Internal Audit, Risk, Business & Technology Consulting

Anti-Money Laundering: Getting to Efficient

Anti-Money Laundering: Getting to Efficient · 1protiviti.com

Roadmap to AML Efficiency: Once a financial institution’s AML programme is compliant

with AML/TF regulations, how does it become efficient in meeting its obligations?

Over the last 15 years, financial institutions (FIs) have

faced massive cultural and operational challenges

responding to anti-money laundering and terrorist

financing (AML/TF) regulations. FIs that failed to

implement requirements in the timetable demanded

by governments and regulators have faced significant

fines, regulatory investigations and restrictions such

as limitations on the onboarding of new clients for

periods of time. Many FIs in well-developed regulatory

environments now largely satisfy both their local and

international-equivalent regulatory requirements

following substantial investments in people, processes

and technology. Among the core areas that have seen

major investment are: the capture of ‘Know Your

Customer’ (KYC) documentation; the robust application

of transaction monitoring controls; and the consistent

screening of customers against sanctions and other

watch lists.

In addition, front offices and operations functions have

had to adapt to the cultural shift that ‘knowing your

customer’ must extend beyond narrow commercial

value and into an acknowledgement that they ‘own’

the ML/TF risks associated with each customer and

the consequential systems and processes to identify,

mitigate and manage such risks.

Many FIs have achieved regulatory compliance in

these areas but at very significant cost, including

experiencing commercially punitive degradations to

levels of customer service and increased onboarding

times due to the frequent requests for client data at

multiple stages of the customer lifecycle.

In many cases, FIs have had to engage large numbers of

temporary staff for multiple years to accomplish man-

ual KYC remediations, and siloed system workarounds

have been developed since integrated systematic

solutions could not be developed and implemented

quickly enough to meet regulatory expectations.

Introduction

The challenge for many FIs now is how to make KYC and other AML/TF processes significantly more efficient

and risk-based to deliver cost savings and customer service improvements while still meeting AML/TF

regulatory obligations.

2 · Protiviti

This paper explores seven key areas of AML programmes, highlighted in the diagram, that institutions should focus

on to achieve this goal of ‘Getting to Efficient’.

Optimise the AML/TF Target Operating Model

Shift from ‘Tactical’ to Sustainable, Strategic Solutions in AML Programme Governance

Eliminate Common Inefficiencies in the

KYC Process

Leveraging Data for AML

Efficiency Gains

Accurate Identification of Customer Risk

Decrease Reliance on Manual Processes and

Increase the Application of Technology

Shift Institutional Culture

Anti-Money Laundering: Getting to Efficient · 3protiviti.com

A majority of FIs have adopted a financial crime risk

rating methodology designed to establish whether a

customer poses a high (or higher) risk of being a money

launderer and/or terrorist financier, or is likely to

allow such activities to pass undetected or to be com-

plicit in those activities.

Some of the factors that generally feed into this meth-

odology for an entity include, but are not limited to:

• Country of domicile of the entity

• Type of business/industry the entity engages in

• Transparency of ownership or control of the entity

• Involvement of any Politically Exposed Persons

(PEP) in the ownership, management or control of

the entity

• Negative news impacting the reputation of the

entity and its principals

• Products and services used by the customer and

related delivery channels

Typically, these factors are given a weighting in the

overall calculation of a risk rating of low/medium/

high (some FIs may also have classifications of ‘very

high risk’ or ‘ultra-high risk’). In addition, a number

of individual factors are often deemed to pose such

a risk level that they automatically result in a high/

very high risk classification being attributed to the

customer. Examples of these factors could be a fine or

other regulatory sanction for money laundering, or a

domicile within a high risk jurisdiction.

Failure to correctly identify higher risk elements for

a customer may expose the FI to regulatory fines and

sanctions. Also, the inefficient design or application of

a risk rating methodology can result in FIs undertaking

higher-than-necessary levels of due diligence and

more frequent reviews of customers than are needed.

FIs must make sure the risk rating methodologies and

the results they generate are dynamic and continue to

properly reflect the current financial crime risk posed

by the customer.

Elements of the risk rating methodology which can lead

to inefficiencies include:

• Applying a simplistic industrial classification to

the entity’s business — For example, the supplier

of protective clothing to the oil and gas industry

does not pose the same financial crime risk as

a supplier of major capital goods to the same

industry, but they both could be grouped in the

same higher risk industrial classification. Defining

tolerance for exposure (e.g. x% of revenues)

to a certain industry and where that warrants

classification within a high risk industry may help

to avoid misclassification; however, any areas

of doubt should involve compliance expertise to

assess whether the industry classification and input

to risk rating are appropriate based on the level of

involvement or proximity to a certain industry.

