Internal Audit, Risk, Business & Technology Consulting
Anti-Money Laundering: Getting to Efficient
Anti-Money Laundering: Getting to Efficient · 1protiviti.com
Roadmap to AML Efficiency: Once a financial institution’s AML programme is compliant
with AML/TF regulations, how does it become efficient in meeting its obligations?
Over the last 15 years, financial institutions (FIs) have
faced massive cultural and operational challenges
responding to anti-money laundering and terrorist
financing (AML/TF) regulations. FIs that failed to
implement requirements in the timetable demanded
by governments and regulators have faced significant
fines, regulatory investigations and restrictions such
as limitations on the onboarding of new clients for
periods of time. Many FIs in well-developed regulatory
environments now largely satisfy both their local and
international-equivalent regulatory requirements
following substantial investments in people, processes
and technology. Among the core areas that have seen
major investment are: the capture of ‘Know Your
Customer’ (KYC) documentation; the robust application
of transaction monitoring controls; and the consistent
screening of customers against sanctions and other
watch lists.
In addition, front offices and operations functions have
had to adapt to the cultural shift that ‘knowing your
customer’ must extend beyond narrow commercial
value and into an acknowledgement that they ‘own’
the ML/TF risks associated with each customer and
the consequential systems and processes to identify,
mitigate and manage such risks.
Many FIs have achieved regulatory compliance in
these areas but at very significant cost, including
experiencing commercially punitive degradations to
levels of customer service and increased onboarding
times due to the frequent requests for client data at
multiple stages of the customer lifecycle.
In many cases, FIs have had to engage large numbers of
temporary staff for multiple years to accomplish manual
KYC remediations, and siloed system workarounds
have been developed since integrated systematic
solutions could not be developed and implemented
quickly enough to meet regulatory expectations.
Introduction
The challenge for many FIs now is how to make KYC and other AML/TF processes significantly more efficient
and risk-based to deliver cost savings and customer service improvements while still meeting AML/TF
regulatory obligations.
2 · Protiviti
This paper explores seven key areas of AML programmes, highlighted in the diagram, that institutions should focus
on to achieve this goal of ‘Getting to Efficient’.
• Optimise the AML/TF Target Operating Model
• Shift from ‘Tactical’ to Sustainable, Strategic Solutions in AML Programme Governance
• Eliminate Common Inefficiencies in the KYC Process
• Leveraging Data for AML Efficiency Gains
• Accurate Identification of Customer Risk
• Decrease Reliance on Manual Processes and Increase the Application of Technology
• Shift Institutional Culture
A majority of FIs have adopted a financial crime risk
rating methodology designed to establish whether a
customer poses a high (or higher) risk of being a money
launderer and/or terrorist financier, or is likely to
allow such activities to pass undetected or to be
complicit in those activities.
Some of the factors that generally feed into this
methodology for an entity include, but are not limited to:
• Country of domicile of the entity
• Type of business/industry the entity engages in
• Transparency of ownership or control of the entity
• Involvement of any Politically Exposed Persons
(PEP) in the ownership, management or control of
the entity
• Negative news impacting the reputation of the
entity and its principals
• Products and services used by the customer and
related delivery channels
Typically, these factors are given a weighting in the
overall calculation of a risk rating of low/medium/
high (some FIs may also have classifications of ‘very
high risk’ or ‘ultra-high risk’). In addition, a number
of individual factors are often deemed to pose such
a risk level that they automatically result in a high/
very high risk classification being attributed to the
customer. Examples of these factors could be a fine or
other regulatory sanction for money laundering, or a
domicile within a high risk jurisdiction.
Failure to correctly identify higher risk elements for
a customer may expose the FI to regulatory fines and
sanctions. Also, the inefficient design or application of
a risk rating methodology can result in FIs undertaking
higher-than-necessary levels of due diligence and
more frequent reviews of customers than are needed.
FIs must make sure the risk rating methodologies and
the results they generate are dynamic and continue to
properly reflect the current financial crime risk posed
by the customer.
Elements of the risk rating methodology which can lead
to inefficiencies include:
• Applying a simplistic industrial classification to
the entity’s business — For example, the supplier
of protective clothing to the oil and gas industry
does not pose the same financial crime risk as
a supplier of major capital goods to the same
industry, but they both could be grouped in the
same higher risk industrial classification. Defining
tolerance for exposure (e.g. x% of revenues)
to a certain industry and where that warrants
classification within a high risk industry may help
to avoid misclassification; however, any areas
of doubt should involve compliance expertise to
assess whether the industry classification and input
to risk rating are appropriate based on the level of
involvement or proximity to a certain industry.
