Anti-Financial Crime
Introduction
The threat of money laundering has become a major problem for financial institutions worldwide. Both banks and non-bank financial institutions, such as insurance or investment companies, are under increasing regulatory pressure to implement effective and efficient anti-money laundering (AML) solutions to prevent illicit financial activities. These institutions must not only protect their business and reputation, but also ensure that they do not become unwitting accomplices of criminal individuals or organisations. In this article, we provide a brief overview of the key components of AML compliance and a detailed insight into the challenges of implementing software solutions and running them in regular operations, as well as future trends in the industry.
Minimum Requirements for AML Solutions
Founded in 1989 by the G7 countries, the Financial Action Task Force (FATF) has published and continues to develop strategies to combat money laundering, terrorist financing and other related threats to the integrity of the international financial system. The FATF sets international standards and works to ensure that its member countries implement these standards effectively. The Wolfsberg Group, an association of global banks, sets out comprehensive guidelines for the implementation of effective AML solutions. The Wolfsberg Group guidelines are designed to help financial institutions develop and maintain effective AML programs that not only meet regulatory requirements, but also effectively mitigate the risks of financial crime.
Here are the key minimum requirements that make the deployment of an AML solution based on the FATF and Wolfsberg recommendations essential:
1. Risk-Based Approach
A risk-based approach to combating money laundering involves identifying, assessing and prioritising risks based on customer profiles and business relationships, products and services, transaction types and geographical locations. The inherent risk must first be determined, compared with the existing controls and the resulting residual risk assessed.
2. Customer Due Diligence, Simplified and Enhanced Due Diligence
Companies subject to money laundering obligations are required to verify the identity of their customers (CDD) and collect detailed information on the nature and purpose of their business relationships. For higher-risk customers, enhanced due diligence (EDD) is required, which includes stricter verification processes and ongoing monitoring. For low-risk customers, on the other hand, a so-called simplified due diligence can be applied.
3. Transaction Monitoring
Introducing effective systems to monitor transactions for suspicious, unusual or unexpected activity is crucial. These systems should analyse transaction patterns and identify anomalies that could indicate money laundering.
4. Sanctions Screening
Sanctions screening consists of ad hoc and regular reviews of customers and other parties involved, as well as transactions, against global sanctions and other watch lists to ensure compliance with international sanctions regulations. Continuous updates and monitoring are essential to maintain effectiveness.
5. Reporting Suspicious Activities
Each company should have clear procedures for identifying and reporting suspicious activities to the competent authorities, usually the central reporting centres (Financial Intelligence Units, FIUs). This essentially includes the timely and complete transmission of Suspicious Activity Reports (SARs).
6. Record Keeping
Each company should keep detailed records of all transactions, customer interactions and AML processes for a specified period, usually five or six years. Record retention management ensures that there is a clear and reasonable audit trail for regulatory reviews.
7. Independent Testing and Auditing
Each company should conduct regular independent tests and audits of the AML programme and the solution(s) used, to assess their effectiveness and compliance. Any identified deficiencies should be corrected immediately.
8. Senior Management Oversight
Each company should ensure that top management is actively involved in the AML programme and is committed to compliance and controls.
Key Challenges in AML Implementation
Once a financial institution knows its inherent risk, the existing controls and therefore the residual risk, further components still need to be taken into consideration before taking the first steps towards implementing a solution.
Key questions include, for example:
- Are any individual technical components of AML controls already in place, such as list screening, a client risk rating methodology, a workflow tool or tools to monitor transactions from an AML and/or fraud perspective?
- Should a one-size-fits-all solution be implemented?
- Is there an IT strategy for a cloud solution in place or already in progress?
- Are there any preferences or constraints on vendors/solutions?
In general, we recommend collecting some key requirements on the vendor and the solution before shortlisting the relevant ones. We usually use a database to help the client select up to 6 different possible providers and their offered solutions out of many hundreds. Afterwards we send a structured questionnaire to the provider to assess the pros and cons of their solutions.
Once the client has decided, either for a full AML suite or for partial components (e.g. KYC only), the general challenge (besides the ‘normal’ project management challenges) is to get the most out of the solution. Above all, this means providing the necessary data a) to comply with regulations and b) to be able to use the full power of the solution and embed it into the first (e.g., sales, operations, finance, HR) and second (compliance/risk) lines of defence. The culture of the organization should holistically support such absolutely necessary and valuable solutions. The best solution is worth nothing without the necessary data and its proper use.
We have experienced in various implementation projects (from small to very large) that data management is the key to success, but at the same time, the most time-consuming step. Integrating and managing data from different internal and external sources is complex and requires many resources from compliance, IT and business. Companies also need to ensure that data from different sources and systems is comprehensive, accurate and consistent in order to effectively monitor customers and transactions and identify and assess the associated risks.