• Failing to re-assess the financial crime risk

that a PEP or former PEP currently poses —

While a PEP’s involvement in an entity may result

in an automatic high risk rating, a complete

assessment of the likelihood that the PEP is using

the customer entity for corrupt purposes is highly

recommended. The assessment would focus on

the ability of a current or former PEP to exert

corrupt influence or to use the entity for corrupt

purposes, or the determination criteria for when

a former PEP is no longer considered to have the

ability or standing to influence the entity.

01 Accurate Identification of Customer Risk

Accurate identification of customer risk underpins a

successful AML programme and allows organisations

to have a view of a proportionate amount of time

and resources that should be focused on areas of the

customer base with the greatest level of potential risk.

– Carol Beaumier, Senior Managing Director, Protiviti

4 · Protiviti

• Failing to maintain up-to-date information

on the customer’s usage of the FI’s high risk

products — If the customer no longer uses high

risk products, or uses them to a non-material

level, then this could reduce the overall risk

rating. As an example, historically many business

types such as restaurants have been described

as ‘cash intensive’ and potentially posing a

heightened risk of financial crime. However,

in many economies, the use of debit or other

payment cards has reduced the use of cash to the

point where some businesses do not accept cash.

• Continuing to apply a high risk rating to a

regulated entity which has satisfied a regulatory

sanction (e.g. enforcement action, fine) and

been allowed to continue with its regulated

activities — It may be appropriate for an FI to

create a specialist team to conduct due diligence

globally on all customers that have been subject

to regulatory sanction at any time in the past to

ensure that they are risk classified in a manner

consistent with their current status.

Generally, it is important that senior staff from the

first and second lines review all high risk customers

to confirm that the elements driving the risk rating

are still in place and the FI is not relying solely on the

‘mechanical’ rating generated by raw inputs. Equally,

the FI must put in place mechanisms to ensure that low

and medium risk ratings are accurate to avoid misclas-

sifying high risk customers.

The involvement of senior FI staff in this process may

appear onerous but applying a higher risk rating than

required would have significant inefficiency implica-

tions. On the flip side, the regulatory risk of applying

a lower rating than appropriate is very serious when

considering the requirements to maintain a compliant

AML programme, particularly as the risk rating sets the

tone for ongoing management of the customer.

Common Areas of Inefficiency Getting to Efficient

Model-driven risk rating — Relying solely on the ‘mechanical’ result of the rating model.

Outdated risk rating — Feeding the risk rating methodology/model with outdated and/or incomplete customer information.

Blanket PEP rating — Failing to establish the current risk posed by an existing or former PEP in the context of their role within a customer’s ownership structure or related parties.

Blanket high risk rating — Continuing to apply a blanket high risk rating to a customer which has been subject to regulatory sanction in the past, even where a regulatory enforcement action has since been satisfied.

Accurate rating reflective of current risk factors —

• Require senior first line staff with detailed knowledge of the customer to review the inputs to the risk rating methodology to ensure that they properly reflect the customer’s current circumstances.

• Review risk ratings (at least on a sample basis) to ensure that they properly reflect the actual current risk posed by that customer.

Risk-based PEP relationship assessment — Analyse the individual’s current status as a PEP, their role within the customer relationship, and other factors to determine if they currently pose a heightened risk.

Risk-based adverse media assessment — Consider establishing a senior specialist team to review customers with past issues on adverse media (e.g. enforcement actions) globally. This could include senior first and second line staff and their review may include liaising with senior customer staff to establish the current status of the regulatory enforcement action.

Anti-Money Laundering: Getting to Efficient · 5protiviti.com

KYC processes have often been developed ‘tactically’

in response to the need to implement regulatory

standards quickly and, in many cases, in direct

response to regulatory mandates. These tactical

solutions often become regarded as business-as-usual

(BAU) processes despite the fact that they were initially

designed for a short-term project objective, such as

remediation of the existing book of customers.

When evaluating the efficiency of KYC processes, the

key principles outlined below should be considered:

• Connectivity of KYC and front office functions

— KYC is often seen as disconnected from actually

‘knowing the customer’ from a commercial

perspective, but this can lead to duplication of effort

and inefficiencies in customer contact and other

processes. This is particularly true for relationship-

managed customers, where significant knowledge

about the customer sits in the front office.

If the KYC team is geographically remote from the

front office functions, consider creating a cost and

operational model to place the KYC function along-

side the front office. The first line of defence owns

the ML/TF risk of a customer; therefore, placing

KYC analysts in the front office can help reinforce

this ownership of risk and ensure a wholly con-

nected approach to ‘knowing the customer’ and the

relative risk it poses for ML/TF.

• KYC team experience — Rather than having

‘generalist’ KYC analysts handle some of the

more complex entity types and risk spending a

significant amount of time understanding and

navigating the risks of such structures on a case-

by-case infrequent basis, a dedicated KYC team

can apply specialist knowledge and experience

to minimise and standardise the time spent on

customers. Specialist KYC teams can be established

to deal with complex structures such as trusts,

special purpose vehicles, government entities and

multi-layered structures and serve as SMEs in their

respective area for the front office.

