how many systems or data sources are accessed during a “typical” financial crime and compliance investigation? The results show that detection and analysis remains fragmented: nearly 30 percent reported seven or more systems, while 43 percent use between four and six. Only 13 percent of those surveyed said that they currently have fully integrated processes and systems based on a unified technology architecture and data mode; 58 percent reported semi-integration; and 18 percent have totally disparate systems. The good news: those companies expect a three-fold increase in integration over the next 24 months.

“While I think compliance being a risk-averse group of people, the pain is so great that they are looking to leverage technology to help. The open checkbook is no longer there and just continuing to hire people is no longer a sustainable business model,” Weiss says. “The question they all have is where to start. Where is the low-hanging fruit? We talk about artificial intelligence and all these major advances that are a little bit scary, but there are still small things compliance teams can do today.”

The challenge many organizations will need to face: compliance employees can “either be doing chores, or they can be risk strategists for the entire organization,” says Chad Hetherington, global vice president and general manager for enterprise risk case management at NICE Actimize. “There are efficiency gains with pooling 1,000 investigators into risk strategists.”

Recent, but separate research by the firm shows that technology, personnel, and lack of quality data are hindering anti-money laundering efforts. Problematic areas include time intensive, manual activities.

“Hopefully, technology is advancing enough so that over the next several years we will get to the point that IT costs will get to the point where it will be a little less cumbersome to gain a better view of the data and be more efficient.”
Chad Hetherington, Global VP and General Manager, Enterprise Risk Case Management, NICE Actimize

The top three areas of investment cited by respondents in a recent survey conducted by the firm were: automation through new technologies (56 percent); training programs (45 percent); and increased staffing (28 percent). Among their concerns, 36 percent said employee skills inhibit accurate collection of beneficial ownership data. The top Know Your Customer (KYC) operational challenges were reported as data availability and data quality.

Nearly half of all financial institutions are having trouble keeping customer information up-to-date and nearly as many have beneficial ownership compliance troubles when onboarding new clients.

“There are all these new regulations and a new focus on enforcement actions and fines,” Hetherington says. “What financial institutions have done over the past several years is hired up people and thrown bodies at this challenge that is in front of them. We have some clients who, over the past three years, have seen growth in the risk and compliance staff of anywhere between 33 percent to, in one case, all the way up to 500 percent. They have incurred all this additional cost into the organization, but they haven’t really driven down efficiency.”

Hetherington describes a tipping point happening, one where organizations can’t continue to absorb these costs, especially in the current revenue environment and tight margins they must manage to.

Adding to regulatory challenges and fatigue, and prompting a greater desire for risk management efficiencies, is the rise of new, technology-driven services, such as mobile banking, that are fueling an increased number of transactions across a greater number of business channels. “Every additional system or channel brings with it a new regulatory focus,” Hetherington says. “The other reality is that there is [organizational] history. Over time, a lot of these institutions have evolved to have many different siloed systems and don’t necessarily have the holistic view. It has exacerbated the fact that they have more and more alerts and they need to figure out a way to deal with them.”

KYC WOES

Below are some findings from the NICE Actimize survey, “Beneficial Ownership & CDD Imperatives in a Dynamic Regulatory Environment.
Among the findings: “customer information issues were cited as the number one concern. Approximately 43 percent of the global survey respondents stated that the increased length and complexity of the onboarding process was the number two factor that made achieving compliance difficult.
About 39 percent of the institutions noted concerns with the skillset or experience levels of personnel collecting the information as a leading factor in securing accurate beneficial ownership data.
The survey also addressed broader challenges when it comes to Customer Due Diligence/Know Your Customer compliance, specifically highlighting data collection processes and related issues. In order of concern, respondents cited data availability/quality; reliance on manual processes; and new risk scenarios as their greatest operational challenges related to their current CDD/KYC programs.
Additional beneficial ownership challenges currently addressed by the institutions include, in order of priority: information that cannot be validated; updating existing IT systems to be able to hold the information; the increased cost of compliance programs; and the difficulty associated with using the data for risk assessment purposes.
Other general CDD/KYC issues cited by survey respondents as impacting compliance capabilities included difficulties with maintaining or updating existing IT infrastructure, a lack of qualified AML compliance staff, and the complexities with enforcing risk policies on a consistent basis.
The survey was conducted in May 2016 by a third-party, anti-money laundering-focused industry trade group. Nearly half the survey respondents came from financial institutions across North America, with EMEA and APAC comprising the balance of the 345 total survey respondents. In terms of market segment, about two thirds of the respondents represent financial institutions (about 40 percent retail and 40 percent commercial), with an additional eight percent from money service bureaus, five percent from securities firms and four percent or less from other industry segments.
Source: NICE Actimize

