How to discover ways to sustainable anti-money laundering operations* Banking and Capital Markets

*connectedthinking
Table of contents
Situation
Perspective
Common components of a successful integrated AML operating model
Implications
How to discover ways to sustainable anti-money laundering operations*
PricewaterhouseCoopers
Situation
In response to rapid advances in technology and more robust regulatory oversight, banks have evolved to match
the risks and needs of the institution with the laws that govern them and the customers that they serve. However, in
today’s world, keeping up has become increasingly difficult.
Banks face a dilemma with their customers whose growing appetites for privacy and protection are equaled by their
pressing need for a global, efficient means of moving money. This poses a distinct challenge because customers’
needs are somewhat contradictory: Privacy and protection often require more controls while efficient global access
requires less.
In addition, government policies present a challenge to banks. To facilitate global trade and build national wealth,
governments encourage the development of means and mechanisms for rapid funds movement. Citizens also
encourage their governments to safeguard their privacy. At the same time, citizens mandate that their financial
supervisory agents reduce the likelihood that terrorists, drug cartels and organized criminals will find anonymity in
privacy and ease in their global funds transfers.
To meet the challenges posed by the customer’s contradictory objectives and the new regulations posed by
governments, banks have had to modify many of their internal operating procedures. However, banks often struggle
to adapt their technology systems and internal processes—some of which evolved over decades—to these new
procedures. In the case of recent anti-money laundering (AML) compliance, this has forced many institutions to
implement quick fixes. Some of these short-term, quick-fix solutions include:
1. Decentralized and un-integrated customer due diligence and AML surveillance functions
2. Use of “manual muscle” approaches
3. Use of inadequately configured technology systems
4. Hiring third parties to own core processes
These quick fixes were not intended to be long-term solutions, yet we still see them in existence at many banks
years after their implementation. They may continue to function, but their sustainability develops into an issue when
operating costs become disproportionately high compared to the risk they were intended to mitigate. The good news
is that long-term, cost-effective, sustainable solutions are within reach.
Perspective
Based on our collective experience, in order to maintain acceptable levels
of risk, provide long-term, sustainable solutions and reduce costs, an
institution must take a multifaceted approach to AML operations by leveraging
enterprise efficiencies.
To achieve these efficiencies, a financial institution needs to identify areas
for integration within and across countries, units, and functions while also
preserving those differences that are warranted. This requires a focus on
what has to be done rather than on who reports on it or where it occurs.
The first step in the assessment and redesign effort is to establish a set
of core principles that is common across the organizational structure. The
principles that organizations use successfully that can serve as examples for
other financial institutions include:
• Reporting
• Issues management
• Testing
• Monitoring
• Risk/control identification and assessment
• Communication, training, and development of compliance personnel
• Policies and procedures
• Structure, roles and responsibility
• Risk appetite and tolerance
• Objective setting
Once the core set of principles has been established, a financial institution
can assess the methods used to execute those principles and find the
points for regional and global integration. To systematically tackle this
major undertaking, a financial institution needs to evaluate the way people,
processes, technology and information—the four operating levers—are
applied to each principle. In the case of AML, these levers may include:
• People (compliance officers, risk managers, IT system analysts,
account officers, relationship managers, investigators, data analysts,
operation managers)
• Processes (new client take on, periodic review, event-driven review, client
exit, existing client remediation, transaction monitoring, case management,
regulatory reporting, client screening, transaction screening, document
lifecycle management, data and process governance, quality assurance,
management information, client ownership)
• Technology (rules, scoring, workflow, matching, MIS reporting, regulatory
reporting, expert/knowledge-based system, list management, anomaly
detection, peer grouping and profiling)
• Information (customer, product, account, transactions, electronic
funds transfers/wires, hidden relationships, customer risk ratings, case
information, CIP and approvals documentation)
By evaluating and applying the principles to levers, a bank can identify gaps,
target opportunities for integration and redesign its AML operating model. The
redesigned model should integrate using options that range from combination
and shared services platforms to co-sourced and outsourced activities.
Table 1 represents a sample financial institution and a current
state of some of its AML processes. These processes, such as client due
diligence, client screening, or transaction monitoring, tend to be business
unit centric and are often decentralized. This often leads to inconsistencies
in processes and information gathering as well as inefficiencies in use of
technologies and human capital.