• Risk acceptance — Analysts often spend

significant amounts of time discounting adverse

media screening ‘hits’ (particularly around tier 1

FIs and large, regulated financial institutions with

past AML enforcement actions, fines, etc.) where a

global governance body can readily discount those

issues at the relationship level and can be factored

into the institution’s appetite to continue to do

business with the customer.

Consider establishing a global KYC governance

body, which includes the second line of defence,

to maintain and manage a ‘white list’ of relation-

ships with global FIs that have been subject to

fines or other regulatory sanction and on which

significant negative news exists. This ‘white list’

would require standardised and approved language

for audit trails, and should be built into KYC and

screening systems so it is clear up to which date

of results the ‘white list’ status would be covered.

This would allow KYC analysts to focus only on

new issues identified through screening and any

adverse media.

02 Eliminate Common Inefficiencies in the KYC Process

Many FIs are often lost in the KYC struggle to meet both compliance obligations whilst upholding an acceptable level

of customer experience.

– Erin Gavin, Senior Manager, Protiviti

6 · Protiviti

• Cost/benefit analysis — Many organisations

are unable to gauge the cost of KYC and the time

and resources needed to onboard a new customer

and perform ongoing due diligence. The cost is

often difficult to quantify, as it includes time

spent on KYC by onboarding teams, front office,

compliance, remediation teams and senior

governance committees, as well as time spent

on system builds and maintenance and AML

screening subscriptions, among others.

Adopting a process/activity-based accounting

methodology to calculate the fully loaded cost of

onboarding a customer, using process mining to

identify inconsistencies in approach, or under-

taking a periodic review using current processes

can be extremely valuable in identifying potential

areas for improvement.

Also, having the ability to perform a cost benefit

exercise prior to implementing any new processes

or solutions may have longer term efficiency gains.

Common Areas of Inefficiency Getting to Efficient

Siloed KYC and front office functions — Disconnect between KYC and front office leads to duplication of effort.

Generalist KYC team — Non-specialist analysts may use time inefficiently to understand customer structure and its risks.

Discounting of adverse media — Disproportionate amount of time spent discounting hits on global FIs with past regulatory fines or AML enforcement actions.

No cost/benefit analysis — Poor understanding of actual cost of new customer onboarding and periodic reviews.

Unite KYC and front office functions — Closely align these functions to improve understanding of customers’ needs and risks, and reduce needless customer touch points.

Specialist KYC team — Designated KYC team will improve efficiency of managing complex client onboards and periodic reviews.

Standardised ‘white list’ — Maintain and govern a ‘white list’ of relationships with global FIs subjected to fines/regulatory penalties to improve the screening process for those FIs that have resolved their regulatory enforcement actions/penalties.

Clear cost/benefit analysis — Activity-based accounting methodology prior to process implementation is recommended.

Anti-Money Laundering: Getting to Efficient · 7protiviti.com

Many FIs struggle to implement and improve an AML

programme that is both strategic and sustainable,

as they are often consumed with ‘fighting fires’ and

implementing tactical, short-term solutions. This

enduring ‘tactical’ solution mentality and culture in

an FI’s AML programme governance are often under-

pinned by a sense of reactiveness, siloed approaches

across various business divisions/geographies, an

overwhelming number of priorities and a lack of

clarity on future state. This is an understandable

challenge that many organisations face, given the

ever-changing global landscape of regulatory and

AML/TF obligations. Transitioning the mindset of the

organisation and teams or individuals involved from

tactical (task and delivery based) to strategic thinking

(bigger picture) will take time but ultimately provide

a competitive advantage for those AML programmes

that are forward-looking and agile in their ability to

adapt to regulatory, consumer and operational trends

in the industry.

Below are common challenges and areas that can be

improved upon to implement sustainable, strategic

solutions in an AML programme and its related

governance model.

• Lack of strategic action and thinking — It is

important to challenge the status quo and think

innovatively to identify new solutions, rather than

operating in a manner just because ‘it’s always been

done that way’. AML governance structures must

have a view of impending regulatory decisions,

market shifts, industry trends, consumer prefer-

ences and emerging technologies, as well as known

weaknesses in their AML framework, to proactively

prepare for such challenges, opportunities and

impending changes to operations and customers.

Understanding the highest value areas within an

FI and how to protect and enhance those areas

by gaining a better understanding of current and

future AML/TF opportunities and obstacles are

essential. In addition, having an open discussion

of areas of AML programme weaknesses or blind

spots is critical to the long-term goals of any

organisation that wishes to meet its AML obliga-

tions and improve customer satisfaction.