Firms that have completed numerous acquisitions in recent years are even more likely to have overly complex systems in place and laborious compliance and data analysis.

Advances in FinTech, Big Data, blockchain, and artificial intelligence all bring opportunities for the ultimate solution: replacing manual processes with automation, freeing up compliance and risk personnel to escape grunt work and focus on risk mitigation and strategy.

“The good news is that there is a lot of new technology over the past five years,” Hetherington says. “You can look at Big Data and other technologies focused on advanced analytics that help us see a path forward for institutions as they start to break down some of their silos and bring the data together.” The reality, however, is that for now there is no perfect approach and institutions are still trying to wrap their arms around the best approach. His advice: recognize the importance of automation, take the small steps you can now, make sure relevant employees are properly trained, and plan for larger efforts in the future.

“Hopefully, technology is advancing enough so that over the next several years we will get to the point that IT costs will be a little less cumbersome to gain a better view of the data and be more efficient,” he says. For now, at many institutions that have invested in employees but not training or technology, the problem with that plan is becoming obvious. “We’ve seen AML and compliance teams that need to ask IT to run a report, one they won’t get it back for another 2-5 days. It is incredible what they may need to go through.”

International operations face added challenges with a panoply of various data and privacy laws to follow, many of which conflict with each other. “Fortunately, we are seeing more regulators across different jurisdictions working together,” Hetherington says. “I’m hopeful that over time we will break down those barriers.”

Foreign financial institutions can face dire consequences from the increase of regulations focused on AML, KYC, and beneficial ownership and the struggle to keep up with all the needed data. Increasingly, ignoring the advice of domestic prudential regulators, banks are cutting loose entire categories of customers and geographies rather than attempting to manage or mitigate the risks they pose.

“In an effort to lower their risk they de-risk a whole segment or a whole sector, either geographically or industry-wide,” says Ellen Zimiles, head of global investigations and compliance for at Navigant Consulting. “That has a very detrimental effect on the financial institutions in those countries and the people who have to use them.”

By necessity, these firms and geographies are fighting back as best they can. “What we are seeing quite a bit of now, and we are seeing it seen it in different countries around the world, is that their regulators want a review their own regime,” says Zimiles, a consultant who has worked internationally with troubled banking systems to help restore their reputation. “They then have a third party come in, apply their regime against U.S. standards.”

That process of regulatory equivalency can take a lot of time and effort. An institution may be requiring more of a client than its in-country peer banks that don’t deal with the U.S. as much.

“There is no question that in most situations the financial institutions in those countries won’t fare well, because they haven’t been subjected to the U.S. standards and will need to develop and enhance their programs,” Zimiles says. “Once they do, they need to go back to a U.S. institution that may have de-risked them or exited a relationship to say, ‘We understand that there is an issue in this country, but if you look at us, specifically, we are able to address your concerns and this is how we mitigate those high risks for financial crime.’ We see one country after another taking that approach.”

Compliance then gets flipped back to the U.S. institution. How much is it willing to spend clearing each client, maintaining a relationship, and administering related controls? “Sometimes it just becomes a cost benefit analysis,” Zimiles says. “If it is not worth the extra cost of monitoring those clients and doing investigations, if it costs too much to keep them, they just end the relationship. At the end of the day, they may feel they are spending too much time and, when relying on someone’s judgment, there is always the risk that the regulators might disagree with that judgment.”