I got a shock the other day.
We were discussing transaction processing with one of the banks, when the head of transaction processing turned to me and said: “Chris, you know what? We now have more people checking what we are doing than we have doing what we are doing!”
I think I was supposed to be surprised, but I didn’t quite get it and asked what he meant.
“Well, now we have all these rules and regulations on Know Your Client (KYC), Anti-Money Laundering (AML), tracking and tracing Politically Exposed Persons (PEPs) and identifying and notifying authorities of suspicious transactions with SARs (Suspicious Activity Reports) means that we have more people employed in money laundering, compliance, audit and control than we have employed in the actually business of running the bank.”
This seems ridiculous, I say.
“Automate all this stuff, you say? And how do we do that? Most of this is making disparate connections between fragmented data and much of it involves actually seeing people to ensure they are who they say they are.”
So it’s a matter of document proofs and data analysis, both of which I was dealing with back in the 1990s when AML was just an evolving art and KYC we being introduced.
“It is that but, if you’ve been dealing with this since the 1990s, then it’s obvious that it cannot be computed as, if it could have been, it would have been by now.”
Hmmm … I’m now sure I believe that. After all, there are many elegant AML solutions out there so perhaps the issue is not automation but organisation.
For many banks, payments and operations are dispersed over many organisational functions and locations.
A multinational or global bank will often be the result of mergers and acquisitions, and little will have been integrated on a globalised basis.
Potentially you can put into play overlay systems, data mining tools, aggregating services, but the issues will still be there of organisation and operation.
There is also the question of priority: is catching the odd awkward transaction a priority for the bank’s senior management team?
For example, the UK has some of the toughest AML legislation anywhere in the world where, under the Proceeds of Crime Act 2002, you can get fourteen years in jail if found guilty of laundering.
Wow!
And yet a 2011 report by the Financial Services Authority (FSA) found that: “three quarters of the banks in our sample failed to take adequate measures to establish the legitimacy of the source of wealth and source of funds to be used in the business relationship.”
So this area of the business is not as relevant to banks as it may at first appear.
Certainly this was the case historically, as I don’t know of many management teams who have cut through the silos, operations and global spaghetti to create an integrated single platform view of the customer.
It’s just not something that justifies the operational pain of change or the cost to warrant it.
Unless you get into deep doo-doos, like Standard Chartered and HSBC did recently.
Then the awakened concerns of bank management around reputational risk arise.
And when you add on to this the prospect of stinging fines of anything from $300 million to over $1 billion, the cost of implementing such change becomes warranted.
So I reckon AML will be a major focus for at least the next year.
Watch this space.
Thanks for this post Chris. It explains so much about the people who are supposed to have the responsibility for ensuring a 'best practice' standard in AML/STF interdiction. There are perfectly good AML systems available in the market which will enable practitioners to take the AML compliance process through from A to Z. Thomson Reuters have Accellus, which will do the job superbly. However, there is no solution available in the market which will work well if the institution itself has not undertaken a proper 'Risk-Based Approach (RBA) analysis, and this is where the vast number of institutions fall down badly. They are unwilling to spend the time or the money to undertake a proper and effective RBA analysis, so they cannot map their AML interdiction systems to their RBA closely enough, which means they end up pulling down hundreds if not thousands of false positives, all of which need to be excluded, which is time consuming and labour intensive. If only these people who are doing all the moaning would bother to bring in some decent analytical consulting skills who could advise them on the proper mapping process, and help them calibrate their risk appetite, and a great deal of these problems would go away. As it is, most of these banks just implement expensive systems, but never use them properly. They do it because all they are looking for is a 'tick-box' solution because they think that is what the FSA wants to see. They can achieve so much of their needs if they employ the right solutions and implement the correct processes, but all too often, they don't want to spend the money to achieve those ends. Your commentator was just evincing the typical negative bank-response to AML/STF needs, all of which were so well enunciated quite recently at an evening event I attended!
Posted by: Rowan Bosworth-Davies | October 15, 2012 at 02:28 PM
Compliance and AML people are often caught between a rock and a hard place. In large organizations their function is often specialized and fragmented when they need a larger picture. In smaller organization their attention is often divided between on-boarding, compliance reviews, rating and reviewing products and services, monitoring trades and traders, monitoring and reviewing relationship managers, writing policies and procedures and so on. As you so rightly remarked; you can’t automate everything. Even the smartest system needs quality data to work with. That data is often spread over dozens of systems, sometimes in different jurisdictions with different management and different agenda’s. That is why compliance needs to be an integral part of the business model of a bank. You don’t obey the law because you have to but because you want to. All too often this is forgotten under the pressure of shareholders that want to see results and of clients who don’t want to be bothered with awkward questions from their banks. ABN AMRO has felt the sting of the regulator threw vast amounts of money, time and resources at the compliance function and almost wrote the book on anti-money laundering and anti-terrorist financing. I’m sure HSBC and StanChart will do the same. The issue is to keep the standard high, even when priorities change. Compliance people are like teeth, if you ignore them, they go away.