• Accurate information and involvement from key

stakeholders — Decisions on budget and strategic

investment in AML programmes are sometimes

made in a siloed environment without considering

a) other efforts or initiatives that may already

be in place; and b) what the impact of including

certain areas and excluding others would be on the

day-to-day operations, downstream implications

and customer experience. For instance, the idea

of scaling down budget for onboarding systems

improvement may seem cost effective on the

surface; however, a deeper dive may reveal that

improvements are needed to enhance the customer

experience and/or meet regulatory requirements for

all correspondent banking relationships. Similarly,

dedicating resources, time and effort to the review

and tuning of transaction monitoring rules may

seem costly or tedious initially; however, proper

tuning can reduce the number of false positives that

require further investigation. The implications of

missing potentially suspicious transactions due to

incomplete or inaccurate scenarios built into the

transaction monitoring system may result in both

financial and reputational repercussions for the FI.

By bringing the right mix of people (and therefore

information) to the table, decisions on budget

allocation and strategic investment in areas for

AML/TF are likely to be more effective. All too

often, the rollout of a new tool to improve a certain

function (e.g. sanctions screening) is announced

by senior leadership who are more removed from

customer experiences and day-to-day activities.

Meanwhile, the staff on the ground may be content

with the process and the time it takes to execute

the sanctions screening, but actually need a better

tool to perform other functions (e.g. customer risk

rating, adverse media/negative news screening, PEP

screening, etc.).

03 Shift from ‘Tactical’ to Sustainable, Strategic Solutions in AML Programme Governance

8 · Protiviti

Working in silos, especially from an AML pro-

gramme standpoint, is oftentimes rooted in the

need to develop strategic solutions for a particular

department, geography and team and to navigate

and adhere to competing local AML/TF regulatory

requirements. Where the strategic plans for an

AML programme fail to consider the overarching

strategy and goals of the entire organisation,

and when communication is lacking and strat-

egy is not aligned, it can result in duplication

of efforts to solve the same problem. However,

when strategies are aligned to the core values and

goals of the organisation, it is easier to identify

duplication of work and shared goals to enhance

collaboration across common platforms/initiatives,

functional teams, lines of defence, operations and

departments. For instance, the development of a

regulatory reporting function for country-specific

regulators should be part of an overarching global

regulatory reporting team’s responsibility. This

important AML function would encourage consistent

communication (internal and external-facing

to regulators) and a well-coordinated structure

to share regulatory requests and insights. This

important AML programme function must ulti-

mately tie to the ‘tone from the top’ from the firm’s

executives, and information should be disseminated

to relevant regional and local functions to maximise

awareness and streamlining of efforts for effec-

tive AML programmes at global FIs.

Taking analysis from external resources (e.g.

market analysis, benchmarking, etc.) and tapping

into internal resources of an organisation (e.g.

leadership levels as well as staff in compliance,

anti-financial crime, risk management, opera-

tions and customer-facing roles) to understand

different AML and business viewpoints, priorities

and perspectives will assist leadership in making

informed decisions and understanding the impli-

cations of those decisions if the right people are

involved and consulted.

Common Areas of Inefficiency Getting to Efficient

Reactive in nature — Being distracted from overall AML programme strategy by fighting fires and an overwhelming number of priorities (e.g. regulatory visits or reviews, last-minute adoption of regulation changes, de-prioritising investment in AML/TF, etc.).

Misalignment of strategic solutions — Working in silos (e.g. local AML requirements); no view of shared goals or common challenges across certain areas of the organisation.

Uninformed decisions — Decision making without the appropriate information to influence and inform the decision makers.

Forward-thinking — Strategic thinking to enhance high value areas of the business model, particularly around meeting AML/TF obligations for the most critical areas of the business model (i.e. targeted spending of AML resources, time and costs on the business divisions and customers that align to the strategic vision).

Alignment of strategy — End-to-end view of how the AML programme fits into the strategic goals across an FI organisation (organisation-wide, regional, department-wide, etc.), and may include a shift toward a more global and harmonised approach to AML/TF.

Informed decisions — Making informed strategic decisions for the AML programme based on consideration of widespread perspectives and consultation with key individuals to understand the impact to operations and customer experience.

Anti-Money Laundering: Getting to Efficient · 9protiviti.com

Data held by FIs can be a powerful combatant in

fighting ML/TF if it is available, formatted and used

in a meaningful way. This is often not the case for

many FIs that are plagued by legacy data with poor

quality which is fragmented across many systems.

For instance, the number of false positives generated

in transaction monitoring from incorrect/incomplete

legacy data increases the time it takes analysts to

review and discount false positives, with the risk that

genuine money laundering alerts could be missed.

Prior to implementing new AML technologies or fully

optimising existing solutions and being able to reap

the efficiency rewards of such tools and analytics,

a data structuring exercise should be undertaken to

understand existing data flows, and to cleanse and

format the data so that it may be used in a meaningful

way. Inputting data with poor integrity into data

management systems, machine learning scenarios or

analytics will skew the output. The term ‘garbage in,

garbage out’ is commonly referenced, so the impor-

tance of this data structuring exercise in the process

cannot be underestimated.

