AML risk assessment to monitoring rules...don't be too late!
In this piece I would like to emphasise the importance of linking your risk assessments to what you monitor. Unless these two work in sync, you risk being exposed.
Abhishek Dwivedi
9/23/2021 · 5 min read


More and more banks are “finally” linking their risk assessments to monitoring rules, an exercise which is being mandated by the regulators. If you are reading this piece and not doing so, now is a good time to give it some thought, as it’s the new fancy thing everyone is talking about. You may wonder why I am being a bit sarcastic about this. Let me be clear upfront that I completely support this process, but not so much how several banks are performing this exercise 😉
The Why


Let’s start with the basics. In the good old days (which is also the current way of working at many banks), banks would make a professional judgement about what kind of risks they are exposed to, draft some monitoring rules (or in many cases rely on the vendor to offer out-of-the-box rules) and implement them. And life goes on. The risk of this approach was the common belief that current accounts (or payment accounts) hold the maximum risk and hence monitoring rules should be focused on them. The rest of the products relied on manual controls (on a side note, this is one of the reasons you will see that the majority of Transaction Monitoring solutions are still current account focused). This approach did help, but not to the extent it should have. The primary reason is that there are far more risks with other products (e.g. loans, TCF, guarantees etc.) and manual controls are not always sufficient. The regulators started taking this seriously as well, so that banks follow a proper structure and have a rationale for why they have certain monitoring rules, and not just professional judgement. This also makes the evaluations easier. The ultimate objective is that we close the “hidden” loopholes as soon as possible and do not have a false sense of satisfaction that everything is fine.


The challenge
This new way of working is indeed challenging because banks now have to take their existing risk assessment process (or maybe define one from scratch) and adapt it in such a way that the risks can be easily linked to monitoring rules. Several banks across the board took up this challenge and set up different risk assessment teams, identifying risks, then discussing with the businesses (for controls in place) and finally defining post-fact monitoring rules. As each bank may have a different product suite as well as customer base, the process can take a bit longer than expected. However, the challenge is: do these monitoring scenarios get put in place sooner, or do they end up like a soap opera saga where even after a few years you are running a backlog? This is the reason I emphasized the word “define” earlier.
Just defining what has to be done does not solve the problem. You are still running a risk because you have vulnerabilities which have not been addressed. Moreover, whenever you have your next regulatory visit, the regulator will assess how far you are with this backlog. If you are not able to demonstrate significant progress (even after a long time), you are in deep trouble. This brings me to the core issue. The sole purpose of the exercise (risk to monitoring rules) is to get back control and close the loose ends. What these vulnerable banks (yours can be one of them too) end up doing is exposing the problem (which is good) but not doing anything tangible about it. This has to be solved as soon as possible. The extended delay also has a negative influence on the teams performing your risk assessments. This exercise has to be performed periodically (ideally every year), but if you are not able to close the gaps (or any gaps) in a time-frame of one year or so, you leave your risk assessment team frustrated and hung out to dry.


The solution
If you have been following my articles, you know that I don’t just highlight a problem, but also try to present opportunities to solve your problems. If you are facing this challenge or you expect to face it in the near future, first and foremost you need to box the problem. What I have seen in most cases is that once the task of defining the monitoring rules is done, your implementation team may be left out in the open to interpret them on their own. As I have highlighted in my other article (regarding AML rule builders), you will have to get your rule builders and the assessment teams together and have them work closely with each other. The implementation team should understand the full scope of the “what” part and get full clarity on what it is that you want to achieve. Once that is done, let the rule builders use their expertise to develop, giving them freedom on the “how” part. If you break this important silo, your backlog will be addressed much quicker.
Another major aspect is the technology part. Traditionally banks are not open to new technologies, or I must say prefer technologies available in-house. In today’s day and age, you need to leverage the best (and trusted) available technologies to solve your problems. You cannot and should not rely on manual solutions for every problem. For example, if one of the potential rules is to trigger an alert on a changing company structure whenever a trust with majority shareholding pops up, I have seen more often than not that a whole team is dedicated to building such a solution. Stop this exercise and find a smart Fintech who can do it for you (and as a bonus, will keep on evolving to bring new insights, as that is their core business!). You can better use your resources to integrate and develop low-hanging fruits with better results.
Last but not least, many controls can be put in place by just educating the front line. You don’t need to automate everything. Explore opportunities where you can put a better control in place (e.g. update the user instructions for day-to-day operations). You can introduce a four-eye check or regular training/feedback sessions to monitor the progress. This will not only help in making your first line staff aware, but also make them responsible for doing the right thing!
Conclusion
You may have heard the phrase “justice delayed is justice denied”. The same applies here. Having the right intention can only take you so far. You/your bank will have to get your house in order so that the core purpose of this exercise (risk assessment to monitoring rules) is achieved and it does not end up as a never-ending project with no deadline…
