A robust anti-money laundering programme is a sophisticated machine with various moving parts: customers need to be onboarded efficiently while complying with the rules and taking into account customer risk assessments; documentation needs to be stored in a reliable and accessible manner; transactions screened and monitored; data shared promptly and accurately with regulators; policies written, updated and understood. That quite a few balls juggle, and it quickly becomes impossible to operate at any scale unless you and your teams have adequate tools in order to achieve and demonstrate compliance with the relevant requirements. This is where technology, and technology vendors, come into play.
Sales pitches promising magical one-stop-shops that will take away all your compliance challenges out-of-the-box should be treated with healthy skepticism. That said, technology is absolute essential for a good, robust, scalable anti-financial crime programme. However it is easy to get it wrong. In this piece we will therefore look at how to get the technology part of your anti-financial crime programme right.
Typical AML Compliance Tools
First of all, let’s assess some of the typical tools that can assist you in delivering a robust compliance programme:
- Name screening tools: are tools that screen names against various lists of names that may be of interest to subject persons. Names will be typically screened against sanctions lists, law enforcement lists and list of politically exposed persons. Screening may also take place against adverse media. While it is theoretically possible to screen names manually against the various relevant lists, the multiplicity of lists and complexity of name matching processes means that it is effectively impossible to perform this process manually with any credibility. Name screening technology is therefore essential for any effectively compliance programme, big or small.
- List providers: provide the data (i.e. the lists) against which name screening tools will screen names. The two concepts are closely related, and certain name screening providers will also provide the relevant lists, generally aggregating names from various sources and keeping them up to date.
- Transaction monitoring systems: transaction monitoring systems analyse transactions for suspicious patterns of behaviour, such as the breaking down of large transactions into smaller ones (i.e. smurfing) and present this information to staff for further investigation. Since transaction monitoring systems are looking for suspicious patterns of behaviour, these systems typically screen behaviour on a post-transaction
- Payment screening systems: screen payments against sanctions, compliance with mandatory payment data requirements, internal risk limits (such as prohibited jurisdictions) and other elements that the firm may be interested in controlling on a pre-transaction
- Identity Verification services: typically provide firms with technology that assists with or streamlines identity verification services. This includes address verification data providers, videoconferencing tools and facial ID verification services.
- Customer relationship management tools (CRM): customer relationship management may strictly speaking be viewed as commercial rather than compliance effort, but in practice good customer relationship management systems are essential to any robust compliance programme. A good compliance programme requires the company to have clear information about its customer base and useful information about its composition, behaviour and interaction with the company, all of which require good customer relationship management systems be delivered at scale.
In addition to the above there are various specialist tools that may add value to compliance programmes, and which may be useful depending on the scale and risk profile of the entity in question. These include various open source intelligence tools, automated customer and business risk scoring solutions, and communication surveillance technologies.
Choosing the right tool for the job is therefore essential. A small firm with a limited customer base may not need a sophisticated customer relationship management tool, however the ability to screen names will still be vital. Transaction monitoring tools are may be unnecessary for businesses that engage in slower, more structured activity, such as private equity funds, however they are absolutely vital for any firm engaged in large scale payment activity, such as a money remitted.
Embedding AML Compliance Tools into Your Business
In order to derive benefit from the purchase of a compliance technology, it is not sufficient to simply purchase the best tool or the best vendor. Companies also need to ensure that the relevant tool is correctly embedded within its day to day activities. The key elements to ensure proper embedment are the following:
- Governance: as always, governance is the first step. An investment in compliance technology should only be made following a documented analysis of the needs of the company and the risks it is exposed to as well as a fair and transparent vendor selection process which should in turn inform decision making at the appropriate governance forum.
- Project planning: some tools can be fairly painless to adopt, while others may necessitate complex implementations. Implementation processes may necessitate the use of internal as well as external resources, meaning that the relevant implementation actions need to be mapped out in the context of pre-existing commitments
- Testing: no tool will deliver perfect results out of the box, and indeed without a proper testing process a tool can create more problems than it solves, generating unmanageable workflows or giving false comfort. Every tool should be subject to a careful process of testing, iteration and calibration, which should be documented and presented to management as part of management information packs.
- Training and resourcing: excellent tools will be ineffective in untrained hands, therefore the implementation of any new tool should be accompanied by appropriate training. Moreover, staff will need be dedicated to manning the tool.
- Monitoring: once the tool is up and running, a monitoring programme should be established to ensure that the tool continues to deliver as it is supposed to, requires upgrades are put into place in a timely manner, and changes in legislation or other requirement duly reflected in the system.
Regulatory requirements and good practices
Your anti-financial crime tools are meant to assist you in delivering your compliance programme, so the last thing you want is for the tools you use to become themselves sources of compliance risk. It is therefore important to be mindful of applicable rules around data protection and similar issues.
In particular it is important to assess whether by acquiring the tool in question you are engaging in some form of outsourcing. The FIAU Implementing Procedures deal with these situation under section 6.1 which states that outsourcing takes place where “the subject person is delegating the implementation of certain AML/CFT obligations to another person(s)”. This is to be distinguished from “reliance” which arises where the subject person relies “on another subject person or a third party who would have carried out CDD to meet its own AML/CFT obligations and the subject person or third party being relied on grants the subject person placing reliance access to the information and documentation so collected”. The FIAU also clarifies that “the acquisition of software or access to commercial databases to assist in, or facilitate, the carrying out of AML/CFT obligations without any data or information belonging to the subject person being submitted to and processed by a third party is not to be considered as outsourcing” (we also add that it would not constitute reliance).
The deployment of technology solutions can often entail an element of outsourcing. Where a firm embeds facial ID verification technology as part of its onboarding process, and relies upon determinations made by the relevant technology solution for customer verification (and subsequent onboarding) purposes, that may be deemed to be outsourcing. This has important ramifications because outsourcing is subject to detailed regulation, both in terms of mandatory contractual requirements as well as proper oversight and management of the outsourced relationship.
Shoulder Compliance can assist you in using technology to improve the robustness of your compliance programme and the effectiveness of your business. We can help you identify the right technology tools for the job, design the relevant workflows, ensure they are properly embedded in your daily operations, advise you on the correct governance procedures, and assist with the relevant regulatory requirements and dialogues. We have supported various companies with the adoption of different technologies, including facial ID verification, name screening technologies, transaction monitoring tools and customer relationship management tools.