• Understanding data — Misinterpreting certain

data fields could have negative consequences down-

stream. For example, when classifying a customer as

active or inactive, the same data field may be popu-

lated by different teams in varying jurisdictions.

However, if those teams have different definitions of

‘inactive’, the data will not be interpreted correctly

when assessed at a holistic level.

Subject-matter experts familiar with the data being

collected may be required to analyse, interpret

and communicate what the data means within a

particular function, report or data field (e.g. tech-

nical definition of a data field from system build

requirements vs. business definition and use of that

same data field).

• Cleansing customer data — Many organisations

have extensive amounts of legacy customer data

but cannot trust that the data is reliable and

may therefore discount data-based outcomes

or reporting. The data may lack credibility due

to missing or partial fields and conflicting or

outdated information held across various systems.

An exercise to analyse and update incomplete,

inaccurate or irrelevant data by replacing, modi-

fying or deleting may be necessary to cleanse a

data set and improve data integrity. An example

of this could be the validation of a city’s zip code

through public records to correct an error in the

input of an address. Any adjustments to data

during cleansing should be closely aligned with

teams familiar with the purpose and context

of the data fields so the information is adjusted

as intended and used in a consistent manner,

ultimately improving the cleanliness of the data

to get to a ‘single source of truth’.

• AML system and data mapping — Many

organisations do not have a holistic view of

how data flows throughout their organisation

horizontally and vertically at a local or functional

level, let alone at a global view. All too often,

customer inputs of data during the onboarding

process get passed out to the various divisions

of an organisation and stored in siloed systems,

databases or offline spreadsheets (e.g. trading

systems, KYC case management tools, regulatory

reporting databases, etc.), creating a fragmented

data environment.

A data mapping exercise to understand system

inventory and data flows (inputs/outputs) is critical

to assess the benefits of any system consolidations

or redundancies and to understand the data sources

and flows. Maintaining an environment where com-

plex data silos exist in an FI can be time-consuming

and expensive and can hinder an organisation’s

ability to leverage the benefits of the data in deci-

sion making and combating ML/TF.

• Enrich data — After data has been cleansed,

refining and enhancement of the data can be applied

so it may be used for analysis and decision making.

The data must also be assessed for its veracity.

04 Leveraging Data for AML Efficiency Gains

10 · Protiviti

Increasing an organisation’s confidence in the data

it holds will improve its view on existing systems.

Processes can then be optimised to clear the path

to future implementations of AML technology. This

may include the use of third-party data sources to

enhance the efficiency of data gathering as well as

the independence, reliability and integrity of the data

used to identify and verify customers. Third party

data sources may include onboarding platforms,

verification vendors and resource subscriptions

used throughout the client onboarding and ongoing

customer due diligence lifecycle.

Making an effort to understand and enhance data

integrity through some of the steps outlined above

will allow an organisation to empower leadership to

make data-driven business decisions and to optimise

automated capabilities in existing systems or new

technology, such as robotic process automation

(RPA), artificial intelligence (AI) and machine

learning. To truly improve efficiency and target their

AML/TF efforts, organisations must rely less on judg-

ment and take a clear risk-based approach supported

by facts and valuable data on risk to their business.

Common Areas of Inefficiency Getting to Efficient

Misinterpretation of data — Misinterpretation of data amongst jurisdictions/business lines may lead to inconsistencies in the handling of AML alerts, KYC, screening results, etc.

Lack of veracity of data

• Missing/conflicting information reduces its integrity.

• Lack of confidence in data reduces its commercial value.

Siloed data — Siloed and disconnected storage of customer data creates a fragmented data and system environment.

Manual sourcing and verification of data — This often is a time-consuming exercise for staff and can result in incomplete or inaccurate information.

Understanding the context of data — Establish a universally consistent understanding of captured data.

Cleansing the data — Enrich and validate data through public and subscription-based sources, where possible, to reduce unnecessary customer outreach.

Reliable data — Assess veracity of data to allow for valuable analysis of AML programme key performance and risk indicators (KPI, KRIs).

Data mapping — Map data flows to assess benefits of system consolidations/redundancies.

Optimising third party data sources — Automation of the data gathering exercises increases efficiency as well as the reliability, independence and integrity of data. Staff can then spend more time on complex issues requiring attention.

Anti-Money Laundering: Getting to Efficient · 11protiviti.com

Following the structuring of data, the efficiency gained

from decreased use of manual and offline processes

and increased use of technology can begin to be fully

realised. Years of offline computing and manual

workarounds in AML programmes have proven to be a

barrier to gaining full advantage of current technology.

The ability to use structured data to identify redundant

processes/systems/tools and understand what an

‘optimised’ environment looks like in current systems

for customer onboarding, screening and transaction

monitoring can add value to an AML programme.

