In an effort to improve the effectiveness and efficiency of anti-money laundering (AML) programs, the Financial Crimes Enforcement Network (FinCEN) announced in September that it was soliciting comments regarding potential regulatory amendments to the Bank Secrecy Act. This development is a welcome opportunity to improve at the institutional level what is widely viewed as a broken system—not due to lack of effort or commitment but due to systemic shortcomings in how AML is approached. Understanding those shortcomings is essential for designing changes that will bring about the desired improvements. (Addressing interjurisdictional issues is another matter entirely.)

Currently, institutional AML programs are based on the “five pillars”: internal policies, procedures and controls; designation of an AML officer; employee training; independent testing; and customer due diligence (CDD). On the surface, these pillars seem comprehensive, but they are actually heavily skewed toward AML management rather than the actual AML risks that exist within an institution. Even the two pillars that come closest to addressing risk—internal policies, procedures and controls, and CDD—fail to cover the scope of the money laundering problems that organizations face.

According to a United Nations Office on Drugs and Crime report,¹ it is estimated that 99% of illicit funds elude detection, which means that institutions need to assume there is a substantial amount of dirty money already in their organization. No matter how diligent onboarding efforts may be, there will likely always be a percentage of current customers engaged in financial crime. Thus, continual monitoring as well as analysis of customers and transactions are essential. Even if a customer base is static, those customers will evolve. A customer classified as low risk when onboarded five years ago may have had changes in circumstance, outlook or personal network, which could elevate their risk profile. But there is nothing within the five pillars that reinforces the idea that CDD needs to take place continuously and across the customer lifecycle, from onboarding to termination of the banking relationship.

Therefore, the model that emerges from this new round of rulemaking must be centered on the customer lifecycle; AML planning, management and benchmarking would follow from that. An instructive example of a lifecycle-focused approach can be found in the National Institute of Standards and Technology’s Cybersecurity Framework.² As cybersecurity transitioned from being a problem deep in the IT department to a board-level concern, there was a growing realization that prevention, in spite of being critical, was not an adequate reflection of what was needed for organizations to confront cybercrime.

As cybercrime became more ubiquitous, cybersecurity leaders had to adapt to the fact that breaches were not a matter of “if,” but “when.” This critical shift in perspective drove the evolution of cybersecurity best practices, as encapsulated in the cybersecurity framework’s five functions: identify, prevent, detect, respond and recover. However, these functions do not describe cybersecurity management but rather the capabilities needed in an environment of pervasive cyberthreats. The five cybersecurity functions are then broken down into two levels of subcomponents to allow for more granular analysis supported by extensive standards, guidelines and best practices.

Importantly, the cybersecurity framework does more than reflect a holistic, lifecycle-based philosophy of cybersecurity. It provides a structure by which cybersecurity leaders can benchmark variables like resource allocation, system performance and vulnerability so that decision-makers can readily see, for example, if they are overweighting one element at the expense of others. This benefit of the cybersecurity framework makes it a relevant example in connection with the stated goals of FinCEN’s initiative, which is “to provide financial institutions greater flexibility in the allocation of resources and greater alignment of priorities across industry and government."³

Since financial crime has existed as a major challenge for financial institutions for considerably longer than cybercrime, it might seem ironic to consider cybersecurity for guidance. But cybersecurity may have an advantage in developing its crimefighting response: Having begun as a technical problem, it was largely solved by technologists who approached it with a systems-based approach. On the other hand, financial crime has always been fundamentally viewed as a regulatory problem to be tackled with a compliance-based approach—a mindset that is reflected in the current five pillars.

Unfortunately, a compliance-based approach has two vulnerabilities. First, it is naturally inclined toward fighting the last war: Compliance follows regulation, which in turn is set to prevent a recurrence of specific incidents. While a systems-based approach has a similar goal, it also uses past events and creative thinking to identify problems before they occur. Second, a compliance-based approach, not surprisingly, emphasizes compliance at the risk of undercutting true knowledge of the matter in question. So while this approach can fulfill CDD requirements, the business address that the customer provided and whether the business site produces the goods and generates the revenue that the customer represents can remain unknown.

Advances in artificial intelligence and machine learning technologies, such as robotic process automation, have the potential to improve AML efforts greatly by increasing bandwidth and accuracy and by flagging areas for closer inspection. But technology itself does not provide a system-based perspective; it needs to come from the decision-making process through which the institution sets its AML priorities and strategy. In addition, the dissemination of these priorities throughout the institution makes all the difference.

FinCEN’s re-examination of AML requirements provides the opportunity for a much-needed reset not only of requirements but also of the underlying thinking fostered by those requirements. Seizing that opportunity means constructing guidelines focused on AML risk as it exists at each point in the banking relationship and in each transaction. While this will not solve every challenge AML faces, it will go a long way in helping institutions maintain the essential holistic perspective that is necessary to improve the effectiveness and efficiency of AML programs—and that is easy to lose when the emphasis is on compliance.

John Arvanitis, managing director, Kroll, a division of Duff & Phelps, New York, NY, USA, John.arvanitis@duffandphelps.com

1. “Estimating illicit financial flows resulting from drug trafficking and other transnational organized crimes,” United Nations Office on Drugs and Crime, October 2011, https://www.unodc.org/documents/data-and-analysis/Studies/Illicit_financial_flows_2011_web.pdf
2. “An Introduction to the Components of the Framework,” National Institute of Standards and Technology, https://www.nist.gov/cyberframework/online-learning/components-framework.
3. “FinCEN Seeks Comments on Enhancing the Effectiveness of Anti-Money Laundering Programs,” Financial Crimes Enforcement Network, September 16, 2020, https://www.fincen.gov/news/news-releases/fincen-seeks-comments-enhancing-effectiveness-anti-money-laundering-programs