What U.K. bank CEOs can do now to close gaps in their anti-money laundering controls

Introduction

The Financial Conduct Authority (FCA), the regulator of financial markets in the U.K., flexed its muscles in March of this year when it launched its first attempted prosecution for anti-money laundering (AML) failings against NatWest. A couple of months later, David Geale, the Director of Retail Banking and Payments Supervision for the FCA, sent a letter to CEOs of retail banks. In this letter he outlined common themes coming out of the regulator’s recent assessments of retail banks’ financial crime systems and controls. He noted that the FCA was disappointed to identify weaknesses in key areas of firms’ anti-money laundering systems and controls and detailed specific issues in governance and oversight, risk assessments, due diligence, transaction monitoring, and suspicious activity reporting.

The letter advised CEOs to “take the necessary steps to gain assurance that your firm’s financial crime systems and controls are commensurate with the risk profile of your firm and meet the requirements of the MLRs” (the Money Laundering, Terrorist Financing, and Transfer of Funds Regulations 2017). He called for CEOs to complete a gap analysis by September 17, 2021, and to “take prompt and reasonable steps to close any gaps identified.” The letter ended with a warning—“Where we assess firms’ actions in response to this letter to be inadequate, we will consider appropriate regulatory intervention to manage the financial crime risk posed.”

While some of the specific anti-money laundering issues raised must be addressed through management practices, many of the issues identified can be addressed through technology. Therefore, this blog post will discuss specific tools and capabilities that can address some of the issues identified in the letter.

Set up issues

The letter highlights a need for employee visibility into and understanding of anti-money laundering transaction monitoring systems in order to ensure data completeness and accuracy. The letter states that “…in one firm we were informed that the UK branch had no oversight of the transactional data feed into its transaction monitoring system and lacked management information to verify that the transaction data input at Group level was complete, accurate or segmented appropriately… We also find a lack of understanding of the technical set up of the transaction monitoring systems from those individuals that have responsibility for its operation and effectiveness. Some firms fail to undertake regular appropriate assessments of the data feeds and data integrity of the systems.”

These data transparency issues can be avoided by working with vendor that offers an enterprise-wide data model built specifically for anti-money laundering. The data model should allow segmentation of data by products/services, lines of business, or jurisdiction. This can be a game-changer in factoring in country/branch-specific risk information while providing an enterprise view. Also, pre-packaged data quality checks can help enforce enterprise data standard policies at the country/branch level. Additional configurations should provide the ability to tailor enterprise policies to meet geographic-specific data gathering procedures.

The end-to-end process flows can be managed by using a pipeline designer which provides details about provisioned data, quality checks applied, processed data, and outcomes—as well as an audit trail for ingested data. Intuitive dashboards are key for annual model risk review and management, and for validating model performance, especially from a data quality perspective.      

Comprehensive scenario management

Another anti-money laundering issue highlighted in the letter pertains to banks not being granular enough in their controls and neglecting to assess specific risks within individual subsidiaries, jurisdictions, or customer types. This can lead to inaccurate assessment of the risk within these groups and lead to inaccurate business-wide risk assessment. 

A key tool for assessing risk within segments is comprehensive scenario management. For monitoring transactions across subsidiaries or jurisdictions, the process should begin with a clear understanding of local regulations. For each jurisdiction, the local regulations should be mapped into risk themes and then translated into scenarios. As for customer risk assessment, the risks of individual customer types should be mapped into risk themes and translated into scenarios.

While this might seem quite labor-intensive, some tools can make the creation and maintenance of anti-money laundering scenarios for different subsidiaries, jurisdictions, and customer types a streamlined and manageable process:

• Out-of-the-box scenarios: Work with an anti-money laundering vendor that provides a wide variety of out-of-the-box scenarios so that you are not building models for each group from scratch.
• Thresholds: Keep the number of scenarios manageable by reusing them across segments and applying different thresholds to different product/service and jurisdictional segments. Look for a vendor that provides a GUI-based tool to add as many thresholds as you like. Don’t use off-the-shelf thresholds—you should calibrate them based on country/branch risk profile and enterprise risk appetite. Leverage polyglot model authoring, which allows for model calibration using the industry’s champion/challenger concept. An intuitive canvas can fully govern the end-to-end process flow, including data provisioning, applied quality checks, monitoring, and case disposition outcome. Meanwhile, an easy to plug-in model calibration framework should expedite the threshold tuning process. Additionally, machine learning can be leveraged to automatically tune scenario thresholds by factoring in case disposition outcomes to enhance monitoring effectiveness.         
• Dashboards: All scenarios should be tracked in a dashboard that conveys what has been implemented for each subsidiary, jurisdiction, or customer type. This allows for efficient updates as regulations and risks change.
• Sandboxing: Most anti-money laundering vendors do calibration outside of the core processing system, which can be a costly procedure as you have to replicate production. Instead, look for a vendor that can let you tune scenarios and deploy models to production from a single system that documents everything.

Integrations

The letter also notes that “We often identify instances where CDD [customer due diligence] measures are not adequately performed…”. On that note, a key way for banks to ensure they are performing adequate CDD is by assessing adequate data. Banks should look for an anti-money laundering vendor that can bring in data from third-party sources like negative news to get a holistic view of each client. Additionally, they should look for a vendor that can integrate with their banking platform to automate client communication during onboarding.

Documentation

The letter notes that “…we frequently find that the rationales supporting the discounting of transaction monitoring alerts require strengthening” and “We often identify instances where CDD measures are not adequately… recorded... Where expected activity has been recorded, firms do not always demonstrate that they have assessed whether actual account activity is in line with expectations or that they have undertaken appropriate investigations with the customer when it is not in line with expectations.” This creates problems because bank staff and regulators can’t understand why a suspicious activity report (SAR) was created.

Banks should look for an anti-money laundering vendor that can use natural language processing to create case narratives about why a case was created, red flags, and more. Look for a vendor that can summarize findings in a report for use internally and by law enforcement, saving time and increasing effectiveness.

Conclusion

While the call to action from the FCA may seem daunting at first, collaborating with a technology partner can resolve many of the pain points in an organization’s anti-money laundering systems and controls. The right vendor can offer tools and capabilities such as an enterprise-wide data model that will alleviate data transparency issues, coprehensive scenario management for accurate risk assessment, and the use of natural language processing for in-depth case narratives and insights.