• Failing to re-assess the financial crime risk
that a PEP or former PEP currently poses —
While a PEP’s involvement in an entity may result
in an automatic high risk rating, a complete
assessment of the likelihood that the PEP is using
the customer entity for corrupt purposes is highly
recommended. The assessment would focus on
the ability of a current or former PEP to exert
corrupt influence or to use the entity for corrupt
purposes, or the determination criteria for when
a former PEP is no longer considered to have the
ability or standing to influence the entity.
01 Accurate Identification of Customer Risk
Accurate identification of customer risk underpins a
successful AML programme and allows organisations
to have a view of a proportionate amount of time
and resources that should be focused on areas of the
customer base with the greatest level of potential risk.
– Carol Beaumier, Senior Managing Director, Protiviti
• Failing to maintain up-to-date information
on the customer’s usage of the FI’s high risk
products — If the customer no longer uses high
risk products, or uses them to a non-material
level, then this could reduce the overall risk
rating. As an example, historically many business
types such as restaurants have been described
as ‘cash intensive’ and potentially posing a
heightened risk of financial crime. However,
in many economies, the use of debit or other
payment cards has reduced the use of cash to the
point where some businesses do not accept cash.
• Continuing to apply a high risk rating to a
regulated entity which has satisfied a regulatory
sanction (e.g. enforcement action, fine) and
been allowed to continue with its regulated
activities — It may be appropriate for an FI to
create a specialist team to conduct due diligence
globally on all customers that have been subject
to regulatory sanction at any time in the past to
ensure that they are risk classified in a manner
consistent with their current status.
Generally, it is important that senior staff from the
first and second lines review all high risk customers
to confirm that the elements driving the risk rating
are still in place and the FI is not relying solely on the
‘mechanical’ rating generated by raw inputs. Equally,
the FI must put in place mechanisms to ensure that low
and medium risk ratings are accurate to avoid
misclassifying high risk customers.
The involvement of senior FI staff in this process may
appear onerous but applying a higher risk rating than
required would have significant inefficiency
implications. On the flip side, the regulatory risk of applying
a lower rating than appropriate is very serious when
considering the requirements to maintain a compliant
AML programme, particularly as the risk rating sets the
tone for ongoing management of the customer.
Common Areas of Inefficiency
• Model-driven risk rating — Relying solely on the ‘mechanical’ result of the rating model.
• Outdated risk rating — Feeding the risk rating methodology/model with outdated and/or incomplete customer information.
• Blanket PEP rating — Failing to establish the current risk posed by an existing or former PEP in the context of their role within a customer’s ownership structure or related parties.
• Blanket high risk rating — Continuing to apply a blanket high risk rating to a customer which has been subject to regulatory sanction in the past, even where a regulatory enforcement action has since been satisfied.
Getting to Efficient
• Accurate rating reflective of current risk factors —
  • Require senior first line staff with detailed knowledge of the customer to review the inputs to the risk rating methodology to ensure that they properly reflect the customer’s current circumstances.
  • Review risk ratings (at least on a sample basis) to ensure that they properly reflect the actual current risk posed by that customer.
• Risk-based PEP relationship assessment — Analyse the individual’s current status as a PEP, their role within the customer relationship, and other factors to determine if they currently pose a heightened risk.
• Risk-based adverse media assessment — Consider establishing a senior specialist team to review customers with past issues on adverse media (e.g. enforcement actions) globally. This could include senior first and second line staff and their review may include liaising with senior customer staff to establish the current status of the regulatory enforcement action.
KYC processes have often been developed ‘tactically’
in response to the need to implement regulatory
standards quickly and, in many cases, in direct
response to regulatory mandates. These tactical
solutions often become regarded as business-as-usual
(BAU) processes despite the fact that they were initially
designed for a short-term project objective, such as
remediation of the existing book of customers.
When evaluating the efficiency of KYC processes, the
key principles outlined below should be considered:
• Connectivity of KYC and front office functions
— KYC is often seen as disconnected from actually
‘knowing the customer’ from a commercial
perspective, but this can lead to duplication of effort
and inefficiencies in customer contact and other
processes. This is particularly true for relationship-
managed customers, where significant knowledge
about the customer sits in the front office.
