Four years after the financial crisis, trust in the banking industry continues to plummet. While institutions struggle to keep reputational risk in check, a number of high-profile scandals this year have not only exacerbated the already negative public perception of banking but have also prompted increased regulatory scrutiny and punitive actions.
In July 2012, the United States Senate Permanent Subcommittee on Investigations, Committee on Homeland Security and Governmental Affairs issued its report on U.S. Vulnerabilities to Money Laundering, Drugs, and Terrorist Financing. HSBC was cited as a case study to examine the anti-money laundering (AML) and terrorist financing vulnerabilities created when a global bank uses its U.S. subsidiary to provide high-risk affiliates, correspondent banks and clients access to the U.S. financial system. The report was unprecedented — not only documenting the unacceptable anti-money laundering practices at HSBC and its U.S. subsidiary but also pointing to the need for accountability at the Office of the Comptroller of the Currency (OCC), which is the responsible examining regulator. Following this very stern admonition and in anticipation of more challenging examinations by the regulators, financial institutions are compelled to re-evaluate the effectiveness of their governance, risk and compliance (GRC) programs.
A Comprehensive Approach
We live in a digital world where global opportunities for fraud, money laundering, terrorist financing and other criminal activities continue to increase exponentially as technology becomes more sophisticated. The complexity and intelligence behind these financial crime schemes make it significantly more challenging for the AML community to keep up. The need for new methodologies and collaboration among the financial industry, law enforcement and regulators has never been more critical. Now more than ever, regulators expect institutions to reinforce their commitment to compliance and risk management by implementing an integrated, holistic approach for managing financial crime. “Adopting a Comprehensive Approach to Financial Crime Prevention” was no doubt a fitting title for this year’s ACAMS 11th Annual AML & Financial Crime Conference in Las Vegas where the theme echoed throughout the conference sessions and panel discussions. The topic of risk modeling was of particular interest since banks are expanding their use of risk analytics and modeling for decision making on a broad range of activities including AML and compliance.
With more emphasis on testing and monitoring controls, traditional know your customer (KYC), enhanced due diligence (EDD) and transaction monitoring processes are no longer effective. Budget constraints and staff reductions further complicate the situation, making it increasingly difficult to meet regulatory expectations. KPMG’s ‘Global Anti-money Laundering Survey’ cites high false positive rates and system expenditures as the biggest contributors to rising compliance costs. More often than not, filtering software will be tuned to generate alert volumes that are consistent with staffing levels. This approach fails on several counts because it does not utilize qualitative data, it increases the risk of false negatives from over tuning and it invites regulators to further scrutinize monitoring governance. Regulators are requesting more detailed information how system thresholds are being set, how filtering engines are being tuned and how institutions are sourcing requisite data for monitoring and investigations. This line of questioning places additional stress on already overburdened compliance departments.
Modeling to Reduce Risk
Risk models should be a key component of all AML and fraud programs because they can be leveraged to achieve an integrated approach to financial crime and compliance management. Models can be defined as a quantitative method, system or approach for processing data. Statistical and mathematical techniques are applied to transform data inputs into quantitative information that can then be translated into business intelligence. Models are simplified representations of the real world.
Effective risk models for combating anti-money laundering and other financial crimes should analyze geography and country risk, business and entity risk and product and transaction risk. This systematic, three-pronged approach to risk can be used for KYC, EDD and transaction monitoring activities. For example, politically unstable or corrupt governments, countries with inadequate AML regulations and drug-producing and trafficking regions are significant factors when ranking country risk. Potential red flags for business accounts are high volumes of cash activity or money-laundering targets such as casinos, gaming or broker-dealers. Understanding what is considered normal operations for business accounts will ensure a more accurate risk assessment. Politically Exposed Persons (PEPs) pose some interesting challenges when analyzing entity risk because the regulatory definition of a PEP is somewhat broad and hidden links to family members and close associates are often missed. Finally, offshore shell and trust accounts as well as products and services that support frequent movement of funds through a variety of money transfer mechanisms can be easy conduits for money laundering and terrorist financing.
AML software with sophisticated risk models capable of analyzing reams of data to identify non-obvious links and relationships has been instrumental in pre-empting risk and helping financial institutions to generate higher quality alerts while reducing false positives. This is a better solution than forced tuning to control operational capacity. Understanding the data elements that determine whether an alert will lead to a productive investigation and then utilizing advanced analytic and probability models to eliminate unnecessary human intervention in the decision process reduces the labor-intensive tuning of individual rules and increases the quality of alert output. Financial Investigation Units can focus their attention on those alerts that pose the highest risk while compliance departments can manage a few models instead of hundreds of rules. This principle versus rules-based methodology makes ongoing monitoring processes more effective and less costly.
Model validation is an increasingly important process as regulators now look for integration of sophisticated analytics with robust risk management. Institutions should be prepared to verify that models are performing as expected and to validate their design, data, process and system as follows:
Model Design: Validate conceptual soundness and document evidence of key assumptions and mathematical calculations, if applicable. Design should be consistent with published research and sound industry practice.
Data: Data architecture and IT infrastructure should support the institution’s risk model. Data integrity from source systems is an important factor that will impact system output as are data quality and relevance when vendor or other third-party information is used. Testing should include a sampling of alerts to validate.
Process: Controls for workflow, decision actions and documentation must be monitored closely and updated for any changes to the model or software.
System: There should be an appropriate balance between automated and manual systems. Institutions should consider the following when validating AML software solutions:
- Functional specifications to identify risk
- Known limitations that can affect desired results
- Workarounds to mitigate potential risks
- Mapping and integration of the decision process
- Tuning and software optimization
Moreover, AML and compliance units should not only understand how their software applications work but also be able to articulate validation details when questioned by auditors or regulators.
Strong compliance, security and risk management can be a competitive differentiator that impacts customer acquisition and retention. Financial institutions will continue to be under the regulatory microscope as they are called upon to do more with less. As financial crime schemes pose increasing business and reputation risks, re-evaluating existing technology to ensure your systems support continued improvement of AML and compliance programs is paramount. Risk models for AML and compliance can improve business decisions and optimize an institution’s approach to combating financial crime.