Looking at the multitude of employment ads placed by executive search firms and large global banks, it becomes clear that the world’s biggest financial institutions are spending lots of money hiring new staff to combat potential money laundering and other illegal activities.
It’s an understandable kneejerk reaction to what has been an onslaught of mega financial penalties and headline risk over violating US rules and sanctions.
But all this hiring won’t be the silver bullet to reduce risk of regulatory enforcement actions, warn AML consultants. Putting aside the issue of fraudulent intent by the financial institution — which is sometimes the case in these violations — the core problem is less about manpower than poor data management, inefficient use of technology, and inadequate training. As a result, even the most prominent banks can be their own worst enemies when it comes to knowing who they are doing business with and whether those customers’ transactions should put them under closer inspection.
None of the AML consultants who spoke with FinOps Report wanted to criticize specific banks — after all they are likely to be trying to clean up those very same institutions — but they did repetitively predict that the risk of regulatory fines will only increase as trading volumes increase, more clients are onboarded, and regulators demand banks follow new more rigorous rules. Granted, AML consultants stand to benefit by putting the spotlight on the failings of global players, but with so many fines handed out over the past few years, they have some indisputable evidence in their favor.
At the core of most AML deficiencies is the left hand not knowing what the right is doing. It starts with the onboarding process — the first line of defense in preventing money laundering by identifying and declining to do business with potential bad actors. The basic process is commonly understood, but the devil is in the details if banks don’t centrally manage the it. “Each unit of a bank has different questionnaires and information required to document just who the client is and how the individual or entity can be classified,” explains Shahryar Shaghaghi, a partner at management consultancy Kurt Salmon in New York and former operations and technology director at Citigroup.
Risk Profiling
Regardless of who is doing it, onboarding is a laborious time-consuming process of data gathering and verification. If the job is completed well, there is confidence that new account applicants really are who they say they are, and the bank can rank the client as low, medium or high risk — for money laundering activities that is. Risk is typically pegged against the country where the individual resides, the type of organization, and the type of financial activity. Case in point: a client opening a certificate of deposit would likely be classified as lower risk than one opening a trading account. Then there are the politically exposed persons (PEPS) — senior ranking domestic and foreign government officials– who will always be ranked as high risk no matter which business line of the bank they use.
Such a widely accepted and practiced form of profiling might work just fine, if it weren’t for two critical lapses. Not only are there no agreed upon market standards for these classifications, but there are also differences even among business lines of the same bank. Classifications might be end up conflicting between units, but when discovered they can be reconciled and even updated over time. Yet to do that the bank would need to request an update from the client, as well as monitor other sources of information. “It comes down to managing Big Data. There is no way the bank’s AML staff could filter through tons of data from news sources to know whether an update is required or not,” says Shaghaghi.
AML experts at some US banks who spoke with FinOps, say they do rely on news wire services, but information is often not sifted effectively, either electronically or manually. The main industry practice, according to Christian Focacci, founder of AML Source.com, a New York-based AML career website and former AML consultant, is to use curated databases containing profiles of individuals or companies that may have significant political exposure or negative commentaries about them. But because such databases are populated manually, the information is limited in scope and be stale. To compensate, AML staffers usually also sift through online archived news databases and commercial search engines, but each of these sources also has its own strengths and weaknesses. If the background is not understood, AML staffers can easily miss critical information. Worse, when it’s found, the information can be rekeyed by hand into one customer onboarding system and not others, or even not at all.
Focacci says that several banks and consulting firms are testing a new platform that aggregates web and news sources in real-time to arm AML and know-your-customer units with more comprehensive negative information about an individual or entity.
More Lines of Defense
If the first line of defense, onboarding, doesn’t work doesn’t work to identify potential bad actors, there is the second line banks count on: the transaction monitoring process. Risk can also be ascertained from details like the number of trades executed, value of cash payments and number of cash payments within a given timeframe. However, such monitoring often has no association with risk profile of the customer. “Surprisingly, monitoring systems don’t always link to onboarding platform as they were likely installed separately with the onboarding system likely implemented first,” says Focacci.
The frequency of monitoring and type of monitoring depend on sophisticated business logic — or so-called detection scenarios — to generate alerts that something smells wrong. The application works only as well as the rules input, and that logic needs to be constantly updated to reflect far more sophisticated criminals. The risk of not paying attention was clarified by the unhappy story of Standard Chartered, which was first US$340 million in 2012 by the New York Department of Financial Services for illegally doing business with Iran, and then was hit by another $300 million fine because its transaction monitoring system wasn’t coded properly to ensure that a sufficient number of transactions were flagged as suspicious.
Assuming a transaction monitoring application works well enough, and leads to a further investigation into a customer’s activities, sufficient information is needed to make a decision on whether or not the customer should be reported to law enforcement authorities. In some cases, law enforcement might have even asked for an investigation into the client. The financial firm must then track down all the necessary information — the initial risk profile, any updates, all of the transactions conducted by the individual or entity, and any change in the risk status of the individual based on updated information.
