Get the best out of BSA technology (Oct. 09)

26 tips from bankers and vendors on how to improve the results of BSA/AML software

By the executive editor.

This article was spurred by a session at ABA’s recent Regulatory Compliance Conference. To read our online coverage of that session, go to http://tinyurl.com/BSASoftware.

Many banks need to better manage their BSA/AML software, while others have just started shopping for it. Both will benefit from advice.

BSA/AML software used for screening customers and monitoring transactions comes in differing styles, sizes, and scalabilities, but experts agree that one common denominator is that all of them can be better utilized, whether the bank has been using the software for years or just finished installation.

“The criticism I’ve heard is that there are too many false alerts [also called “false positives”], so that you and your staff are spending a lot of excess time investigating things that are not going to generate legitimate Suspicious Activity Reports,” says John Byrne, president, Condor Consulting LLC, and ABA BJ’s AML blogger.

Longtime participants in this compliance subset say that regulators don’t give much official guidance regarding monitoring software. Technically, it’s not even required, although field examiners are said to frequently ask those banks with any significant transaction volume why they don’t use it, if they have not adopted it. “It’s all meant to be part of the risk-assessment process,” says Robert Rowe, ABA vice-president and senior counsel.

“The regulators are concerned about achieving a reduction in false positives, but for slightly different reasons than the banks,” says S. Ramakrishnan, CEO at Oracle Mantas Products at Oracle Financial Services Software. “The banks require increased efficiencies to save costs.
The regulators want fewer, but more targeted, alerts to help ensure that the banks are not missing anything.”

“The weak spot is if you don’t tell the software to do the right thing,” warns Rick Small, a former federal anti-money-laundering official and vice-president at American Express in charge of enterprise-wide anti-money laundering and sanctions risk management.

Here are 26 tips from bankers, consultants, and vendors:

1. Understand what technology you are working with. Various systems came from different directions. Some were designed for BSA/AML work, some started as anti-fraud packages, some began as add-ons to core systems from core vendors, others were acquired from independent developers into core families. Whatever the source, there are various software elements you are dealing with. One is rules engines, according to Erik Stein, vice-president, solutions architecture, in Fiserv’s Fraud & Compliance Solutions section. In very simple terms, these are an “if, then” evaluation of behavior against preset types. Such software would be used to look for structuring, for instance. Another element is predictive analytics. Stein explains: This is frequently used to generate typical patterns of bad behavior from a large transaction base; those patterns become a template to check against. Predictive analytics and rules-based monitoring can also be combined, and then there are other techniques, such as profiling. That refers to establishing a given customer’s normal behavior, for future comparison.

2. Don’t turn it on and go to sleep. “You can’t just set it on autopilot,” says Doris Waldman, senior vice-president, Salem Five Cents Savings Bank, Salem, Mass. Waldman’s $2.8 billion-assets institution is a satisfied user of GlobalVision’s Patriot Officer. But she likes redundancy, so the bank also runs a system of its own that was developed using reports generated by its core system’s software and developed by Salem Five’s IT department.
This can help in performing one of Waldman’s recommendations—periodic review of the rules the bank has set in its software. Updating, pruning, replanting, rethinking—it all comes with the use of software. (GlobalVision is one of two vendors endorsed by ABA for such software.) “There’s tremendous importance in the human eye,” says Lucy Griffin, ABA BJ contributing editor and president, Compliance Resources, Inc. “The process is a combination of systems and manual input, which you can’t avoid at all,” agrees María De Lourdes Jiménez, senior vice-president and manager of the corporate compliance division at San Juan’s $23.8 billion-assets Banco Popular de Puerto Rico. She says that automated monitoring is used as a check on branch staff, but at the end of the day, “there’s always human intervention.”

3. Don’t settle for a “one size fits all” approach—it doesn’t exist. No matter how average your customer base may seem to be, there have got to be factors that require you to fine tune your screening software. “I’ve never walked into any two banks that had the same business,” says Todd Cooper, head of the Financial Intelligence unit at Wolters Kluwer Financial Services. On top of that, he says, “it’s a very fast-changing dynamic.”

4. Understand—but don’t accept as unalterable—that false positives are a fact of life. “Every rule has a false positive rate,” declares Fiserv’s Erik Stein. What helps is learning where and how to tweak a rule, and, at times, when to drop a rule completely, says Stein. Some experts say that old typologies are passé and that rules designed to catch them can be deleted, because criminals and terrorists have moved on. But others suggest wrongdoers will revisit old habits if they don’t think you’re watching.

5. Don’t make any change too quickly or without backup. “Examiners are always looking for your ‘state of mind’,” says Waldman. You need to keep documentation of why you made the change and what you did.
“You don’t go in and change something willy nilly,” says Brian Wimpling, senior vice-president at $2.5 billion-assets Capital City Bank. Examiners will review the reports your system produces, and will want to know what indicated a change was necessary. They will also ask why patterns they spot weren’t spotted, or, being spotted, not investigated.

6. Be clear why you are doing what you are doing. There are two levels of activity going on in BSA screening. One is the wider net a bank casts to be sure it is catching what examiners expect it to be catching. And then there are the items valuable to the authorities. Filing of “defensive SARs” still goes on, and some just aren’t of use to law enforcement. “You’ve got a lot of things that will give you positive regulatory hits, but not necessarily generate positive law enforcement hits,” says Wimpling.

7. Be willing to change the process to fit the tool. Todd Cooper of Wolters Kluwer believes adoption of software implies more than buying a box and turning it on. “You need to look at your own overall BSA/AML program,” he says, and rethink approaches, rules, etc. Cooper says this will help the bank take best advantage of the software. A staff reorganization may even be indicated, as discussed next month in “Compliance Clinic.”

8. Consider whether your bank runs checks often enough. A debate in the field is over the utility of monitoring done after the fact. Many banks don’t run their software in real-time, points out Nancy Derr-Castiglione, ABA BJ contributing editor and head of D-C Compliance Services, Inc. Instead they run routines at the end of the day or week. Some practitioners get exercised about this. One is John Meyer, vice-president and general manager, branch and electronic channels at Harland Financial Solutions. “If you don’t run an OFAC check at the time of purchase,” he argues, “what is the use of a day later? The money’s gone.”

9. Take the longer view.
Experts warn that there is more to the monitoring challenge than simply checking for structuring. That’s almost baby steps nowadays. Rick Small, now of American Express, recalls how at a previous employer accounts would be monitored such that behavior over a rolling 13-month period would be evaluated. This helped identify patterns of potential trouble that wouldn’t show up over shorter periods, and also gave a comfort level when supposed anomalies began repeating themselves, establishing a routine to investigate.

10. Don’t get customer tunnel vision. Several experts urged users to think horizontally, that is, to monitor not only at the individual level, but from the perspective of similar customers. Harland’s John Meyer gives an example. Looking at a dry cleaner by itself, in monitoring wire transfers through software, a bank might spot nothing of concern. But if the software not only looked at the cleaner’s own transactions, but also compared it to all dry cleaners served by the bank, then an unusual number of wire transfers as compared to peers could be kicked out for human followup.

11. Don’t ignore geography. Experts stress that neither U.S. nor international markets are homogenous, so software must recognize local issues. Rick Small says one of his pet peeves is failure to adjust settings for high-risk markets where many transactions may resemble potential problems. “Instead of finding one needle,” says Small, “you’ve instead buried 1,000 needles.” When he was using some high-end software at a former employer, he recalls, over a 30-day test period the program generated thousands of alerts just based on geography. Samplings were taken and investigated. There was nothing suspicious. “So we enhanced the rule,” he says. “We still looked at high-risk countries, but there also needed to be some type of behavior that stood out.”

12. Don’t ignore demographics.
To use software right, the BSA/AML officer must adapt the rules and approaches of the package to the market the bank serves. Experts point to some markets where large amounts of business are traditionally conducted in cash. There’s nothing wrong going on, it’s simply cultural. Asian-American markets are one example.

13. Don’t forget FATF typologies. John Atkinson, director of regulatory risk consulting at Protiviti, and a former senior compliance regulator at the Fed, suggests periodically checking the Financial Action Task Force website, www.fatf-gafi.org. Patterns identified there but not yet seen in your markets can be considered for addition to your routines (or activation, if the software already recognizes such activity).

14. Think groupwise. Transaction patterns can be sliced and diced many different ways. Experts say you should always look for comparative data within your transaction base.

15. Watch out for turnover. Software that does a stunning job after installation is much like a plant—someone has to keep tending it, and it’s best if they understand the species. But experts say some banks don’t maintain continuity when those originally trained on the systems retire, change jobs, or, especially these days, get laid off. This lack of follow-through, which can mean no attention to updates or revised settings for software, can be especially troublesome where the banker formerly in charge served multiple functions, says Shelba Mack, retail delivery sales manager at Jack Henry & Associates.

16. Revisit hiring parameters. Because the human element is an essential complement to the software, consider carefully who is going to fill the gumshoes of your investigatory positions. Capital City Bank’s Brian Wimpling, senior vice-president, notes that many banks tend to place bankers in these jobs.
But as a former IRS investigator, he maintains that it’s easier to teach an investigator the systems and the processes of the bank than it is to train bankers in the ins and outs of white-collar crime.

17. Pay attention to training. As noted earlier, many interviewees stressed that the human element is critical because software can’t do the job alone. This means that staff must be continually educated in what to watch out for, and that is a moving target. “Awareness of the broad spectrum of risks and behaviors is important,” says Norberto Molina, BSA/AML deputy manager at Banco Popular de Puerto Rico. “You have to keep them updated.”

18. Run a “test” bank. Ann Marie Tarantino, vice-president for compliance/BSA at Bank of Smithtown, N.Y., uses Jack Henry’s Yellow Hammer. To test new routines, and sometimes to verify longstanding ones, to make sure they function as intended, Tarantino runs a “test bank.” Her holding company actually has its systems set up as if it were a two-bank holding company. The second “bank” is used to process hypothetical “live” transaction data through Yellow Hammer. “You can’t take anybody’s word for it that new features will work,” says Tarantino. Depending on the scope of the function being tested, the test might run a week or a month.

19. Don’t ignore any channel when using the software. Bankers new to the AML/BSA area may not realize that they are virtually always in catchup mode, much as computer security experts are always just a trifle behind the latest virus, according to Jeff Margolies, senior executive in the Accenture Technology Consulting Security Practice. While traditional channels like branch transactions will be used, and must be watched, there are always bad guys on the leading edge. Margolies points out that banks need to be watching atypical areas such as call center transactions, internet banking, and other web-based transactions these days.
Harland’s John Meyer sees stored-value card transactions as an area that must at least be better understood, and likely monitored, going forward. He points out that many in-branch card sales involve noncustomers, often people who are “unbanked.” Collecting data from them can be problematic; many lack taxpayer ID numbers. He poses the question: Why don’t they have the numbers? Many don’t recharge cards at the bank, leading to other questions.

20. Pay special attention to correspondent transactions. A key channel to pay attention to, because of the large amounts of money that can be involved, is correspondent banking transactions, warns Paul Henninger, head of the financial crimes product group at Actimize, which recently acquired Fortent (an ABA-endorsed provider). Henninger believes this will be the next major area that the regulators begin delving deeper into. Monitoring software requires special attention to handle correspondent transactions because they are multi-layered. A single transaction can involve one or more intermediary banks, and sometimes the data that the bank needs tracked can be hard to intercept. Henninger points out that key information may reside in the memo field of an interbank document.

21. Don’t forget to include new products! Monitoring software doesn’t read the employee newsletter, even if it is delivered electronically. If the bank develops a new product that has BSA/AML implications, part of that development must be determining how to connect your monitoring software into its transaction stream, says David Gilles, director, forensic and dispute services, Deloitte Financial Advisory Services.

22. Network locally and beyond. Many of the software providers maintain user groups, which meet periodically. Your area may also have a BSA or compliance peer group organized.
Bank of Smithtown’s Tarantino says she’s attended Jack Henry user group meetings to keep up with Yellow Hammer-related issues, and is going to try to organize a local Yellow Hammer group.

23. Investigate what assistance your vendor can provide on an ongoing basis, besides software updates and revisions. For example, Patriot Officer, from GlobalVision Systems, Inc., Chatsworth, Calif., offers a daily monitoring service that ensures that each client’s data integrity is being maintained, according to Catherine Lew, executive vice-president. This helps financial institutions pass audits and regulatory examinations without any question about data accuracy.

24. Be clear how much your vendor will do for you. Some software tweaks and changes can be made by the client using “dials and levers” preset in the software, but other changes require new programming by the vendor. “The willingness of the vendor to do what you want is key,” says consultant Lucy Griffin. In fact, she says the inability to get what the bank needs on a timely basis is a good reason to change vendors. Bankers’ experience varies widely in this regard. One mid-sized institution reported that customized help used to be easier to obtain when the vendor’s software was new, and the bank was an early adopter. After many more banks bought in, changes became subject to majority rule—if enough other banks wanted it, you could get a new feature. If not, it might be a long wait.

25. Consider alternatives to off-the-shelf software. There are many offerings among the vendors, but even today some banks, and not the largest, grow their own electronic approaches. At $5.7 billion-assets Johnson Financial Group, Racine, Wis., John Topczewski, vice-president and compliance officer, says his institution didn’t just start shopping around as volume made automation essential. Staff studied the data embedded in transactions and developed an internal approach piggybacked on existing core system reporting mechanisms.
Topczewski says this effort gives the bank ultimate flexibility when it needs changes (either staff or vendor employees can write code for new reports) and costs far less than a purchased package that comes with the ongoing cost of updates and other charges. Topczewski estimates it would cost his bank around $150,000 annually to keep a vendor-written package up to speed. And for that kind of money, he said, he would be able to have three more analysts on the bank’s payroll, working the information generated by the system. “Our examiners are fine with this,” says Topczewski. “They understand its pluses and its minuses. We took our time and built it right. We put four or five people in a room for 120 days and said, ‘Build it’.”

26. Consider alternatives to handling all of BSA/AML yourself. Deloitte’s David Gilles says that some institutions are exploring “FIUs for hire.” “It’s a fairly new approach,” says Gilles. Nonbank financial companies, such as hedge funds, have tended to use the tool more than banks, but bank usage could develop. Gilles likens it to a “timeshare” taken in software and support and investigative staff.
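
Tips 10 and 11 describe comparing a customer with its peers and requiring stand-out behavior in addition to a high-risk geography. The sketch below is an added example, not code from the article or from any vendor named in it; the customers, the placeholder country codes XA and XB, the modified z-score and its 3.5 cut-off are all assumptions chosen for illustration.

```python
from statistics import median

# Constructed sample data: (customer, segment, wire transfers this month,
# destination countries). "XA" and "XB" are placeholder country codes.
CUSTOMERS = [
    ("cleaner-A", "dry_cleaner", 2, {"US"}),
    ("cleaner-B", "dry_cleaner", 3, {"US"}),
    ("cleaner-C", "dry_cleaner", 1, {"US"}),
    ("cleaner-D", "dry_cleaner", 2, {"US"}),
    ("cleaner-E", "dry_cleaner", 3, {"US"}),
    ("cleaner-F", "dry_cleaner", 41, {"US", "XA"}),
    ("trade-G", "import_export", 38, {"XA"}),
    ("trade-H", "import_export", 45, {"XB", "US"}),
    ("trade-I", "import_export", 40, {"XA"}),
    ("trade-J", "import_export", 42, {"US"}),
    ("trade-K", "import_export", 36, {"DE"}),
]
HIGH_RISK = {"XA", "XB"}  # assumed bank-maintained high-risk list
THRESHOLD = 3.5           # assumed cut-off for the modified z-score


def peer_scores(customers):
    """Score each customer's wire count against its own segment (tip 10).

    Uses the modified z-score (median and median absolute deviation), which
    a single extreme customer cannot drag along the way a mean would.
    """
    by_segment = {}
    for _, segment, wires, _ in customers:
        by_segment.setdefault(segment, []).append(wires)
    scores = {}
    for name, segment, wires, _ in customers:
        med = median(by_segment[segment])
        mad = median(abs(w - med) for w in by_segment[segment])
        if mad == 0:  # all peers identical: only a higher count stands out
            scores[name] = float("inf") if wires > med else 0.0
        else:
            scores[name] = 0.6745 * (wires - med) / mad
    return scores


def geography_alerts(customers, high_risk=HIGH_RISK):
    """The noisy rule from tip 11: any wire to a high-risk country."""
    return [name for name, _, _, dests in customers if dests & high_risk]


def enhanced_alerts(customers, high_risk=HIGH_RISK, threshold=THRESHOLD):
    """High-risk geography AND wire volume that stands out from peers."""
    scores = peer_scores(customers)
    return [name for name in geography_alerts(customers, high_risk)
            if scores[name] > threshold]


if __name__ == "__main__":
    print("geography only:", geography_alerts(CUSTOMERS))
    print("geography + peer outlier:", enhanced_alerts(CUSTOMERS))
```

In this constructed data the dry cleaner with 41 wires would look ordinary beside the import/export firms, and only the comparison within its own segment separates it from the three trading customers the geography-only rule also flags.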
This article appears on p. 30 of the October 09 digital edition.