Market, credit and operational risk.
It has become common practice for financial firms to measure, monitor and reduce each of these three categories using accepted models, or methodologies, which rely on data inputs to generate the correct results necessary to make the right decisions.
Unfortunately, the same doesn’t apply to money laundering activities even though financial firms have good reason to try their best to adapt the same principles given the recent rash of fines, not to mention public embarrassment. HSBC, Citi, Standard Chartered, Brown Brothers Harriman and BNP Paribas are just a handful of the global players which have faced the regulatory firing squad for their deficiencies with anti-money laundering models and practices.
A 2011 joint communique from the Comptroller of the Currency’s office of the US Treasury and the Federal Reserve discussing how models should be created and validated never specifically mentioned how their guidance should be applied to AML activities, but examiners have been placing greater emphasis on statistically valid procedures and methods for modeling AML systems ever since. They are drawing conclusions about the effectiveness of an AML risk management program based on a more rigorous analysis of just how well a firm can prove it took the right steps to prevent wrongdoing. It had better be prepared to easily answer the five Ws — who, what, when, why and how.
Financial firms are finding it hard to meet such high expectations if for no other reason than their risk management experts may not have as much expertise crafting AML models as they do others. “Although there is a general consensus that an AML transaction monitoring system meets the definition of a model under regulatory guidelines, that’s not the case with other AML systems such as customer risk scoring or sanctions screening,” explains Stuart Feldhamer, senior manager of regulatory compliance for global accountancy Crowe Horwath LLP in New York. Such a shortcoming could lead to a high number of errors should the wrong rules, inputs and evaluations be applied.
None of the dozen banks, broker-dealers or fund managers contacted by FinOps Report wanted to provide any specifics on their AML risk management program other than to say they are “serious” about ensuring its success. They are naturally concerned about tipping off any fraudsters, but were willing to offer recommendations on best practice. So were other consultants specializing in AML oversight.
Recommended Moves
All agreed that a three-tiered approach of accurate model creation, validation and governance is the cornerstone of an effective AML risk management program. “Success depends on creating good models for customer onboarding and transaction monitoring, while validating them to ensure they don’t need any tweaks,” says Micah Willbrand, the London-based director for AML product marketing at NICE Actimize, an AML and know-your-customer technology provider. If just one of the two critical steps goes awry, so do the results.
Hopefully a customer will cough up the correct documentation to prove its identity, but financial organizations cannot take what it says at face value. In addition to requiring abundant documentation, some of the world’s largest financial firms with the deepest pockets are relying on sophisticated data mining techniques to take a deeper dive into social media, such as Facebook, LinkedIn and Foursquare. Such digital footprints will not only verify identity, but also show who has a penchant for criminal activity. “The years of history on the popular online sites may offer more details to be plugged into customer risk profiles to fine-tune the focus of transaction monitoring systems to catch deviations from what should be their expected business conduct,” one AML compliance manager at a New York tells FinOps.
If a client is not assigned the correct risk profile during the onboarding process, there is a far higher potential that wrongdoing will be overlooked during transaction monitoring. “The risk rating of the customer depends on the type of customer, the type of account opened, the types of business activities to be conducted, the amount of monies involved and the origin of the funds,” explains Vasilios Chrisos, principal of the fraud investigation and dispute services unit at EY in New York. “The wrong profile could end up generating an inordinate number of false positives, or alerts, that are not truly indicative of potentially suspicious activity.” Too many alerts — or noise — will make it harder for overworked AML analysts to pinpoint what activity should be further investigated, if not reported.
Yet even if a customer is correctly risk-rated, there is no guarantee a transaction monitoring system will work effectively. It could still generate too many alerts of suspicious conduct or even too few due to coding errors or too many applications inputting stale or inconsistent data. “Should a customer be onboarded to different business lines each of which relies on a different amount of information or even divergent information, disparate customer risk profiles could emerge,” says Willbrand. “Financial organizations are trying to get that single view of the customer, but fall short because of data fiefdoms.”
Given the critical need to design the correct risk models, it is imperative that only the most experienced professionals handle the work. Some financial firms rely on a central risk management team to design all of their risk models, while others rely strictly on an AML specialist team located within the AML unit. The best approach: a combination of the two. “The AML specialists should create and own the risk models while the enterprise risk management unit ensures they are in line with corporate policies,” says Chrisos. Such a segregation of duties allows for quality assurance reviews to be conducted by an unrelated third party.
Independent Checks
Regulators will not hesitate to fault a financial firm for not having an independent validation process, even if its AML modeling is correct. Therefore, the validation team should operate entirely separately from the model creation team to ensure its analysis and recommendations on any changes are legitimate. In some cases, financial firms will even select third-party consultants to do the validation work.
“The goal of the validation process is to ultimately determine whether the AML model is functioning appropriately,” says Feldhamer. Such an analysis should include reviewing its design, configuration, inputs and usage. AML models need to be tested at least annually or more frequently when a merger or acquisition takes place, a new business unit is launched, or an internal application is altered. Any change to parameters could affect the performance of the model. Therefore, tweaking a model would allow for more focused behavioral monitoring through setting correct thresholds and targeting more appropriate segments of a population, according to Chrisos.
Regardless of whether a financial firm’s customer onboarding and transaction monitoring models can adequately catch every money laundering activity, the organization will still need to prove to regulators that it has implemented a solid AML risk management program. That includes the ability to explain why certain rules and data input were used in the modeling process, the results of any testing, and the reasons for any changes. Also critical is determining just who is in charge of which of the steps in an AML risk management process. A weak governance function will ultimately reduce the effectiveness of an AML risk management program even if the model development, implementation and validation are accurate.
Effective model governance requires senior management and the board of directors to set the policies and clear lines of reporting in the process, including who has the authority to change a model or its inputs. While many large financial firms do have AML compliance specialists within each business line, they ultimately need to report to a centralized AML office — and director — who will set enterprisewide policies and procedures for AML, including what events or changes will affect AML risk models. AML directors typically report to chief compliance officers responsible for setting the overall ethical compass of the firm. Ideally, the two units should be in sync with each other, their business lines and their C-suite superiors. AML directors, who face personal liability in the event regulators catch any wrongdoing, can ill afford to be left without clear support from all corners of the firm.
When all is said and done, AML risk management might sound like a complicated, costly process. But given the heightened regulatory oversight, an ounce of prevention is well worth its weight in gold.