If the KYC team is geographically remote from the
front office functions, consider creating a cost and
operational model to place the KYC function alongside
the front office. The first line of defence owns
the ML/TF risk of a customer; therefore, placing
KYC analysts in the front office can help reinforce
this ownership of risk and ensure a wholly connected
approach to ‘knowing the customer’ and the
relative risk it poses for ML/TF.
• KYC team experience — Rather than having
‘generalist’ KYC analysts handle some of the
more complex entity types and risk spending a
significant amount of time understanding and
navigating the risks of such structures on a case-
by-case infrequent basis, a dedicated KYC team
can apply specialist knowledge and experience
to minimise and standardise the time spent on
customers. Specialist KYC teams can be established
to deal with complex structures such as trusts,
special purpose vehicles, government entities and
multi-layered structures and serve as SMEs in their
respective area for the front office.
• Risk acceptance — Analysts often spend
significant amounts of time discounting adverse
media screening ‘hits’ (particularly around tier 1
FIs and large, regulated financial institutions with
past AML enforcement actions, fines, etc.) when a
global governance body could readily discount those
issues at the relationship level and factor them
into the institution’s appetite to continue to do
business with the customer.
Consider establishing a global KYC governance
body, which includes the second line of defence,
to maintain and manage a ‘white list’ of relationships
with global FIs that have been subject to
fines or other regulatory sanction and on which
significant negative news exists. This ‘white list’
would require standardised and approved language
for audit trails, and should be built into KYC and
screening systems so it is clear up to which date
of results the ‘white list’ status would be covered.
This would allow KYC analysts to focus only on
new issues identified through screening and any
adverse media.
02 Eliminate Common Inefficiencies in the KYC Process
Many FIs are often lost in the KYC struggle to meet both compliance obligations whilst upholding an acceptable level
of customer experience.
– Erin Gavin, Senior Manager, Protiviti
• Cost/benefit analysis — Many organisations
are unable to gauge the cost of KYC and the time
and resources needed to onboard a new customer
and perform ongoing due diligence. The cost is
often difficult to quantify, as it includes time
spent on KYC by onboarding teams, front office,
compliance, remediation teams and senior
governance committees, as well as time spent
on system builds and maintenance and AML
screening subscriptions, among others.
Adopting a process/activity-based accounting
methodology to calculate the fully loaded cost of
onboarding a customer, using process mining to
identify inconsistencies in approach, or undertaking
a periodic review using current processes
can be extremely valuable in identifying potential
areas for improvement.
Also, having the ability to perform a cost/benefit
exercise prior to implementing any new processes
or solutions may yield longer-term efficiency gains.
Common Areas of Inefficiency
• Siloed KYC and front office functions — Disconnect between KYC and front office leads to duplication of effort.
• Generalist KYC team — Non-specialist analysts may use time inefficiently to understand customer structure and its risks.
• Discounting of adverse media — Disproportionate amount of time spent discounting hits on global FIs with past regulatory fines or AML enforcement actions.
• No cost/benefit analysis — Poor understanding of actual cost of new customer onboarding and periodic reviews.
Getting to Efficient
• Unite KYC and front office functions — Closely align these functions to improve understanding of customers’ needs and risks, and reduce needless customer touch points.
• Specialist KYC team — Designated KYC team will improve efficiency of managing complex client onboards and periodic reviews.
• Standardised ‘white list’ — Maintain and govern a ‘white list’ of relationships with global FIs subjected to fines/regulatory penalties to improve the screening process for those FIs that have resolved their regulatory enforcement actions/penalties.
• Clear cost/benefit analysis — Activity-based accounting methodology prior to process implementation is recommended.
Many FIs struggle to implement and improve an AML
programme that is both strategic and sustainable,
as they are often consumed with ‘fighting fires’ and
implementing tactical, short-term solutions. This
enduring ‘tactical’ solution mentality and culture in
an FI’s AML programme governance are often underpinned
by a sense of reactiveness, siloed approaches
across various business divisions/geographies, an
overwhelming number of priorities and a lack of
clarity on future state. This is an understandable
challenge that many organisations face, given the
ever-changing global landscape of regulatory and
AML/TF obligations. Transitioning the mindset of the
organisation and teams or individuals involved from
tactical (task and delivery based) to strategic thinking
(bigger picture) will take time but ultimately provide
a competitive advantage for those AML programmes
that are forward-looking and agile in their ability to
adapt to regulatory, consumer and operational trends
in the industry.
Below are common challenges and areas that can be
improved upon to implement sustainable, strategic
solutions in an AML programme and its related
governance model.
