Surge in AML Fines - case study

Since the 2008 financial crisis, financial institutions have been on a mission to rebuild their reputation, navigating through a decade-long period of disruption as the industry continued to transform digitally to keep up with the demands the modern economy. As if the task itself was not challenging enough, they must now also consider expectations and needs of the new generation of banking services users, who are looking for an innovative offering to help them sort their payments and finances instantly, without detriment to safety.

FinTech companies and challenger banks are on the rise, prompting traditional financial institutions to change the way they operate and do it sooner rather than later.  And then, we have regulators, who are there to safeguard the public’s interest, making sure that financial service providers are compliant with local and international regulations, with a clear focus on anti-money laundering (AML) and financial crime prevention (FCP) measures. 

Since 2008, standards have grown significantly, driven by changing technological infrastructure, geopolitical developments and the evolving nature of criminal activity, which has taken many new shapes and forms, especially in the last few years. Although AML and FCP regulatory requirements have their local specifics, their core will largely be the same. While transforming and fighting for competitive advantage, financial institutions are expected to:

• know their customers and business they operate
• understand and assess customers’ intended product usage
• verify customers’ source of wealth and funds
• monitor and analyze customers’ activity over time
• investigate and report instances of suspicious activity
• screen customers against bad press, PEPs and sanctions
• comply with relevant reporting obligations

A recent report by Lexis Nexis Risk Solutions, which covered all major regions and financial institutions, quoted a whopping USD 274. 1 billion of projected financial crime compliance costs in 2022. The research showed that this amount has steadily increased year-on-year, especially in Western Europe and the US. While that certainly is a lot, global money laundering consumes between USD 800 billion and 2 trillion annually, of which only a small fraction is retrieved. Either way, despite a growing amount being spent on AML compliance and other financial crime prevention measures, it appears that the next regulatory fine is not a matter of “if” but rather “when”. It won’t necessarily be one of the smaller players, without sufficient funding, but perhaps a medium or high-risk jurisdiction, that hits the headlines. It is likely to be one of the big banks operating worldwide.

The last two years offer plenty of examples which can help understand what the major failings are and determine why they continue to happen. There are certain themes that come through from this analysis and they can largely be grouped in three categories:

• policies and procedures
• systems and infrastructure
• people.

With regards to the first point, it is not enough for policies and procedures to just be in place, it’s whether they are fit for purpose, understood, and executed that makes them effective. On the other hand, no matter how effective and efficient they are, they can still be violated, intentionally or not, when we add a human element on top. All major AML fines from the last 2 years have flagged certain elements of banks’ policy and guidance framework which were not operating properly. An example of this would be failure by a bank to properly risk-assess whole customer sectors, as a result of which the right level of due diligence requirements was not applied to a high-risk portfolio for years. Lack of proper scrutiny of such relationships makes banks susceptible to being used by criminals to launder money or otherwise facilitate financial crime. Procedures and policies were also found to be fragmented and not specific enough for staff to be able to review customers consistently and with the right level of regard for business-specific risks. This resulted in onboarding of customers without proper understanding of their nature of business, expected transactional flows or control framework. In some instances, customers were not even duly verified if the rating they were assigned at onboarding was anything other than high. Furthermore, some banks’ CDD framework did not guarantee proper customer lifecycle management, which meant that errors made at the onboarding stage had little chance of being rectified during a future periodic review as it was either not scheduled or not carried out consistently. Exit procedures have also proven to be ineffective even in light of considerable risks identified in relation to particular customers.

In terms of systems and infrastructure, there seems to be a common challenge with transaction monitoring, which is an integral part of any holistic customer risk assessment. There is no one expected standard of how transaction monitoring is to be executed, as long as it serves its goal of detecting or preventing unlawful or suspicious activity and meets regulatory requirements.  All banks analyzed for the purposes of this article had some form of transaction monitoring in place, both automated and manual. There were also policies in place describing screening and monitoring requirements and procedures guiding staff through the underlying processes and systems. However, it was found that banks’ frameworks were not sufficiently risk-sensitive and the extent to which policies and procedures were followed was questionable. Consequently, monitoring systems were not calibrated to meet changing internal and regulatory requirements. One of the fined banks failed to update its monitoring systems with the right scenarios to match its risk exposure, with was followed by several other system design issues. Another finding concerned thresholds set within a monitoring system and their alignment with scenarios and automated rules to enable proper identification of suspicious activity. Data fed into monitoring systems was incomplete and inaccurate and its quality was not properly assessed and consequently – not rectified. In another example, automated transaction monitoring system failed to duly monitor customers due to outdated data filters that did not take into account the regulatory changes that occurred during the investigation period. As a result, some medium and high-risk customers were not monitored at all. Without good quality transaction monitoring data, complete enhanced due diligence was not possible, which hindered assessment of AML and financial crime risks. 

As far as people are concerned, in neither of the analyzed examples was the main issue insufficient resources. The main challenge was conduct. Perhaps the most concerning outcome of the analyzed sentencing notes is that in 4 out of 5 examples, at some point in time respective financial institution became aware of its deficiencies but either failed to act on that discovery or did it in an unsatisfactory manner. One of the banks sought independent expertise on its compliance with regulations but never quite implemented the suggested remedial actions and ignored further regulatory developments. Another one had self-identified several issues with its transaction monitoring process but despite repeated internal and external reports confirming the need for changes, insufficient action was taken. In yet another example, internal audit performed during the investigation period highlighted deficiencies of transaction monitoring systems and their risk implications but proper read-across in all impacted branches was not undertaken. In one of the analyzed fines, employees repeatedly raised their concerns via an internal reporting channel, but they were not properly assessed or taken forward with the required level of vigilance.  Whether it's a matter of a weak compliance regime or deficient corporate culture, failure to do the right thing by banks’ own employees exposed institutions and their customers to financial crime risks. One of the fines was a result of what appeared to be an archaic organizational structure, with teams operating in silos. AML responsibilities were spread across different teams, which were not communicating and exchanging information between themselves, which made it difficult to assess customer risk holistically. Other people-related failings identified included insufficient oversight from senior managers of higher-risk relationships, overreliance on relationship managers during onboarding process or inadequate employee training.

It is fair to say that a certain level of risk is an integral part of running a business. Each bank has its own risk appetite and needs to put controls in place to effectively mitigate risks it is exposed to. Automation and RegTech often seem like the ultimate solutions to most problems faced by banks today. However, without proper supervision, “tone from the top” management, skilled personnel and effective policy framework, these are merely tools that might give a false sense of security. 
It is important to take note of two things:

• one mistake is all it takes – failures do not need to be occurring over a period of time for a bank to be subjected to a fine. It might just be a one-off with a long-term impact on reputation and customer trust
• reason for the fine might already have been rectified by the time sentencing hits the news but the public perception will be impacted regardless.

Therefore, it is key for banks to learn from not only own past mistakes, but also failings on the part of peer organizations. They need to get on the front foot and critically consider where they are on their journey to regulatory compliance.

Author: Justyna Salawa