Lessons in preventing AML failures

Earlier this month, Santander was fined 107.8 million pounds (then-U.S. $132 million) by the U.K. Financial Conduct Authority (FCA) for “serious and persistent” gaps in its AML controls. Last December, the FCA imposed a £264.8 million (then-U.S. $350 million) fine on NatWest for failures in relation to money laundering.

The NatWest case represented a significant step, marking the first time the FCA had gone to the courts to pursue a criminal case against a financial institution regarding money laundering.

Also in December 2021, the FCA fined HSBC £63.9 million (then-U.S. $84.3 million) for transaction monitoring failures.

Asking questions

We might sit and ponder why banks continue to be fined, given the ubiquity of staff training; the adoption of new, more effective technology; and the growth and expansion of professional expertise and knowledge that today characterizes financial services.

But there is no need for an inquiry or bout of introspection and soul-searching. The truth is simple: fundamental steps can be deliberately or accidentally overlooked, basic controls not implemented, manual processes not updated, and monitoring insufficient.

These are, of course, not universal failures, with most banks and the staff within them abiding by regulation, legislation, and internal procedures. The problem is a failure need only happen once, and in one place, to result in a regulatory penalty.

Nor are failures always acts of deliberate foul play. Anybody working in financial services will know enormous effort is made to ensure their institution is on the right side of the law. So, failure is very often not for a lack of consideration or due diligence.

Why, then, do such failures continue to exist? And crucially, what can be done to prevent their recurrence?

Moving forward

First, we should recognize risk is an unavoidable part of financial services. That means those risks that are acceptable to a particular institution can be taken on, granted there are measures in place to minimize the potential for abuse.

Some risks are more potent than others. Having examined prominent AML failures, it is clear more attention needs to be paid to the risks inherent to manual transaction monitoring. Not only is manual monitoring liable to human error; it can also be cumbersome and slow. Those financial institutions overwhelmingly relying on such a monitoring system invite inconsistency, particularly with respect to customer due diligence (CDD).

Automated risk tools for CDD can reduce costs, improve efficiency, and help flag issues early. It is an asset that, used properly, can furnish an institution with pertinent information in good time. That information must then be assessed and an evaluation made by a member of staff. It is therefore crucial such an employee is cognizant of those patterns that are suggestive of unusual or suspicious activity. Without this knowledge, it is immaterial what automation is being employed.

There is another key aspect that underlines the utility of human engagement: automation is not foolproof. Interestingly, the FCA, in its explanation of the fine imposed on NatWest, highlighted the bank’s automated transaction monitoring system “incorrectly recognized some cash deposits as check deposits.” Automation should be used in tandem with human intervention and should be regularly checked to ensure it is fit for purpose.

Applying knowledge

A know your customer (KYC) analyst needs to be able to critically analyze information. This demands the skills of seeking out patterns, comparing data, scrutinizing documents, and detecting anomalies. Each of these are attributes that are honed by experience, but they can be developed and sustained through pointed, specific training tailored to an employee’s role.

It’s vital key information and skills obtained via training are then applied appropriately. It is of little use being in possession of a certificate having completed a course, only to seldom apply the knowledge acquired.

To help staff do this, it is useful to encourage a sense of creativity within onboarding or monitoring transactions; in other words, theirs is a proactive role. Such a mindset is far more likely to uncover wrongdoing as it seeks to expose that which isn’t always immediately obvious.

Patterns

If we return to the NatWest case, we see staff within the bank did raise their suspicions with senior management. This included red flags like the high volume of Scottish notes within English branches, an unusual smell emanating from the money itself, and the suspect behavior of those depositing the cash.

That staff spotted and raised these red flags is encouraging; that their concerns were not acted upon is not. In her sentencing remarks at Southwark Crown Court, Justice Sara Cockerill noted that, though an experienced staff member had raised their concerns about the pattern of activity of the offending customer, a manager had decided there were “sufficient explanations on the file.”

These are the fine margins within which staff today at financial services firms are expected to operate. Even with controls in place and workers alert to the presence of red flags, it only takes the adverse and misguided judgement of one or more individuals to hamper an institution’s efforts to prevent money laundering.

This is not a problem specific to NatWest—it can afflict any financial services firm. As we approach a new year, it is wise to reflect upon the lessons of such cases as a reminder of why vigilance, diligence, and patience will always need to be drawn upon to prevent a firm from being abused by criminal activity.

The International Compliance Association is a sister company to Compliance Week. Both organizations are under the umbrella of Wilmington plc.