• Lack of strategic action and thinking — It is
important to challenge the status quo and think
innovatively to identify new solutions, rather than
operating in a manner just because ‘it’s always been
done that way’. AML governance structures must
have a view of impending regulatory decisions,
market shifts, industry trends, consumer preferences
and emerging technologies, as well as known
weaknesses in their AML framework, to proactively
prepare for such challenges, opportunities and
impending changes to operations and customers.
Understanding the highest value areas within an
FI and how to protect and enhance those areas
by gaining a better understanding of current and
future AML/TF opportunities and obstacles are
essential. In addition, having an open discussion
of areas of AML programme weaknesses or blind
spots is critical to the long-term goals of any
organisation that wishes to meet its AML obligations
and improve customer satisfaction.
• Accurate information and involvement from key
stakeholders — Decisions on budget and strategic
investment in AML programmes are sometimes
made in a siloed environment without considering
a) other efforts or initiatives that may already
be in place; and b) what the impact of including
certain areas and excluding others would be on the
day-to-day operations, downstream implications
and customer experience. For instance, the idea
of scaling down budget for onboarding systems
improvement may seem cost effective on the
surface; however, a deeper dive may reveal that
improvements are needed to enhance the customer
experience and/or meet regulatory requirements for
all correspondent banking relationships. Similarly,
dedicating resources, time and effort to the review
and tuning of transaction monitoring rules may
seem costly or tedious initially; however, proper
tuning can reduce the number of false positives that
require further investigation. The implications of
missing potentially suspicious transactions due to
incomplete or inaccurate scenarios built into the
transaction monitoring system may result in both
financial and reputational repercussions for the FI.
By bringing the right mix of people (and therefore
information) to the table, decisions on budget
allocation and strategic investment in areas for
AML/TF are likely to be more effective. All too
often, the rollout of a new tool to improve a certain
function (e.g. sanctions screening) is announced
by senior leadership who are more removed from
customer experiences and day-to-day activities.
Meanwhile, the staff on the ground may be content
with the process and the time it takes to execute
the sanctions screening, but actually need a better
tool to perform other functions (e.g. customer risk
rating, adverse media/negative news screening, PEP
screening, etc.).
03 Shift from ‘Tactical’ to Sustainable, Strategic Solutions in AML Programme Governance
Working in silos, especially from an AML programme
standpoint, is oftentimes rooted in the
need to develop strategic solutions for a particular
department, geography and team and to navigate
and adhere to competing local AML/TF regulatory
requirements. Where the strategic plans for an
AML programme fail to consider the overarching
strategy and goals of the entire organisation,
and when communication is lacking and strategy
is not aligned, it can result in duplication
of efforts to solve the same problem. However,
when strategies are aligned to the core values and
goals of the organisation, it is easier to identify
duplication of work and shared goals to enhance
collaboration across common platforms/initiatives,
functional teams, lines of defence, operations and
departments. For instance, the development of a
regulatory reporting function for country-specific
regulators should be part of an overarching global
regulatory reporting team’s responsibility. This
important AML function would encourage consistent
communication (internal and external-facing
to regulators) and a well-coordinated structure
to share regulatory requests and insights. This
important AML programme function must ultimately
tie to the ‘tone from the top’ from the firm’s
executives, and information should be disseminated
to relevant regional and local functions to maximise
awareness and streamlining of efforts for effective
AML programmes at global FIs.
Taking analysis from external resources (e.g.
market analysis, benchmarking, etc.) and tapping
into internal resources of an organisation (e.g.
leadership levels as well as staff in compliance,
anti-financial crime, risk management, operations
and customer-facing roles) to understand
different AML and business viewpoints, priorities
and perspectives will assist leadership in making
informed decisions and understanding the implications
of those decisions if the right people are
involved and consulted.
Common Areas of Inefficiency
• Reactive in nature — Being distracted from overall AML programme strategy by fighting fires and an overwhelming number of priorities (e.g. regulatory visits or reviews, last-minute adoption of regulation changes, de-prioritising investment in AML/TF, etc.).
• Misalignment of strategic solutions — Working in silos (e.g. local AML requirements); no view of shared goals or common challenges across certain areas of the organisation.
• Uninformed decisions — Decision making without the appropriate information to influence and inform the decision makers.
Getting to Efficient
• Forward-thinking — Strategic thinking to enhance high value areas of the business model, particularly around meeting AML/TF obligations for the most critical areas of the business model (i.e. targeted spending of AML resources, time and costs on the business divisions and customers that align to the strategic vision).
