The pace of business, technological and regulatory change is rapid, meaning any compliance program and platform can quickly become obsolete if not regularly evaluated against a set of current and future requirements. Failure to adapt can result in significant financial and reputational harm — and could in extreme circumstances be an existential threat.
“Know Your Customer” (KYC) and anti-money laundering regulations are intended to protect financial institutions against fraud, corruption, money laundering and terrorist financing. Businesses must establish the identity of a customer, gain assurance that the source of a customer’s funds is legitimate, and screen transactions to remain confident customers are not conducting transactions that put the organization at risk.
However, a variety of factors can undermine a program's effectiveness over time, and the right approach will likely change with them. It behooves banks to regularly consider whether their current KYC and AML approach is appropriate now and whether it will remain appropriate. For many financial services companies, this moment comes as growth begins to accelerate and the solution they implemented as an immature startup comes under strain.
What could cause our organization’s AML program to become less effective?
Factors that drive businesses to reassess whether their AML compliance program is still fit for purpose include:
Rapid business growth. A compliance program designed to handle dozens of new customers each day will likely not scale to handle exponential growth in new customers each day. Likewise, early-stage startups regularly innovate and introduce new products and services or pivot away from older offerings to attract business, but the program may not easily be able to capture and process risk data for these new business lines.
Technological change. A compliance team that is not working closely with the information technology team may quickly find itself out of step with the technology it relies upon. As companies change to cloud-first architectures, the compliance platform may no longer work as intended. Some organizations may merge with, or acquire, other businesses meaning compliance data must be gathered from legacy networks that may run on very different architectures.
Technological advancement. The swift adoption of artificial intelligence by platform providers as a force multiplier to internal compliance teams might present opportunities for compliance teams to work in ways that were not possible when the existing program was implemented. Longer-term cost and time savings may quickly outweigh short-term investment and disruption.
Availability of expertise and resources. AML programs are often implemented at startups before full-time expertise is available on staff. While external expertise may be enough to get a program off the ground, optimizing a program for the longer term may require a chief compliance officer and other experienced professionals who understand the exact requirements and have a broader view of managing risk.
Regulatory changes. Financial services companies with an international footprint will find themselves having to keep abreast of an ever-growing set of global AML and KYC rules. Larger banks with more mature programs may easily be able to respond to remain in compliance, but those companies with less mature programs may initially struggle to adapt.
Many businesses will only realize a solution is not fit for purpose when an independent audit finds faults, or worse, regulatory action is taken following an investigation. While the latter is more damaging, both can be costly and are avoidable.
How does an organization assess whether its AML compliance program is still fit for purpose?
Regardless of the specific regulator, businesses subject to AML regulations must perform — and be able to demonstrate they are performing — a number of key compliance activities in a repeatable manner. These include, but are not limited to:
- Testing and auditing of the program;
- Implementation of robust policies and controls;
- Ongoing monitoring of transactions;
- Conducting and updating risk assessments, and
- Providing relevant training to staff.
Sponsorship from a senior leader is also critical.
If any of these integral parts of the compliance program are not working, immediate attention should be directed towards fixes. However, it is unlikely issues within individual component processes mean the whole program is broken. The issue most likely to cause concern is either significant weaknesses in the platform used to conduct onboarding and screening or doubts about the quality of the data used to screen against.
There are two technology platform approaches to consider. First, the option that most companies opt for: buy a solution. The second approach which some smaller startups favor, especially if the cost of a dedicated solution does not seem appropriate and engineering expertise is readily available, is to develop a homegrown platform.
Building an internal platform is oftentimes a short-term solution, at best. Companies quickly outgrow the basic functionality, and many will find the IT support for managing the platform inadequate, especially in a fast-growing business with competing priorities. With the penalties for failure so high, this is not an area where the business should seek to cut corners.
Some companies may also opt to save money and compile the lists of politically exposed people as defined by the Financial Action Task Force, and sanctioned individuals and entities internally. This too is a false economy. The data exists in hundreds of separate lists published on an ad hoc basis by hundreds of separate agencies in different formats and different languages. The data may need reformatting and lists frequently contain mistakes, meaning data is not reliable without having first been cleaned and checked by experts.
The decision for most companies will be which platform to deploy. This becomes a more complex decision given the current market saturation of platform vendors and competing claims of ‘revolutionary’ artificial intelligence integration. To move forward and understand the best approach for your organization, there are four key areas to consider: the business and regulatory requirements; integration and scalability of the solution; the quality of data; and the resources available to make the program a success.
1. What business and regulatory requirements is the organization subject to?
A compliance program must be customized to the needs and challenges of each company, which requires the business to understand not only the regulatory obligations and risks it faces now, but also how future products and services could alter that assessment.
Further, growth in the projected number of customers will inform the possible volume of screening that must be done, which in turn will allow decision makers to plan resources. This requires engagement with stakeholders far beyond simply the legal, risk and compliance teams; sales and marketing, strategy, and IT will have information to guide the decisions. Will new products and services result in new or increased risks that must be factored into risk assessments?