“The initial information may not be identical among multiple business lines and may not have even been updated correctly,” says Luis Leb, chief executive of AML consultancy Aperilex Consulting Group in New York. Add the possibility that a bank through mergers, acquisitions and takeovers has inherited dozens of KYC applications and the entire data management process resembles a Tower of Babel.
Then comes the third and final line of defense: the AML staffers assigned to “investigate” potential money-laundering activities. What that phrase means is anyone’s guess; it depends on each bank. Presumably they will be able to read the transaction monitoring alerts and manually match that up with all of the data the bank has on the particular customer or organization to determine whether or not their activities are legal or at least fishy enough to bring the matter to the AML compliance director.
They can’t handle that job, warns Nickie Bellinger, senior advisory consultant for BSA AML Compliance, a New York-based AML consulting firm. “They [banks] are just throwing bodies around with little to no skill set,” she gripes. One large money center bank, she declines to identify, often relies on untrained offshore staff to do customer due diligence, while yet another money center bank is counting on AML operations specialists to write intricate high-level compliance procedures.
“There is a mismatch between supply and demand,” acknowledges Focacci. “There are too many AML spots to fill as banks react to regulatory requirements and too few AML specialists around to fill them. With AML being a relatively new field, banks are still catching up with what the necessary experience and training should be.”
AML experts agree that the ideal AML operative should be able to detect that an individual or entity might be conducting illegal activities based on the information generated from the transaction monitoring reports and all other data collected from multiple applications. The background is needed to do that job is a matter of debate. Bellinger insists that law school graduates are better, because they think analytically and won’t simply check off the compliance boxes. Leb counters that law enforcement specialists — former police, security or FBI executives –are more suitable because they can catch criminal conduct faster.
Conflicting Demands
Regardless, as banks struggle with the necessary processes, technology and staffing necessary to ensure correct AML procedures they have one more hurdle to overcome. And it could well be the most difficult mountain to climb — eliminating suspected high risk clients from customer rosters. “Banks don’t want the reputational risk of closing down accounts and surprisingly regulators also frown on it because they don’t want AML risk transferred to another bank,” says Leb.
But the most common reason for not acting quickly: it conflicts with the bank’s goal of making money as shown in the $8 million fine the US Financial Industry Regulatory Authority levied against Brown Brothers Harriman in February. Although its AML compliance director Hal Crawford, also fined and suspended for a month, did warn the bank it should cease trading penny stocks with certain foreign clients — an activity which could easily equate to money laundering — it continued the practice for several years.
So what’s a bank to do? Creating what’s often called a culture of compliance would certainly help. So would establishing a single global policy and process for client onboarding, says Shaghaghi. Just who is doing that? Citi, for one, has initiated the design and development of a single unified approach to onboarding customes and managing the know-your-customer process through multiple relationships across the bank, thereby creating a clearer single view of the customer, says Shaghaghi.
Based on what some internal AML staffers tell FinOps, most small to mid-tier banks are not even close to thinking about such a project. “We’re far too busy going through and remediating customer accounts with correct information,” says one compliance director at the US branch of a foreign bank.
Yet another solution: require AML specialists to go through an accreditation process, such as the certification offered by the Association of Certified FInancial Crime Specialists. Passing the exam does indicate understanding of basic regulatory requirements, even if it is rudimentary. However, procedures when a crime is suspected depend entirely on bank policy so the ACFCS examination consists of multiple-choice questions, not what-if-scenarios.
AML specialists may be quick to file suspicious activity reports for no other reason than they wish to avoid the legal liability of doing nothing. Even if they are not really sure what constitutes illegal activity, they would rather play it safe than sorry. This is a training issue. Banks need to spend a lot more time explaining just who to contact about suspicious activity, when to contact and how to document the contact was made, say AML specialists.
Even with the best intentions and efforts, a large bank might fall short of meeting every single regulatory requirement. For all the brouhaha about poor AML procedures, the experts say that most global banks are doing the best they can with limited resources and hundreds if not hundreds of thousands of clients and accounts to monitor.
“There is no perfect AML program and there will always be something slipping through the cracks,” says Jeff Sklar, managing director of SHC Consulting Group in Bellmore, New York, which helps banks review their AML policies. And that creates enforcement risk that may or may not be fair. “In the current environment, regulators will place a great emphasis in any deficiency they find in a financial institution’s AML program, no matter how small or large it is.”
There is one silver lining. That latest rules are relatively, and banks will eventually catch up with the necessary staffing , technology and procedures required, acknowledge consultants. No doubt, the recent string of regulatory penalties will encourage the banks get there a little faster.
Leave a Comment
You must be logged in to post a comment.