May 24, 2022

Anti-Money Laundering (AML) in Banking and Finance: Compliance Outlook

How banks and financial institutions can manage their compliance risks at a minimal cost.

Banks and other financial institutions need to verify their customers and transactions to protect themselves from money laundering, terrorist financing, and fraud. This process is called Know Your Customer (KYC) and is a part of anti-money laundering (AML) regulations.

In this comprehensive guide, we will explain what AML compliance entails for financial institutions and how to stay compliant.

Why is AML compliance a top priority for financial institutions?

AML compliance is important for banks and financial institutions for at least two reasons:

1. Regulatory compliance. Banks and other financial institutions are obliged to fulfill national AML/CFT laws, such as the Bank Secrecy Act in the US, the Anti-Money Laundering Act (Geldwäschebekämpfungsgesetz-GWG) in Germany, and the Payment Service Act (PSA) in Singapore.

In case of non-compliance, financial institutions expose themselves to legal, operational, and reputational risks. In 2021, penalties that financial institutions incurred for non-compliance with AML regulations totaled $5.35bn. So while AML regulations have existed for quite a long time, banks and financial institutions still have significant weaknesses in their compliance programs.

The Financial Conduct Authority (FCA), the UK’s regulatory body, sent a letter to the CEOs of retail banks, identifying common failings in the AML frameworks of their organizations. These include:

  • lack of oversight of controls outsourced to third parties;
  • lack of evidence of senior management approval in certain higher-risk situations;
  • lack of sufficient detail on financial crime risks and/or mitigating controls;
  • improper performance of Customer Due Diligence (CDD) processes, particularly in relation to the purpose and intended nature of the customer relationship;
  • Enhanced Due Diligence (EDD) does not mitigate the customer risks, particularly in relation to Politically Exposed Persons (PEP);
  • lack of understanding of the technical setup of transaction monitoring systems;
  • risk of ‘tipping off’ a suspected money launderer regarding an investigation due to lack of training.

Experts state that the regulatory landscape will continue to demand greater vigilance and enforcement, challenging banks to step up their focus on regulatory compliance.

2. Fraud protection. An effective AML compliance program won’t let suspicious customers and transactions enter the financial system. However, fraudsters constantly invent sophisticated methods of money laundering and fraud to fly under the radar. Therefore, it’s essential to develop an AML program that can handle new and complex fraud attempts. Otherwise, businesses expose themselves to financial and reputational losses.


How do criminals launder money through banks and financial institutions?

Money laundering (ML) refers to concealing the existence, source, movement, and destination of illicitly-obtained funds to make them appear legitimate. Usually, there are three stages of money laundering that can be considered as red flags for banks and financial institutions.

Some of these stages may be skipped, depending on the circumstances. For example, there is no need to place money that is already in the financial system.

Banks are particularly at risk of being abused for ML purposes, since they may be used for “layering” or “integration” purposes. Meanwhile, credit card or ATM services can be used for the “placement” of illegal funds.

Correspondent banking is also vulnerable to ML because it involves cross-border payments, where the parties involved in the payment chain aren’t always well known. To mitigate ML risks, banks and financial institutions must establish and maintain proper AML compliance.

What does AML compliance entail for banking and finance?

Banks have to develop and maintain an effective AML compliance program. This encompasses a variety of policies, controls and procedures related to the prevention and reporting of money laundering and terrorist financing.

As part of their AML compliance program, banks should perform a KYC (Know Your Customer) process, which is an umbrella term for everything that they should know about a customer. The KYC process is another part of Customer Due Diligence, which is required by AML regulations.

Customer Due Diligence (CDD)

In line with AML regulations, financial companies must conduct CDD measures such as:

  • identifying and verifying the customer using documents, data, or information provided by a reliable and independent source;
  • identifying and verifying the beneficial owner’s identity;
  • obtaining information on the purpose and intended nature of the business relationship;
  • conducting ongoing monitoring of the business relationship and scrutinizing ongoing transactions.

The CDD process may vary depending on the level of risk in a given scenario. For low-risk cases, such as dealing with publicly-owned enterprises or individuals from low-risk jurisdictions, banks can apply Simplified Due Diligence.

But for the Politically Exposed Persons (PEP) and individuals from high-risk jurisdictions, Enhanced Due Diligence (EDD) is required. PEPs are high-risk customers due to their high-profile political or public function. PEP status doesn’t always mean that an individual is corrupt or involved in any criminal activity. Still, close attention must be paid to them, especially if they are from a country known for bribery, corruption, and financial irregularity.

To maintain compliance with CDD requirements, banks can use multilingual, OCR-powered ID verification and face authentication solutions to securely identify and verify their customers.

When it comes to evaluating risks associated with customers, AML screening solutions can help. For instance, these can determine whether users are present on global watchlists (e.g., sanctions lists, PEP lists, adverse media lists). By using such solutions, companies can reduce manual work, protect themselves from crime, and get reliable data from trustworthy sources.

Implementing a risk-based approach

AML regulations require that all countries and businesses operate using a risk-based approach to AML. This means that the financial institutions should consider and understand the ML risks to which they are exposed in a given situation (as well as the business specifics thereof), and apply appropriate AML measures to mitigate these risks.

