Part 504 of the US Department of Financial Services Superintendent’s Regulations seems to significantly up the requirements for firms to conduct ongoing review and continuously improve their approach to anti-money laundering (AML) monitoring. But is it really very different from the intergovernmental Financial Action Task Force's broader suggestions to introduce a continual review and improvement process for transaction monitoring?
AML transaction monitoring solutions cut to the core of an organisation. They cross traditional boundaries such as lines of business, cost centres and customer accounts. The risk-based approach requires an unprecedented level of transparency across platforms. And integration of these platforms into a single system presents both risk and significant challenge. But even after the organisation has overcome these challenges and completed the deployment, the work is not over.
As soon as an organisation introduces a transaction monitoring solution, it needs a team and process in place to ensure ongoing compliance and fitness for purpose. The challenge for firms is maintaining this, because it can be very easy for business-as-usual activities to out-compete new initiatives.
The most effective AML alerting systems use a hybrid approach to detecting suspicious activity, automatically combining multiple data points to improve accuracy. Such techniques can range from business rules (the Currency Transaction Report (CTR) limit being a classic) through to the use of sophisticated analytical techniques to detect anomalies and outliers.
Sophisticated techniques require someone with a level of knowledge and understanding -- more than just ‘an analytics person.’ The ideal person will understand the business problems and underlying business process, but also have knowledge of transactions and analytics. They will need to be able to debate approaches, manage stakeholders, and deal with large volumes of data (raw transactional data and alerts) to identify the most appropriate way to improve platform performance while also maintaining compliance. The job is much more than just turning down the volume of cases to a manageable level; it calls for a compliance-oriented data scientist, perhaps.
Generating dramatic improvements
If the approach to system improvement is completed appropriately, the improvements can be dramatic. False positives can be significantly reduced, which in turn improves the effectiveness of the investigations team and makes risk management more transparent. Overall, the disclosure rate is more effective. This can apply to legacy and new platforms.
But beware. An ongoing improvement model is missing a key component: quality feedback from the investigative authorities. The proxy for feedback from the authorities then becomes disclosures made by the institution. But should the lack of accurate feedback stop firms from using the information at hand to drive improvement? It would sound like an excuse if it did.
The 504 regulation also outlines the need for greater transparency relating to system improvements, and documentation relating to why the system is set up as it is. Transparency regarding the use of certain analytical techniques becomes more important, so companies need to review and potentially reconsider their use of non-transparent techniques and approaches. For example, would neural networks provide an easily transparent view of decision-making processes? The regulation also shines a light on threshold-based settings, so it’s important to be able to justify why particular thresholds have been chosen.
Finally, requirement 504.4 outlines the need for an annual certificate. This could focus and drive much-needed attention from senior compliance officers to the importance of having robust processes in place. Might this support firms in requesting additional resources for improvement?
A matter of time?
The final thought has to be ‘how long?’ Is it only a matter of time before this type of regulation becomes widely adopted across the EU and UK? Will some firms try to counter the move to increasing regulation? Generally, regulation from the US is adopted in some form, and at some point, in Europe. Perhaps the question is how many years or months it will be, and whether there will then be a mad dash to comply when it does arrive.
If you're wrestling with the challenges around ongoing improvement of a transaction monitoring system, I’d be happy to discuss it further.