Developing an effective and holistic AML structure

Getting your AML program right is an important issue in today’s business environment – not only do regulators need to be appeased, but more importantly the deadly risk of international terrorism remains real and ongoing. Meghan Hodge, Director of AML Compliance at RBC Centura explains what banks and financial institutions need to do to develop an effective AML structure

Building on a Risk-Based Approach
Perhaps the single-most critical component to creating an effective Anti-Money Laundering (AML) program is understanding the AML risk within the organization. Through the FFIEC (Federal Financial Institutions Examination Council) BSA/AML Examination Manual, regulators have made it clear that they expect banks to first assess their AML risk as part of a comprehensive AML Program. This evaluation is critical for a number of reasons. In addition to identifying areas of higher risk or breakdowns in the AML program, a full understanding of AML risk within your particular organization goes a long way towards earning the trust and respect of auditors and regulators; also, by understanding areas of concern and weakness, you’re able to create a roadmap to focus scarce technology and human resources on the areas most likely to cause issues.

Generally, there are three main categories that are evaluated from an AML risk standpoint: geography, products/service, and client. While these three components are straightforward on their own, the application of these factors in various assessments can prove to be more complex due to the high level of interrelatedness, as depicted in diagram 1. An assessment for a particular component can stand on its own, as well as support other, more holistic assessments. For instance, the inherent risk of products and services offered by a bank may, on a standalone basis, determine prioritization for transaction monitoring. The product/service risk may also be used in combination with other factors at a macro level, as an input into the assessment of AML risk for various business units or at a micro level in assessing the AML risk of individual clients. Generally a scored model, which assigns more or fewer points based on various risk attributes, will provide a straightforward way to make ‘apples to apples’ comparisons.

It is important to clearly document an overall risk assessment strategy to articulate how the various AML risk factors will be applied with different lenses and what steps will be taken based on the results. The strategy should also include doing more for some areas, as opposed to always using low risk as a trigger to reduce the amount of diligence required; otherwise, the term ‘risk-based approach’ may ring a bit hollow with auditors and regulators. While quantification of risk and the use of Risk Models can be extremely helpful for putting a certain amount of rigor around the complex analysis, at the end of the day, it is still just a tool to quantify instincts. An overall reality check (“does this make sense?”) should take place to ensure that the risk assessment matches subject matter expert expectations for the definition of AML risk.

End-to-end view of AML program
Once the assessment is complete, the AML Program should include processes to manage BSA/AML regulatory requirements and expectations, with a special focus on higher-risk areas or areas of concern, as identified through the risk assessment. While distinct processes and procedures will be established for each major area (filing suspicious activity reports (SARs), account opening, etc.) it’s important to consider an end-to-end view of the AML program. In other words, each process should work in concert with the others, complementing and strengthening them by leveraging intelligence gained from one process as a critical input into other processes (see diagram 2). Always be mindful when there are handoffs between processes to ensure that information does not slip through the cracks. While many people within the organization may own or manage various processes, as the AML Officer it is critical to keep an eye on the big picture and ensure that all connections are made.

Prevention and detection
A basic breakdown of an AML program is often articulated as prevention and detection, although increasingly the lines between the two become blurred as information is better leveraged between various components of the program to strengthen the whole (see diagram 3).

Prevention typically covers measures taken with the intent of preventing an organization from being abused by launderers and often focuses on front-office initiatives, such as policies or training. Detection historically has focused on measures to identify suspicious activities and report those events to law enforcement, often using complex technology solutions to identify unusual transactional activity. Banks are becoming more attuned to the fact that these aspects of the AML program must work seamlessly together in a holistic fashion in order to minimize regulatory risk. For example, the know your customer (KYC)/client due diligence (CDD) program (which is reinforced by training/communication and clear polices and procedures) must be strong in order to surface the right information about a client which will make it possible to discern if the client’s actual transactional activity is normal and expected for that particular client, or unusual in some way. Frequent, large cash deposits for a business would be very abnormal for an entity that owns a small bakery, but might be extremely normal for a client who owns a chain of upscale coffeehouses located in a bustling metro area. A cursory, generic description of the client’s industry as ‘foodservice’ in the CDD file is not sufficient to reach the proper conclusion.

