Few industries are more heavily regulated and scrutinized than financial services, particularly in the area of anti–money laundering (AML) and financial crime. In their effort to keep the financial system safe, the authorities have taken enforcement activity to unprecedented heights, in terms of both the level of scrutiny applied to a firm’s AML/Bank Secrecy Act (BSA) Program and the severity of regulatory responses if and when programmatic weaknesses are identified.
The sources of the underlying legal and regulatory obligations are not new. For many years, the BSA was the primary source of AML regulation in the United States. Enacted in 1970, the BSA initially established requirements to report cash transactions to the U.S. Treasury. It evolved over the years to establish, for example, requirements for designated financial institutions, such as banks, to report suspicious activity. In the wake of the September 11, 2001, terrorist attacks, Congress enacted the USA PATRIOT Act (Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act—the Patriot Act), which amended and enhanced the BSA.[1] The Patriot Act and the regulations enacted pursuant to it not only codified certain AML program requirements, but also broadened them to cover other financial institutions, such as broker-dealers, money service businesses, insurance companies, casinos, and dealers in jewels and precious metals.
These regulations continue to evolve and apply to additional types of entities. In fact, in August 2015, the Financial Crimes Enforcement Network of the U.S. Treasury Department (FinCEN) issued a Notice of Proposed Rulemaking (NPRM) to extend certain of the Patriot Act’s requirements to SEC-registered investment advisors (IAs).[2] By being added to the BSA definition of “financial institutions,” IAs will be subject to many of the same requirements as banks and broker-dealers. For example, they must establish AML programs as defined in the Patriot Act, implement controls to detect suspicious activity and file Suspicious Activity Reports, and comply with several other BSA requirements around record keeping and reporting, such as Currency Transaction Report filing, the funds transfer and travel rules, and the information sharing provisions of Patriot Act section 314. By virtue of Dodd-Frank’s requirements expanding the types of entities that now must register as IAs, the new rules will cover not only the traditional large IAs, but many hedge funds, private equity firms, and other pooled investment entities. Thus, many of the components of a sound AML program described below will need to be addressed by these additional institutions, many of which have not, to this point, focused as much on AML compliance as their banking counterparts.[3]
Closely related to these BSA/AML regulations are a range of laws and regulations related to economic sanctions and enforced by the U.S. Treasury’s Office of Foreign Assets Control (OFAC). OFAC administers a number of sanctions programs against both individuals and entities, as well as others directed at specific countries. We mention the sanctions laws here because many, if not most, financial institutions manage sanctions compliance as part of their AML compliance or financial crimes compliance organization, and regulators will typically assess sanctions compliance as a component of the AML examination process. We devote Chapter 5 to sanctions compliance.
Despite the increased codification of laws and regulations covering AML and sanctions, the regulatory landscape is more difficult to navigate than one can master solely by understanding the text of these written requirements. Enforcement activity, while grounded in law, is often based on regulatory interpretation and an expectation of what is actually required as part of a sound AML and sanctions compliance program. Firms must pay close attention to other sources to understand regulatory expectations. These include published guidance from regulators (e.g., the Federal Financial Institution Examination Council’s BSA/AML exam manual); releases from FinCEN; informal guidance obtained during regulatory meetings, conferences, and so on; reports of public enforcement actions against similar institutions; even anecdotal descriptions of peer best practices. All of these must be in a compliance officer’s toolbox to maintain a compliant program.
Recent years have seen an increasing number of high-value monetary penalties imposed by regulators for sanctions violations or for AML program gaps that may have facilitated money laundering, financial crimes, or possible terrorist financing. This is in contrast to a decade ago. In the early years of the Patriot Act, there was a steady flow of enforcement actions from various federal and state regulators, but many of these involved more discrete programmatic deficiencies. For example, early enforcement actions focused primarily on failures to adequately monitor and report suspicious activity, requiring firms to undertake transaction reviews.
While one should not oversimplify these actions, they addressed basic program elements and appeared more targeted than some of the more recent enforcement actions. Recent actions seem to hit at virtually every aspect of firms’ AML programs, from governance and oversight to customer due diligence, monitoring and detection systems, reporting, staffing, training, and independent testing. While banks have borne the brunt of these penalties, enforcement activity is increasing against other financial institutions as well, such as broker-dealers and money service businesses. Figure 4.1 provides a sample of the more prominent, publicly announced cases.
Figure 4.1. Banks Penalized Under AML Regulations
Source: Author; compiled from official sources and news accounts
Consistent with the focus of enforcement efforts in other areas such as anti-bribery and corruption, another trend in this industry is a stated intent to hold individuals accountable for the compliance failures of their institutions. In public addresses, representatives from financial regulators have made it plain that they intend to pursue individuals for the shortcomings of the institutions they work for. “[I]n my opinion, if in any particular instance we cannot find someone, some person, to hold accountable, that just means we have stopped looking. . . . [R]eal deterrence, in our opinion, means a focus not just on corporate accountability, but on individual accountability,” said Benjamin M. Lawsky, former superintendent of financial services for the State of New York, in February 2015.[4]
The intended targets appear to be personnel in charge of compliance, presumably for causing the institution to fail to have an adequate AML program. Within the past year, in fact, we have seen instances where compliance officers have been subject to enforcement proceedings in their personal capacities, and specifically to individual monetary fines, in one case a fine of $1 million and potentially a bar from working in the industry. This move to penalize individuals seemingly echoes political calls to find criminal culpability on the part of firms and their employees, as politicians argue that no bank and no bank employee is too important to punish.
A final trend of note is the increasing use of court- or regulator-appointed monitors to oversee a firm’s compliance with enforcement actions. Monitorships have been imposed in a small number of cases to date, and there is speculation that this tool will be used more widely going forward, including in a capacity to increase a regulator’s examination resources.[5] While courts have appointed monitors in different industries for different reasons, their increased use in AML matters raises additional challenges. First, having a monitor oversee enhancements to an AML program is likely to make the program more difficult to manage from day to day. A compliance department will need to address the often strict demands of the monitor on top of implementing program enhancements and running a complex AML program. Second is the simple matter of cost. In the standard arrangement, the monitor is appointed by, and operates under the direction of, the court or regulator. Yet the costs are covered by the institution. Such costs are considerable: the typical monitorship is a multiyear engagement, and the monitor will be an experienced, highly skilled attorney, consultant, or other professional who may employ others to assist.
External threats of financial crime and terrorism may not be the sole cause of increased expectations on financial institutions. As external threats and missteps by financial institutions grab headlines, the pressure on the agencies themselves has increased. Recently the legislative branch has become more actively involved in the regulatory process; in one case a congressional inquiry into HSBC’s program deficiencies included a focus on whether a federal regulatory agency effectively oversaw the AML program at the bank.[6] As a result, regulators are likely to turn up the heat on the banks they examine.
We could not fully convey the impact of the issues described above without discussing the growing costs of AML compliance. Experts see little likelihood that these costs will stabilize anytime soon. In a survey[7] of global AML practitioners conducted by KPMG and released in 2014, KPMG asked participating firms to compare their 2014 AML compliance costs to those of 2011. Some 27 percent of respondents reported increased spending of 50 percent or more. Seventy-four percent of respondents said they expected costs to increase further in the following three years.
The KPMG survey identified three main causes of rising costs: transaction monitoring systems; the collection of customer due diligence information or “know your customer” (KYC) information; and recruitment of compliance staff. The first two factors will be discussed later in this chapter; recruitment requires special mention here, due to its impact on the financial services industry, where companies have been scrambling to hire professionals with the relevant experience. This has pushed up costs and made it difficult for financial institutions, both large and small, to build a sustainable program, when employees frequently leave for higher-paid jobs elsewhere. Faced with these challenges, financial firms are advised to design and implement a sound AML program that is tailored to the specific risks inherent in their businesses, to prevent, detect, and respond to illicit activity. Such a program should be based on the foundation of a well-defined risk assessment.
Considering the high level of regulatory attention and risks to financial institutions, the fundamental elements of a BSA/AML compliance program should be familiar to all professionals in the industry. Given the maturity of the Patriot Act, regulated institutions should have in place the so-called “four pillars” of an AML program as mandated in Section 352 of the Act. These include:
If any of these elements is lacking or falls short of expectations, the institution will face significant challenges during regulatory examinations.
Risk Assessment. A successful program that will withstand regulatory scrutiny in this harsh environment must be tailored to the institution’s specific clients and products, lines of business, and risk profile. This is best achieved by starting with the BSA/AML risk assessment. When properly designed, a risk assessment can identify all the compliance obligations applicable to a firm’s business. It can determine which of the firm’s business lines face a measurable degree of risk associated with these obligations and whether the firm’s existing control structure is designed to address these risks. Based on this information, the firm can then develop a sound AML compliance program. It can undertake remedial measures to address any gaps, and it can help drive a “business as usual” program that is fit for that purpose. The risk assessment outcomes should also provide guidance for other control areas (audit, quality assurance, compliance desk reviews, and training) as they set their agendas.
The first step in the risk assessment process is to understand the laws, regulations, and other forms of regulatory guidance that will inform a thorough compilation of all of the legal obligations a firm must meet in order to be compliant in BSA/AML. BSA/AML compliance is unique and challenging, as the landscape does not present a set of documented, precise, rule-based requirements. Rather, the key obligations of AML/BSA come in broad strokes. Written regulatory requirements require banks and certain other financial institutions to collect and verify customer identification information (known as CIP, for customer identification program). Regulators, however, expect banks not only to identify but also to know their customers, by performing sufficient risk-based due diligence prior to the opening of an account. The purpose is to understand who the client is and what risk the client and his or her activity may pose. Banks must then monitor accounts and transactions for unusual or suspicious activity. The requirement to monitor for and report on suspicious activity is a critical mandate, but the regulations do not offer definitive guidance on which transactions to monitor, which rule typologies to measure against, or what makes a transaction suspicious enough to warrant reporting. Thus, it is critical for the legal and compliance staff to have a high level of understanding of money laundering and financial crimes to assist the bank in meeting the expectations of regulators.
This depends on building a solid risk assessment framework involving key persons in all business areas of the firm. All business divisions must be brought into the assessment process as stakeholders. It is they who best understand the products they offer and clients they serve. They can explain where and how they solicit clients, what client types they serve, and the value and volume of transactions that their divisions handle. These points will determine the levels of risk of certain activities and whether mitigating controls are needed. Furthermore, it is the business divisions that must understand they are the true owners of this risk. By aligning the legal obligations to the activities of the particular business area, the risk assessor will be able to identify the legal requirements applicable to the business line and determine which products, clients, and business divisions entail the most risk.
The next step is to assess the controls that are in place to mitigate the risks. Controls take many forms, from broader concepts such as written policies and training, to more specific controls such as transaction monitoring, data analysis, supervisory review protocols, and the schedule for reviewing client data.
A disciplined process of (1) identifying your legal requirements and inherent risks and (2) determining whether the controls properly address any risk is the key to identifying whether there are gaps in the program. Many institutions have faced formal enforcement actions or private regulatory findings related to inadequate monitoring of correspondent banking, which is considered to be a high-risk line of business. But the risk assessment should reveal, for example, if the rules used for automated transaction monitoring cover suspicious types of activity. It should also determine whether the institution is capturing sufficiently detailed information about its correspondent banking customers to understand what kinds of activity are normal. Indeed, if the analysis is comprehensive, it is bound to find gaps in coverage of its risks. Identifying these improvement opportunities and tracking them to full remediation is a primary objective of the risk assessment.
The main output, which should inform the list of improvement opportunities, consists of a series of residual risk ratings for the many components of this exercise. The expectation on the part of examiners is that each risk element for each line of business be measured both qualitatively and quantitatively, that the controls be viewed in light of that risk, and that a residual risk score is arrived at. Thus a risk score should be set for each geographical region, business activity, product, or client category that is being assessed. Most firms have done this by assigning quantitative values[8] to a number of items: the inherent risk of a given activity/product/client; the strength of the targeted controls; and the residual risk (i.e., the risk that remains even after the controls are factored in).[9] The residual risk ratings should drive a number of aspects of the AML program, including:
A sound risk assessment should inform the development of the overall AML program. If done correctly, it will show the compliance officer what is needed in terms of policies, procedures, and targeted training programs. It will help determine where resources should be deployed. It will drive the design of the KYC program by identifying the unique client risks of the various business areas, and it will make clear where transaction monitoring needs to be deployed and at what levels of complexity. All of these components are required to prevent, detect, and respond to money laundering risks.
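The residual-risk scoring described above (quantitative values for inherent risk, control strength, and the risk that remains after controls) can be made concrete with a small script. The following is an added illustration, not code from the book or from any regulator: it assumes one common convention in which inherent risk and control strength are each rated 1 to 5, residual risk is inherent risk multiplied by the fraction of risk the controls do not mitigate, and residual scores are bucketed into High/Medium/Low bands. The business lines, ratings, effectiveness mapping and band cutoffs are constructed sample values that a firm would replace with its own.

```python
"""Residual-risk scoring for a BSA/AML risk assessment.

Added illustration; not code from the book. It assumes one common scoring
convention: inherent risk and control strength are each rated 1 (low/weak)
to 5 (high/strong), and the residual score is inherent risk x
(1 - control effectiveness), where control effectiveness maps the strength
rating onto the fraction of risk mitigated. Business lines, ratings,
mapping and bands below are constructed sample values.
"""
from dataclasses import dataclass

# Assumed mapping: fraction of inherent risk a control of each strength
# removes. Even the strongest control (5) leaves 20 percent residual.
CONTROL_EFFECTIVENESS = {1: 0.0, 2: 0.2, 3: 0.4, 4: 0.6, 5: 0.8}

# Assumed residual-risk bands (score floor, label); a firm sets its own cutoffs.
BANDS = [(3.0, "High"), (1.5, "Medium"), (0.0, "Low")]


@dataclass(frozen=True)
class RiskItem:
    business_line: str
    category: str      # "client", "product" or "geography"
    name: str
    inherent: int      # 1..5
    control: int       # 1..5


def residual_score(inherent: int, control: int) -> float:
    """Residual risk after controls, on the same 0..5 scale as inherent risk."""
    if inherent not in range(1, 6) or control not in range(1, 6):
        raise ValueError("ratings must be integers from 1 to 5")
    return round(inherent * (1.0 - CONTROL_EFFECTIVENESS[control]), 2)


def residual_band(score: float) -> str:
    for floor, label in BANDS:
        if score >= floor:
            return label
    return "Low"


def assess(items):
    """Score every item; returns one dict per item with its score and band."""
    rows = []
    for it in items:
        score = residual_score(it.inherent, it.control)
        rows.append({"business_line": it.business_line, "category": it.category,
                     "name": it.name, "inherent": it.inherent, "control": it.control,
                     "residual": score, "band": residual_band(score)})
    return rows


def improvement_opportunities(rows, band="High"):
    """Items whose residual risk still sits in the given band after controls:
    the gaps the chapter says should be tracked to full remediation."""
    return sorted((r for r in rows if r["band"] == band),
                  key=lambda r: r["residual"], reverse=True)


def business_line_summary(rows):
    """Highest residual score per business line, which sets the line's rating."""
    summary = {}
    for r in rows:
        line = r["business_line"]
        summary[line] = max(summary.get(line, 0.0), r["residual"])
    return summary


# Constructed sample assessment (ratings are illustrative, not a benchmark).
SAMPLE_ITEMS = [
    RiskItem("Correspondent Banking", "client", "Foreign respondent banks", 5, 2),
    RiskItem("Correspondent Banking", "product", "Nested third-party payments", 5, 3),
    RiskItem("Private Banking", "client", "Foreign PEP accounts", 5, 4),
    RiskItem("Retail", "product", "Consumer checking accounts", 2, 4),
    RiskItem("Retail", "geography", "Domestic branches", 1, 4),
    RiskItem("Trade Finance", "product", "Letters of credit", 4, 3),
]

if __name__ == "__main__":
    rows = assess(SAMPLE_ITEMS)
    for r in rows:
        print(f'{r["business_line"]:22} {r["name"]:30} residual={r["residual"]:<4} {r["band"]}')
    print("Improvement opportunities:", [r["name"] for r in improvement_opportunities(rows)])
    print("Business line ratings:", business_line_summary(rows))
```

Two design points match the chapter's expectations: the score is computed per item (client, product, geography) so that a business line's rating is driven by its worst residual element rather than an average that hides a gap, and the "High" list is the tracked remediation backlog, so the same scoring run that produces the ratings also produces the improvement opportunities.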
Due Diligence. One of the broad concepts inherent in a risk assessment is customer risk—that is, lines of business that serve a larger number of high-risk customers will be considered to present a higher risk to the institution. The collection of this information is facilitated by a firm’s KYC program, or the customer due diligence (CDD) program, which has seen the development of a substantial amount of guidance for the practitioner. The idea of knowing one’s customer forms the basis for preventing a financial institution from being used for illicit activities. In theory, the institution should learn enough about potential customers to turn them away if they present a foreseeable risk.
As mentioned above, the Patriot Act is specific in some areas, including delineating the required elements of customer identification information and verification in the CIP provisions.[11] These include the collection of basic elements such as name, physical address, date of birth for an individual, and a government-issued identification number. Similarly, the law is more prescriptive when discussing special due diligence requirements for correspondent bank accounts or private bank accounts.[12] FinCEN issued a notice of a proposed rulemaking for obtaining beneficial ownership information for those natural persons that are behind legal entity accounts. The notice, if ultimately adopted as proposed, will require firms to verify the identity of all natural persons with beneficial ownership of at least 25 percent of an entity, but sets a process whereby the firm need only obtain certification from the client in order to identify those owners.
That said, there are many facets of the KYC process that remain subject to interpretation and customization at each firm. At the outset, the firm must decide which third parties will be viewed as “customers,” so that the CIP and KYC procedures apply. In any jurisdiction, a client who wishes to open an account relationship is subject to KYC procedures. In the United States, what constitutes a “customer” and an “account” is defined in the CIP regulation. Expectations for KYC may not be so clear-cut, however. In certain jurisdictions, such as those in the European Union,[13] counterparties to certain transactions, entities with which the institution enters into a business contract, or mergers-and-acquisitions advisory clients are generally treated in the same way as customers and are required to be placed in the KYC process. In the United States, entities with which business is regularly conducted may be considered customers even if they do not meet the technical definition.
Once the “customer” is defined for KYC purposes, risk-based and customer-segment-specific KYC information should be collected. While the information collected will initially be determined based on customer type and initial risk ranking, additional facts can be learned during the course of due diligence that increase the risk rating of the customer, such as relevant negative media information. This should drive the process of enhanced due diligence review, and in some cases may cause a firm to decline to do business with the prospect. Key baseline KYC questions include: (1) What accounts or relationships should be deemed high risk? (2) What is the effect of the high-risk (or medium- or low-risk) designation? and (3) How does the firm’s AML transaction monitoring platform incorporate both this risk designation and customer-specific information to drive true risk-based monitoring of customer activity?
The approach to each of these variables must be defined by the institution itself. While there are some well-established approaches from which no firms would deviate (e.g., correspondent bank accounts and private wealth accounts for foreign government officials are deemed high risk), ultimately the parameters established should be tailored to the particular institution based on a number of factors, such as the characteristics of its client base, operational locations, products offered, and size of institution.
Regulators have focused on some key aspects of an acceptable KYC program. These include the documentary requirements for all information collected and a well-defined audit trail for all due diligence processes. The Patriot Act provides that CIP and other records be collected, retained, and readily available for internal purposes or if requested by a regulator or a representative of law enforcement. Requirements for documentary verification must be articulated and followed. Negative media searches, OFAC searches, and searches to determine if a customer is, or is affiliated with, a politically exposed person (PEP) should be executed for potential clients and the results retained. The entire work flow, and the documentation collected, must follow strict procedures.
Collecting KYC information on a customer or counterparty is not a one-time exercise. Frequency of reviews of customer files must be dictated by the risk category. Such reviews will inform the firm whether relevant information about the customer has changed and whether a risk profile has increased. In such a case, additional due diligence should be collected and the new risks should be evaluated by both compliance and the unit doing business with the customer. Any increased risk should be documented and accepted, and transaction monitoring may need to be adjusted. Even the most comprehensive KYC programs are vulnerable to gaps, however. Compliance departments should develop a plan to test the work and performance of the KYC teams to ensure that they are working as intended and, if necessary, develop a plan to address deficiencies.
Once customer and product risks are defined, a critical element of any AML program is transaction monitoring and the detection, investigation, and reporting of potentially suspicious activity. Detection of potential money laundering within the wide range of transactions conducted by today’s financial institutions can be a daunting task. Finding those transactions that may be unusual, or potentially suspicious, requires complete, accurate, and relevant data, a strong methodology, sound transaction processing systems, a robust transaction monitoring and case management system, and a validation process that ensures the transaction monitoring system and related models are functioning as intended.
Auditing and Monitoring. Regulators’ expectations have increased sharply in the area of transaction monitoring. Regulatory agencies have deployed quantitative analysts to conduct exams of firms’ transaction monitoring systems and capacities. The expectation is that firms will conduct model validation exercises with respect to their monitoring capabilities to ensure that systems are working as intended and capturing suspicious activity. Firms falling short will be subject to criticism or worse.
A fundamental issue for financial institutions is the quality of the data available to identify potential money laundering issues. Transaction monitoring is only effective if the data inputs into any system are complete and accurate. This includes the customer information collected in the KYC process, as firms must understand who or what a customer is before they can determine if related activity is unusual. In many cases, transaction records are incomplete with critical data elements missing. Or the data is spread across multiple transaction processing systems and there is incomplete data in each system, or the data is inconsistent across systems. Without a sound foundation of data, decisions regarding the validity of transactions may be compromised. Thus any transaction monitoring program should begin with a validation of data inputs. This entails ensuring that the data is collected in a uniform format and/or is normalized to be in such a format and that all relevant data is being properly fed into the systems used for monitoring.
Working with sound data, financial institutions need a sound methodology to identify transactions that may present a risk. This methodology should address the risks inherent in the portfolio of customers, products and services, and geographies, and how those risks translate into the transactions conducted. For example, a system may incorporate certain behavioral typologies that indicate red flags for risks in a certain product line, or a system may profile the ordinary activity of a customer base to detect when anomalies occur. A sound risk assessment, as discussed above, provides the foundation necessary to build effective processes for detecting unusual, potentially suspicious activity. Data around customers and the expected usage of products and services maintained in customer databases should be analyzed to aid in the assessment of risk at the customer and institutional level. This methodology is the foundation for the transaction monitoring system engine.
It is essential that transaction monitoring systems are robust and flexible. Even with good quality data, ineffective transaction monitoring systems may not identify those transactions that present a risk to the institution. The transaction monitoring systems and the underlying rules or profiles need to be tied to the institution’s inherent risks both overall and at the customer level. And these transaction monitoring systems must link to a comprehensive case management system. Case management systems or tools allow a firm to keep track of alerts, cases, and investigations conducted on individual or related clients. Thus if subsequent activity gives rise to suspicion or concern it can be tied to earlier activity and either cleared as normal or alerted for further review and investigation. Such a system will allow for the timely tracking of investigations, a complete and accurate assessment of all relevant documentation, and an audit trail. It should additionally link related cases and parties to enable a firm to view customer and activity risk over time and across related entities.
The information gleaned from risk assessments can and should provide the framework for the transaction monitoring system. The overall risk assessment may be useful in setting up initial rules and/or thresholds for transactions. Customer-specific risk assessments could then be used to target specific customers and activity types for further review. For example, the overall risk assessment may be useful for establishing rules (transaction types) and thresholds (dollar values) used to generate alerts for more homogeneous customer segments and for individual retail transactions. Customer-specific profiling rules might be very difficult to manage in such an area and may not yield more effective results.
Customer-specific rules, however, are more effective for less homogeneous groups such as commercial banking, trade finance, or correspondent banking. In these areas, a clear understanding of the risks associated with the customer and the customer’s anticipated normal activity is critical to setting rules, thresholds, or behavioral patterns that can help to highlight anomalies for further review.
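The two approaches contrasted in the preceding paragraphs, fixed segment-level rules and thresholds for a homogeneous retail population versus customer-specific baselines for less homogeneous commercial customers, look like this in code. This is an added example, not the book's code or any vendor's monitoring engine: the threshold values, the three-standard-deviation band, the alert type names and the sample history and transactions are all constructed for illustration. It also shows the edge case of a commercial customer with no baseline yet, which is routed for review rather than silently passed.

```python
"""Two monitoring approaches on constructed data: segment-level rules with
fixed thresholds for a homogeneous retail segment, and customer-specific
profiles for less homogeneous commercial customers.

Added example, not the book's code. Threshold values, the 3-sigma band,
alert type names and the sample transactions are assumptions.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Segment rules for retail: alert on any single transaction at or above the
# amount threshold, and on aggregate same-day cash at or above it.
# The 10,000 figure is an illustrative threshold, not a recommendation.
RETAIL_SINGLE_TXN_THRESHOLD = 10_000.0
RETAIL_DAILY_CASH_THRESHOLD = 10_000.0


def segment_threshold_alerts(txns):
    """Fixed rules/thresholds applied uniformly across the retail segment."""
    alerts = []
    daily_cash = defaultdict(float)
    for t in txns:
        if t["segment"] != "retail":
            continue
        if t["amount"] >= RETAIL_SINGLE_TXN_THRESHOLD:
            alerts.append((t["customer"], "RETAIL_SINGLE_TXN", t["id"]))
        if t["channel"] == "cash":
            daily_cash[(t["customer"], t["date"])] += t["amount"]
    for (cust, day), total in daily_cash.items():
        if total >= RETAIL_DAILY_CASH_THRESHOLD:
            alerts.append((cust, "RETAIL_DAILY_CASH", day))
    return alerts


def build_profiles(history):
    """Per-customer baseline from prior activity: amount mean/stdev and the
    counterparty jurisdictions seen before. Used for commercial customers."""
    amounts, countries = defaultdict(list), defaultdict(set)
    for t in history:
        amounts[t["customer"]].append(t["amount"])
        countries[t["customer"]].add(t["counterparty_country"])
    return {c: {"mean": mean(a), "stdev": pstdev(a), "countries": countries[c]}
            for c, a in amounts.items()}


def profile_alerts(txns, profiles, sigma=3.0):
    """Customer-specific anomaly rules: amount far above the customer's own
    baseline, or a counterparty jurisdiction never seen for that customer."""
    alerts = []
    for t in txns:
        if t["segment"] != "commercial":
            continue
        p = profiles.get(t["customer"])
        if p is None:
            # No baseline yet: route for manual review rather than silently pass.
            alerts.append((t["customer"], "NO_PROFILE", t["id"]))
            continue
        if t["amount"] > p["mean"] + sigma * p["stdev"]:
            alerts.append((t["customer"], "AMOUNT_ABOVE_BASELINE", t["id"]))
        if t["counterparty_country"] not in p["countries"]:
            alerts.append((t["customer"], "NEW_JURISDICTION", t["id"]))
    return alerts


def _txn(id_, customer, segment, date, amount, channel, country):
    return {"id": id_, "customer": customer, "segment": segment, "date": date,
            "amount": amount, "channel": channel, "counterparty_country": country}


# Constructed history: commercial customer C-100 wires about 50,000 a month to US/DE.
HISTORY = [_txn(f"H{i}", "C-100", "commercial", f"2015-0{i}-15", a, "wire", c)
           for i, (a, c) in enumerate([(48_000, "US"), (52_000, "DE"), (50_000, "US"),
                                       (49_000, "DE"), (51_000, "US"), (50_000, "US")],
                                      start=1)]

# Constructed current-period transactions.
CURRENT = [
    _txn("T1", "R-1", "retail", "2015-07-01", 12_500, "wire", "US"),        # single-txn rule
    _txn("T2", "R-2", "retail", "2015-07-01", 6_000, "cash", "US"),         # same-day cash ...
    _txn("T3", "R-2", "retail", "2015-07-01", 4_500, "cash", "US"),         # ... totals 10,500
    _txn("T4", "R-3", "retail", "2015-07-02", 300, "card", "US"),           # no alert
    _txn("T5", "C-100", "commercial", "2015-07-03", 51_000, "wire", "DE"),  # within baseline
    _txn("T6", "C-100", "commercial", "2015-07-10", 120_000, "wire", "KY"), # amount + new country
    _txn("T7", "C-200", "commercial", "2015-07-11", 20_000, "wire", "US"),  # no profile yet
]


def run_monitoring(history=HISTORY, current=CURRENT):
    """Run both rule families over the current period and return all alerts."""
    profiles = build_profiles(history)
    return segment_threshold_alerts(current) + profile_alerts(current, profiles)


if __name__ == "__main__":
    for alert in run_monitoring():
        print(alert)
```

Note that the retail rules know nothing about the individual customer, while the commercial rules know nothing about a fixed dollar figure: the 51,000 wire on T5 is above every retail threshold yet is normal for C-100 and produces no alert, which is exactly why the chapter argues that one rule set does not fit both populations. Each alert tuple carries the customer and the triggering transaction or day so that it can be handed to a case management system and linked to earlier activity on the same customer.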
The ultimate goal of any transaction monitoring system is to provide a firm with a mechanism to detect potentially suspicious activity, then to investigate that activity, and to report that activity to regulatory and law enforcement authorities. Moreover, detecting suspicious activity on the part of a customer should trigger a review of the customer relationship and an evaluation of whether the risk presented by keeping the customer exceeds the firm’s risk appetite or its ability to control the risk.
Regardless of the method for identifying transactions for further review, a robust transaction monitoring system must also have, or tie to, a robust case management system. Such a case management system should fully document the transaction or transactions and all relevant parties to the transactions. This will allow for supporting documentation to be maintained both for cases where suspicious activity reports (SARs) are filed and for those cases where a determination has been made that the activity does not warrant the filing of an SAR.
Data Analytics. Regulatory expectations regarding data quality continue to rise. The integrity of the data feeding AML transaction monitoring systems is critical to a system’s success. A financial institution’s collection and use of data must be fully defined and understood by those who are responsible for the AML transaction monitoring system. For those who oversee AML compliance, and in particular the AML transaction monitoring systems, a series of questions require answers:
Data relevant to each customer, each product and service used by that customer, and each transaction conducted by, through, or to that customer needs to be identified. While all data may be important, each data element that affects or measures AML risk needs to be further identified. For example, jurisdictions where the customer is resident or conducts business as well as the location of the counterparties to the transactions should be identified and documented.
For these AML data elements, a financial institution needs to understand who provides, collects, and records the data, as a means to assess the integrity of the data. Data provided by a customer should be subject to independent verification. Data collected and recorded by the financial institution should be subject to standard controls to ensure completeness and accuracy such as segregation of duties and input/output verification controls.
Understanding when data is collected is important when assessing the timeliness of detection afforded by AML transaction monitoring systems. While all data collected is important, data collected at the time a transaction is conducted will be more relevant in the timely detection of potential money laundering than data collected at, say, the opening of an account.
Perhaps the greatest challenge for a financial institution is gaining an understanding of where data is resident. There may be multiple data sources that contain relevant data for a single transaction or for a single customer. Wire transfer data may be housed in a wire transaction or correspondent banking database, while related SWIFT messages are housed in a separate database. Additionally, once found, a question arises as to whether the data is consistent across the various sources, and whether it is source data or data that has been manipulated in some manner as it migrates from a source system to a data repository.
Finally, a firm must determine how to assess the overall quality of the data. The use of standard controls, such as the segregation of duties and input/output verification controls, has already been mentioned. In addition, data analytics can be helpful in assessing data quality. For example, are customer relationships connected throughout the firm? Are naming conventions uniform? Are related accounts linked? With the abundance of data that may be available to a financial institution, data quality cannot be effectively assessed in a manual environment alone. No doubt, manual intervention will be necessary to make a final determination on specific data quality issues, but data analytics is a powerful tool in this effort.
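The data-quality questions raised here (are naming conventions uniform, are related accounts linked, is the data consistent across sources) and the input validation called for earlier in the chapter (is every required element present, is the data normalized to a uniform format) can be checked programmatically before any monitoring rule runs. The following is an added example, not the book's code or any institution's actual tooling: the field names, the house naming convention of upper-case "LAST, FIRST", and the two constructed extracts (a customer master file and a wire-system feed) are assumptions chosen to exercise each check, including the orphan case where a wire references a customer the master does not know.

```python
"""Data-quality analytics over two constructed source extracts: a customer
master file and a wire-system feed.

Added example, not the book's code. Field names, the naming convention
("LAST, FIRST" upper case) and the sample records are assumptions.
"""
import re

REQUIRED_CUSTOMER_FIELDS = ("customer_id", "name", "country", "date_of_birth")
REQUIRED_WIRE_FIELDS = ("wire_id", "customer_id", "originator_name",
                        "originator_country", "amount")
NAME_CONVENTION = re.compile(r"^[A-Z' -]+, [A-Z' -]+$")  # assumed house standard


def missing_fields(records, required, key):
    """Completeness: records with required fields absent, None or blank."""
    issues = []
    for r in records:
        gaps = [f for f in required if r.get(f) is None or str(r[f]).strip() == ""]
        if gaps:
            issues.append((r.get(key, "?"), gaps))
    return issues


def nonconforming_names(customers):
    """Naming convention: names not in the house 'LAST, FIRST' upper-case form."""
    return [c["customer_id"] for c in customers
            if c.get("name") and not NAME_CONVENTION.match(c["name"])]


def normalize_name(name):
    """Normalize 'First Last' or 'last, first' into 'LAST, FIRST' for comparison."""
    name = " ".join(name.split()).upper()
    if "," in name:
        last, first = [p.strip() for p in name.split(",", 1)]
    else:
        parts = name.split(" ")
        last, first = parts[-1], " ".join(parts[:-1])
    return f"{last}, {first}"


def cross_source_mismatches(customers, wires):
    """Consistency: does the wire feed agree with the master on name and
    country for the same customer_id? Orphans are wires whose customer_id
    is unknown to the master, i.e. a relationship that is not linked."""
    master = {c["customer_id"]: c for c in customers}
    mismatches, orphans = [], []
    for w in wires:
        c = master.get(w["customer_id"])
        if c is None:
            orphans.append(w["wire_id"])
            continue
        if normalize_name(w["originator_name"]) != normalize_name(c["name"]):
            mismatches.append((w["wire_id"], "name"))
        if w["originator_country"] != c["country"]:
            mismatches.append((w["wire_id"], "country"))
    return mismatches, orphans


def data_quality_report(customers, wires):
    """All checks in one place so the result can be reviewed before monitoring runs."""
    mismatches, orphans = cross_source_mismatches(customers, wires)
    return {
        "customer_gaps": missing_fields(customers, REQUIRED_CUSTOMER_FIELDS, "customer_id"),
        "wire_gaps": missing_fields(wires, REQUIRED_WIRE_FIELDS, "wire_id"),
        "nonconforming_names": nonconforming_names(customers),
        "mismatches": mismatches,
        "orphan_wires": orphans,
    }


# Constructed extracts.
CUSTOMERS = [
    {"customer_id": "C1", "name": "SMITH, JOHN", "country": "US", "date_of_birth": "1970-01-01"},
    {"customer_id": "C2", "name": "Maria Garcia", "country": "ES", "date_of_birth": "1982-05-12"},
    {"customer_id": "C3", "name": "LEE, ANNA", "country": "", "date_of_birth": "1990-09-30"},
]
WIRES = [
    {"wire_id": "W1", "customer_id": "C1", "originator_name": "John Smith", "originator_country": "US", "amount": 5000},
    {"wire_id": "W2", "customer_id": "C2", "originator_name": "GARCIA, MARIA", "originator_country": "MX", "amount": 7500},
    {"wire_id": "W3", "customer_id": "C9", "originator_name": "UNKNOWN CO", "originator_country": "GB", "amount": 900},
    {"wire_id": "W4", "customer_id": "C1", "originator_name": "SMITH, JOHN", "originator_country": "US", "amount": None},
]

if __name__ == "__main__":
    for check, findings in data_quality_report(CUSTOMERS, WIRES).items():
        print(f"{check}: {findings}")
```

The name comparison normalizes both sides before deciding on a mismatch, so a convention difference ("John Smith" against "SMITH, JOHN") is reported once, under the naming-convention check, rather than as a spurious cross-source conflict; the country difference on W2 and the orphan W3 are the findings that would need manual follow-up, as the chapter notes.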
As noted, a risk assessment is critical to identifying and controlling risk in a program, as it pertains to both overall risk and customer risk. There are simply too many customers and transactions to review each and every one. Nor should time be wasted reviewing customers and transactions that present minimal risk and where information would be of little value to law enforcement.
Data analytics should be used as a means to support overall and customer risk assessments, and its complexity will vary. Simply identifying the number of customers by type and number of transactions to and from certain jurisdictions has long been an expectation of regulators. Nowadays, however, a more robust analysis is expected. This may include analyzing the frequency of transactions and patterns or linkages among parties to the transactions. Such an analysis helps in forming a baseline from which anomalies can be more easily detected and analyzed.
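To make the progression described above concrete (a count of transactions by jurisdiction, then frequency and pattern analysis, then a per-customer baseline from which anomalies stand out), the following added example works through it on a constructed transaction set. It is not code from the original article; the transactions, the high-risk country list and the statistical choices (a leave-one-out baseline with a floor on the standard deviation so that a flat history does not alert on noise) are all assumptions made for the illustration.

```python
"""Baseline-and-anomaly analysis over constructed transactions for a customer risk assessment (added example)."""
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed sample transactions: (customer, counterparty, counterparty_country, month, amount).
TRANSACTIONS = [
    ("C001", "P10", "US", "2015-01", 12000), ("C001", "P10", "US", "2015-02", 11500),
    ("C001", "P11", "US", "2015-03", 12500), ("C001", "P12", "KY", "2015-04", 95000),
    ("C002", "P20", "US", "2015-01", 3000),  ("C002", "P20", "US", "2015-02", 3200),
    ("C002", "P20", "US", "2015-03", 2900),  ("C002", "P20", "US", "2015-04", 3100),
    ("C003", "P12", "KY", "2015-02", 40000), ("C003", "P30", "PA", "2015-03", 45000),
    ("C003", "P12", "KY", "2015-04", 42000),
]

HIGH_RISK_COUNTRIES = {"KY", "PA"}  # constructed list for the example, not a regulatory designation


def jurisdiction_summary(txns):
    """The long-standing regulator expectation: count and total of transactions by counterparty country."""
    counts, totals = Counter(), Counter()
    for _, _, country, _, amount in txns:
        counts[country] += 1
        totals[country] += amount
    return {c: {"count": counts[c], "total": totals[c]} for c in counts}


def high_risk_share(txns, high_risk=HIGH_RISK_COUNTRIES):
    """Fraction of each customer's volume sent to or received from high-risk jurisdictions."""
    total, risky = Counter(), Counter()
    for cust, _, country, _, amount in txns:
        total[cust] += amount
        if country in high_risk:
            risky[cust] += amount
    return {cust: round(risky[cust] / total[cust], 3) for cust in total}


def shared_counterparties(txns):
    """Linkages among parties: counterparties that several customers transact with."""
    customers_by_party = defaultdict(set)
    for cust, party, _, _, _ in txns:
        customers_by_party[party].add(cust)
    return {p: sorted(c) for p, c in customers_by_party.items() if len(c) > 1}


def anomalous_months(txns, z_threshold=2.0, min_history=2, floor_ratio=0.1):
    """Flag a customer-month whose total departs from a baseline built from that customer's other months.

    The baseline standard deviation is floored at floor_ratio * mean so that a customer whose
    volume barely varies does not produce alerts on trivial movements.
    """
    monthly = defaultdict(lambda: defaultdict(int))
    for cust, _, _, month, amount in txns:
        monthly[cust][month] += amount
    flags = []
    for cust, months in monthly.items():
        for month, total in sorted(months.items()):
            others = [v for m, v in months.items() if m != month]
            if len(others) < min_history:
                continue  # not enough history to form a baseline
            mu = mean(others)
            sigma = max(pstdev(others), floor_ratio * mu)
            if sigma == 0:
                continue
            z = (total - mu) / sigma
            if abs(z) >= z_threshold:
                flags.append((cust, month, total, round(z, 1)))
    return flags


if __name__ == "__main__":
    print("by jurisdiction:", jurisdiction_summary(TRANSACTIONS))
    print("high-risk share:", high_risk_share(TRANSACTIONS))
    print("shared counterparties:", shared_counterparties(TRANSACTIONS))
    print("anomalous months:", anomalous_months(TRANSACTIONS))
```

Run on the constructed data, the jurisdiction summary alone says only that three transactions went to KY; the baseline shows that one of them is a customer whose monthly volume jumped roughly eightfold, while the other two fit that customer's normal profile, and the linkage view shows both customers share the same KY counterparty. That combination is what gives an analyst something to look at, which raw counts do not.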
Data analytics is not the only area that requires robust testing. It is vitally important that regulatory expectations be met in the area of model validation and that a robust process is used to ensure an effective means for detecting unusual, potentially suspicious activity. Models should be validated on a regular basis to ensure that they are functioning as intended.
Guidance issued by financial regulators defines a model as “a quantitative method, system, or approach that applies statistical, economic, financial, or mathematical theories, techniques, and assumptions to process input data into quantitative estimates.”14 Regulators apply this definition to a broad range of models, from simpler rules-based models to more complex algorithmic models. In AML compliance, it is most often applied to technologies such as transaction monitoring and automated customer risk rating.
The simplest model validation involves all manner of system testing to ensure that the right data is being reviewed and measured, that it is being measured against the proper criteria, and that the model applies appropriate parameters to achieve optimal results. Thus, model validation of a transaction monitoring system will look at such things as whether all relevant and correct data is being fed into the systems, whether it is being run against all proper rules, scenarios, or profiles, and whether these rules, scenarios, or profiles are sensitive enough to achieve optimal results without being so broad as to generate an unmanageably large number of alerts.
Financial institutions must be continuously alert to the risks posed by financial crimes and be aware that regulators’ expectations are rising. However, despite best efforts, firms often find themselves responding to the findings of regulators. Such findings can be informal, as in a report of examination or nonpublic memorandum of understanding, or in the form of a public formal agreement, regulatory order, court-ordered settlement, or worse. In each case, a firm must respond efficiently and effectively.
When regulatory findings are in the form of a report of examination, they are generally framed as “Matters Requiring Attention” or “Matters Requiring Immediate Attention.” These require a written response and action plan to address the deficiencies. Firms are advised, however, not just to remediate the problems identified, but also to determine the root cause of the deficiency and put in place program enhancements so that the problems do not recur. If a regulator identifies deficiencies in client due diligence, for example, companies should not just remediate existing customer files, but also enhance their customer due diligence program so that customers are properly risk ranked.
Firms subject to formal regulatory or law enforcement orders often do not have the ability to set the time frame for a responsive action plan. Such orders generally impose strict timelines and stringent remediation and/or investigation requirements, often requiring the firm to bring in the assistance of an independent third party. More recently, firms under regulatory orders have been subject to the oversight of a court or a monitor appointed by the regulator, which was discussed above.
In almost all cases, remedial measures can be time-consuming and costly. They detract from business as usual and may distract compliance officers from proactively addressing risk. Firms are advised to understand risks and the resources needed to address such risks and to anticipate issues before they become the subject of intense scrutiny. Overall, maintenance of a functional AML program requires vigilance.
With regulatory expectations rising, financial institutions must move to meet them. It is no longer feasible to wait for the regulator to find issues in the firm’s BSA/AML/sanctions programs or to view the programs in silos. What is required is constant diligence and the effective use of data analytics and other tools to assess and mitigate the BSA/AML/sanctions risks. The new regulatory paradigm is to identify and mitigate risks across all program areas and to correct potential weaknesses.