Depending on the organization, any lever described above provides an opportunity for integration. A thoughtful planning process is a prerequisite to designing
a future state that will meet compliance objectives but will also be cost effective and well integrated with the other processes within the financial institution.
What’s left after the “quick fixes”?
• Different processes and technologies
used for collecting, reporting and storing due
diligence information within and across
lines of business
• Highly manual and unrepeatable AML
customer risk assessment processes
• Compliance departments struggle to
meet non-AML compliance demands
• Inconsistencies in customer risk scoring
and due diligence procedures for the
same customer or similar customer
types across lines of business and
globally
• Lack of meaningful money-laundering
risk reports
• Large number of false positives in
transaction surveillance systems
• Case management processes that
are supported by inaccurate financial
intelligence
• Inability to see into static and
transaction activities of customers and their
related accounts within and across lines
of business and globally
• Case consolidation by customer or other
common case characteristics performed
through ad-hoc workarounds
• Lack of consistency and reconciliation
between the risk model used for account
monitoring and the model used for
customer risk assessments
• Inability to report on key performance
indicators
• Lack of coordination among other key
areas such as credit risk management,
suitability for broker-dealer accounts
and fraud detection units
• Little integration of AML compliance
with other bank initiatives
Table 1: Simple example of the application of AML levers to customer risk/control identification and assessment principle

| Levers | Sample current status: Retail | Sample current status: Wealth management | Sample current status: Wholesale | Integration opportunities | Sample future state |
|---|---|---|---|---|---|
| Process | Account opening | Customer due diligence | Customer due diligence | Related to account opening, but risk aligned with customer due diligence | Customer due diligence |
| People | Bank officer | Relationship banker | Relationship manager | No change: Ownership should remain with front-office | Retail: Bank officer; Wealth management: Relationship banker; Wholesale: Relationship manager |
| Technology | Online application | Paper based | Smart Word document | Standardize on new technology platform | Integrated web-based KYC technology |
| Information | CIP form | Wealth management version of KYC Risk Form | Wholesale version of KYC risk form | Standardize risk assessment form with extensions for customer and product differentiators | KYC form based on common client risk rating methodology |
| Process | Client screening | Client screening | Client screening | No change needed | Client screening |
| People | Operations account manager | Relationship banker | Compliance officer | Skill-set and technology are better aligned with operations | Centralized middle-office operations |
| Technology | Automated using OFAC agent | Manual using FINRA OFAC tool | Manual using World Check™ | Manual approaches can be replaced with automation | Automated using OFAC agent |
| Information | Customer | Relationship | Legal entity | No change: Customer types warrant differences | Retail: Customer; Wealth management: Relationship; Wholesale: Legal entity |
| Process | Transaction monitoring | Transaction monitoring | Transaction monitoring | No change needed | Transaction monitoring |
| People | Investigator | Relationship manager | Investigator | Leverage investigation skill-set | Centralized financial intelligence unit |
| Technology | ERASE™ | Manual report review | ERASE™ | Automate manual review with pre-existing technology | Automated using ERASE™ |
| Information | Account, transaction, wire | Relationship, account, transaction, wire | Account, transaction, wire | Link accounts to create single customer view | Relationship, customer, accounts, transactions, wires |
Common components of a successful integrated AML operating model
A redesigned AML operating model will differ from organization to organization
based on the specific risks, needs and geographic makeup of the organization.
However, we have seen some components that are consistently adopted
within the industry, and those components have been highly effective.
The first component calls for the COO and the CIO to increase their roles in
the AML compliance function because many of the areas of improvement are
within their domains.
The second calls for tailoring AML policies and procedures so that they are
globally consistent yet can be implemented effectively locally.
The third component calls for integration across operational areas, specifically
to the middle and back offices in a shared-services structure, to create
centralized hubs that manage many surveillance and due diligence activities.
The final component assigns specific, discrete AML responsibilities to core
functions within the enterprise that allow per-unit costs to be measured and
monitored. These responsibilities include:
Front office: The front office retains ownership of the customer and continues
to on-board customers, as well as conduct initial risk assessments, event-driven
reviews and periodic customer reviews, and collect relevant customer
due diligence and enhanced due diligence information. These functions are
well aligned with front-office expertise, which is focused on customers and
products.
Middle office: A gatekeeping function sits “centralized” in the middle office
to help drive efficiency and consistency of policy application. The middle
office enforces the institution’s Know Your Customer (KYC) strategy, which
includes customer acceptance policies; quality assurance of static customer
information; integration of comprehensive customer risk assessments across
lines of business, products and services; and monitoring of front-office
customer review compliance.
