Brian Kloostra is an Executive at Crowe Chizek and Co. LLC, a top 10 accounting and consulting firm, who specializes in assisting banking clients with their efforts to comply with the most recent AML requirements brought about by the USA PATRIOT Act. Here he talks to FST about the value of taking a risk-based approach to AML compliance.
FST. Recent research shows that many institutions are still unsure of how to respond to the challenges of AML. Why is AML such a difficult topic for financial institutions to get right?
BK. There are really two reasons that AML is challenging for any institution. The first reason is the maturity of the AML regulations themselves. The Bank Secrecy Act (BSA) regulations have been around for decades, but new requirements under the USA PATRIOT Act have only been around for five years. While the latest examination manual from the FFIEC goes a long way toward bringing consistency to examinations, there are still evolving expectations that vary across regulatory agencies and differences in interpretation even among examiners from the same agency. Over time, updates to the guidance and additional commentary from the regulators will make the expectations clearer and give institutions more direction on the specifics needed for their individual situations.
The second reason is that responding to the AML challenges has significant impact on an organization’s operations and technical infrastructure. Prior to the Patriot Act, the BSA was viewed primarily as a compliance requirement that had minimal impact on an institution’s front-office and back-office operations. Until a financial institution recognizes that AML compliance is not just an exercise for the compliance team, and that it requires them to enhance procedures and technology across the enterprise, they will struggle to get it right.
FST. What are the risks of not complying with AML laws such as the BSA and the Patriot Act?
BK. The risks of not complying can be significant. These include fines, reputational damage and enforcement actions. While large civil money penalties have received a significant amount of attention by the news media, a larger issue for institutions is dealing with the implications of enforcement actions that limit an institution’s ability to pursue its business strategy. This may include having to focus significant financial and human resources on non-revenue-generating activities, or if the non-conformance is severe enough, formally limiting an institution’s ability to open branches or acquire new businesses. Ultimately, a financial institution could be forced into being acquired or closing its doors.
FST. Why do you think it is important to take a risk-based approach to AML compliance?
BK. Taking a risk-based approach is the only way that an institution can manage the expense and effort involved. You can’t focus on everything. You can’t afford to treat everyone equally and subject each customer to an identical level of scrutiny. If you don’t take a risk-based approach you have to set an unrealistic bar that requires each customer to be looked at the same way, with the same amount of monitoring and due diligence.
Anti-money laundering programs are designed to meet one specific regulatory compliance requirement. Financial institutions are subject to many regulatory compliance requirements, which are just one of many types of risks that organizations manage as part of an enterprise risk management (ERM) program. It is important for institutions of all sizes to manage their compliance efforts using consistent methodologies and approaches – from risk assessment, to controls, to testing and monitoring.
FST. What role can best practices play in addressing the anti-money laundering challenge?
BK. The term ‘best practices’ in the context of AML programs has the potential to be dangerous. Our experience is that a best practice represents a particular response to a specific risk factor at a point in time. Given the rapid change in money laundering techniques and associated risk factors, it is important to realize that a best practice may not remain a best practice for very long.
Because each institution conducts its own risk assessment and builds a program that is appropriate for its risk profile, implementation can vary significantly. Not every organization needs to invest to the level of best practice. We prefer to focus our clients on developing ‘sound practices’ that build a strong foundation and are flexible enough to address the current risk profile and also to adapt to changes in services, products, geographies and customers.
FST. How can your firm help alleviate the burden of tackling some of the issues surrounding anti-money laundering?
BK. We help our clients understand the impact of the various regulations and what they mean at an operational level. Crowe has developed our Closed Loop Anti Money-laundering Program (CLAMP) to model all the components of an effective AML program. Our clients use this to organize and structure their programs and to consistently communicate both within their organizations and with their regulators. We help clients put programs in place that meet their specific risk-based requirements without overwhelming their people or negatively impacting the customer experience. Crowe provides a unique combination of deep AML subject matter and technology expertise to design, implement and optimize solutions in areas such as transaction monitoring, AML case management and customer due diligence and risk rating.
FST. Beyond compliance, are there any additional business benefits to implementing an effective AML solution?
BK. Financial institutions are finding that the investments they’ve made in better understanding both who their customers are and what their customers do are paying off in other areas. AML’s know your customer (KYC) requirements are requiring institutions to put in place processes and technologies that gather information about the customer that can be used to better understand his or her preferences and bring insight to the relationship. An institution’s investment in collecting all customer activity for suspicious activity monitoring can also be used to uncover specific sales opportunities and build more focused and targeted event-based marketing capabilities.