How banks and financial institutions can manage their compliance risks at a minimal cost.
Banks and other financial institutions need to verify their customers and transactions to protect themselves from money laundering, terrorist financing, and fraud. This process is called Know Your Customer (KYC) and is a part of anti-money laundering (AML) regulations.
AML compliance is important for banks and financial institutions for at least two reasons:
1. Regulatory compliance. Banks and other financial institutions are obliged to fulfill national AML/CFT laws, such as the Bank Secrecy Act in the US, the Anti-Money Laundering Act (Geldwäschebekämpfungsgesetz-GWG) in Germany, and the Payment Service Act (PSA) in Singapore.
In case of non-compliance, financial institutions expose themselves to legal, operational, and reputational risks. In 2021, penalties that financial institutions incurred for non-compliance with AML regulations totaled $5.35bn. So while AML regulations have existed for quite a long time, banks and financial institutions still have significant weaknesses in their compliance programs.
The Financial Conduct Authority (FCA), the UK’s regulatory body, sent a letter to the CEOs of retail banks, identifying common failings in the AML frameworks of their organizations. These include:
Experts state that the regulatory landscape will continue to demand greater vigilance and enforcement, challenging banks to step up their focus on regulatory compliance.
2. Fraud protection. An effective AML compliance program won’t let suspicious customers and transactions enter the financial system. However, fraudsters constantly invent sophisticated methods of money laundering and fraud to fly under the radar. Therefore, it’s essential to develop an AML program that can handle new and complex fraud attempts. Otherwise, businesses expose themselves to financial and reputational losses.
Money laundering (ML) refers to concealing the existence, source, movement, and destination of illicitly-obtained funds to make them appear legitimate. Usually, there are three stages of money laundering that can be considered as red flags for banks and financial institutions.
Some of these stages may be skipped, depending on the circumstances. For example, there is no need to place money that is already in the financial system.
Banks are particularly at risk of being abused for ML purposes, since they may be used for “layering” or “integration” purposes. Meanwhile, credit card or ATM services can be used for the “placement” of illegal funds.
Correspondent banking is also vulnerable to ML because it involves cross-border payments, where the parties involved in the payment chain aren’t always well known. To mitigate ML risks, banks and financial institutions must establish and maintain proper AML compliance.
Banks have to develop and maintain an effective AML compliance program. This encompasses a variety of policies, controls and procedures related to the prevention and reporting of money laundering and terrorist financing.
As part of their AML compliance program, banks should perform a KYC (Know Your Customer) process, which is an umbrella term for everything that they should know about a customer. The KYC process is another part of Customer Due Diligence, which is required by AML regulations.
In line with AML regulations, financial companies must conduct CDD measures such as:
The CDD process may vary depending on the level of risk in a given scenario. For low-risk cases, such as dealing with publicly-owned enterprises or individuals from low-risk jurisdictions, banks can apply Simplified Due Diligence.
But for Politically Exposed Persons (PEPs) and individuals from high-risk jurisdictions, Enhanced Due Diligence (EDD) is required. PEPs are high-risk customers due to their high-profile political or public function. PEP status doesn’t always mean that an individual is corrupt or involved in any criminal activity. Still, close attention must be paid to them, especially if they are from a country known for bribery, corruption, and financial irregularity.
When it comes to evaluating risks associated with customers, AML screening solutions can help. For instance, these can determine whether users are present on global watchlists (e.g., sanctions lists, PEP lists, adverse media lists). By using such solutions, companies can reduce manual work, protect themselves from crime, and get reliable data from trustworthy sources.
AML regulations require that all countries and businesses operate using a risk-based approach to AML. This means that financial institutions should consider and understand the ML risks to which they are exposed in a given situation (as well as the business specifics thereof), and apply appropriate AML measures to mitigate these risks.
More specifically, the risk-based approach includes the following:
Transaction monitoring helps banks understand the source of incoming funds, clarify their counterparties’ purposes of payment, and enhance trust between affiliate financial institutions and correspondent banks.
Banks and financial institutions should obtain and assess at least the following data on the transactions:
The implementation of transaction monitoring systems is difficult due to the complexity of the underlying analytics used. This is especially the case with banks and financial institutions conducting millions of transactions daily. Automated solutions can make this process easier.
According to ML regulations, an AML Compliance Officer is responsible for the development, monitoring, and implementation of a company’s AML compliance program. The main responsibility of the Money Laundering Reporting Officer (MLRO) is to keep the financial institution in line with AML regulations and prevent it from getting fined, debarred from the financial industry, or having its license revoked.
A company MLRO should have the following powers:
In addition, the MLRO is responsible for external reporting and arranging AML training for relevant employees.
Bank employees should be aware of AML compliance and its importance for regulatory compliance. Usually, employees are the first ones who deal with all suspicious activities, and their decision-making is crucial in high-risk situations. Therefore, companies should provide ongoing training for those who have AML-specific responsibilities and deal with transactions and accounting. This will keep such employees aware of red flags, suspicious activity, and the relevant legal obligations when dealing with high-risk customers.
The management of a financial institution needs to work together with its AML team to create a solid compliance culture. This furthers the identification and reduction of ML risks and leads to more effective compliance solutions.
Banks need to evaluate the risks specific to their customers, which are determined after the identification and verification processes. Customers indicating a high level of risk may be subject to further investigation.
Customers are assessed over the course of a business relationship with their bank or financial institution. Such assessment determines if it is possible to continue working with the customer as well as the risk mitigation procedures to be applied, where necessary. Customer risk assessment will often result in the categorization of risk: high/medium/low.
A customer risk assessment is a relationship-based evaluation of the factors related to:
Financial institutions should take into account the following risk variables relating to all previously mentioned risk factors:
These variables, either alone or in combination, may increase or decrease the potential risk posed, thus impacting the appropriate level of CDD measures.
Customer risk assessment is needed in the following situations:
Customer risk assessment should be conducted periodically in an ongoing business relationship. In this regard, banks and financial institutions need to determine the customer’s level of risk and update their risk profiles regularly.
Banks should have a process in place to identify suspicious transactions and report them. For example, in the UK, the National Crime Agency (NCA) states that all company staff have to file an internal report if they know or suspect something related to money laundering and terrorist financing.
Accordingly, the company’s MLRO considers all such reports and makes an external report to the NCA if there are reasonable grounds to believe that the suspect is involved in money laundering. In addition, the MLRO documents any decision not to file a report and the reasons for that decision. The company waits for the NCA’s consent before proceeding with the suspected customer and must freeze funds if suspicions are confirmed.
AML regulations require banks and financial institutions to keep records concerning customer identification and transactions. For instance, the EU Money Laundering Directive requires retaining records of certain information for 5 years from the end of a business relationship or the completion of an occasional transaction. However, retention periods may vary in different jurisdictions.
These records show that the company is compliant with regulations and may be used as evidence in any investigation conducted by law enforcement.
Automated screening processes such as ID verification, face authentication and AML screening save time and resources. If combined, they provide fraud-proof security in accordance with global and local regulatory compliance standards.
To conduct AML quickly and properly, banks and financial institutions usually delegate to specialized third-party solutions. The best option is to choose one solution that covers all the AML needs of the business, rather than using a combination of different solutions.
To be successful in 2022, banks and financial institutions should consider investing time and resources in creating AML compliance programs using automated solutions. Also, banks need to track changes in regulations and keep their AML compliance programs up to date.