The financial sector has invested billions of dollars into anti-money laundering programs, yet regulators concerned about lax AML compliance continue to impose substantial fines and issue cease-and-desist consent orders against U.S. and foreign banks.
According to PwC US, many financial institutions commit inadequate attention and resources to maintaining and sustaining the core components of AML programs, leaving them vulnerable to the many risks associated with AML noncompliance.
The gradual process of inadvertent noncompliance, or "AML drift," occurs when AML systems aren't constantly monitored, updated, maintained, and repaired to account for changes that occur in an organization, according to PwC.
"Many firms implemented AML surveillance technology systems several years ago, and they were set up as a point-in-time solution," says John Sabatini, a partner in PwC's Risk Assurance practice and leader of the firm's Advanced Risk & Compliance Analytics Services. "However, the enormity of change occurring within these firms (changes in customer activity/behavior, in products being offered, in transactional systems and data warehouses, etc.) makes the initial implementation of these systems obsolete, leading firms and regulators to call for their replacement."
"But such criticism is often short-sighted. Organizations should re-evaluate their systems before replacing them to determine if they are configured appropriately based on recent customer activity. They should then institute governance programs to inform management as to when the systems again begin to drift, causing the alerts they generate to become unproductive," Sabatini says.
Money laundering and terrorist funding activities continue to gain strength and prominence and, as a result, financial institutions need to assure the continued integrity of their AML protocols to prevent drift. Organizations need to implement independent testing of every aspect of their monitoring systems, from the quality and completeness of source data to the productivity of existing and potential scenarios. If companies get this right, they're protecting themselves not only from regulatory fines and censure, but from the potentially costlier reputational risks that could follow it, PwC says.
The costs of noncompliance can be damaging and long-lasting, including monetary losses (i.e. fines, legal costs, etc.), reputational damage related to loss of customer and investor confidence, and operational risk, with legal actions such as cease-and-desist orders taking a bite out of the bank's core businesses.
With regulators stepping up their game and the public increasingly tuned in to compliance failures and their repercussions, financial institutions need to pay closer attention to the gaps in their AML systems. Identifying these gaps is a critical function for businesses in the financial services industry, and when fed with the right information and managed with updated controls, AML programs may protect the business from risks across products, geographies, regulatory regimes, and customers.
AML programs share similar processes, and PwC identifies key questions companies should be asking to prevent drift across the four structural components of the AML process: know your customer procedures, surveillance processes, investigations and reporting efforts, and enterprise foundational and core components.
The more complex a system, the more opportunities for breakdown—a fact that leaves the financial industry vulnerable to AML compliance risk. Process failure may occur at any point along the AML lifecycle, and drift may happen in three key areas:
- Processes and updates: To remain effective and in compliance, an AML program must be constantly updated to keep up with changing regulations and new financial products. If a company sees its peers hit with fines due to a particular AML deficiency, it must have processes in place to evaluate that issue within its own environment and identify any necessary changes to systems, processes, and controls.
- Technology: To prevent breakdowns in AML monitoring, a company's IT change management process must track all systems changes that have the potential to affect AML monitoring.
- Organization: Drift often occurs due to a lack of accountability and ownership over AML issues. The lack of clear ownership rules across and among silos leads to holes going unplugged and, ultimately, may lead to drift.
In an ever more complex and globalized business environment, it is critical that financial institutions use effective data information management practices to assess their specific AML risks. According to PwC, companies need to leverage technology to help prevent drift, such as developing automated tools for rapid decision-making and issue identification. Businesses must take corrective actions to ensure that their AML programs are kept updated and functioning at peak efficiency to manage their risk, protect their customers, and adhere to regulatory requirements, says PwC.