In Software We Trust—or do we?

A current upward trend in global regulatory initiatives is increasing the burden on banks and other institutions to ensure that their anti-money laundering (AML) and compliance programs are not only robust, but also tested. The message from regulators for non-compliance with OFAC, BSA and U.S. Patriot Act regulations is loud and clear: huge fines, intense screening and additional monitoring requirements.

More requirements mean more due diligence. More due diligence increases the number of alerts and consequently leads to an uptick in false positives. Despite automation, managing alerts remains a formidable challenge for watch list filtering, and an expensive one at that. The rising costs of manually analyzing alerts and determining which ones warrant additional investigation exacerbate the problem.

Regulators expect all institutions, regardless of their size, to have effective and efficient controls and technologies in place for screening customers and transactions. While institutions work to optimize their risk-based processes, software providers in this market have spent years developing algorithms and rules-based logic to help manage the "alert factories." But this approach, which focuses primarily on quantity not quality of alerts, falls short. There are still far too many alerts for institutions to handle in a timely manner. Nonetheless, banks and other institutions have wholeheartedly embraced these software solutions. While not completely solving the deluge of alerts, they do facilitate compliance with know your customer (KYC), enhanced due diligence (EDD) and transaction monitoring requirements.

The Double-Edged Sword of Fewer Alerts

"Reduce false positives and enhance investigator performance." "Reduction of false positives is key to achieving efficiency in sanctions and politically exposed persons (PEPs) screening." "Reduce workload with reduced false positives." How many times have you read these statements in a marketing brochure or heard them in a sales pitch? It is almost impossible to discuss watch list filtering without mentioning false positives. Or is it?

We are beginning to see that the focus on reducing the quantity of alerts is having unintended consequences in ways that institutions, regulators and software vendors never anticipated. In an environment of intense regulatory scrutiny, delivering "too few" alerts can cause senior management and regulators to suspect that something is being missed. As a result, institutions are hesitant when determining where to set their filtering thresholds and are reevaluating their risk levels. If filtering thresholds are set too high, generating fewer alerts, there is concern that the system is not effectively identifying risk. Consequently, important alerts will indeed be missed. If they are set too low, filtering will return an overabundance of low-quality alerts that will consume valuable investigative resources while potentially higher risk alerts remain at the bottom of the pile.

Reducing false positives and the overall quantity of alerts, once the holy grail of mitigating risk, is suddenly thrown into question. This prompts us to ask whether an alternative that also considers the quality of alerts as a primary factor is a more effective approach to managing risk.

Charting a New Direction

By now, regulatory examiners have been exposed to a variety of watch list filtering solutions when conducting their examinations and have devised rigid name-matching tests to gauge the effectiveness of an institution's compliance software. The institution under examination is expected to understand the software application. They must be able to articulate how it is tuned and what methodology they use to determine if a hit is true or false.

Technology grounded in mathematical and scientific principles to draw conclusions about the likelihood of an alert being true can have a tremendous impact on an institution's ability not only to manage risk effectively and efficiently, but also to demonstrate a sound compliance program to the regulators. A glimpse of the future? On the contrary. It represents a new paradigm that has found its way into forward-thinking institutions with a holistic view of managing risk.

Using specific data elements to rate the relative strength of potential matches returned by a filter and then corroborating this data with other information sources empowers institutions to prioritize those alerts that are most likely to be true. The vast majority of false positive alerts returned from name matching software can then be eliminated by using points of conflict to rule out matches without the need for manual intervention. Risk thresholds are clearly defined and the compliance analyst now has a preponderance of evidence supporting the quality of the alert.

Building Confidence

Challenging the status quo and changing the way compliance professionals look at alert management might be considered a bold move in a traditionally conservative industry. But can institutions really expect to keep pace with the money launderers, fraudsters and perpetrators of other financial crimes if they continue to choose the path of least resistance?

The dynamic nature of AML, fraud and compliance and its regulatory requirements, coupled with the perpetual problem of too many alerts, is reason enough for institutions to seek out technology partners whose alert reduction techniques are designed around the new paradigm and already tested in real-world scenarios with proven results.

The following guidelines will help facilitate a suitable evaluation and ensure confidence:

  • Request a proof of concept to measure results against current metrics
  • Validate that the screening processes are consistent and repeatable
  • Verify the relevance of the prioritized alerts
  • Run various scenarios to determine risk tolerance
  • Understand how the software is tuned and the potential impact at different settings and thresholds
  • Ensure that the methodology is defensible to regulators
  • Build a trusting relationship with the vendor that is open to knowledge sharing

The next step is to educate senior management, regulators and others that the goal of achieving fewer alerts is still valid but only if the focus is on delivering alerts that are both high-quality and relevant. Reliable metrics will gain their trust in the validity and success of this approach.

A sound AML and compliance program must demonstrate its ability to execute on plan. This requires an operating infrastructure that combines technology with human intelligence. There is no doubt that an institution's first line of defense to combat financial crime and guard against reputational, financial and operational risk is well-trained staff who understand the nuances of the applications they use on a daily basis. Equally important is a culture within compliance at all levels that is willing to question the status quo and accept new solutions to old problems. Finally, it requires strong working relationships with technology partners, built on mutual respect and trust that the software provided does what it is supposed to.

Carol Stabile, CAMS, senior business manager, Safe Banking Systems LLC, Mineola, NY, USA, carol.stabile@safe-banking.com