Posted by: Erik W | October 16, 2012 at 06:36 AM
AML/CTF regulations effectively conscript banks as unpaid policemen in
respect of financial commerce. Why banks should be policemen of the
state in this manner is an interesting philosophical question that
receives too little attention. For some reason, it's just assumed that
because banks can monitor commerce, they should monitor it for state
police purposes so that the state can interdict commerce it disapproves
of or seize financial assets of people, entities or countries the state
takes a dislike to.
Requiring banks to freeze payments and assets associated with AML/CTF
targets allows the state to interdict commerce and seize property
without due process of law. Evidence? Prosecution? Trial? Why bother
when you can just grab the money or assets by adding a name to list with
no process of appeal or review?
The costs of the AML/CTF systems are high, the penalties are high, but
the banks earn no revenues and achieve no commercial benefit from
AML/CTF policing. It's not even clear the state achieves a benefit, as
the millions of SARs filed seem to vanish into a black hole, resulting
in no prosecutions of evildoers.
If AML/CTF makes the news, it's not because it has ever proven
successful in catching evildoers, but because banks are being fined for
not being strict enough. And the enforcement actions often seem highly
selective, especially in the US, where it seems only non-US banks are
investigated and sanctioned, and non-US entities are the main targets of
AML/CTF enforcement. US enforcement actions, particularly against EU
banks, smack of protectionism masking as compliance. US sanctions
against countries smack of economic aggression without diplomatic recourse.
The situation isn't helped by shifting goalposts. One of the challenges
in AML/CTF is the constantly shifting and growing scope of sanctions,
particularly as the US shifts its "axis of evil" around to new countries
with startling regularity and expands the "war on drugs" and "war on
terror" to hundreds of thousands of unreviewable targets. There is no
mechanism for appeal against the US blacklist, and so no way for a bank
to gain comfort that someone legitimate with an unfortunate name will
not cause them grief. All AML/CTF systems have to be constantly undated
against multiple target databases to stay current, a very expensive
reconciliation challenge in itself.
Countries that were legitimate business partners a few years ago are now
off-limits, and banks have to re-evaluate all business relationships
constantly to be secure against retroactive enforcement. The current
actions against UK banks doing perfectly legitimate, longstanding
business with enterprises linked to Syria and Iran, accepted as okay by
previous US administrations but now selectively prosecuted, are a good
example of this.
If the police and compliance burdens on banks now exceed the business
rationale for banks, perhaps it is little wonder that the commercial
banking business model has failed. Payments are a commodity business,
with narrow margins, and those margins are eroded by the high costs of
AML/CTF systems, maintenance and compliance. If banks are central to
state police powers, however, and particularly to the arbitrary and
unreviewable exercise of state powers of expropriation without due
process, it may also explain why states need to bail out banks rather
than let them fail.
Posted by: Anonymous | October 16, 2012 at 09:20 AM
The AML/CTF etc thing is going nuts and some of the rules are too big to understand.
For example, payment processors (PSPs) are required to check out that the purpose of a bill payment is legit. E.g. if the fund transfer is a top-up payment as a result of a vendor under-pricing his goods on the official invoice (so as to avoid tax), with the balance of the funds coming some different way – then the regulated PSP who sends the top-up is breaking the law and hence could lose his operating licence which is game over.
So before he makes the payment, he is required to a) know it’s part of a bigger picture b) understand that the bigger picture is clean. This is at the ‘mild’ end of things.
If a PSP got involved in paying for refrigerators destined for someone in an sanctioned country, then it’s the other end. It’s called ‘third-party’ payments and requires ‘enhanced due diligence’.
Quite how the PSP is supposed to know or find out in a cost-effective way (given that anyone dodgy will obfuscate), is beyond me.
The G8 may want money transfer fees to be halved (the 5x5 initiative), but they better go talk to the G8 about its AML policies.
I think the regulators have missed a trick here – the guys who make most money in this business (and hence are best placed to carry some of the weight), and see the transaction before the PSP and hence know most about what’s really going on, are the FX houses.
However the regs focus on the PSPs. I have seen the FX guys lobby to land the regulatory pain on the PSPs – they know exactly what they are doing.
These regs are being imposed by the post-developed economies and like FATCA are an extension of their national policy thru’ the global banking system. Wonder if that will break it?
Posted by: Irritated beyond my tether | October 16, 2012 at 10:33 AM