• Informed technology decisions — Many times,

technology solutions (either custom-built or out-of-

the-box from a vendor) have been patched together

with an FI’s existing core systems to keep pace

with the changing regulatory environment and

reporting requirements, creating fragmented

systems of records and data. The RegTech market

alone includes thousands of providers, some

offering customer lifecycle management systems

(end-to-end), while others are focussed only on

specific areas (e.g. screening, transaction moni-

toring, etc.). It is not uncommon for organisations

to add technology solutions on a tactical basis and

end up with an ecosystem of various providers.

• Understanding your ecosystem — The ability to

consolidate information and streamline data flows

through the ecosystem can provide FIs a competi-

tive advantage in the market. For instance, having

a single customer relationship view globally and

being able to visualise such data for clear and quick

decision making for first line purposes (e.g. expan-

sion of products offered, global view of customer

accounts) and second line (e.g. KYC approvals,

regulatory reporting) is still a target that most

traditional FIs are working toward. Achieving

this target allows for operational efficiency gains

and cuts operating costs across all lines of defence.

It also can improve the customer experience in

that the customer will not be asked for the same

information multiple times from various teams and

can be provided a better level of service if the front

office actually knows the customer.

• Technology investment — Investments in AML

programme technology must be strategic, rather

than tactical. Strategic investments must be

determined after an organisation’s data has been

appropriately structured and formatted to enable

informed decision making. Data management

should not be a one-time activity, as the main-

tenance of data integrity must be an ongoing and

sustainable activity to maintain the efficiencies in

new and existing technology.

05 Decrease Reliance on Manual Processes and Increase the Application of Technology

Focussing technology investment in areas where you

will see the greatest return — time- and cost-wise — will

allow employees to concentrate their skills and specialist

knowledge in areas of greatest value add.

– Jonathan Wyatt, Managing Director — Global Head of Protiviti Digital

12 · Protiviti

Common Areas of Inefficiency Getting to Efficient

Disconnected technology — Patchwork technology developments create disconnected systems of information which do not ‘speak’ to each other.

Siloed ecosystem — Fractured view of data/systems reduces efficiency and increases costs of AML compliance and reporting.

Short-term fixes — ‘Tactical’ investments prohibit long-term efficiency.

Manual processes — In addition to being time-consuming and inefficient, manual processes leave room for human error.

Informed technology decisions — Assess compatibility/effectiveness of systems to better inform key decision makers.

Streamlined data — Ability to consolidate information and streamline data flows in system ecosystem provides a competitive advantage by improving customer experience and operational efficiency across the three lines of defence.

Strategic technology investment — Revisit technology investment strategies early and often as internal (systems, organisation changes, self-identified issues, etc.) and external factors (regulatory requirements, technology solution offerings) change.

Process automation — Consider opportunities within current processes to utlise RPA and machine learning to enhance process efficiencies and accuracy.

The reality is that regulatory requirements are evolving for all FIs, but having technology and data that can adapt

in an organised, efficient manner will provide organisations with a competitive advantage in the market.

Anti-Money Laundering: Getting to Efficient · 13protiviti.com

The need to implement AML/TF processes tactically

has often resulted in target operating models (TOM),

which satisfy short-term requirements but fail to

deliver on a strategic basis. Key issues in the three

principal components of a TOM are:

• People — Employees have been hired in ‘factories’,

often in lower-cost locations, to undertake KYC and

AML/TF activities. Their geographic location and

time zone are disconnected from core operations

and front office functions, which leads to signif-

icant inefficiencies in communication and failure

for commercial KYC information to be leveraged

to satisfy regulatory KYC requirements. Viewing

KYC as a factory-driven process has led to the

tracking of metrics that focus on throughput

(number of files reviewed, delinquency rates,

etc.) but do not consider how these processes are

reducing risk, improving quality or affecting the

customer experience.

• Processes — Processes often remain largely

manual and a key source of information on

the customer is the customer themselves. The

exponential growth in reliable and independent

information sources in the public domain must

be leveraged to minimise intrusive, unnecessary

and time-consuming customer contact. AML/TF

regulation across the European Union in particular

is also moving in the direction of maximising

the use of publicly available records (including

subscription-based sources) to meet the criteria of

being ‘independent and reliable’ to the customer.

• Technology — Technological advancements may

have been developed outside of mainstream

systems, leading to significant challenges of KYC

information being shared across countries/entities,

often resulting in unnecessary, duplicative and

time-consuming onboarding of the same customer.

Given the various data privacy and sharing regula-

tions that global FIs face, even sharing data within

the same organisation has become challenging

when interpreting compliance between different

AML/TF and data regulations. A common issue

across organisations is the understanding in the

front office systems of the details of how/how much/

how frequently the customer will transact with

the FI. This needs to be reflected in transaction

monitoring systems to avoid poor data definition

that results in the triggering of transactions as being

‘unusual’ which are not so and missing truly unusual

transactions which require subsequent review.

06 Optimise the AML/TF Target Operating Model

The target operating model must be viewed as a ‘living’ document, something that can grow and adapt as an

organisation changes.