The most interesting part of the entire implementation and configuration phase is the tuning of the system or individual modules. Balancing the sensitivity of transaction monitoring systems to minimize false positives while ensuring that no suspicious activity goes undetected is a major challenge. Too many false positives can overwhelm compliance teams, while false negatives can lead to threats being overlooked. The solution must be both effective and efficient. The aim is not to get as many hits as possible. Rather, it is important to recognize the right alerts and to know which alerts are being suppressed and why.
This is not a one-off exercise. It requires continuous monitoring and adjustment. But the initial tuning is the most challenging part. The compliance department must not forget that it must always be able to explain and defend the solution to the supervisory authority.
Steps to Implementing AML Solutions
The implementation of an AML solution requires traditional project management once the risk has been identified, the solution selected, the data sources determined, and the IT strategies considered.
The main responsibilities and duties in managing such an AML implementation project include, but are not limited to, project planning and initiation. This includes, for example, defining the scope of the project according to the SMART principle (specific, measurable, achievable, relevant and time-bound). All necessary stakeholders must be identified and involved, and, very importantly, the right resources must be identified and allocated.
In general, all implementation projects, regardless of whether they are relevant to AML or not, require the following 5 main phases:
- Definition of the requirements
- Design of the target solution
- Development and implementation
- Testing
- Go-Live and warranty.
All phases require special attention, but what the project team forgets or ignores at the beginning will often have an even greater impact later. An experienced project manager is essential, especially in a regulatory environment.
Operations and Maintenance
The responsibility does not end with the implementation of an AML solution. The operation and maintenance of such software must also ensure that the entire solution, including its input and output processes, remains effective, compliant and in line with the evolving regulatory environment.
AML regulations are constantly evolving. Regular AML software updates, including patches and upgrades, are essential to keep the system effective and compliant with the latest technical and regulatory requirements.
Data quality is becoming increasingly important, especially accuracy and integrity, but also quantity.
The company must ensure and prove that the data fed into the AML system is accurate, consistent and up to date. BaFin in Germany assesses and monitors the controls implemented in accordance with its BAIT, VAIT or KAIT regulations as part of MaRisk (the so-called Mindestanforderungen an das Risikomanagement).
Furthermore, poor data quality can lead to false positives or suspicious activities being overlooked. And as the organization grows or sometimes changes, new data sources may need to be integrated into the AML system. Ongoing efforts should be made to ensure seamless data integration.
AI and AML Solutions
The hottest topic almost everywhere is how to utilize the possibilities of artificial intelligence. This is also the case here in the field of AML solutions. Many providers are emphasizing the AI functions of their applications.
But what does this mean in detail? And is it necessary or useful to use them? This short chapter is not intended to provide a comprehensive overview, but it will give you a brief insight into the topic.
First of all: AI cannot do magic. Poor data quality cannot be transformed into good data quality. Neither can false positives be magically reduced to zero, nor can unidentified true positives suddenly be made visible. The basis (the right data quality, the right configuration and tuning of the system, a comprehensive understanding of the solution) must always be in place.
Regulatory aspects (see EU AI law and internal guidelines) aside, companies can use AI in AML solutions where available. So-called Large Language Models (LLMs) can help to summarize complex situations and highlight the main reasons why a transaction monitoring alert has occurred. LLMs can also summarize complex KYC investigations and reasoning. Such evidence can be standardized and professionalized through AI, while KYC analysts or AFC compliance officers remain able to customize the proposed text.
AI can help identify and harmonize redundant data sets and enrich such data sets with data attributes from other internal or external databases.
AI can recognize patterns of how and why cases are always closed in a certain way and can make suggestions to better fine-tune the system. However, for any AI, a lot of data is required to train the system and, more importantly, it can never assume the responsibility and liability of humans. Also, the company should always be able to understand what the AI component is doing and be able to explain it to the regulator.
Conclusion
Implementing an effective AML solution is complex and complicated.
Given the multi-layered challenges described above, financial institutions need to recognise that successful AML implementation is not just a matter of adopting the latest technology. It requires a deep understanding of the regulatory environment, an understanding of business processes, technology and data management expertise, and professional project management. As a rule, this specialised knowledge and the necessary capacity are hardly available in-house.
External AML consultancies such as WIACON have the necessary expertise and experience to manage this complexity effectively.
In this ever-evolving landscape, we recommend working with specialised AML consultancies as this is a strategic necessity to protect the integrity and reputation of financial institutions.
Sources:
https://db.wolfsberg-group.org/assets/ce0c1862-f0d6-4068-93e0-10736d6268a8/Wolfsberg%20Group_Demonstrating_%20Effectiveness_JUN21.pdf
https://www.fatf-gafi.org/content/dam/fatf-gafi/recommendations/FATF%20Recommendations%202012.pdf.coredownload.inline.pdf
https://db.wolfsberg-group.org/assets/ae8ec2d1-da45-4cef-b6c6-166e2cf17c03/Wolfsberg%20Principles%20for%20Using%20Artificial%20Intelligence%20and%20Machine%20Learning%20in%20Financial%20Crime%20Compliance.pdf
https://www.europarl.europa.eu/topics/en/article/20230601STO93804/eu-ai-act-first-regulation-on-artificial-intelligence