Deep Pool’s Roger Woolman looks at why getting anti-money laundering processes right has never been more important
New regulatory demands — not least the ESG-related transparency and disclosure obligations now coming to bear — are adding to the pressure on asset servicers’ compliance capabilities. But age-old responsibilities are ramping up too, especially around anti-money laundering (AML).
Authorities around the world are cracking down on dirty money flows, with hefty fines and criminal censure awaiting firms that exhibit AML failures. And any financial institution with an AML/know-your-customer (KYC) responsibility — be it a bank, fund administrator, investment manager, trust company or advisor — is in the regulatory crosshairs.
In the US, the January 2021 introduction of the Anti-Money Laundering Act (2020) represented the most substantial reform of the country’s AML and combat the financing of terrorism (CFT) laws since the USA Patriot Act (2001) almost two decades before.
Among its provisions, the new Act requires corporations and limited liability companies to disclose their beneficial owners to the US Treasury Department’s Financial Crimes Enforcement Network (FinCEN).
The Act also gives US regulators expanded authority to obtain documents from foreign financial institutions and levy higher penalties for AML violations. Meanwhile, proposed bipartisan legislation seeks to make non-financial businesses and professions subject to the same AML responsibilities as financial institutions.
Laws are tightening in Europe too. The European Commission put forward an extensive package of legislative proposals last year, aimed at strengthening the EU’s AML and CFT rules by improving activity detection and closing loopholes used by criminals.
The proposals include a new regulation, plus an update to the Anti-Money Laundering Directive, which will see “aiding and abetting” by money laundering “enablers” become a criminal offence. Extending the criminal liability will mean companies can be prosecuted for any involvement in money laundering or terrorist financing, including where they fail to prevent an individual in their organisation from breaching AML rules and regulations.
Bottom line: AML violations, intentional or otherwise, will not be tolerated. So firms will need to ensure their controls and processes are up to the job.
AML pain points
While getting AML controls wrong is expensive, getting them right can be tough. The rules are often complex, with different jurisdictions adding their own spin.
The new EU legislative proposals, for example, make customer due diligence measures more granular. Politically exposed persons (PEPs) in particular will be subject to enhanced due diligence on a risk-based approach.
Beneficial ownership laws will be tightened as well, with new requirements around nominees and foreign entities, and more detailed rules to identify beneficial owners of corporates and other legal entities. This echoes the US AML Act (2020), under which corporations and limited liability companies must now disclose their beneficial owners.
However, identifying and tracking underlying beneficial owners (UBOs) demands levels of transparency and ongoing monitoring that many institutions struggle to meet. Digging into the details of every UBO behind complex structures is often a manually-intensive exercise that takes up significant time and resources.
Detecting unusual or suspicious transaction activity and customer data changes, and issuing Suspicious Activity Reports (SARs) to the relevant regulatory bodies is another challenge. Definitions of suspicious activity change over time and across jurisdictions, and monitoring capabilities need to keep pace.
At many firms, suspicious activity monitoring depends on manual reviews and is conducted in retrospect. SARs must be filed within 30 days of detecting any suspicious activity, so speed of reporting can be critical.
Identifying fraud involves many steps and is prone to manual error too. The risk of false positive alerts is high. Without an efficient way to identify and discount those false positives, firms will be hit by unnecessary delays and costs.
A fit-for-purpose AML framework starts with onboarding
Given the potential fines and reputational risk, robust AML capabilities that span the entire client lifecycle have become a must. AML compliance depends on complete and accurate information, so data needs to be correct from the get-go. That starts with the client onboarding process.
Risk profiling helps institutions perform the initial due diligence on client accounts. By collating and weighting data such as an investor’s occupation, country of domicile, or the industry an organisation belongs to, firms can build up a risk-based picture of prospective clients.
Screening to check no sanctions are in force against a prospect, that they are not a PEP, or been flagged for any criminal behaviour, is an essential step in onboarding. Systems able to integrate with third-party watchlists, such as LexisNexis, can check for matches against the database and pull that data in to strengthen the risk profiling.
Identifying UBOs is another priority. With beneficial owner disclosure rules tightening up, tools that can capture and track complex, and multi-level ownership structures identifying and verifying customer and beneficial ownership identities, as well as flagging high-risk relationships will save a lot of pain down the line.
Checking the source of a client’s funds is vital. As is getting the right documentary support. Each jurisdiction has its own KYC document checklist that clients need to meet, and those requirements vary by client type and sector. Managing the process manually account by account is both laborious and error-prone, especially when multiplied across thousands of clients. An automated solution able to look across all the accounts, see what documentary evidence is missing against a document checklist, and send automated email chasers requesting any missing documents, can save a huge amount of time and work — allowing staff to focus on less mundane, more value-adding activities.
Client due diligence never stops
Stringent client onboarding processes are essential to a best practice AML framework, but by themselves are no longer sufficient. Client due diligence has become a never-ending obligation, with zero tolerance for error.
