There is a lot of speculation about deregulation under President Trump, and it may be valid in certain areas. But since nobody likes a terrorist, don’t look for an easing by his administration of anti-money laundering/anti-terrorist financing (AML/ATF) laws and regulations, including Office of Foreign Assets Control (OFAC) sanctions. In fact, if you look at history and take into account President Trump’s Cabinet choices, one might suggest that things will get even more interesting. He has made clear his goal of defeating terrorism, and one way might be to continue to heavily rely on financial institutions subject to AML/ATF laws and OFAC sanctions.
But it’s not all about the new president. My projection for 2017 also reflects the Financial Action Task Force’s recent criticism of U.S. laws to combat money laundering and terrorist financing, in its December 2016 Mutual Evaluation Report. While acknowledging that the financial sector bears most of the burden of measures required under the U.S. Bank Secrecy Act, the report also cites significant regulatory gaps. These include minimal coverage of certain institutions and businesses, such as investment advisers, lawyers, accountants, real estate agents, and trust and company service providers (though not trust companies themselves). Also criticized is a lack of timely access to adequate, accurate, and current beneficial ownership information regarding shareholders and other individuals with effective control of banks’ business customers. Nor is there a uniform AML prioritization or approach among states, the report says. Notably, it recommends that the U.S. AML system would benefit from ensuring that a range of tax crimes are predicate offenses for money laundering.
Meanwhile, at the state level, recent activity and statements indicate that the New York State Department of Financial Services will maintain its proactive posture of helping to ensure that bad guys remain in check. The department has already set a stake in the ground saying that it will continue requiring institutions under its jurisdiction to have robust compliance programs, regardless of what happens at the federal level.
Altogether, looking back at the timing of new legislation and enforcement activity, it is abundantly clear that no matter which party is in power, the expectations for companies to comply with AML/ATF laws and OFAC sanctions always remain high. Addressing these expectations starts with robust compliance programs.
Nine Steps to Keep AML Risks at Bay
So what can you, as a financial services executive, do to ensure your company doesn’t have a bull’s-eye on its back? Keep calm and get back to the basics. First, don’t over-engineer your AML/ATF program so that it’s impossible for the first-line-of-defense functions to comply and the second-line-of-defense functions to manage. Understand your risks, implement your system of internal controls to mitigate those risks, and periodically provide assurance that your controls are working. In other words, implement, document, and test.
Easier said than done, right? I might agree, but in most cases the single biggest challenge is implementing and maintaining the tools required for an effective, and even efficient, monitoring and screening program. Just about every enforcement action is rooted in some form of breakdown in a company’s monitoring or screening processes. A robust monitoring and screening program is a world unto itself. It often requires involvement and ownership by multiple parties within, and even outside, the institution.
Documentation. Document, document, document. This can’t be said enough. Everything you do needs to be supported by documentation. For monitoring and screening programs, this starts with how you’ve identified your risks and runs all the way through the dispositioning of your alerts.
Risks. Years ago, when company managers wanted to know what an institution’s risks were, they would ask the legal department. After all, their attorneys had all the law books and dealt with the traditional corporate risks, such as contract risk. Later on, managers would ask the compliance officer, who would tell them to relax because she knew the risks of the institution and had them all covered. Today institutions need to begin with an inventory of laws to show definitively what it is they need to comply with. From there institutions need to build their risk assessment based on factors such as products, services, and geographies. This is the foundation for your AML/ATF and OFAC programs.
Data. Not having clean, complete, and normalized data is a huge problem. It is the old story of “garbage in, garbage out.” Too many companies don’t pay attention to data integrity and data lineage. They focus on optimizing the rules or setting the fuzzy logic, which is equally important but relatively meaningless if the data is incorrect. Also, sound data management is important. Companies that rely on data from sources that are leveraged for multiple uses don’t always have adequate controls in place—for instance, to assess the impact that changes to data warehouse processes can have on data that is also used by AML/ATF monitoring and screening tools. Robust data management procedures and processes are needed to minimize such disruptions throughout the data supply chain. If a compliance officer is relying on other sources, within or outside of the company, she needs to be well versed in exactly what goes on with the data and periodically kick the tires to ensure that procedures and processes are being followed. The secret word here is “oversight.”
Tools. Every vendor may seem to offer “just the thing” for your AML/ATF monitoring and OFAC screening needs. But which thing is right for you? It depends on a number of factors: your risks, institution size, and geography, for example. Not all tools are alike. Some may be better for retail banking while others are better for corporate and investment banking or broker-dealers. One thing is certain—there is no turnkey solution. If you are being sold this concept, know that it doesn’t exist. Every solution needs refinement. And every refinement takes time, money, and the right people. A risk assessment is critical to understanding your specific needs across the company. Alerting rules and screening methodologies should be mapped back to your risk assessment to evidence monitoring and screening processes that have been well thought out to mitigate your company’s risks. Documentation is extremely important, since evidence of how you got from point A to point B will be required by auditors, examiners and, in the worst-case scenario, enforcement investigators. Know your risks and how your tools mitigate those risks.
Rules and Scenarios. It’s critical to have a documented procedure and process for tuning or optimizing the program’s rules and scenarios. Merely setting thresholds and running the tools will get you into trouble. Running rules and testing output in pre-production are extremely important to ensure that you have the right rules in the first place and that those rules are reasonably optimized prior to moving to production. It also provides insight about whether you will have enough staff in the financial intelligence unit (FIU) to manage the alerts. Hint: Backlogs are not good. They get you in trouble.
People. You may think you have the best information technology (IT) department in the industry. But unless your IT specialists understand AML/ATF and OFAC tools and data needs, rules and fuzzy logic, and alert review challenges, they are not right for you. Get the right subject matter experts for this job, since without them you will slip, fall, and possibly fail. It’s wonderful to have new alerting tools but they are useless if you don’t set them up right. When running your tools in a pre-production environment, look at the output against the staffing in the FIU. Do you have enough staff? If not, now you have the data to justify more staff. Do not go into production mode without the right number of FIU staff. You will end up in a world of hurt with a backlog. Once you begin alerting in production mode, you have to disposition the alerts. You can’t push them aside and start over.
Third Parties. You are responsible. Let me repeat that—you are responsible. If anything is done anywhere outside your institution, you’d better know who, what, where, when, and why. Again, document, document, document. You absolutely need to oversee every third party as if it were part of the institution. So many institutions outsource and rely on third parties for their data management (e.g., data warehouse). You can’t just point to ABC Company when an examiner comes in. It is on you to ensure that data is sound for use.
Internal Audit. Believe it or not, the internal audit department is your friend. While the department has to remain independent, stakeholder management on both sides of the fence is extremely important. And you would much rather have internal auditors identify a potential or actual problem than a regulator. Find time to work the relationship and build it into a mutually constructive one. Internal audit should not be a “gotcha” department, either. If yours is, speak to your chief risk officer or chief executive about the right approach for both sides. Internal auditors need to be trusted advisors while ensuring the system of internal controls is operating effectively. It’s a tough role and one that takes patience and partnership.
Conduct. Maintain an effective code of conduct or ethics. Leverage your code when anyone doesn’t follow policy. I’m not suggesting drastic disciplinary action on every matter, but if someone—employee or vendor—does something that jeopardizes the program, take appropriate and immediate action. There is simply no room for mistakes in this space, and everyone needs to know it.
The AML/ATF and OFAC compliance environment is tough for every line of defense—from the business units to the compliance department to the internal audit team. And it will continue to be at the top of regulators’ lists of priorities for their teams. The best approach is to continuously self-assess your programs to help ensure they are in line with both your goals and the supervisors’ expectations.