– Matt Taylor, Managing Director, Protiviti

14 · Protiviti

Common Areas of Inefficiency Getting to Efficient

Disconnected staffing model — Outsourced KYC activities to third parties/remote parts of the institution, leading to communication inefficiencies.

Manual processes — Overuse of tactical manual/semi-manual processes.

Siloed technology — Siloed technology development/data privacy regulation hindering effective sharing of KYC information across the organisation.

Quantified cost of KYC — Activity-based cost modelling to establish an optimal solution to apportioning KYC activities and minimising customer touch points.

Streamline processes integrated with technology —

• Use of automation (e.g. RPA) and optimised use of existing systems to use publicly available, reliable and independent information sources to collect/update customer data and increase efficiencies of process for KYC, onboarding, alert discounting, etc.

• Consider ‘off-the-shelf’ solution to standardise technology across the organisation.

A TOM must be developed on a global basis for AML/

TF and recognise the importance of the integration

of AML operations into other operational and front

office functions to maximise efficiency and minimise

costs and onboarding times. The TOM must be viewed

as a ‘living’ document, something that can grow and

adapt with the organisation’s changes. The TOM must

be subject to ongoing governance to ensure that it

continues to provide the optimal operating model as

circumstances change, such as the increasing maturity

of the AML programme, adapting to new regulation and

supporting the implementation of new and emerging

technologies/automation, etc. AML/TF must become

part of mainstream operations and not a necessary

irritant disconnected from other functions.

Anti-Money Laundering: Getting to Efficient · 15protiviti.com

Achieving a sustainable cultural change within any

large organisation is always a major challenge and

can take a significant amount of time. In the area of

financial crime, this has been particularly challenging

since the requirement to undertake strenuous and

systematic AML/TF procedures was forced from outside

of FIs by legislation and regulators.

Many organisations’ front offices have been slow to

accept that they ‘own’ ML/TF risk and regard it as the

responsibility of the second line compliance functions.

Front offices have also been slow to integrate

commercial KYC information into the KYC for AML/

TF purposes in circumstances where it can be used

for dual purposes. This has been exacerbated by the

creation of KYC ‘service centres’ which are often remote

from the front office function and may be outsourced to

a third party. These generally have separate reporting

lines and are measured on throughput and volumes

for point-in-time activities (often used to catch up on

delinquent records) rather than supporting the under-

standing of the underlying customer, its relationship

with the institution and their ML/TF risk.

Other aspects of a lack of clarity of ownership of ML/

TF risk include poorly defined (in some cases completely

undefined) roles and responsibilities across the front

office and other elements of the first line of defence

or ineffective sanctions imposed internally where

procedures and standards are not applied consistently

to the required level.

Top leadership of the organisation has a crucial role

to play in providing the ‘tone’ in this area. Clear,

unequivocal messages from the top concerning the

responsibilities of the three lines of defence are

required, as is a commitment to implement what

is required to satisfy regulatory obligations across

the organisation to ensure that heavily damaging

regulatory sanctions are avoided and that customer

intrusion and negative service impacts are minimised.

Clear communications from leaders within each of the

three lines of defence is essential in driving the shared

responsibility for AML/TF controls and the differing

activities owned by each line of defence in delivering a

structured and systematic approach. The organisation

must work collaboratively to achieve an optimal op-

erating model. Another key message to be delivered is

that the AML/TF requirements are not transient — they

are here to stay, and regulatory requirements are likely

to only become more stringent. It is essential that

the organisation therefore applies the most efficient

methodologies to the issue, since that will deliver a

commercial advantage over a less efficient organisation

in terms of both cost and customer experience.

07 Shift Institutional Culture

Common Areas of Inefficiency Getting to Efficient

Lack of clarity in ownership of risk — Reluctance by front office to accept responsibility for ML/TF risk.

AML is deprioritised — Without a strong tone from the top, AML controls, awareness and operational effectiveness may be viewed as a chore or ‘tick the box’ exercise.

Roles & responsibilities — Clarity of ownership of ML/TF risk and roles of each line of defence is the shared responsibility of AML/TF controls through development of an optimal operating model.

AML programme as a priority — Clear ‘tone from the top’ on the need to prioritise AML programmes and detect, prevent and deter ML/TF.

The message is, ‘Everyone has to do it — let’s do it best!’

16 · Protiviti

By applying the enhancements discussed in this

paper to the seven key areas noted, an FI can progress

along the roadmap to AML: Getting to Efficient.

The roadmap to an efficient AML programme will

require continuous improvement, with some changes

having more immediate effect than others; however,

FIs should pursue the model described below when

looking for industry leading efficiency practices to

gain a competitive advantage in the efficiency of an

AML programme.

