Data integrity and integration. The popular terms used in trade and post-trade operations are quickly making their way into the world of anti-money laundering compliance as financial firms prepare for more stringent regulatory exams.
With the number and value of fines growing, buy-side and sell-side firms are returning to the basics of evaluating their data sources, rules and technology along each part of their AML programs. They know that inconsistent, incorrect or stale data can boomerang even the best-crafted AML program and lead to hefty penalties.
Change comes none too soon. In 2018, worldwide fines for AML violations grew to US$3.4 billion from US$2.12 billion the previous year, according to Dublin-headquartered global regulatory risk intelligence firm Corlytics. The New York State Department of Financial Services (DFS) helped US regulators lead the global charge, accounting for US$1.87 billion of the total amount of regulatory fines in 2018 compared to US$1.53 billion of the overall figure in 2017.
Corlytics predicts that in 2019 European regulators could follow the example of their US peers and crank up their penalties even more. For now at least, financial firms are paying the closest attention to keeping US watchdogs at bay. Four of the ten global AML compliance managers who spoke with FinOps Report say that they are including data architects and chief data officers in their preparations for US AML exams. The remainder say they will do so over the next year as regulators, including the Securities and Exchange Commission, Office of the Comptroller of the Currency, New York State’s DFS, Financial Industry Regulatory Authority and Federal Deposit Insurance Corporation, continue to pay close attention to whether financial firms meet the four original pillars of an effective AML program. Their common goal: to catch potential for criminal conduct, namely financing of terrorist or drug-related activities.
The latest addition to the four required pillars for a US AML program will generate substantial data collection requirements. The US Treasury’s FinCEN unit now wants financial firms to determine the underlying beneficial owners of their corporate customers. Effective in January 2017, New York DFS’ requirement for proper AML monitoring and sanctions screening also emphasizes the need for solid data quality and governance processes.
Naturally, regulators won’t accept a firm’s reassurances it is compliant with AML regulations at face value. “Regulators will want to see the data and results from a particular timeframe for multiple processes ranging from customer onboarding all the way to transaction monitoring and submission of a suspicious activity report,” says Claudia Ranieri, a director at Alaric Compliance Services, a New York-headquartered regulatory compliance consulting firm. Financial firms file SARs with FinCEN which further investigates them and sends copies to other regulators.
Those who haven’t done their data homework by now had better start immediately. “Regulators are coming to the exam table with an army of their own experts in risk, data and IT management,” says Natasha Taft, an AML compliance specialist who runs her own consultancy in New York. “To prove their AML programs are effective, financial firms have to show that the results match their own and regulatory expectations.”
Financial firms can’t do that unless they understand the origin of all of the data they use and its flows. If the customer’s information is incorrect then its risk profile could be wrong. As a result, the thresholds and frequencies used by transaction monitoring systems to keep track of a customer’s business activities will be skewed. The financial firm might end up not filing enough SARs, thus violating its regulatory requirements. On the flip side, a transaction monitoring system that is not fine-tuned or is using the wrong data can generate too many false positives, leading the financial firm to conduct unnecessary investigations. Last but not least, a SAR could have the wrong information about a customer or its transactions. Of course, if the financial firm’s own risk assessment is incorrect, it can’t establish the appropriate policies and procedures in the first place.
Ultimately, the logic and models (aka the operating rules) of any tech platform rely on a firm’s underlying customer data and overall risk assessment. “Regulators want financial firms to explain the logic or models used,” says Debra Geister, a financial crime business strategy consultant for NICE Actimize, a financial crime and compliance technology firm headquartered in Hoboken, New Jersey. “How did you come up with the frequency and thresholds are common questions.”
Geister suggests that financial firms conduct annual or more frequent internal testing to catch any potential tech glitches before a regulator does. “Internal testing requires taking samples to ensure accuracy,” she says. “Then comes the more comprehensive internal audit which should take place at least once a year to determine whether policies and procedures are being followed.”
Bonding with internal auditors might not be a bad idea for AML compliance managers wanting to get a leg up on regulatory exams. However, internal audits aren’t all they are cracked up to be, cautions Ross Delston, an AML attorney and compliance expert in Washington DC. Internal auditors might not sufficiently understand AML rules, might not be using a large enough sample from all of their business lines, might not understand test results, or might not know how to correct shortcomings. “The most common red flags for an independent AML audit are that it makes no recommendations or contains statements that are taken from the firm’s compliance manual without any additional scrutiny,” says Delston.
Financial firms can always turn to external consultants, such as Delston’s company and Alaric Compliance, which make it their business to be up to speed on AML regulatory requirements. “It is up to internal compliance folks to make certain that any auditors have the requisite experience in AML,” says Delston. “Regulators will closely scrutinize the bona fides of internal and external personnel used in any independent AML audit.”
Once financial firms have uncovered shortcomings through one or more audit procedures, they must quickly figure out how to resolve them. Delays make for unhappy regulators. Regulators might not financially penalize a firm for submitting too many SARs, but they could warn them to pay closer attention to their analyst training. If the cause is determined to be too many false positives from a transaction monitoring system, the firm could be cautioned about the need for further testing and tweaks.