More specifically, the risk-based approach includes the following:

  • Risk identification and assessment—identifying the money laundering risks faced by banks or financial organizations (including relevant legal, regulatory, and reputational risks) according to the profile of their customers, products, and services;
  • Risk mitigation—identifying and applying effective measures to mitigate significant risks arising in the course of monitoring;
  • Risk monitoring—following up on changes in the customer’s risk profile by monitoring changes in the customer’s business processes;
  • Documentation—documenting the customer’s risk assessment, company’s policies and procedures, strategy for handling risks.

Transaction monitoring

Transaction monitoring helps banks understand the source of incoming funds, clarify their counterparties’ purposes of payment, and enhance trust between affiliate financial institutions and correspondent banks.

Banks and financial institutions should obtain and assess at least the following data on the transactions:

  • the volume of funds involved;
  • the geographical origin of funds involved;
  • the frequency of the transactions;
  • if the transaction matches the customer’s usual financial behavior.

The implementation of transaction monitoring systems is difficult due to the complexity of the underlying analytics used. This is especially the case with banks and financial institutions conducting millions of transactions daily. Automated solutions can make this process easier.

An appointed AML compliance officer/Money Laundering Reporting Officer (MLRO)

According to ML regulations, an AML Compliance Officer is responsible for the development, monitoring, and implementation of a company’s AML compliance program. The main responsibility of the Money Laundering Reporting Officer (MLRO) is to keep the financial institution in line with AML regulations and prevent it from getting fined, debarred from the financial industry, or having its license revoked.

A company MLRO should have the following powers:

  • the authority to act independently;
  • access to all required information databases;
  • sufficient resources, such as technology and staff members.

In addition, the MLRO is responsible for external reporting and arranging AML training for relevant employees.

AML training for employees

Bank employees should be aware of AML compliance and its importance for regulatory compliance. Usually, employees are the first ones who deal with all suspicious activities, and their decision-making is crucial in high-risk situations. Therefore, companies should provide ongoing training for those who have AML-specific responsibilities and deal with transactions and accounting. This will keep such employees aware of red flags, suspicious activity, and the relevant legal obligations when dealing with high-risk customers.

The management of a financial institution needs to work together with its AML team to create a solid compliance culture. This furthers the identification and reduction of ML risks and leads to more effective compliance solutions.

Customer risk assessment

Banks need to evaluate the risks specific to their customers, which are determined after the identification and verification processes. Customers indicating a high level of risk may be subject to further investigation.

Customers are assessed over the course of a business relationship with their bank or financial institution. Such assessment determines if it is possible to continue working with the customer as well as the risk mitigation procedures to be applied, where necessary. Customer risk assessment will often result in the categorization of risk: high/medium/low.

A customer risk assessment is a relationship-based evaluation of the factors related to:

  • types of customers (close relatives of a PEP, customers who are non-residents, etc.);
  • countries or geographic areas (countries under sanctions, high-risk third countries, etc.) associated with the customer;
  • products, services, and transactions.

Financial institutions should take into account the following risk variables relating to all previously mentioned risk factors:

  • the purpose of an account or relationship;
  • the level of assets to be deposited by a customer;
  • the size of transactions undertaken;
  • the regularity/duration of the business relationship.

These variables, either alone or in combination, may increase or decrease the potential risk posed, thus impacting the appropriate level of CDD measures.

Customer risk assessment is needed in the following situations:

  • at the beginning of a new business relationship;
  • in case of occasional transactions.

Customer risk assessment should be conducted periodically in an ongoing business relationship. In this regard, banks and financial institutions need to determine the customer’s level of risk and update their risk profiles regularly.

Suspicious activity reporting

Banks should have a process in place to identify suspicious transactions and report them. For example, in the UK, the National Crime Agency (NCA) states that all company staff have to file an internal report if they know or suspect something related to money laundering and terrorist financing.

Accordingly, the company’s MLRO considers all such reports and makes an external report to the NCA in case there are reasonable grounds that the suspect is involved in money laundering. In addition, the MLRO documents their decision to not file a report and the reasons for that decision. The company waits for the NCA’s consent before proceeding with the suspected customer and must freeze funds in case suspicions are confirmed.


AML regulations require banks and financial institutions to keep records concerning customer identification and transactions. For instance, the EU Money Laundering Directive requires retaining records of certain information for 5 years from the end of a business relationship or the completion of an occasional transaction. However, retention periods may vary in different jurisdictions.

These records show that the company is compliant with regulations and may be used as evidence in any investigation conducted by law enforcement.


What is the best AML compliance solution for banking and finance?

Automated screening processes such as ID verification, face authentication and AML screening save time and resources. If combined, they provide fraud-proof security in accordance with global and local regulatory compliance standards.

To conduct AML quickly and properly, banks and financial institutions usually delegate to specialized third-party solutions. The best option is to choose one solution that covers all the AML needs of the business, rather than using a combination of different solutions.

To be successful in 2022, banks and financial institutions should consider investing time and resources in creating AML compliance programs using automated solutions. Also, banks need to track changes in regulations and keep their AML compliance programs up to date.