Back office: The back office houses both the AML transaction surveillance
and case management functions, which together make up the financial
intelligence unit (FIU). The FIU provides one dynamic picture of customer
activities, enabling the institution to monitor and investigate unusual activity at
the customer level and gain insight into the overall activity and behavior of the
customer across all business lines and products. The FIU and the KYC strategies
operate in tandem to provide a holistic view of the customer’s AML risk.
AML compliance: AML compliance sets and modifies compliance guidelines
and policies based on international, domestic, industry, third-party and internal
requirements. The AML compliance team is responsible for resolving AML
issues escalated from the middle office customer due diligence function and/
or the FIU as well as making regulatory reporting filing decisions.
IT: IT owns and operates relevant compliance technologies and helps drive
efficiency by identifying, categorizing, evaluating and consolidating redundant
systems. IT staff members participate in the process of deciding when new systems should be implemented or when existing systems should be leveraged.
Integration challenges
• Customer relationship ownership when
the customer has accounts that exist
across lines of business, etc.
• Multiple entry points for customer
information (e.g. multiple business lines,
internet vs. branch network, third party
agents/brokers, etc.)
• Organizational and global complexity
• Certain AML compliance practices
vary by line of business, regions, and
geographies
• Cross-border data sharing due to local
data security laws
• Operating and integrating with local
privacy laws, including bank secrecy
jurisdictions
• Resource and skill set availability at the
corporate, region, and local levels
Implications
To achieve sustainable AML operations, we recommend the following five-step approach:
1. Shift AML oversight responsibility to a senior risk management task
force that includes both local and global compliance, risk management,
operations and IT representatives. Include a feedback channel for line of
business inputs.
2. Perform an initial “health check,” or diagnostic review of AML operations,
to provide a snapshot view of current operations and to identify key risks,
costs and improvement opportunities. Based on the results of the health
check, develop a cost-and-efficiency business case.
3. Using the health check as a guide and leveraging existing analysis and
documentation, assess the current state of the AML compliance function
across principles and levers. Perform the following actions:
• Identify applicable AML global policies, key regulatory requirements,
commitments made to regulatory examiners and internal auditors
related to customer due diligence and customer risk assessment for
widely varying customer types—from individuals to multinationals.
• Analyze the quality and quantity of people and processes in corporate
and in each line of business, including current account opening
processes and activities, transaction surveillance and case management
activities (acceptance and information collection methodologies,
tools and techniques, roles and responsibilities, risk tolerance, issues
tracking, reporting, etc.).
• Take inventory of current AML compliance technology.
• Organize requirements by type of customer, product, industry of
business or wealth of customer, rather than by business unit.
• Review, assess and prioritize key commonality and differentiator
requirements between the various AML functions.
• Evaluate and define integration opportunities.
4. Develop an AML compliance global strategy, future-state vision and
implementation plan to meet the institution’s global standards and risk
tolerance, local regulatory requirements and industry standards. This
strategy must take into consideration all lines of business, products
and services, as well as the institution’s customer base, and include the
following activities:
• Define the desired operating model using key differentiators and
integration mechanisms (e.g., creating hubs uniting critical enterprise
capabilities across multiple geographies, taking into account local data
privacy laws and cost structures) and other common AML integration
components as a foundation.
• Evaluate technology options focusing on systems that can adapt to the
unique needs of each line of business as well as to new and changing
local regulatory requirements.
• Define pre- and post-implementation quality assurance standards.
• Design new or leverage existing governance processes for the
acquisition of new AML compliance technologies.
• Develop a communication and training plan within consolidated
functions and across business units.
• Identify key activities/controls and establish metrics for continuous
monitoring and improvement (e.g., account rejection that is proportional
to the risk tolerance of the institution).
• Determine change management requirements such as staffing and
training needs to support the new organization.
5. Integrate redesigned operating functions incrementally through a four-phased
approach, beginning with the phase appropriate to the current
state of the bank’s systems and processes.
Phase One: Enhance—Roll out centralized KYC people and process
functions to the middle office using manual processes to address
immediate issues without major technology enhancements. Conduct an
AML risk reassessment on existing customers.
