AML Transaction Monitoring: Five Steps to Getting it Right AML Transaction Monitoring: Five Steps to Getting it Right If you think your anti-money laundering transaction monitoring software isn’t working correctly, what should you do? a) blame your vendor and replace the software b) blame your analysts and tell them to work harder c) review your data feeds and inputs d) throw your hands up and think you can’t do anything e) doubt your instinct and do nothing If you picked any one of the answers above you would be wrong. And you wouldn’t be alone. Reading between the lines of the regulatory settlements involving colossal fines levied on financial institutions over the past five years, some of the world’s largest organizations also tried these cures for concerns about their AML monitoring systems. HSBC, Standard Chartered, JP Morgan and Citi are among the string of global banks who discovered belatedly the correct answers would have been to validate the results of their AML transaction monitoring technology and train their staff correctly in handling the alerts — that is, the red flags that the transaction monitoring systems generate. Anti-money laundering regulations require financial institutions to prevent their customers from conducting illegal business activities, such as money-laundering, financing terrorist organizations or even drug trafficking through their services. AML transaction monitoring software works using artificial intelligence of sorts to sift through tons of data and identify what deviates from the norm as defined by the rules programmed into the software. Alerts could be generated by anything from a cash deposit or withdrawal, funds transfer, foreign currency exchange or even the purchase or sale of securities. When investigators find evidence of wrongdoing, a suspicious activity report (SAR) or suspicious transaction report (STR) will have to be filed with the Financial Crimes Enforcement Network of the US Treasury or the UK’s Financial Conduct Authority respectively. Not all alerts indicate wrongdoing. In fact, the monitoring system could be generating far too many that are “false positives,” but that doesn’t mean the financial firm shouldn’t try its best to research each one. Ideally, it should ultimately find a way to reduce the excessive number by improving the accuracy of its AML analysts. Investigating the System When it comes to monitoring the AML software itself, the rule of thumb is never trust and always verify, AML specialists tell FinOps Report. “The idea that installing an expensive AML transaction monitoring system will be sufficient to weed out illegal activity is a fallacy,” says Andrew Davies, director of financial crime risk management for Fiserv. “Technology alone is never enough.” When investigators discover infractions that were not caught by the monitoring system, it might be tempting to blame the system and start shopping to replace it. However, buyer’s remorse can be expensive. The process of finding a new one, doing all the IT integration and coding work, and testing all over again can be harrowing to say the least. Adding more analysts to the AML monitoring team may help, but that is only if they are know what they are looking for. They could end up filing too few or too many SARs or STRs. So what’s a financial institution to do? That’s a question five US AML compliance specialists tell FinOps Report they must now address. As one says “We can’t afford a regulatory fine, not to mention the hit to our reputation.” Based on interviews with AML compliance consultants and those internal AML experts, FinOps Report has come up with the following five steps. 1. Start Off on the Right Foot Selecting the best AML software package to begin with would go a long way to eliminating the risk of either too many false alerts or no alerts at all. Although there are plenty of technology firms which claim to specialize in AML, not all are equal. Picking an AML package that focuses on customer onboarding as well as transaction monitoring could be a good idea, because it may be able to more efficiently analyze transactions based on the customer profile data from onboarding information. Alternatively, good integration between the customer onboarding system, the multiple customer activity systems and the transaction monitoring system may be more complicated at the onset, serve the same purpose. “Either way, not all systems are designed for all customers, products, services and geographies,” explains Davies. “What’s more, even the best system might need to be configured depending on how much it falls short of meeting the firm’s requirements.” 2. Use the Correct Rules Every transaction monitoring system needs parameters to determine what is”normal.” The rule of thumb is never let the vendor decide what is normal and what is not, and don’t take a one size fits all approach to every business line, recommends Jeff Sklar, managing director of AML consultancy SHC Consulting in Bellmore, New York.”The goal is to create rules which reflect the type of customer, business activity, business unit and even the risk appetite of the bank,” he says. Such rules, AML compliance managers at two banks tell FinOps Report, will often take into account standard deviations for peer groups at competing organizations. The most common reasons for false positives are poor rules and inadequate tuning of the software, according to Carol Beaumier, executive vice president of financial services consultancy Protiviti in New York. Case in point: the thresholds for transaction values that generate alerts may have initially been set too high or too low or not adjusted when the risk profile of the customer or risk category of the business line changed. 