AML Compliance and Enforcement: Much Maligned but on Path Toward Modernization
With little regard for a "scandal" trumpeted by BuzzFeed, financial firms and regulators pursue fixes based on improved processes and advanced technologies
Friday, November 6, 2020
By Katherine Heires
The FinCEN Files, a series of reports published in September by BuzzFeed News, criticized the anti-money-laundering efforts of global banks and shed some unflattering light on the system of suspicious activity reports (SARs) that the U.S. Treasury's Financial Crimes Enforcement Network relies on to detect illicit transactions and related criminal activity.
For the FinCEN Files, a coalition of investigative journalists obtained some 2,100 SARs accounting for more than $2 trillion of transactions between 1999 and 2017. Linking such payments to numerous examples of crime and corruption, the study concluded that “Western banks could have blocked almost any of them, but in most cases they kept the money moving and kept collecting their fees.” The news headlines briefly drove down the stock prices of JPMorgan Chase & Co., HSBC Holdings and others singled out in the reporting.
But dysfunction in anti-money-laundering (AML) and counter-terrorism-financing (CTF) enforcement was hardly top-secret. Nor had the need for new and better solutions gone unrecognized.
“Illicit proceeds from criminal activity are estimated to account for 2% to 5% of global GDP [up to $2 trillion], yet less than 1% is ever seized or frozen by law enforcement agencies,” says the World Economic Forum, adding that “the current anti-money-laundering regime is not fit to combat a crisis of this scale.”
“Fighting money laundering and terrorist financing is still a humongous battle, with trillions being spent every year to try to solve the problem,” says Charles Delingpole, a former money laundering reporting officer who is founder and CEO of AML technology provider ComplyAdvantage. “We need innovative ideas to win the ongoing battle.”
A Dangerous Leak
While it is hard to dispute that the system for processing ever-growing volumes of SARs - costly for banks and FinCEN alike, with questionable return on the investment - is broken, the value of the FinCEN Files has also been called into question.
“The publication of SAR information is disturbing,” says Julie Copeland, partner of risk and compliance advisory firm StoneTurn. She notes that public exposure of such confidential information meant for regulatory review is illegal, and it only serves to tip off “bad guys” as to who is watching them, what law enforcement knows about them, and how they might cover their tracks.
What's more, the revelations could put people in danger, Copeland says: “There have been instances when the customer discussed in the SAR has showed up at the branch or office to attack - either verbally or, sometimes, physically - the employee mentioned in the SAR.”
John Nowak, a partner at law firm Paul Hastings, which hosted an Anti-Money Laundering Summit in September, points out that “a SAR filing is never going to be the piece of evidence used against someone.” Instead, it is the underlying transaction details and investigative findings - and related communications internally and between financial institutions and with regulators - “that truly matters” when prosecuting money laundering, drug dealing and sex trafficking.
Time to Reset
So, what and where are the AML/CTF fixes?
Many observers agree on the need for a reappraisal of the complex AML regime and its extensive cast of characters - regulated and unregulated entities including banks, brokers, insurance companies and casinos; regulatory and law enforcement agencies on the international, federal, state, county, municipal and tribal levels; the intelligence community and various executive branch departments. In other words, regulatory expectations and guidelines, how information is processed and shared, how those many entities and activities interact, and what tools are utilized in an age of artificial intelligence, machine learning and advanced analytics, are all in need of attention.
The time may be right for such a reset. The U.S. Bank Secrecy Act (BSA), which set the legal framework for AML reporting and enforcement, had its 50th anniversary in October.
In an October 2019 white paper, the Institute of International Finance (IIF) and Deloitte “argue[d] that greater emphasis must be placed on improving the legal and regulatory framework and risk management toolkit to enhance effectiveness. Central to this reframing is the expansion of public-private partnerships and expanding cross-border data exchange.”
Among their specific recommendations: “systemic architectural improvements for financial crime risk management” and “reforming suspicious activity reporting regimes.”
Costs and Benefits
“Huge volumes of SARs of low quality drive poor outcomes and waste valuable resources,” said the white paper. “Poor outcomes are mirrored in poor conversion rates.” It cited a 2017 Europol report that found that between 2006 and 2014, only 10% to 14% of disclosed SARs in the European Union were converted into further action.