Roadmap to AML Efficiency

Optimise the AML/TF Target Operating Model

Shift from ‘Tactical’ to Sustainable, Strategic Solutions in AML Programme Governance

Eliminate Common Inefficiencies in the

KYC Process

Leveraging Data for AML

Efficiency Gains

Accurate Identification of Customer Risk

Decrease Reliance on Manual Processes and

Increase the Application of Technology

Shift Institutional Culture

Increased understanding and accuracy of the

identification of the risk within your customer

base is critical to know the proportionate

amount of mitigation required.

Legacy data is streamlined, system ecosystem is clearly

mapped and redundancies are removed to allow

for informed technology decisions and strategic

investment for AML systems/tools.

KYC processes are updated to support the effectiveness of

resources and provide measurable cost savings

as well as improved customer experience.

Reduction in ‘fighting fires’ and the AML programme strategy is clear,

aligned and forward-thinking.

Customer and transaction data held or being collected/updated

by FIs is cleansed, formatted and enriched, as needed, to be used as a powerful combatant in

fighting ML/TF.

Anti-Money Laundering: Getting to Efficient · 17protiviti.com

How We Can Help

At Protiviti, we continuously explore how advances in AML programmes can be achieved. We have deep subject-

matter expertise around global AML/TF regulatory requirements and have extensive experience in designing and

implementing all areas of AML programmes across many Tier 1 and Tier 2 FIs.

Since 2002, Protiviti has rallied itself around a set of values that encourage innovation and collaboration; in

this regard, we collaborate with various lines of defence and regulatory technology vendors to bring our clients

creative solutions to meet their regulatory compliance obligations.

ABOUT PROTIVITI

Protiviti is a global consulting firm that delivers deep expertise, objective insights, a tailored approach and unparalleled collaboration to help leaders confidently face the future. Protiviti and our independently owned Member Firms provide consulting solutions in finance, technology, operations, data, analytics, governance, risk and internal audit to our clients through our network of more than 75 offices in over 20 countries. 

We have served more than 60 percent of Fortune 1000® and 35 percent of Fortune Global 500® companies. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies. Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.

Carol BeaumierSenior Managing Director+1 212.603.8337carol.beaumier@protiviti.com

Shaun CreeganManaging Director+1 212.708.6336shaun.creegan@protiviti.com

Michael BrauneisManaging Director, Americas Financial Services Leader+1 312.476.6327michael.brauneis@protiviti.com

Matthew MooreManaging Director+1 704.972.9615matthew.moore@protiviti.com

Bernadine ReeseManaging Director+44.20.7930.8808bernadine.reese@protiviti.co.uk

Matt TaylorManaging Director+44.20.7930.8808matt.taylor@protiviti.co.uk

Ken IrvingDirector+44.20.7930.8808ken.irving@protiviti.co.uk

Erin GavinSenior Manager+44 207 930 8808erin.gavin@protiviti.co.uk

CONTACTS

© 2019 Protiviti Inc. PRO-0919-103139I-IZ-ENG Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.

*MEMBER FIRM

THE AMERICAS UNITED STATES

Alexandria

Atlanta

Baltimore

Boston

Charlotte

Chicago

Cincinnati

Cleveland

Dallas

Denver

Fort Lauderdale

Houston

Kansas City

Los Angeles

Milwaukee

Minneapolis

New York

Orlando

Philadelphia

Phoenix

Pittsburgh

Portland

Richmond

Sacramento

Salt Lake City

San Francisco

San Jose

Seattle

Stamford

St. Louis

Tampa

Washington, D.C.

Winchester

Woodbridge

ARGENTINA*

Buenos Aires

BRAZIL*

Rio de Janeiro Sao Paulo

CANADA

Kitchener-Waterloo Toronto

CHILE*

Santiago

COLOMBIA*

Bogota

MEXICO*

Mexico City

PERU*

Lima

VENEZUELA*

Caracas

EUROPE, MIDDLE EAST & AFRICA

FRANCE

Paris

GERMANY

Frankfurt

Munich

ITALY

Milan

Rome

Turin

NETHERLANDS

Amsterdam

SWITZERLAND

Zurich

UNITED KINGDOM

Birmingham

Bristol

Leeds

London

Manchester

Milton Keynes

Swindon

BAHRAIN*

Manama

KUWAIT*

Kuwait City

OMAN*

Muscat

QATAR*

Doha

SAUDI ARABIA*

Riyadh

UNITED ARAB EMIRATES*

Abu Dhabi

Dubai

EGYPT*

Cairo

SOUTH AFRICA *

Durban

Johannesburg

ASIA-PACIFIC AUSTRALIA

Brisbane

Canberra

Melbourne

Sydney

CHINA

Beijing

Hong Kong

Shanghai

Shenzhen

INDIA*

Bengaluru

Hyderabad

Kolkata

Mumbai

New Delhi

JAPAN

Osaka

Tokyo

SINGAPORE

Singapore

© 2

018

Proti

viti

Inc.

An

Equa

l Opp

ortu

nity

Em

ploy

er M

/F/D

isab

ility

/Vet

eran

s. P

RO-0

918