• Alignment of strategy — End-to-end view of how the AML programme fits into the strategic goals across an FI organisation (organisation-wide, regional, department-wide, etc.), and may include a shift toward a more global and harmonised approach to AML/TF.
• Informed decisions — Making informed strategic decisions for the AML programme based on consideration of widespread perspectives and consultation with key individuals to understand the impact to operations and customer experience.
Data held by FIs can be a powerful combatant in
fighting ML/TF if it is available, formatted and used
in a meaningful way. This is often not the case for
many FIs that are plagued by legacy data with poor
quality which is fragmented across many systems.
For instance, the number of false positives generated
in transaction monitoring from incorrect/incomplete
legacy data increases the time it takes analysts to
review and discount false positives, with the risk that
genuine money laundering alerts could be missed.
Prior to implementing new AML technologies or fully
optimising existing solutions and being able to reap
the efficiency rewards of such tools and analytics,
a data structuring exercise should be undertaken to
understand existing data flows, and to cleanse and
format the data so that it may be used in a meaningful
way. Inputting data with poor integrity into data
management systems, machine learning scenarios or
analytics will skew the output. The term ‘garbage in,
garbage out’ is commonly referenced, so the importance
of this data structuring exercise in the process
should not be underestimated.
• Understanding data — Misinterpreting certain
data fields could have negative consequences downstream.
For example, when classifying a customer as
active or inactive, the same data field may be populated
by different teams in varying jurisdictions.
However, if those teams have different definitions of
‘inactive’, the data will not be interpreted correctly
when assessed at a holistic level.
Subject-matter experts familiar with the data being
collected may be required to analyse, interpret
and communicate what the data means within a
particular function, report or data field (e.g. technical
definition of a data field from system build
requirements vs. business definition and use of that
same data field).
• Cleansing customer data — Many organisations
have extensive amounts of legacy customer data
but cannot trust that the data is reliable and
may therefore discount data-based outcomes
or reporting. The data may lack credibility due
to missing or partial fields and conflicting or
outdated information held across various systems.
An exercise to analyse and update incomplete,
inaccurate or irrelevant data by replacing, modifying
or deleting may be necessary to cleanse a
data set and improve data integrity. An example
of this could be the validation of a city’s zip code
through public records to correct an error in the
input of an address. Any adjustments to data
during cleansing should be closely aligned with
teams familiar with the purpose and context
of the data fields so the information is adjusted
as intended and used in a consistent manner,
ultimately improving the cleanliness of the data
to get to a ‘single source of truth’.
• AML system and data mapping — Many
organisations do not have a holistic view of
how data flows throughout their organisation
horizontally and vertically at a local or functional
level, let alone at a global view. All too often,
customer inputs of data during the onboarding
process get passed out to the various divisions
of an organisation and stored in siloed systems,
databases or offline spreadsheets (e.g. trading
systems, KYC case management tools, regulatory
reporting databases, etc.), creating a fragmented
data environment.
A data mapping exercise to understand system
inventory and data flows (inputs/outputs) is critical
to assess the benefits of any system consolidations
or redundancies and to understand the data sources
and flows. Maintaining an environment where complex
data silos exist in an FI can be time-consuming
and expensive and can hinder an organisation’s
ability to leverage the benefits of the data in decision
making and combating ML/TF.
• Enrich data — After data has been cleansed,
refining and enhancement of the data can be applied
so it may be used for analysis and decision making.
The data must also be assessed for its veracity.
04 Leveraging Data for AML Efficiency Gains
Increasing an organisation’s confidence in the data
it holds will improve its view on existing systems.
Processes can then be optimised to clear the path
to future implementations of AML technology. This
may include the use of third-party data sources to
enhance the efficiency of data gathering as well as
the independence, reliability and integrity of the data
used to identify and verify customers. Third party
data sources may include onboarding platforms,
verification vendors and resource subscriptions
used throughout the client onboarding and ongoing
customer due diligence lifecycle.
Making an effort to understand and enhance data
integrity through some of the steps outlined above
will allow an organisation to empower leadership to
make data-driven business decisions and to optimise
automated capabilities in existing systems or new
technology, such as robotic process automation
(RPA), artificial intelligence (AI) and machine
learning. To truly improve efficiency and target their
AML/TF efforts, organisations must rely less on judgment
and take a clear risk-based approach supported
by facts and valuable data on risk to their business.
Common Areas of Inefficiency
• Misinterpretation of data — Misinterpretation of data amongst jurisdictions/business lines may lead to inconsistencies in the handling of AML alerts, KYC, screening results, etc.