That means periodically checking each client’s profile and documentation to ensure everything is current and in order. The frequency of checks will depend on the assessed risk level. For high-risk clients, the refresh process is typically an annual undertaking. For medium-risk clients it is every three years; for low-risk every five.
Ongoing PEP and sanctions screening provides a further check. The status of people and institutions change, and screening needs to reflect that. A change of circumstance such as a name or address update, or any information modification (revising the name on a bank instruction, for instance) can be a red flag. Automating ongoing screening and risk profiling processes frees end-users to manage by exception.
There is also the need to monitor for suspicious transactions and changes to customer and static data. Real-time activity monitoring capabilities can identify behaviours that breach certain user-defined parameters. They can spot AML risks, trigger automated alerts of suspicious activity, block accounts or transactions when suspicious events occur, and create comprehensive reports of all the suspicious activity that has taken place at a given point in time.
Monitoring tools can help users deal with potential issues before they become an actual breach and, where required, ensure a SAR is sent to the relevant regulatory body within the stipulated time.
Automation is the only solution
Proper AML control depends on multi-step processes integrated at each stage of the client journey. Nuances based on circumstance and jurisdiction add to the complication. Carrying out the necessary checks for an individual is one thing. Monitoring numerous corporations with complex entity structures, a legion of directors and investments in multiple vehicles, in a range of jurisdictions, takes the challenge to a whole new level.
Without an automated, scalable and customisable AML framework, able to flex to different scenarios and evolving jurisdictional requirements, asset servicers will struggle to combat money laundering risks effectively while fulfilling their own compliance responsibilities, as well as their clients’.
However, undertaking that digital transformation — to get firms from where they are (often reliant on fragmented technologies and complex manual steps) to where they need to be (working off integrated systems and automated processes) — is no easy feat, entailing change across four key areas.
1: Process
A successful digital transformation requires firms to assess and often redefine their AML processes to fit with an automated workflow. The goal should be to eliminate manual steps and, where possible, move to a self-service model for activities such as investor onboarding and trade placement.
Adapting ongoing client due diligence processes is similarly vital. Manually checking for any changes in name, address and updates to bank details is time-consuming and leaves room for oversights and mistakes. Software can automatically flag any change in circumstance or suspicious transactions when they happen, and prompt a review of the account. Freeing staff from manual processes also allows firms to redirect resources to more value-adding compliance activities.
To be effective, automated processes must be scalable and easily customisable to keep pace with regulatory changes. A configurable set-up that enables system administrators or users to tune rules on the fly allows firms to stay abreast of AML/KYC developments without the need for constant vendor involvement.
2: Technology
Demand for device-agnostic, web-based software has been turbocharged by the COVID-19 pandemic. Moving from on-premise to cloud-based AML solutions introduces greater working flexibility and resilience by giving staff access to the applications they need anywhere and at any time, and it is often cheaper. However, people working from home and using their own devices creates a technology risk. Organisations worry about a lack of oversight and potential exposure of sensitive data. Firms will need tight controls to mitigate such risks.
Digital transformation projects also bring build-versus-buy technology questions to the fore. In-house systems offer the prospect of greater control and bespoke development, but they can eat up huge resources and become bogged down in painful delays.
Vendor systems tend to be quicker and easier to implement, while offering built-in scalability. Plus, dedicated AML vendors have extensive experience of the global regulatory environment and will likely employ best-in-class technology.
3: Data
Where data is housed is critical to effective AML.Investor-related data is often siloed across multiple systems, and may be formatted and stored in different ways across different divisions and jurisdictions.
This risks errors, process bottlenecks, and a lack of investor and beneficial owner transparency.
The goal should be a central repository of golden source data that can feed consistent information to all parts of the business.
Applications sit on top, and query and call the cleansed data they need on demand.
Moving databases into the cloud can help, allowing for a centralised data store with unlimited scalability accessible from anywhere. However, location remains a consideration.
Luxembourg laws, for instance, require client data to be held in the country. A private cloud — with the server based in that jurisdiction to house the relevant data — offers one solution.
Another solution is to employ a hybrid model, where the database is kept in a physical server on site, with the application layer deployed in a public or private cloud. Applications can then retrieve the data and display it to the user without storing it.
4: Culture
AML-related activities, such as account opening, that were once conducted face-to-face are moving online. Creating the digital infrastructure to support this shift demands buy-in from key stakeholders across the enterprise. Yet organisations are often slow to change, and some parties may be resistant to the transformations needed. Managing these stakeholders and bringing them along is key.
Keeping system implementations agile is similarly vital. Business demands, workflow requirements and regulatory rules may all diverge from the initial project scope.
An iterative development approach enables firms to use data and feedback from user pilots to guide the next steps and reach achievable goals.
Software that gives users the flexibility to make updates on the fly can also help firms’ meet their evolving AML and KYC responsibilities.
Time to get your AML in shape
Automated AML capabilities are now a must-have. With money laundering schemes becoming ever more sophisticated and regulatory actions stepping up a gear, firms can no longer rely on fragmented, outdated tools.
Moving from haphazard manual processes to a robust, automated environment may be a challenge, but it has never been more important.