However, nothing will generate a regulator’s ire more than not filing a SAR that it believes should have been filed. “A financial firm needs to document its reason for not submitting a SAR,” says Ranieri. “It might have ultimately determined that there was a legitimate reason for a transaction, but must clearly record why.”
Will the financial firm’s reasoning win over a regulator? Maybe not. But at least the firm can show that it did its homework. Once again, having the right data and knowing how to analyze the data helps. A firm’s transaction monitoring system must have the correct customer and transactional data needed to determine all of the activity belonging to the same customer. “A financial firm could be missing information identifying related customer accounts and beneficial owners within multiple business lines,” says Taft. “As a result, the firm may be missing the full picture of suspicious activity and not file a SAR.” Yet other reasons for an oversight: changes in customer data might not make their way into a transaction monitoring system or a financial firm’s wire department might receive a transfer of funds from a correspondent bank that is missing customer data or has incorrect data.
Following FinCEN’s new customer due diligence rule could end up causing AML compliance managers plenty of grief. Knowing whether beneficial ownership hits a 25 percent threshold or knowing the identities of those in control of a firm is a slippery slope, particularly if examiners do peer comparisons. “The financial institution can take the client at its word unless it has reason to believe otherwise,” says Delston. “However, such a stance can work against the financial firm because a regulator can always say the firm should have known better when money laundering or other illegal activity is uncovered later on.” FinCEN could always argue that a perfunctory search of a third-party database could have easily raised red flags on any data submitted by clients.
Even if a firm does manage to file the correct number of SARs based on its risk assessment, business lines and customers, it must still ensure the information on its SARs is accurate. Regulators can easily find out if it isn’t by matching up the data on SARs to source data during their exams. There are plenty of reasons for discrepancies and plenty of types of discrepancies. A transaction monitoring system can be fed information from more than one customer onboarding system from multiple business lines using disparate data. “A typo, previous address, role in a company in the case of beneficial ownership can sometimes be misstated or input incorrectly,” says Geister. “Errors such as these can open up the financial firm to further scrutiny.”
Wrong data could also lead a financial firm to miscalculate its own risk assessment. Everything can go downhill from that point onward. The firm’s risk assessment, which is open to interpretation, is based on the details of its customers, business lines and geographic reach which can vary from database to database. “Even things as simple as definitions can cause issues,” says Geister. Case in point: business lines might differ in how they define an “active” account. Ideally, it should be defined on an enterprise-wide level, she says.
Given the importance of having accurate and consistent data to ensure a solid AML program, one would think that financial firms would be investigating their own data warehouses. Data management managers at some US banks tell FinOps Report that so far they are often called on to participate in AML programs at the last minute — once the firm has already received a letter from a regulatory agency about an upcoming AML exam in one or two months.
Ideally, the firm might have started corrective measures to reassure a regulator it is on the right track. However, if the shortcomings are related to data inaccuracies caused by the use of too many customer and transaction databases with disparate information or data not making its way into transaction monitoring systems, there might not be sufficient time to execute a thorough data reengineering program.
“Mergers and acquisitions can often result in multiple customer databases and transaction monitoring systems,” says Betty Santangelo, a partner in the AML compliance and white-collar crime practice of the law firm of Schulte Roth & Zabel in New York. “Databases in one system might not be consistent with those in the systems of the newly created entity, potentially resulting in data integrity issues.”
What to Do
What then? All a financial firm can do is either take a patchwork approach or prove it can fix all the shortcomings within a designated timeframe. The shorter the timeframe, the more satisfied the regulator will be. Hence, a lower fine, if one at all.
AML compliance managers at some US banks and broker-dealers tell FinOps Report that they are doing their best to improve data quality and integration but are often overwhelmed with creating the right policies and procedures for too many business lines. Selling chief executive officers on the need for an extensive new data governance program to satisfy AML regulatory requirements is an uphill battle. If the firm hasn’t already been fined or warned for AML deficiencies, its CEO could be lulled into a false sense of security. Nothing could be worse. “Data is often the last thing we think about but maybe it should be the first,” acknowledges one AML compliance manager. “The risk of getting fined is way too high.”
Geister recommends that AML compliance managers partner with their chief data officer or officers to make certain their organizations are collecting, managing and maintaining information appropriate for effective AML programs. Working with individual business lines, data officers can be responsible for data access, management, measurement, quality and standardization. As cross-functional groups, data governance committees should create data policies, standards and controls.
“Given the growing focus by regulators on data quality, and modeling as well as technology, even some smaller banks are creating dedicated AML analytics, technology and data governance departments to support their AML programs,” observes Taft. Those centralized departments can also help generate accurate reports for regulatory examiners who will go through all of the data and test results with a fine-tooth comb.
When it comes to data, there is no such thing as perfection, but financial firms need to come as close as possible to nirvana or risk the ire of one or more regulators. “Poor data, lack of chain of custody of data, data gaps, and errors will always be present,” says Geister. “Augmenting data, standardizing it and filling in the gaps can help improve the overall quality of an AML program.”