• Lack of veracity of data —
  • Missing/conflicting information reduces its integrity.
  • Lack of confidence in data reduces its commercial value.
• Siloed data — Siloed and disconnected storage of customer data creates a fragmented data and system environment.
• Manual sourcing and verification of data — This often is a time-consuming exercise for staff and can result in incomplete or inaccurate information.
Getting to Efficient
• Understanding the context of data — Establish a universally consistent understanding of captured data.
• Cleansing the data — Enrich and validate data through public and subscription-based sources, where possible, to reduce unnecessary customer outreach.
• Reliable data — Assess veracity of data to allow for valuable analysis of AML programme key performance and risk indicators (KPI, KRIs).
• Data mapping — Map data flows to assess benefits of system consolidations/redundancies.
• Optimising third party data sources — Automation of the data gathering exercises increases efficiency as well as the reliability, independence and integrity of data. Staff can then spend more time on complex issues requiring attention.
Following the structuring of data, the efficiency gained
from decreased use of manual and offline processes
and increased use of technology can begin to be fully
realised. Years of offline computing and manual
workarounds in AML programmes have proven to be a
barrier to gaining full advantage of current technology.
The ability to use structured data to identify redundant
processes/systems/tools and understand what an
‘optimised’ environment looks like in current systems
for customer onboarding, screening and transaction
monitoring can add value to an AML programme.
• Informed technology decisions — Many times,
technology solutions (either custom-built or out-of-
the-box from a vendor) have been patched together
with an FI’s existing core systems to keep pace
with the changing regulatory environment and
reporting requirements, creating fragmented
systems of records and data. The RegTech market
alone includes thousands of providers, some
offering customer lifecycle management systems
(end-to-end), while others are focussed only on
specific areas (e.g. screening, transaction monitoring,
etc.). It is not uncommon for organisations
to add technology solutions on a tactical basis and
end up with an ecosystem of various providers.
• Understanding your ecosystem — The ability to
consolidate information and streamline data flows
through the ecosystem can provide FIs a competitive
advantage in the market. For instance, having
a single customer relationship view globally and
being able to visualise such data for clear and quick
decision making for first line purposes (e.g. expansion
of products offered, global view of customer
accounts) and second line (e.g. KYC approvals,
regulatory reporting) is still a target that most
traditional FIs are working toward. Achieving
this target allows for operational efficiency gains
and cuts operating costs across all lines of defence.
It also can improve the customer experience in
that the customer will not be asked for the same
information multiple times from various teams and
can be provided a better level of service if the front
office actually knows the customer.
• Technology investment — Investments in AML
programme technology must be strategic, rather
than tactical. Strategic investments must be
determined after an organisation’s data has been
appropriately structured and formatted to enable
informed decision making. Data management
should not be a one-time activity, as the maintenance
of data integrity must be an ongoing and
sustainable activity to maintain the efficiencies in
new and existing technology.
05 Decrease Reliance on Manual Processes and Increase the Application of Technology
Focussing technology investment in areas where you
will see the greatest return — time- and cost-wise — will
allow employees to concentrate their skills and specialist
knowledge in areas of greatest value add.
– Jonathan Wyatt, Managing Director — Global Head of Protiviti Digital
Common Areas of Inefficiency
• Disconnected technology — Patchwork technology developments create disconnected systems of information which do not ‘speak’ to each other.
• Siloed ecosystem — Fractured view of data/systems reduces efficiency and increases costs of AML compliance and reporting.
• Short-term fixes — ‘Tactical’ investments prohibit long-term efficiency.
• Manual processes — In addition to being time-consuming and inefficient, manual processes leave room for human error.
Getting to Efficient
• Informed technology decisions — Assess compatibility/effectiveness of systems to better inform key decision makers.
• Streamlined data — Ability to consolidate information and streamline data flows in system ecosystem provides a competitive advantage by improving customer experience and operational efficiency across the three lines of defence.
• Strategic technology investment — Revisit technology investment strategies early and often as internal (systems, organisation changes, self-identified issues, etc.) and external factors (regulatory requirements, technology solution offerings) change.
• Process automation — Consider opportunities within current processes to utilise RPA and machine learning to enhance process efficiencies and accuracy.
The reality is that regulatory requirements are evolving for all FIs, but having technology and data that can adapt
in an organised, efficient manner will provide organisations with a competitive advantage in the market.
