In the last year, several large fines were issued to financial institutions by regulators for failure to comply with AML regulations. In this article, three of them will be explored to find similarities and key learning points for other financial institutions. The three examples are listed below with a very high-level summary of each case:
Example 1: American bank
Earlier this year, an American bank received a $140 million civil money penalty for failure to comply with AML regulations over a period of around 4 years. During a period of significant growth, the bank failed to grow its compliance program at a similar pace. As a result, the bank (wilfully) failed to report a large number of suspicious transactions accurately and in a timely manner.
Example 2: UK bank
At the end of 2021, a UK bank was fined over £250 million by the FCA for AML failures. The bank was functionally vital in money laundering conducted by one of its commercial customers. This is the first time the FCA has pursued criminal charges for money laundering failures.
Example 3: Global bank
A global bank was fined close to £64 million by the FCA late last year for failings in its automated AML processes. Over a period of 8 years, the bank failed to review scenarios to ensure all risks were covered, to test parameters and to ensure data quality. Combined, these factors were found unacceptable by the regulator and exposed the bank and the wider community to avoidable risks.
A few areas stand out when looking at the detailed reports:
- In all three instances, the financial institution had failed to test and tune their transaction monitoring systems. This allowed unintended transactions to slip through without creating an associated alert and as such no SAR or STR was submitted.
- Group policies were not adequate and appropriate to meet regulatory AML responsibilities. Even when leadership was aware and large budgets were dedicated to remediating policies and testing their effectiveness, the improvements were not seen as adequate by regulators.
- Parameters of the transaction monitoring systems were not appropriate:
  - There were repeated examples of extreme thresholds, meaning a customer would have to increase their spending by over 500,000% to trigger an alert.
  - Suppression rules suppressed genuine alerts that should have resulted in a SAR.
  - There was too much reliance on the judgement of single members of staff, who repeatedly provided misleading information.
- Investigations showed human and machine error in terms of risk rating:
  - For unknown reasons the risk rating of the client (in example 2) was incorrect (Low, then Medium, when it should have been High) for a period of nearly three years, which resulted in periodic reviews being missed. The bank also failed to review KYC information upon trigger events (such as a change in business purpose and new directors' appointments).
  - There was no differentiation of the transaction monitoring for high-risk customers.
  - Automated transaction monitoring misidentified one type of transaction as another (cash transactions as cheque deposits), which had less stringent rules. This resulted in high-risk transactions being accepted by the bank without being reviewed and investigated.
- The financial institutions repeatedly failed to check the accuracy and completeness of the data being fed into, and contained within, monitoring systems. If the data is not high quality, the automated screening systems will be unable to capture the required transactions and create related alerts.
Key takeaways from the findings of the regulators are:
- Regulators have a significant focus on their relationship with the banks and on whether the banks are transparent and honestly attempting to improve. Where the financial institution was able to demonstrate a real effort to improve, this led to a milder judgement by regulators.
- Transaction monitoring systems must be tested before the system is implemented, but also post-implementation at regular intervals.
- Scenarios must be routinely reviewed to ensure they remain adequate to cover all relevant risks facing the firm / financial institution.
- Thresholds and suppression rules must be sense checked to ensure they trigger alerts at an appropriate level and do not suppress genuine alerts.
- Data quality must be assured before data is input to monitoring systems. As no data can be expected to be perfect, an accepted level of quality or completeness must be agreed upon, and data that does not meet this requirement must be flagged. Inadequate data quality or completeness results in lower quality of matching, opening firms up to regulatory censure. The introduction of ISO 20022 will provide a standard format, making it easier to ensure data quality compared with the various formats currently used for transactions.
- Rigorous procedures must be incorporated to ensure investigations (or event driven reviews) are undertaken when SARs are submitted repeatedly by independent sources. The reassurance of single members of staff cannot count as a reason to close down an investigation.
- Ensure procedures are in place to trigger a review if a customer’s situation changes. In example 2, a risk rating amendment should have triggered a review (particularly when lowered).
- Develop policies to ensure investigators have access to all required information when reviewing alerts and conducting event driven reviews. They should be able to access all KYC information and history of previous alerts, SARs, investigation notes and reviews.
- All involved staff members should receive appropriate training to ensure they understand the purpose of policies and have the right mindset. Ensuring a safe environment to ask the right questions and do the right thing is also essential.
- Effectiveness of remediation programs can be assessed by third parties to avoid large budget spending on severely delayed programs that are deemed ineffective by regulators and are unsuccessful at avoiding penalties for non-compliance.
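As an added example (not from the article or from any regulator's material), the Python sketch below applies three of the takeaways above to a constructed rule set and a handful of constructed transactions: a data-completeness gate before monitoring, a check of whether a threshold is reachable relative to a customer's spending baseline, and a check that suppression rules do not silence alerts for high-risk customers. The rule and transaction shapes are assumptions, not any vendor's format.

```python
"""Sanity checks for transaction-monitoring rules (added example; assumed data shapes)."""
from statistics import mean

# Constructed sample data: a customer's recent transaction amounts and a small rule set.
HISTORY = [120.0, 95.0, 310.0, 80.0, 150.0]                    # baseline average is 151.0
RULES = {
    "large_cash": {"type": "cash", "threshold": 500_000.0},     # deliberately extreme threshold
    "large_cheque": {"type": "cheque", "threshold": 1_500.0},
}
SUPPRESSIONS = [{"rule": "large_cash", "risk_rating": "High"}]  # silences alerts for High-risk customers
REQUIRED_FIELDS = ("id", "type", "amount", "customer_risk")
TXNS = [  # constructed; t3 lacks a risk rating, t4 carries an unknown type code
    {"id": "t1", "type": "cash", "amount": 600_000.0, "customer_risk": "High"},
    {"id": "t2", "type": "cheque", "amount": 2_000.0, "customer_risk": "Low"},
    {"id": "t3", "type": "cash", "amount": 9_000.0, "customer_risk": ""},
    {"id": "t4", "type": "chq", "amount": 2_000.0, "customer_risk": "Low"},
]

def data_quality_gate(txns):
    """Split transactions into complete ones and rejected ones (with the reason)."""
    ok, rejected = [], []
    for t in txns:
        missing = [f for f in REQUIRED_FIELDS if t.get(f) in (None, "")]
        if missing:
            rejected.append((t.get("id"), missing))
        elif t["type"] not in {r["type"] for r in RULES.values()}:
            rejected.append((t["id"], ["type"]))   # unmapped type would silently bypass rules
        else:
            ok.append(t)
    return ok, rejected

def required_increase_pct(threshold, history):
    """Percentage above the customer's average a single transaction needs to reach the threshold."""
    base = mean(history)
    return (threshold - base) / base * 100.0

def unreachable_thresholds(rules, history, max_increase_pct=1000.0):
    """Rules whose threshold sits implausibly far above the baseline (tuning finding)."""
    return [n for n, r in rules.items() if required_increase_pct(r["threshold"], history) > max_increase_pct]

def suppressed_high_risk(rules, suppressions):
    """Suppression rules that would hide alerts for High-risk customers (tuning finding)."""
    return [s["rule"] for s in suppressions if s["risk_rating"] == "High" and s["rule"] in rules]

def run_rules(txns, rules, suppressions):
    """Evaluate rules over complete transactions, honouring suppressions so their effect is visible."""
    alerts = []
    for t in txns:
        for name, r in rules.items():
            if t["type"] == r["type"] and t["amount"] >= r["threshold"]:
                if not any(s["rule"] == name and s["risk_rating"] == t["customer_risk"] for s in suppressions):
                    alerts.append((t["id"], name))
    return alerts
```

Running `run_rules` with and without `SUPPRESSIONS` shows the large cash transaction from the High-risk customer being silenced, which is exactly the kind of tuning outcome the takeaways say must be sense checked.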
High level regulatory focus in the short term
In addition to specific takeaways from recent regulatory fines, it is helpful to look at high-level regulatory movements to predict and pro-actively plan AML program development and improvements in the coming year.
One of the focus points for FATF this year is digital transformation. FATF has reviewed the implementation and effectiveness of the AML programs and policies of around 100 nations and concluded that systems need to be improved in order to comply with FATF standards. Financial institutions are in fact at the forefront when it comes to effectively complying with FATF standards and local regulatory requirements, in comparison with designated non-financial professions such as accountants and estate agents. The conclusion that digital transformation is needed is borne out by the details of the reports associated with the large fines issued by regulators.
More specifically, AI and machine learning are ways of increasing the effectiveness and efficiency of AML systems, including the transaction monitoring discussed above. If AI and machine learning are going to be incorporated in screening and monitoring systems, data quality is particularly important, and to ensure high-quality data these tools should be implemented on a small scale and their usage should grow organically. AI and machine learning use analyst behaviour to learn what to do. They will then keep repeating this behaviour, including any mistakes made by the analyst to begin with, but will make no new mistakes. Therefore, once a mistake is discovered it should be quite easy to correct, and future human error can be avoided. This topic is discussed in more detail in this ACAMS video.
If your team needs help in the areas identified in this article, you can reach out to our team on LinkedIn or you can contact us via our website. It can be reassuring to know you are not alone in combatting financial crime risk and a second set of eyes might add the extra level of expertise to ensure your financial crime compliance program meets the increasingly high demands of regulators. Our team has decades of technical and strategic experience creating and improving effective AML and FCC programs for financial institutions of all levels of complexity.