In a recent American Enterprise Institute blog, visiting fellow Jim Harper suggested “ensur[ing] that we keep successful programs in place while discarding the ones that sully privacy and stand in the way of economic growth and technological innovation.” That would entail “a clear and articulate comparison of costs and benefits,” wrote Harper, a former congressional committee counsel and co-editor of Terrorizing Ourselves: Why U.S. Counterterrorism Policy Is Failing and How to Fix It.
“Direct costs are the easy part,” he said. “The Bank Policy Institute found in 2018 that banks it surveyed spent $2.4 billion and employed 14,000 individuals for anti-money-laundering regulatory compliance.”
Harper would also bring in “the cost of 'de-risking' - avoiding certain customers, markets, and even countries,” and “costs to innovation. That is clearest to me in the area of cryptocurrency and 'decentralized finance,' where untold projects and companies have not advanced because of financial surveillance rules and other regulatory requirements.”
IIF and Deloitte stressed a collective, public-and-private sector response. They posited a “'priority SAR' approach [that] would seek to balance the tension between privacy and investigation through alignment of capabilities and national priorities. It would also enhance existing SAR regimes, based primarily around a single institution, reporting with the power of the collective helping to ensure that the most serious threats to society were dealt with effectively in a manner that was consistent with a risk-based approach.”
For its part, FinCEN in early 2019 launched the BSA Value Project, described by agency director Kenneth A. Blanco in a December 2019 speech as “a study and analysis of the value of the BSA information we receive. We are working to provide comprehensive and quantitative understanding of the broad value of BSA reporting and other BSA information in order to make it more effective and its collection more efficient.”
Blanco explained that a “value quantification model will help us assess how the regulatory and compliance changes we are considering making with our government partners will affect the value of BSA reporting - we want any changes to lead to more effective outcomes and increase the value of BSA reporting, not just provide greater industry efficiency.”
This September, FinCEN issued an “Advance Notice of Proposed Rulemaking to solicit public comment on a wide range of questions pertaining to potential regulatory amendments under the Bank Secrecy Act.” Blanco said in a speech to the ACAMS (Association of Certified Anti-Money-Laundering Specialists) AML Conference that the effort revolves around such questions as “How do we achieve, and measure, and examine for, effectiveness in our AML regime? How do we work together to adequately provide the flexibility industry needs to allocate resources according to risk and priorities to help law enforcement and others with actionable information? How do we communicate our needs and information to each other and feel confident that something will come of it?”
Attorney Nowak sees the FinCEN notice as “an attempt to modernize the regulatory regime and the requirements that go along with developing and maintaining an effective AML program. It's a game changer that has the potential to align the interests of institutions with the interests of the regulator in terms of what an effective AML program should be and how best to identify and convey potential money laundering activity.”
On October 23, FinCEN and the Federal Reserve put out for comment changes in BSA recordkeeping and travel rule regulations that would lower to $250 from $3,000 the threshold for financial institutions to “collect, retain, and transmit certain information related to funds transfers and transmittals of funds.” That applies to international transactions; the $3,000 threshold would still hold for domestic transactions.
Funding and Other Reforms
“Don't Blame FinCEN - Congress Has Left it Underfunded for Years” is the headline on an October 3 article on the website of RegTech Consulting, whose founder, Jim Richards, supports increasing the agency's budget.
Beyond that, he favors extending AML reporting requirements to professional services - lawyers and accountants - as is the case in the U.K.
He also wants to see action on corporate transparency, namely a “national corporate registry” along with beneficial ownership information that makes clear to law enforcement who owns shell companies.
Richards, a former prosecutor and BSA officer, says most European countries have such databases, and he believes that greater transparency would keep wrongdoers from “hiding behind shell companies that are created in the British Virgin Islands, Delaware and Wyoming.” To that end, he supports the Anti-Money Laundering Act of 2020, sponsored by Senators Mike Crapo, Republican of Idaho, and Sherrod Brown, Democrat of Ohio.
“Nothing in the bill lowers the expectations for banks or the penalties associated with failure to properly carry out BSA/AML compliance,” Bank Policy Institute said in a response to the BuzzFeed articles. “Law enforcement and national security experts have endorsed the legislation as a meaningful step in improving the prevention of money laundering and illicit activities. Provisions in the bill that encourage law enforcement to set and share priorities and information with banks, and push banks to adopt technology, will move our system forward.”