The need to implement AML/TF processes tactically
has often resulted in target operating models (TOM),
which satisfy short-term requirements but fail to
deliver on a strategic basis. Key issues in the three
principal components of a TOM are:
• People — Employees have been hired in ‘factories’,
often in lower-cost locations, to undertake KYC and
AML/TF activities. Their geographic location and
time zone are disconnected from core operations
and front office functions, which leads to significant
inefficiencies in communication and failure
for commercial KYC information to be leveraged
to satisfy regulatory KYC requirements. Viewing
KYC as a factory-driven process has led to the
tracking of metrics that focus on throughput
(number of files reviewed, delinquency rates,
etc.) but do not consider how these processes are
reducing risk, improving quality or affecting the
customer experience.
• Processes — Processes often remain largely
manual and a key source of information on
the customer is the customer themselves. The
exponential growth in reliable and independent
information sources in the public domain must
be leveraged to minimise intrusive, unnecessary
and time-consuming customer contact. AML/TF
regulation across the European Union in particular
is also moving in the direction of maximising
the use of publicly available records (including
subscription-based sources) to meet the criteria of
being ‘independent and reliable’ to the customer.
• Technology — Technological advancements may
have been developed outside of mainstream
systems, leading to significant challenges of KYC
information being shared across countries/entities,
often resulting in unnecessary, duplicative and
time-consuming onboarding of the same customer.
Given the various data privacy and sharing regulations
that global FIs face, even sharing data within
the same organisation has become challenging
when interpreting compliance between different
AML/TF and data regulations. A common issue
across organisations is the understanding in the
front office systems of the details of how/how much/
how frequently the customer will transact with
the FI. This needs to be reflected in transaction
monitoring systems to avoid poor data definition,
which results both in transactions being flagged as
‘unusual’ when they are not and in truly unusual
transactions, which require subsequent review, being missed.
06 Optimise the AML/TF Target Operating Model
The target operating model must be viewed as a ‘living’ document, something that can grow and adapt as an
organisation changes.
– Matt Taylor, Managing Director, Protiviti
Common Areas of Inefficiency
• Disconnected staffing model — Outsourced KYC activities to third parties/remote parts of the institution, leading to communication inefficiencies.
• Manual processes — Overuse of tactical manual/semi-manual processes.
• Siloed technology — Siloed technology development/data privacy regulation hindering effective sharing of KYC information across the organisation.
Getting to Efficient
• Quantified cost of KYC — Activity-based cost modelling to establish an optimal solution to apportioning KYC activities and minimising customer touch points.
• Streamline processes integrated with technology —
  • Use of automation (e.g. RPA) and optimised use of existing systems to use publicly available, reliable and independent information sources to collect/update customer data and increase efficiencies of process for KYC, onboarding, alert discounting, etc.
  • Consider ‘off-the-shelf’ solution to standardise technology across the organisation.
A TOM must be developed on a global basis for AML/
TF and recognise the importance of the integration
of AML operations into other operational and front
office functions to maximise efficiency and minimise
costs and onboarding times. The TOM must be viewed
as a ‘living’ document, something that can grow and
adapt with the organisation’s changes. The TOM must
be subject to ongoing governance to ensure that it
continues to provide the optimal operating model as
circumstances change, such as the increasing maturity
of the AML programme, adapting to new regulation and
supporting the implementation of new and emerging
technologies/automation, etc. AML/TF must become
part of mainstream operations and not a necessary
irritant disconnected from other functions.
Achieving a sustainable cultural change within any
large organisation is always a major challenge and
can take a significant amount of time. In the area of
financial crime, this has been particularly challenging
since the requirement to undertake strenuous and
systematic AML/TF procedures was forced from outside
of FIs by legislation and regulators.
Many organisations’ front offices have been slow to
accept that they ‘own’ ML/TF risk and regard it as the
responsibility of the second line compliance functions.
Front offices have also been slow to integrate
commercial KYC information into the KYC for AML/
TF purposes in circumstances where it can be used
for dual purposes. This has been exacerbated by the
creation of KYC ‘service centres’ which are often remote
from the front office function and may be outsourced to
a third party. These generally have separate reporting
lines and are measured on throughput and volumes
for point-in-time activities (often used to catch up on
delinquent records) rather than supporting the understanding
of the underlying customer, its relationship
with the institution and their ML/TF risk.
Other aspects of a lack of clarity of ownership of ML/
TF risk include poorly defined (in some cases completely
undefined) roles and responsibilities across the front
office and other elements of the first line of defence
or ineffective sanctions imposed internally where
procedures and standards are not applied consistently
to the required level.
