Richard Gibbons, associate partner and compliance expert in the IBM Financial Services Consulting Practice, takes a long hard look at the issues.
The U.S.A. Patriot Act of 2001 substantially extends financial institutions' pre-existing due diligence and anti-money laundering (AML) programme responsibilities to include the detection, choking-off (to the extent possible) and reporting of terrorists' financing schemes. The basic ingredients for the survival and success of any criminal organisation are recruiting, motivation, funding and sanctuary. Like all criminal organisations, terrorists require financial support to establish and maintain effective financial infrastructures that include:
1. Sources of funding
2. A means of laundering these funds
3. A way to ensure that these funds can be readily used.
Current counter terrorism strategy continues to focus on depriving all criminal groups of as many of these ingredients as possible. Given the global expansion of money laundering, international cooperation is seen as integral to success, by regulatory regimes in the major and emerging capital markets countries. They constantly advise financial institutions - especially those doing business in their respective jurisdictions - to conform to increasingly onerous international AML regulations or face reprisal.
Issues with achieving regulatory compliance
Criminals increasingly vacillate between cash-based money laundering activities, and banking and the financial markets. With the ever-widening range of financial products and services offerings, new money laundering opportunities continue to rear their ugly heads. The derivatives and securities markets seem particularly attractive for recycling organised crime proceeds, because the audit trail is so easily blurred. A broker can launder a sum of money through a perfectly legal transaction, with no need to ever make a false entry. Nevertheless, in order to safeguard further against the off-chance of discovery, money launderers have been known to sequester the help of insiders within the financial institutions - whether through coercion, bribery or simply offering so much up-side potential as to compel the financial institution to turn a 'blind-eye.' Such practices have become widespread, creating a fourth stage in the money laundering process called 'paper-trail avoidance,' which circumvents documentation, record-keeping, detection and reporting through non-collection, falsification, alteration or destruction of data and records.
Once a preferred customer relationship is achieved - the 'brass ring' to the criminal elements - they can then: (1) engage in professional portfolio management and advisory services; (2) enter into international business and financial ventures; and (3) execute complex transactional structures that efficiently complete the stages of the money laundering process.
Many a criminal bent on establishing a preferred customer relationship has first built or bought a cash-intensive 'front' business - a business capable of running vast amounts of tainted cash through its till, without ever raising an eyebrow. Examples of cash intensive businesses run the gamut and can include: restaurants, bars, travel agencies, construction companies, automobile dealerships and jewelry merchants. Such criminals employ techniques such as false invoicing, ghost employees and inflated expenses to create fictitious cash flows and transactional patterns (values and velocities) that appear to be normal and innocuous.
Financial industry regulations continue to stress the installation of the right people, processes and technology to achieve compliance: namely, comprehensive and timely discovery, prevention, and reporting of money laundering and terrorist financing events, pertinent to each financial institution's risk profile. Less-than-adequate commitment to meeting these mandates substantially increases enterprise and operational risks for financial institutions, often culminating in heavy fines, intrusive external oversight, even prison sentences for 'aiding and abetting' and 'willful blindness' convictions. Open-ended risk emanating from public disclosure under the Freedom of Information Act brings additional threats. In response, many financial institutions have taken the necessary steps to install know-your-customer and transaction monitoring solutions, but often fall short of the data requirements and rules-based logic needed to meet minimum requirements.
Recent high-profile enforcement actions
The combination of the progressive regulations, fast moving solutions and highly focused regulators has culminated in significant negative exposure across the financial services industry. Monetary penalties assessed in this environment start in the millions and have been as high as US$100 million for illegal transfer of dollars from a Federal deposit account to Cuba and other countries that were then under U.S. trade embargo. In addition, financial institutions are even being fined for failing to implement effective programmes against money laundering and for not reporting suspicious transactions executed on behalf of various governmental agencies worldwide, resulting in significant media coverage of high profile Wall Street firms being 'slapped on the wrist' by regulators.
If you don't build it, they will come
Every financial institution should expect its regulators to make AML programme effectiveness a high priority. Generally, the regulators look at:
1. Board and management oversight of AML risk and exceptions:
Issuance of management directives related to programme operation
2. Policies and procedures effectiveness
Delegation of duties across business, administrative, and operational lines
Expertise and skill-sets of its AML compliance organisation
Results from representative sample testing
3. Division of duties/responsibilities between
Management and staff
Management, staff and independent contractors
Management, staff and outsourced service providers
4. Remedial actions in response to regulators' deficiency letters
5. Impact of the AML programme effectiveness on an institution's UFIRS ('Uniform Financial Institution Rating System) and URSIT ('Uniform Rating System for Information Technology') ratings:
These component factors (Acronym: 'CAMELS') assess capital adequacy, asset quality, management capability, earnings level and quality, liquidity adequacy and maintenance, sensitivity to risk and sufficiency of its information technology infrastructure.
Composite and component ratings are based on a 1 to 5 numerical scale. A '1' indicates the highest rating, strongest performance and risk management practices and least degree of supervisory concern, while a '5' indicates the lowest rating, weakest performance, inadequate risk management practices and, therefore, the highest degree of supervisory concern.
The composite rating is not derived by computing an arithmetic average of the component ratings. Each component rating is based on a qualitative analysis of the factors comprising that component and its interrelationship with the other components. In general, assignment of a composite rating may incorporate any factor that bears significantly on the overall condition and soundness of the financial institution.