“The reality of financial crime is that criminals are happy to combine accounts from different institutions,” and thus elude detection for their illicit acts, according to Joe Robinson, CEO of AML compliance technology company Hummingbird. The solution lies in eliminating data silos that make it difficult to detect criminal transaction patterns.
“The key to better AML effectiveness is the ability to share data in a privacy preserving manner,” says Robinson, referring to sharing both within and between financial firms as well as with regulators.
O'Melveny & Myers partner Laurel Loomis Rimon agrees that there needs to be better communication between financial firms and FinCEN. “Feedback and more information from FinCEN would be helpful,” she says, so banks can know what type of activity to be on alert for, or what is of current concern to the regulator.
“Currently, FinCEN's guidance tends to be pretty generic, and I don't think they have the resources to do this right now,” she says. “But given the volume of SARs they are dealing with, it would be a worthwhile investment.”
Rimon adds that better training for examiners and more of a risk-based approach would get past a check-the-box approach to reviewing SAR filings, and banks can deploy new technologies to filter through high-risk transactions in an automated fashion.
“What you have in the U.S. is a kind of defensive SAR filing phenomenon, where if a compliance person is not sure something is suspicious, they file a SAR anyway,” says Delingpole of ComplyAdvantage. The result is more SARs than necessary, and more than the regulators can cope with.
“We need a way to find the real risks and mitigate those, without tipping off alleged criminals,” he says. Given that “key parts of the AML process are all about understanding who your customers are and who they are transacting with,” he adds, “my advice for risk managers and compliance teams is to invest further in technology to advance your risk analysis of customers and entities and to provide better insight from an adverse media and political exposure perspective.”
AI and Other Tools
An irony of the FinCEN Files reporting, says Aite Group's Subrt, is that banks were shown to be performing their SARs obligations. “It's up to law enforcement to take the information from SARs and act on it,” Subrt says.
He believes that risk-based customer assessments, aided by artificial intelligence, machine learning and advanced analytics, would go a long way to righting AML deficiencies. “Tools such as dynamic segmentation, entity resolution and network link analysis can help financial institutions unlock the potential within data by ingesting and reconciling a large volume of data from multiple sources and build holistic view and networks of relationships,” says the latest Aite report.
Subrt notes that while established vendors like NICE Actimize, SAS, Fiserv and FICO are aiming for higher levels of technology performance, newer players such as Featurespace, Feedzai and Quantexa are introducing leading-edge capabilities in contextual intelligence and behavioral analytics.
While legacy AML systems typically assign customer risk scores based on information gathered at the time of onboarding, the Aite analyst points out, advanced analytics and machine learning can facilitate risk-based behavioral assessments and dynamic profiling in real time.
Network link analysis and network-generation technologies can find relationships and connections - often unknown or hidden - among parties, accounts, and transactions and graphically display them in user-friendly and easily digestible images and diagrams. “They enrich know-your-customer and customer due diligence practices by identifying and tracking underlying beneficial owners and their associations and facilitate customer risk evaluations and due diligence reviews,” says the Aite report.
Elsewhere on the AML/CTF leading edge, Oracle Financial Services has made machine learning and graph analytics part of its Financial Crime and Compliance Management services, which, by way of the cloud, are bringing “big bank anti-money-laundering protection to smaller institutions,” according to an October 28 announcement.
K2 Intelligence Financial Integrity Network has partnered with Giant Oak, a developer of behavioral-science-based machine learning systems, to form Consilient. Its DOZER technology leapfrogs others “us[ing] transfer-learning so that models can be trained across multiple sets of training data, allowing financial institutions to collaborate without putting private data at risk,” the companies said on October 29.
Copeland of StoneTurn recommends using the SAR as an early warning system and reviewing the transactions before and after the filing. Among her other suggestions: Be sure to have an enterprise-wide view of customer relationships; subject relationships in a high-risk category to more frequent reviews; and perform periodic SAR “health checks” that review specific regions, dollar thresholds or types of business for quality, timeliness, and potential follow-up.
“Whenever there is this type of scrutiny by media or the government on risk and compliance activities, it's an opportunity for risk and compliance folks to make sure senior executives are paying attention to their needs. The risk in AML efforts comes from not having appropriate resources, not having the right data across the business, and not having recognition from the highest levels within the bank. Use this opportunity to bring focus to these important matters.”
Katherine Heires is a freelance business journalist and founder of MediaKat LLC.