Key findings from ACAMS FinCrime conference Las Vegas 2017

Arachnys attended the ACAMS FinCrime conference in Las Vegas last week.

We looked at the following areas:

1. Insights on Oversight: A Regulatory Roundtable on AML Trends and Issues (OCC, FINCEN, FINRA)
2. Updating Client Profiles to ensure customer risk ratings reflect current realities
3. Acceptable risk: formalizing risk tolerance policies to ensure uniform decisions across enterprise
4. Racing to the finish: homestretch strategies for implementing the CDD Final Rule
5. Monitoring the situation - using automation and AI to upgrade KYC, CDD and Ongoing AML Oversight

Here are some of our key findings.

  • The new CDD rules have resulted in a requirement to collect information at the 25% UBO/ownership threshold: the regulators had to make a determination, and chose 25% because it has become an international standard.
  • BSA officer/AML/CFT functions are more than cost containment centers: they must help to protect the financial integrity of the bank and the US financial system.
  • Investigators should be able to impact a risk score. Annual reviews allow you to learn a lot more than what a model based or tool based approach can do.
  • Regulators expect evolution at the same pace as the data and technology. The partnership between first and second line plays a critical role.
  • Panelists stressed the importance of collecting qualitative but also quantitative data.
  • The first line (relationship managers) does not currently understand that it owns the risk.
  • There is a real burden on vendors to provide technology that addresses these new requirements.
  • Keep a healthy dose of skepticism towards AI and ML. It is smarter to talk about intelligence augmentation at the moment. Regulators are starting to look at the algorithms, but they are still struggling to test them properly. They set a standard of red flags to be caught and then question the output. Model validation guidelines have not yet caught up to the algorithms.


Our notes in full:

1. Insights on Oversight: A Regulatory Roundtable on AML Trends and Issues (OCC, FINCEN, FINRA)

The key topic was the introduction of the Department of the Treasury (DoT) CDD regulations under the Bank Secrecy Act, which must be implemented by May 2018. FIs should make sure they are on track to implement them, and keep time aside for testing before the rules go live! The majority of banks have begun implementation, but the work is still ongoing.

The CDD rules have four components. The new provisions centre on the UBO element for legal entity customers, leading to a risk-based CDD programme.

The rule should be a floor, not a ceiling. The regulators are "laser focused" on risk-based examinations. It will force improved customer risk profiles.

All regulators on the panel identified the following problems:

  • Customer risk rating methodologies that do not facilitate reasonable understanding of the customer’s AML risk.

  • Situations where the risk rating did not lead to greater scrutiny.

  • Some CDD Processes had been poorly documented or delayed.

  • FINCEN notes that within the Beneficial Ownership section, FIs are approaching these CDD rules in different ways. Any of these approaches could be effective, but inconsistency will become a problem.

  • Customer onboarding methodologies are still inconsistent with customer risk. The methodologies need to keep up. Client risk rating methodologies are still being used as a check-box exercise, which is no longer acceptable. That information needs to complement everything else you do.

The Office of the Superintendent of Financial Institutions (OSFI):

OSFI has addressed the problems in the development and application of methodologies. Banks lack a good rationale for client risk ratings.

There is a lack of consistency in decentralised FIs. Some institutions are only now developing three lines of defense, and in many FIs the second line of defense is still at different stages of maturity. A stronger second line would enable banks to be proactive in their assessment of risk, and manage risk proactively rather than waiting for the third line to come in.

Differences between Canada and US regulation:

  • Ongoing monitoring in Canada does not envision a trigger event for lower risk customers

  • The standard for checking UBOs is higher than in the US. You need to obtain as well as confirm the information; the latter is difficult because of the lack of corporate registries and the difficulty of obtaining information in Canada.

FINRA on data integrity: lots of FIs are using systems that were built 10 years ago, but the data requirements have changed and the systems are not always updated. With multiple regulators, FIs face multiple expectations, but so do examiners.

There is a requirement to collect information at the 25% UBO/ownership threshold: the regulators had to make a determination, and chose 25% because it has become an international standard.

BSA officer/AML/CFT functions are more than cost containment centers: they must help to protect the financial integrity of the bank and the US financial system.

2. Updating Client Profiles to ensure customer risk ratings reflect current realities

CRR (customer risk rating) process is an integral part of an FI’s AML program. CRR results should inform key elements of the overall program: EDD process; KYC refresh; inherent customer risk data for enterprise risk assessment process; potential segmentation of customer by risk level.

Most FIs have a model- or tool-based process that is very subjective, which makes the controls even more important. Some FIs even have a panel of experts to make sure sound judgments are applied. It is not one size fits all. Controls must be documented clearly.

A CRR is not:

  • the same as the BSA / AML risk assessment

  • A one size fits all approach to segmenting customers by risk level

  • The same across all institutions

  • Disconnected from the overall risk framework

A CRR is:

  • A regulatory expectation

  • A mechanism for segmenting the customer base to inform risk-based CDD

  • A tool to support relationship acceptance and risk mitigation strategies

  • Consistently applied across the enterprise

  • Commensurate with FI’s risk profile.

Collaboration between the first and second lines of defense is imperative. Most lines of business (LOBs) don't know their high risk customers (HRCs). Establish an integrated conversation with your first line of defense.

Most programmes follow a similar process:

  1. Develop a CRR model or tool
  2. Score the portfolio to identify HRCs
  3. Feed transaction monitoring
  4. Determine EDD cadence by level of risk (HRCs determine the most recent EDD review)
  5. Refresh KYC information
  6. Perform the EDD review
  7. Escalate to SAR review or close the account

Best practices:

  • Emerging practice: panelists advocated for a more dynamic risk review. Leverage your transaction monitoring data to inform your CRR. Look at customer behavior and link it to KYC profile.

  • Investigators should be able to impact a risk score. Annual reviews allow you to learn a lot more than what a model based or tool based approach can do.

Key components of a proper CRR Program:

Customer
  • PEP
  • Adverse media
  • Prior SARs

Geography
  • Physical address / residence
  • Location of business operations
  • Country of citizenship

Industry
  • Type of industry (may require specialised treatment and monitoring)

Product / services / transactions
  • Presence of higher risk products and services, and the corresponding transaction volume

Common challenges:

  • Data availability and quality, because of the complex data environment.

  • Customer level view across enterprise

  • Judgmental nature of CRR process

  • Model management (the governance of the model is so important because it's so judgmental)

  • Potentially high costs of managing CRR (because of high false positives)

  • Evolving regulatory guidance

  • Timing of running a customer screening.

While HRCs are reviewed yearly, one should also have trigger events that require a review in the middle of the review cycle. During transaction monitoring you find suspicious activities and bad actors, and the more effective you are there, the more comfort you have in your CRR program.

Regulators expect evolution at the same pace as the data and technology. The partnership between first and second line plays a critical role.

Leverage the output of your CRR to inform your first line to make better decisions early. Tight integration between the modelling and investigative teams is important.

3. Acceptable risk: formalizing risk tolerance policies to ensure uniform decisions across enterprise.

The first line (relationship managers) does not currently understand that it owns the risk.

A risk appetite statement should be a living document. It should be an iron-clad document that articulates clearly what the risks are, what they apply to and who owns the risk. It's important to create uniformity in how risk acceptance is understood. This does not mean that the document should not be adapted as regulations change, but it cannot be subject to interpretation.

Panelists suggested putting a governance framework in place. Recommended members would come from your legal, compliance, operations and financial crime teams. On a monthly or quarterly basis this governance framework should review the statistics of all work done within AML: the number of closed alerts, and the number of HRCs escalated.

A governance framework would allow you to mitigate the risk and keep the pulse of the entire organisation. How many ‘aged’ alerts are there?

Panelists urge FIs to have a governance framework that monitors those trends with different stakeholders: they can help identify underlying issues or whether the scenarios aren’t tuned correctly.

Compliance operations and senior leadership from LOBs need to have a seat at the risk governance framework table. Audit is often not involved, but it has to be, since it sees control failures and gaps. The first line of defense looks at revenue streams, but it needs to be included in the enterprise-wide risk assessment.

Panelists stressed the importance of collecting qualitative but also quantitative data.

Further to that, documentation needs to be clear and auditable. On qualitative data: it's hard to tell how an algorithm comes up with a decision. Machines can learn, but they assess data differently than humans. It's hard to explain this to regulators.

Having good procedures is great but adherence is more challenging to achieve. Decisions need to be documented.

Process and procedures may be more important than the decisions.

Tips

  • The risk framework should define capacity, appetite, tolerance, targets and limits.

  • Risk appetite framework and statements need to be linked and communicated.

  • Document escalations, procedures and process owners for deviations

  • Develop metrics for targets for measuring, monitoring and reporting.

4. Racing to the finish: homestretch strategies for implementing the CDD Final Rule

Speakers:

Megan Hodge Davis, Ally Bank
Anna Rentschler, Central Bancompany
Joe Soniat, Union Bank and Trust

The core elements of CDD:

  1. Customer identification and verification (the current CIP model)
  2. Beneficial ownership identification and verification (new)
  3. Understanding the nature and purpose of customer relationship
  4. Ongoing monitoring

For effective CDD, compliance professionals need to take into consideration two prongs:

Ownership prong: Each individual who directly or indirectly owns 25% or more of the equity interests of a legal entity customer.

Control prong: a single individual with significant responsibility to control, manage, or direct a legal entity customer, including an executive officer or senior manager, e.g. CEO, CFO, or any other individual who performs a similar function.
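The ownership prong above has to be applied through layers of intermediate entities, which is where most of the work is. The following Python is an added example, not code from the Arachnys post or from any regulator's guidance. It walks a constructed ownership graph from the legal entity customer up to natural persons, multiplies the percentages along each chain, aggregates a person's direct and indirect holdings, and applies the 25% threshold from the page; it then attaches the control-prong individual. The graph, the names, the multiply-along-chain convention and the handling of cross-holding cycles are assumptions of this example.

```python
"""Beneficial-ownership computation for the CDD ownership and control prongs.

Added example. Indirect ownership is computed as the product of the
percentages along each chain of entities, summed over all chains; this
convention and the sample data below are assumptions of the example.
"""
from collections import defaultdict

OWNERSHIP_THRESHOLD = 25.0  # percent; the 25% threshold discussed in the notes

# Constructed sample: entity -> list of (owner, percent of equity held).
# Natural persons are leaves: they own, but are not owned.
OWNERSHIP = {
    "AcmeCo LLC": [("HoldCo A", 60.0), ("Alice", 20.0), ("Bob", 20.0)],
    "HoldCo A": [("Carol", 50.0), ("HoldCo B", 50.0)],
    "HoldCo B": [("Alice", 40.0), ("Dave", 60.0)],
}

# Constructed sample: entity -> individual with significant control (control prong).
CONTROL = {"AcmeCo LLC": "Erin"}


def effective_ownership(entity, graph, _visited=None):
    """Return {person: percent} of effective (direct + indirect) ownership of `entity`.

    Every chain from the entity up to a natural person contributes the product
    of the percentages along it; contributions from different chains are summed,
    so a person holding through several intermediaries is aggregated. A
    cross-holding cycle (A owns B owns A) is cut rather than followed.
    """
    visited = set(_visited or ()) | {entity}
    totals = defaultdict(float)
    for owner, pct in graph.get(entity, []):
        if owner in visited:
            continue  # cross-holding cycle: do not loop forever
        if owner in graph:  # intermediate entity: recurse and scale by this stake
            for person, sub_pct in effective_ownership(owner, graph, visited).items():
                totals[person] += pct * sub_pct / 100.0
        else:  # natural person: direct holding at this level
            totals[owner] += pct
    return dict(totals)


def beneficial_owners(entity, graph, control, threshold=OWNERSHIP_THRESHOLD):
    """Apply both prongs: individuals at or above the threshold, plus the controller."""
    owners = effective_ownership(entity, graph)
    return {
        "effective": owners,
        "ownership_prong": sorted(p for p, pct in owners.items() if pct >= threshold),
        "control_prong": control.get(entity),
    }


if __name__ == "__main__":
    result = beneficial_owners("AcmeCo LLC", OWNERSHIP, CONTROL)
    for person, pct in sorted(result["effective"].items(), key=lambda kv: -kv[1]):
        flag = "UBO" if pct >= OWNERSHIP_THRESHOLD else "   "
        print(f"{flag} {person:<6} {pct:5.1f}%")
    print("control prong:", result["control_prong"])
```

In the constructed sample Alice holds 20% directly and a further 12% through HoldCo A and HoldCo B, so she crosses the 25% threshold only once direct and indirect holdings are aggregated, which is exactly the case a naive "look at the cap table" check misses; Dave's 18% indirect stake stays below it.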

No bank should adopt the 25% threshold without analysis; each bank needs to look at its HRCs and its products and services. You need to trust your customer risk scoring system to triage the alerts effectively, with a risk-based determination.

How should banks manage the data collected?

The data ‘flow’ is an important factor in data management for FIs. Where does it come in? Where does it need to go? How do we monitor it? Where does it get scored?

Do you need to do a refresh, or can you reuse a grandfathered piece of information? Do you need to redo the check entirely, or can you reuse information received in the past as long as the customer confirms it's still accurate? Document, document, document. Collaborate with your AML officer and go through the most difficult possible scenarios ahead of the CDD rule deadlines.

There is a real burden on vendors to provide technology that addresses these new requirements.

FIs need to have a plan B if vendors are not ready to address new regulations. The new rules state you don’t have to follow the 25% rule for an existing account unless there is a trigger event. You need to have a discussion about what triggers these events, and be careful which of the triggers you list. Making a SAR a trigger event, for example, could overwhelm the process.

5. Monitoring the situation - using automation and AI to upgrade KYC, CDD and Ongoing AML Oversight

There is increasing pressure from managers to disposition alerts, rather than throwing bodies at them. The industry is now moving towards virtual robotics & process automation that will change the white collar workforce. The impact of this will be huge, automating the investigation management and data retrieval process.

The anti-financial-crime framework is facing threats. Budgets are increasing, but fines are also increasing, creating more and more pressure for FIs.

Here are some relevant findings from a recent study by McKinsey:

  1. 80% of time is spent on issues of low or moderate material risk, with only 20% spent on high risk issues.
  2. No integrated view across enterprise.
  3. There is little consistent understanding of material risks due to different standards and different teams.
  4. Senior management are not in position to obtain reliable view of compliance risks or controls.

Machine-learning and AI will be the most important general purpose technology of our era. Perception and cognition will be the areas of greatest advance, indicated by recent improvements in voice and image recognition. In the end, AI is based on machine-learning. Machine learning is based on analytics. Analytics is based on data infrastructure.

False positive reduction is possible with 3 approaches:

  1. Combining external with internal data
  2. Segmentation - taking huge datasets and finding out what the right clusters and segments are (looking at customers, accounts and transactions).
  3. Hard coded rules will fail, they need to be adaptive.

BSA/AML domain: AI and ML have opportunities to be used in monitoring and screening, as well as in the management of false positives, alert dispositioning and risk assessment. These areas are amenable to AI/ML techniques. However, the transition to AI and ML should be managed carefully to ensure transparency and regulatory buy-in. FIs are also investing in RPA.

People are automating assessment of negative news, using algorithms to help make decisions. To make this work, it is imperative to break down the decision points.

In several areas, the application of this technology has been less than successful:

  1. Automating decisions on sanctions alerts and applying those decisions to risk scoring. There is not enough training data in that domain for it to work.
  2. Pitfalls of automation: Google or another vendor may block you. Protocols are not in place to warn when bots are blocked from retrieving data.

Keep a healthy dose of skepticism towards AI and ML. It is smarter to talk about intelligence augmentation at the moment. Regulators are starting to look at the algorithms, but they are still struggling to test them properly. They set a standard of red flags to be caught and then question the output. Model validation guidelines have not yet caught up to the algorithms.