URSIT dates back to 1978 and is the regulators' supervisory tool-of-choice for evaluating the condition of a financial institution's or vendor's information technology functions. Ever since, changes in information technology - as well as in the financial institution agencies' supervisory policies and procedures - have forced the regulators to rethink the original language, steadily adding more requirements.
AML programme considerations
Evolving AML programme considerations currently fall into four categories and consist of:
1. Enterprise AML risk profiling and management: Reviewing the enterprise's business and clients to determine areas for enhanced due diligence (EDD) in the following categories:
Retail/individual clients
Institutional/corporate clients
Domestic and foreign correspondent banking relationships
Linked relationships ('householded,' implicit/explicit, hidden [linked only by transaction])
Risk weighing and alert prioritisation
Applied Basel II/COSO risk measurement standards to each financial institution's risk categories:
- Operational risk
- Legal/regulatory risk
- Strategic
2. Customer and correspondent bank validation and categorisation: KYC high-risk profiling and transactional-risk scoring; peer group benchmarking; service-level profiling; existing client/account behaviour and new account behaviour benchmarking:
Atypical behaviour
Suspected terrorist financing schemes
Unsuitability and demographic anomalies
Exceeds historical benchmarks above thresholds
Exceeds PEER group benchmarks above thresholds
Suspicious transactions of logical entities
Fraud
3. Transaction monitoring/applied detection scenario categories:
Follow-the-money transactions
Structuring/aggregation - Count, value and frequency over varying 'look back periods,' across products and services
Suspicious account stencil changes - For example, add/delete a beneficial owner; hold mail; switch to a P.O. Box address
Secured/unsecured debt default and manipulation
Behavioural anomalies
Anomalous investment activity
Correspondent financial institution validation and transaction monitoring
Other stored-value/value-transferable
Statistical analysis
4. AML programme administration:
Management policies and procedures; reporting
SAR/CTR reporting
Case generation and management
Programme testing and validation
Audit trail record retention
Staff training
The AML challenge
In creating an effective AML programme, financial institutions must install a variety of intervention and transformation layers to address money-laundering issues. These include frontline staff trained to identify potential money laundering, coordination with government agencies to identify persons blocked from making transactions, identification of high-risk transactions and advanced data analysis capabilities to identify unusual or abnormal patterns of activity.
Financial institutions must locate, extract, warehouse and assimilate specific data to better understand and predict patterns of customer behaviour and discover suspect situations. Financial institutions require solutions that can evaluate transactions in multiple dimensions - often at a granular level of detail - within the context of each customer's background, demographics, normal behaviour patterns and peer groups.
To be effective, financial institutions must be able to do all of this analysis across all business lines at the transaction, account, customer and household levels. Not only must data be collected and analysed, this must occur across the enterprise. In most financial institutions, it is uncommon to have an aggregated 'single view' of each customer's activity - although this continues to be a common industry goal.
Leveraging AML for business advantage
An AML solution essentially provides an enhanced customer resource management system, one that is designed to allow financial institution personnel to monitor, analyse and act - enterprise wide - on customer information in a timely manner. Often, much of the required information - such as the source of funds, how the customer uses these funds, basic account information and product preferences - has already been gathered in areas of the financial institution. The challenge is to aggregate this information into a more behaviourally oriented context to support broader mandates.
This is achievable with a robust, automated AML solution - one that can perform analysis, detection and advanced data mining to provide a context and 'basis-in-facts' to anomalous transaction patterns, whether over a selected time span or at a single point in time. Such an automated solution should, at a minimum, contain:
Sophisticated business rules that can analyse customers' transactional behaviour patterns in comparison to 'normalised' activity and known money laundering techniques in batch and real time, providing KYC-based models that can learn about customers and their behaviour patterns (KYC), while 'alert detection scenarios' can use domain knowledge and pattern detection to generate 'suspicious activity alerts'
Risk - scoring and prioritisation of 'alerts' in support of work flow and case management
Linking of customer relationships, by transaction flows, whether 'Householded', explicit, implicit, or hidden, to optimise resource deployment and reduce 'false positives'
Comprehensive drill-in/drill-out capability to complete investigations, in a timely and efficient manner
Advanced work-flow and case management, covering a broad range of end users, products and services, with a facility for tracking, follow-up, resolution, reporting, and audit trail documentation
Accurate timely SARs/CTRs filing support, whether electronically or manually filed, within regulator-prescribed windows
Adaptability and extensibility, to quickly adjust to new and changing regulatory requirements and rapidly deploy new detection capability.
Conclusion - A risk-based approach
Financial institutions realise that they must invest in IT solutions if they are to meet minimum regulatory requirements. Nevertheless, a company's investment, however big or small, may still not be sufficient to prevent monetary losses and dispel the results of negative regulatory findings. In order to effectively meet the requirements, every effort has to be made to acquire full knowledge of the different, new and emerging methods and techniques of money laundering, in the context of each institution's particular risk profile. 'Non-bank' money laundering techniques, corporate money laundering and the new payment technologies should be given particular attention. In the current context of globalisation, AML initiatives must extend to the cataloging of laundering typologies found in other regions of the world - Asia, Africa, Latin America, and Central and Eastern Europe. Moreover, the executive management of each financial institution needs to not only consider their own institution, but, also the cumulative impact of law enforcement and regulation in different jurisdictions upon the financial services industry-at-large - which has culminated in hundreds of millions of dollars spent on AML initiatives, driven mostly by the leading financial institutions. In other words, to be competitive, don't ever get caught holding the 'dirty money' bag.
© Banker Middle East 2005