Perhaps the best way to illustrate how preventative and detective processes reinforce each other is through the referral of unusual activity by client-facing personnel, which is an invaluable tool in the fight against money laundering. When employees really understand and embrace the idea of KYC and can apply their knowledge of the client in a practical way, they are able recognize suspicious client activity (either transactional or behavioural) and refer their observations for further review by the AML Investigations department. Often the most useful SARs originate from observations or discussions branch personnel have had with clients, which would never surface, no matter how sophisticated a bank’s transactional monitoring software. It is generally amazing what clients will tell your staff, so there’s a tremendous benefit to the AML Program by creating a mechanism for branch personnel to report their suspicions, and often very little financial cost.

Compliance oversight
One of the four required elements of an AML program mandates policies, procedures and a system of internal controls designed to ensure compliance with applicable laws and regulations. An AML program may have all of the requisite elements by design, but the true measure of the program is in the ability to execute. It’s one thing to create policies and procedures, but an entirely different thing to have confidence that they are more than just words on paper; they need to be being followed in spirit and in practice. Therefore, it is critical for the compliance function to create a framework which enables oversight of the various AML processes and functions, which are frequently performed in a decentralized environment (Customer Identification Program (CIP) conducted within the branch network) or by other departments (Currency Transaction Report (CTR) filings done by the operations team) and then clearly communicate the overall effectiveness of the program to management and the board.

The development of a compliance testing program enables AML Compliance to proactively identify AML issues prior to audit or regulatory reviews, by conducting periodic tests of key AML processes. Historically compliance testing, or compliance reviews, has consisted of a blank page and a knowledgeable subject matter expert to critique the process and offer suggestions for improvement. While these free-form reviews are helpful, there is limited ability to trend issues over time or succinctly communicate to management how well the process is performing. However, by clearly outlining a series of steps that should be performed within a particular process, Compliance is able to then test against those expectations and present the department with a ‘grade’ for how well they have executed compliance standards for the process. Unlike an independent audit, which often has the perception of a ‘gotcha’ exercise, compliance testing should be a collaborative effort between Compliance and the unit performing the AML function with the objective of constantly improving the process to pre-empt audit or regulatory criticism.

Metrics that measure the ‘health’ of the AML program are an extremely powerful tool for communicating program performance and any issues that require their attention to management and the Board. Often, metrics related to AML tend to be more statement of fact – how many accounts were opened, how many alerts the transaction monitoring system produced – rather than commentary on the performance of individual processes or the overall program. But what do static metrics really tell us? For instance, knowing the transaction monitoring system produced 100 alerts in a given month is moderately helpful. However, to determine if your transaction monitoring system is functioning effectively, it’s more useful to know how many of those alerts produced valuable intelligence by way of referrals for investigation or SARs that were ultimately filed (one SAR out of 100 alerts may mean you have too many false positives, but 90 SARs out of 100 alerts may mean the system parameters are too tight and you’re missing other unusual activity). The goal then is to define a performance level for a process and then measure against it, the result of which is a percent that describes how close to the target the process is performing. This method can be applied to nearly every AML process to produce interpretative metrics that speak to the health of the various processes, including timeliness of processes.

As the Board embraces their role as having ultimate accountability for AML risk, increasingly they ask for additional information and assurances that the bank’s program is in good working order. These metrics and the results of compliance testing are extremely powerful for communicating to management the state of the AML program and any areas that require their focus. Management responds especially well to metrics that take a complicated, nebulous situation and boil up the pertinent pieces. The ability to assign Red/Yellow/Green definitions to the AML metrics is especially powerful.

Independent audit
Although the Compliance function has oversight of the AML program to ensure day-to-day operational compliance, each bank must also provide for independent testing (audit) of the program. The independent audit function is charged with identifying areas of weakness in the overall program. In order to properly structure the review and focus on the critical areas, the audit team should first understand the AML risk profile of the organization, drawing upon risk assessments that have been completed. As depicted in diagram four below, the risk assessment drives the scope of the audit, which should encompass the overall AML program to verify the soundness of policies, procedures and design; as well as provide for transaction testing to confirm that the bank is properly executing on policies and procedures. Critical to the audit process is the reporting of issues and follow-up to ensure that matters are promptly resolved.