Top leadership of the organisation has a crucial role
to play in providing the ‘tone’ in this area. Clear,
unequivocal messages from the top concerning the
responsibilities of the three lines of defence are
required, as is a commitment to implement what
is required to satisfy regulatory obligations across
the organisation to ensure that heavily damaging
regulatory sanctions are avoided and that customer
intrusion and negative service impacts are minimised.
Clear communication from leaders within each of the
three lines of defence is essential in driving the shared
responsibility for AML/TF controls and the differing
activities owned by each line of defence in delivering a
structured and systematic approach. The organisation
must work collaboratively to achieve an optimal operating
model. Another key message to be delivered is
that the AML/TF requirements are not transient — they
are here to stay, and regulatory requirements are likely
to only become more stringent. It is essential that
the organisation therefore applies the most efficient
methodologies to the issue, since that will deliver a
commercial advantage over a less efficient organisation
in terms of both cost and customer experience.
07 Shift Institutional Culture
Common Areas of Inefficiency
• Lack of clarity in ownership of risk — Reluctance by front office to accept responsibility for ML/TF risk.
• AML is deprioritised — Without a strong tone from the top, AML controls, awareness and operational effectiveness may be viewed as a chore or ‘tick the box’ exercise.
Getting to Efficient
• Roles & responsibilities — Clarity of ownership of ML/TF risk and roles of each line of defence is the shared responsibility of AML/TF controls through development of an optimal operating model.
• AML programme as a priority — Clear ‘tone from the top’ on the need to prioritise AML programmes and detect, prevent and deter ML/TF.
The message is, ‘Everyone has to do it — let’s do it best!’
By applying the enhancements discussed in this
paper to the seven key areas noted, an FI can progress
along the roadmap to AML: Getting to Efficient.
The roadmap to an efficient AML programme will
require continuous improvement, with some changes
having more immediate effect than others; however,
FIs should pursue the model described below when
looking for industry leading efficiency practices to
gain a competitive advantage in the efficiency of an
AML programme.
Roadmap to AML Efficiency
• Optimise the AML/TF Target Operating Model
• Shift from ‘Tactical’ to Sustainable, Strategic Solutions in AML Programme Governance
• Eliminate Common Inefficiencies in the KYC Process
• Leveraging Data for AML Efficiency Gains
• Accurate Identification of Customer Risk
• Decrease Reliance on Manual Processes and Increase the Application of Technology
• Shift Institutional Culture
Increased understanding and accuracy of the identification of the risk within your customer base is critical to know the proportionate amount of mitigation required.
Legacy data is streamlined, system ecosystem is clearly mapped and redundancies are removed to allow for informed technology decisions and strategic investment for AML systems/tools.
KYC processes are updated to support the effectiveness of resources and provide measurable cost savings as well as improved customer experience.
Reduction in ‘fighting fires’ and the AML programme strategy is clear, aligned and forward-thinking.
Customer and transaction data held or being collected/updated by FIs is cleansed, formatted and enriched, as needed, to be used as a powerful combatant in fighting ML/TF.
How We Can Help
At Protiviti, we continuously explore how advances in AML programmes can be achieved. We have deep subject-matter
expertise around global AML/TF regulatory requirements and have extensive experience in designing and
implementing all areas of AML programmes across many Tier 1 and Tier 2 FIs.
Since 2002, Protiviti has rallied itself around a set of values that encourage innovation and collaboration; in
this regard, we collaborate with various lines of defence and regulatory technology vendors to bring our clients
creative solutions to meet their regulatory compliance obligations.
ABOUT PROTIVITI
Protiviti is a global consulting firm that delivers deep expertise, objective insights, a tailored approach and unparalleled collaboration to help leaders confidently face the future. Protiviti and our independently owned Member Firms provide consulting solutions in finance, technology, operations, data, analytics, governance, risk and internal audit to our clients through our network of more than 75 offices in over 20 countries.
We have served more than 60 percent of Fortune 1000® and 35 percent of Fortune Global 500® companies. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies. Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.
CONTACTS
Carol Beaumier, Senior Managing Director
Shaun Creegan, Managing Director
Michael Brauneis, Managing Director, Americas Financial Services Leader
Matthew Moore, Managing Director
Bernadine Reese, Managing [email protected]
Matt Taylor, Managing Director
Erin Gavin, Senior Manager
© 2019 Protiviti Inc. PRO-0919-103139I-IZ-ENG Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.