An increased global footprint will significantly impact compliance requirements. Organizations should consult with external legal specialists on current and expected changes in the regulatory landscape around the world with a particular focus on where the company does business now and may do business in the future. This ensures the requirements capture process takes account of all the possible regulations the company will be subject to and establishes the baseline set of requirements, though stakeholders must prepare for increased regulatory scrutiny and design a system that is sufficiently able to expand and contract as needed.
At this stage, the project team should also consult with internal privacy and cybersecurity leaders to capture their requirements and align with their expectations. For example, what personal data will need to be shared to screen a payment? Will data on European citizens need to be processed in the U.S., or vice versa, which could create legal issues around data transfers? Will the data or platform provider be able to see personal details of clients being screened? Is the provider Service Organization Control (SOC) 2 compliant, and what does their most recent audit cover?
2. How will a solution integrate into the existing technology stack and scale with the business?
Seamless integration with the existing technology stack — the tools and applications the organization uses to do business — is essential for long-term program success. As such, stakeholders must take the information technology strategy into consideration to futureproof any investment in a compliance platform.
Businesses can integrate solutions into existing systems and workflows using two main processing technologies: APIs and batch processing. APIs are essential for real-time decision-making processes, such as customer onboarding in fintech companies. They offer scalability and seamless workflow integration, although they require some degree of customization which the vendor may or may not be able to assist with.
Batch processing, on the other hand, is ideal for updating and monitoring large volumes of customer data at scheduled intervals. It allows for continuous customer risk monitoring without user interaction. Depending on the requirements of the business, one solution may suffice, though many organizations will have a requirement for both.
Decision-makers should discuss not only how any solution can scale to grow alongside the business, but also how the solution will evolve over time. Does the provider plan to introduce more AI capabilities or new features that could improve productivity and potentially also introduce new cybersecurity risks that the organization may not be comfortable with?
3. How can data quality be evaluated?
Regardless of how well the platform performs, organizations must screen against the best possible data to avoid both false positives, which can be time consuming and lead to customer and staff frustration, and false negatives, which could lead to the organization doing business with high-risk individuals that ends up damaging the company.
Organizations typically subscribe to a data feed either as part of the platform package or a platform-agnostic feed. Data must meet four criteria:
- The data must cover the areas that the organization wants to screen against, which likely includes risks such as AML, anti-bribery and corruption, and sanctioned individuals and entities.
- The data must be accurate and only include those individuals that meet the criteria for being recorded. Screening databases regularly contain several million names and removing old profiles is just as important as adding new ones if the system is to run efficiently.
- The data must be complete and include all of the individual’s details allowing the name matching technology to make a positive match and to rule out as many false positives as possible.
- The data must be timely. The latest updates from dozens of lists issued by agencies around the world must be processed quickly to avoid the risk of doing business with an individual or entity that was recently added to a list.
Some data providers will provide third-party assurance reports that speak to the quality of their data. Decision-makers should also look for service-level commitments, such as updates being made within one business day of changes and, as a minimum, skilled human analysts being ‘in the loop’ to verify that automated systems and AI have acted as expected and correctly handled language translation and name-matching complexities.
4. To what extent is the organization comfortable implementing AI solutions?
Compliance leaders should not expect AI to solve all their AML compliance problems. Though AI-powered solutions promise to increase the accuracy and efficiency of identifying financial crime risk, which may be very attractive to organizations seeking to reduce their compliance-related expenses, AI is still relatively immature and far from foolproof.
In the short term, additional human expertise may be required both to fine-tune AI systems and to check that the decisions the AI is making are in line with expectations. Operators need to try to understand why the AI takes certain courses of action, and to be assured that the outcomes of decisions are free from bias. This process, though time consuming, is critical because regulators could require the compliance leader to explain why certain decisions were made and defend the result. As AI becomes more widespread in compliance, regulators will likely home in on areas of common weakness.
Ultimately, the quality of the data will be a key factor in the quality of the AI-driven output and indeed, any AML program; the old adage “garbage in, garbage out” still holds true.
5. What is the best solution for our organization?
There simply is no one-size-fits-all solution for AML compliance. Variables in the organization’s size, access to human and technical resources, the company’s existing technology stack and future strategic direction mean even two businesses that appear similar from the outside may opt for quite different solutions.
The key is to regularly ask whether the current solution is fit for purpose now and whether it will likely still be fit for purpose in 12 months or more. That question is quick and painless to ask. However, the process of collecting requirements, evaluating options and conducting trials, selecting a new platform and potentially a new data supplier at the same time, and then installing and fine-tuning a solution can easily take six to nine months. If the compliance team is not aligned with the wider business-growth strategy, it can easily be wrong-footed.
Rob Sloan is VP, cybersecurity advocacy, at Zscaler. Prior to joining Zscaler, Rob was research director at WSJ Pro for The Wall Street Journal. Rob joined Dow Jones in 2014 and spent several years with the Risk and Compliance product team, where he gained his Certified Anti-Money Laundering Specialist qualification, before moving to the WSJ newsroom to develop and lead the WSJ Pro Research team. Before that, Rob worked as response director for a specialist IT security consultancy in London, where he built a team focused on detecting, investigating and protecting against cyber intrusions and responding to incidents. Rob started his career working for the U.K. government, looking at some of the earliest state-sponsored cyberattacks against the critical national infrastructure.