3. Check the Data Inputs Garbage in, garbage out is always the motto when it comes to managing data. The inputs can go wrong in three ways: the risk profile of the customer could be wrong, not all of the transactions of the activity of the customer are captured by the monitoring system, or the transactions are coded incorrectly. If the risk profile of the customer is incorrect, the rules related to when alerts should be generated will likely be wrong. The number and value of the thresholds will be either too high or too low. If the AML transaction monitoring system doesn’t catch all of the customer’s activity or the activity is marked incorrectly, the technology may also be taking the blame for what is really a data integration problem. 4- Test and Tweak If financial firms do nothing else, checking the accuracy of their transaction monitoring system on an ongoing basis will go a long way to reducing the illegal activity that goes undetected. The recommended timeframe: six months after a system is installed and each year thereafter regardless of whether the system appears to be working correctly or not. Relying on rigid quantitative metrics — a percentage of alerts which turn into investigations and suspicious activity reports– to determine whether an AML transaction monitoring system is working correctly is a remedy for disaster. At the same time, consider inefficiencies. Too many alerts escalated into investigations and suspicious activity reports could indicate that staffers are erring on the side of caution, rather than the system working correctly. One recommended approach is a combination of quantitative and qualitative analysis based on the number of alerts alone. “If the system does not generate any alerts to indicate the possibility of suspicious activity, there is a red flag the platform may not be working as intended,” says Beaumier.”The same applies if there are too few or too many alerts based on the number of transactions, the risk profile of the customer, and the type of business activity involved.” Testing can typically take place via two basic means: reviewing a sample of the alerts to determine their accuracy and changing — raising or lowering — the number and dollar value of thresholds which trigger alerts for a few days, says Sklar. Depending on the answer, the financial firm will need to make one of four adjustments: either change the rules for the system, change the customer risk profile, correct the coding of the transactions feeding the AML transaction monitoring software, or add data feeds to the platform. Testing also needs to take place far earlier if the rules to the system are changed or rules are added. Such will be the case if the financial firm alters the products, business lines or geographies of operation, or changes the risk category of a business line. 5- Monitor the Monitors If the AML transaction monitoring system either passes the test with flying colors or tweaks must be made, now what?. It cannot be presumed that analysts reviewing the alerts will do their jobs correctly. At a minimum, they need to understand, how the AML transaction monitoring technology works, any changes made and the reasons why. Previous investigative and forensic accounting training, a healthy dose of skepticism and knowledge of the business line should be part of the job description, explains Beaumier. Equally important is having a solid controls process. “An experienced analyst might know when to escalate an alert to an investigation but an inexperienced one will easily escalate too few or too many,” explains Sklar. A better option: relying on two analysts to make a decision on when an alert should be escalated. The results of AML analysts — as in whether the alerts merited investigation and generation of suspicious reports — should also be verified with peers and superiors to determine whether the job was done correctly. Do two AML analysts come up with the same results or not, or what about an analyst and his or her supervisor? What about addressing backlogs? Obviously, financial firms don’t want to have too many alerts go uninvestigated. It doesn’t look good to regulators. Therefore, there should be a gameplan for the number of unresearched alerts considered acceptable, and the order in which any extra ones should be tackled. Common sense dictates that those from high-risk business units should be handled first. Even the most effective transaction monitoring system or program can’t prevent some criminal activity from slipping through the cracks. Therefore, there is one final step financial firms should take to ensure that at the very least regulators won’t think they were lax with their technology and procedures. It’s the dreaded D-word: documentation. “Keeping a record of just why a transaction monitoring system was selected, why the rules were chosen, how testing was done, how tweaks were made and how analysts were trained and overseen are key to either avoiding a regulatory exam or even a fine,” advises an AML compliance manager for a New York bank.