The Governance, Assurance and Automation that Financial Services Organizations Need

Author: Shingi Mushangwe, Finance Manager
Date Published: 31 May 2022

In response to the recent Russian invasion of Ukraine, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) announced a set of expansive economic measures designed to incapacitate the Russian financial system. At their core, these sanctions will cripple the ability of Russia’s largest financial institutions and state-owned and private entities to raise capital. Furthermore, these cohesive global sanctions banned the Russian banking system from the global SWIFT payment platform and froze the assets of supposed politically exposed persons (PEPs). The US government’s move is part of a concerted global effort to throttle the Kremlin’s access to foreign capital.

For global banks, the stakes could not be any higher. As the New York Times reported, such severe financial measures have never been applied to an economy of Russia’s size. There are no two ways about it – these banks must boost their client due diligence and transaction monitoring controls. Turning a blind eye to their important obligations could lead to heavy fines, criminal proceedings, or long-term brand damage. The aim of this blog post is to revisit one of the cornerstones of anti-money laundering and combating the financing of terrorism (AML/CTF), as well as to provide practical guidance to reduce risk.

What are Money Laundering and KYC?
Simply put, money laundering is the process of introducing the proceeds of crime into the legitimate economy. Anti-money laundering (AML) controls are therefore collective efforts by governments, financial institutions and citizens at large to prevent and detect this risk. To date, the banking system has provided the most efficient and accessible channel to distribute value. With opportunity, though, comes risk. Criminals exploit the same systems to move funds through opaque structures and identities, thereby evading prosecution. Regulators have a vital role to play, imposing measures on intermediaries (banks, brokerage firms and exchanges) to promote diligence when executing clients’ financial mandates.

One of the more foundational practices in mitigating financial crime is Know Your Customer (KYC). Under KYC laws, financial services firms are required to maintain an intimate knowledge of their customers, ascertain the legitimacy of funds, and constantly assess money laundering risks associated with customers. Such due diligence covers the identity of key decision-makers and customers, the nature of business, cashflow cycles, business addresses, shareholders, or ultimate beneficial owners (UBO), and suppliers.

It follows that ascertaining the KYC credentials of clients prior to establishing a trading relationship is crucial. Below I delve into the more common shortcomings in implementing AML programs and managing KYC responsibilities.

What could go wrong?
In implementing AML programs, financial services organizations (FSOs) face myriad issues, but the following three stand out for their pervasiveness and recurrent nature:

  1. Limited visibility into AML risks – FSOs continue to engage a range of suppliers and third parties as they aim to shift their cost models from fixed to variable, tap into innovative offerings, or simply focus on their core differentiating competencies. Enforcing robust AML/CTF regimes over a complex web of suppliers, often located across several jurisdictions, places untenable pressure on FSOs, which struggle to keep up with transaction monitoring across innumerable transactions. These complex supply chains reduce visibility and create AML blind spots, exposing the business to risk.
  2. Data quality – Small teams often struggle to keep up with the sheer volume of AML alerts generated by poorly configured systems, archaic processes and disparate data sources. Sifting through thousands of false positives often feels unrewarding and impairs staff vigilance. Consequently, bona fide warnings are lost in the noise. These issues also elevate stress levels, increasing the probability of human error.
  3. Redundant training programs – The compliance focus several FSOs have on AML/CTF has compromised their ability to deliver engaging training to their employees. AML training programs have not evolved with time; they are repetitive (most employees simply click through the predictable multiple-choice exam, which can be taken repeatedly until a pass mark is attained), while some are focused on new starters. As a result, employees remain unaware of their important obligations and the probability of reporting suspicious matters is adversely affected.

What can be done?
These challenges are not insurmountable. With appropriate governance structures, assurance programs and automation, FSOs can materially uplift their AML/CTF programs without breaking the bank. Here are four practical strategies for FSOs to improve their AML risk profiles:

  1. Tighten governance processes
    At the heart of any effective risk management process lies effective governance, and AML/CTF is no exception. To lay strong foundations, FSOs must have a clearly documented AML program covering key roles and responsibilities, risk management process, supply chain risk management, customer due diligence, transaction monitoring, independent review, enhanced KYC, employee training, record keeping and data integrity. Policies on their own are of little value.

    Management must develop a comprehensive list of non-negotiable AML/CTF controls and overlay them with a robust independent audit program to ensure each control operates as intended. Material gaps must be reported to executive risk management committees regularly and tracked for resolution. Equally important, AML/CTF should be a standing agenda item at key governance committees and have a designated executive sponsor. Furthermore, the role of the AML/CTF officer should be clearly assigned, and the officer empowered to veto any business decisions that contravene the board-approved risk appetite statement.

    Last, but by no means least, FSOs should build AML/CTF into their supply chains. This starts with including detailed schedules of contractually enforceable clauses in new contracts, mandating suppliers to have their AML programs independently audited and maintaining a risk-based assurance program over suppliers that carry material AML/CTF risks.
  2. Embed AML/CTF into the systems development lifecycle (SDLC)
    Several FSOs run into regulatory trouble because they make AML/CTF an afterthought. Leading organizations think differently. They embed AML/CTF controls deeply into their SDLCs. Requirements are gathered as part of the design phase, coded into new programs and their implementation is signed off by the AML/CTF officer before going live. Equally important, new AML/CTF transaction monitoring rules must be thoroughly tested, false positives eliminated, and any gaps remediated before implementation. That way, FSOs can boost their program effectiveness and lower ongoing operational overheads.
  3. Streamline training programs
    FSOs should complement strong operational processes and technology with a robust AML/CTF awareness culture. This requires supplanting traditional mandatory training with risk-based programs, focusing on six elements:
      1. Articulating the key AML/CTF risks the organization faces and what is expected of each employee, from the board to customer-facing personnel.
      2. Creating an environment where employees can openly report suspicious matters without fear of negative repercussions.
      3. Contextualizing AML training to the specific risks faced by employee segments, with intensified efforts toward high-risk staff, transactions and customer groups.
      4. Simplifying the suspicious matter reporting for staff through automation, because if the process is cumbersome, most employees will sweep issues under the carpet.
      5. Diligently maintaining employee training records, as well as a zero-tolerance culture toward non-compliance.
      6. Humanizing training by breaking it down into micro learning modules (3-5 minutes) and using relatable case studies to make the training memorable to staff.
  4. Leverage reg-tech and automation
    FSOs should leverage the convergence of machine learning, big data and the public cloud to replace error-prone manual processes with smart algorithms that can screen millions of transactions, eliminate false positives and promptly report suspicious activity. Advanced machine learning techniques allow resources to focus on high-risk activity by automating the detection of alerts that are likely to require investigation and auto-closing alerts that are non-suspicious. Furthermore, FSOs can also automate KYC processes to quickly validate identifying documents, capture biometric data and automatically cross-reference paperwork with third-party databases.

Looking ahead
As many high-profile case studies continue to prove, implementing effective AML/CTF regimes remains a huge challenge for many FSOs. However, by ruthlessly focusing limited resources on a select number of high-impact controls, FSOs can rapidly improve their risk profiles.

About the author: Shingi Mushangwe is a big-four trained group finance manager within the Australian insurance sector. He boasts almost two decades of experience working across multiple geographies and industries, helping businesses optimize their finance, governance and risk management functions. He has also led statutory reporting across several listed companies.