Phase Two: Expand—Pilot the future-state model. Roll out centralized KYC
technology and information to a select number of lines of business. This
technology should be an improvement to manual compliance processes that
already exist in the front office.
Phase Three: Standardize—Roll out centralized KYC technology and information
across all lines of business and geographies using a risk-based approach to
focus efforts on key areas first. Deploy consolidated FIU capability
leveraging the “single view” of the customer created by the middle-office
gatekeeping function. Integrate within and across lines of business.
Phase Four: Maximize—Integrate centralized people, process, information and
technology functions with other institution-wide initiatives, e.g., KYC with
the customer relationship management initiative or the FIU with the
anti-fraud and financial crime function.
[Figure: Integrated global AML program (policies & procedures). Labels: KYC client lifecycle; AML lifecycle; new client take on (NCTO); event-driven review (EDR); periodic review (PR); client exit; existing client remediation; transaction monitoring; client screening; document life cycle management; data and process governance; quality assurance; management information; client ownership; integrated global KYC technology; centralized supporting organization. Lines of business: retail banking, online banking, insurance, wholesale. Business regions: Asia/Pacific, South America, North America, Europe.]
Every organization is at a different level of
operational sustainability. PwC can help
determine your organization’s current state
by performing our AML health check. We can
quickly and cost-effectively provide basic
quantitative reports that provide a high-level
traffic-light representation of AML operations
against industry practices, your organization’s
risk tolerance and optimal state.
A look forward
Cost and risk are obvious key measures in the determination of the
effectiveness of the AML operating model. However, there are less obvious
measures of success as well.
Consider the benefits to the compliance function. As banks become more
diverse and global, this model can adapt. It is not fixed. This gives compliance
the ability to react quickly to changes in laws and regulations. And since
compliance can more easily assess risk before products go live, Product
Management benefits because those products can be brought to market more
quickly and can give a distinct competitive advantage to the organization.
Positive effects of truly knowing your
customer
• Sales: Improved cross-selling
• Marketing: Improved product targeting
• Customer service: Improved retention rate
• Finance: Increased profit potential
• Operations: Better channel alignment
The impact to the sales force is also significant. Rather than having to go to
multiple sources, account officers and/or relationship managers can share one
view of customers. This facilitates a cross-line of service and cross-border view
of client relationships and improves the ability to service those customers.
The customer experience improves as well. The KYC model creates
consistency for customers regardless of where they are opening the
account—whether local or international. Instead, the distinguishing factors of
the model are based on customer type, product, geography and anticipated
activity. For example, a student domiciled in a high risk jurisdiction opening
and depositing $500,000 in cash into a U.S. checking account is handled
differently by the model compared with a long standing customer domiciled in
a low risk jurisdiction opening a $10,000 time deposit in a Canadian account.
All of these corollary benefits contribute to the overall business. Measuring,
understanding and managing customer performance are key factors to
business success. The integrated AML operating model sets the stage not
only to reduce risk and costs, but also to attain business value from the AML
function by recognizing and understanding the true costs and benefits of
customer relationships. The result is to Truly Know Your Customer (TKYC).
With an increasingly complex and fast-paced business environment,
institutions must act now to build a sustainable AML operation that enables
them to properly balance cost with risk. This can be accomplished by
leveraging enterprise efficiencies. The principles-based framework, the
common AML integration components and the five implementation steps
provide the means to achieve this goal incrementally and allow companies
to move toward integration at a speed that matches their unique needs, risks
and geographies.
Contacts
We encourage you to contact any of our subject matter professionals
for more information on sustainable anti-money laundering operations.
John Campbell, Principal, AML Practice Leader, (646) 471-7120
Damian Kalinowski, (314) 206-8013
Jeff Lavine, (703) 918-1379
Monique Maranto, (410) 404-1905
Bruce Roland, (410) 659-3310
Cathy Stahlmann, (305) 375-6345
Deven Swim, (617) 530-7875
Sean Wilhelm, (312) 298-5759
Thomas Messina, (646) 471-4757
pwc.com
© 2008 PricewaterhouseCoopers LLP. All rights reserved. “PricewaterhouseCoopers” refers to
PricewaterhouseCoopers LLP (a Delaware limited liability partnership) or, as the context requires, the
PricewaterhouseCoopers global network or other member firms of the network, each of which is a
separate and independent legal entity. *connectedthinking is trademark of PricewaterhouseCoopers
LLP (US). MC-NY-08-0556-A. TP.