How did we end up in this mess?

If your Bank/Financial Institution has been in an unfortunate situation where it ended up being fined by the regulators (specifically for AML/CFT issues), I can imagine this is the first question you might have been confronted with, by your Senior Management (Board member, C-level and the likes). If you are the lucky one whose Institution has not been fined yet, please be prepared to face the music :)

The reason for writing this post is to bring awareness about the fact that problems don't arise overnight. If you talk to the Senior Management, they almost always have a "pretty" picture about how great their organization is performing to control AML/CFT risks. They are not wrong from their perspective, because they only speak what they are informed about. It's a known fact that there are challenges, one way or another, in every FI. The important thing is how transparent you are in making these challenges visible to your internal organization. I am going to highlight a few pointers which will help you/your organization in limiting the overall damage you may face.

Transparency

As mentioned earlier, this is a very important aspect, be transparent about your current situation. As a Senior Management, you need to drive the organization towards transparency. What I always recommend is to at least understand the basics of each AML/CFT process so you are in a position to ask the right questions. This will show your willingness to engage and you will get inputs/feedback which will help you in realizing the gaps and take prompt action. On the other hand, if you are the one reporting to Senior Management, be open and honest. There is no point covering up some problems in hope that the next time you report, you will be able to solve them. A problem is a problem and should be highlighted as a problem. For example if you notice there is a significant delay in introducing Transaction Monitoring rules (because someone decided it should be a low priority), raise this to the senior most level. Such problems may look minor but collectively may lead you to point of no return and will become a big mess! I have seen this particular problem happen too many times and hence bringing it up. If everyone in the hierarchy is on the same page and understands the severity of your problems, it will help in collectively solving the critical ones which can eventually lead you in trouble. And guess what, when the regulators come knocking at your door, they have enough experience to start asking questions around your backlogs, priority queues etc. If you cannot demonstrate control and transparency, it's enough for them to start digging deeper.

Think long term

This is a very common problem I have encountered all my working life at Banks. I have generally been part of project teams, putting off one fire or another. However I have always made sure that any solution I recommend or implement, can continue for a long run. This is very important. Sometimes project teams have a tendency to solve an immediate problem and leave the rest for another team or a new project to pick it up. Such kind of attitude will always land you in trouble. Again taking the example of Transaction Monitoring (TM). Imagine you are connecting a country X to your TM solution. If the current mandate of the project team is to roll-out monitoring for Commercial Banking clients, I am 99% sure all the focus and energy will be put on connecting just the Commercial Banking clients. This is how project teams unknowingly limit themselves. No one will pay attention to think a bit of long term and explore possibility to connect all customer base from country X! Now try to understand the consequences. The regulator comes by and asks you the status of monitoring country X, you will have a hard time explaining why certain client segments were left out! Such things will end up in their end report and your Senior Management will keep on guessing why after setting up a great team to roll-out TM for all countries, some customer segments were left out... I hope you get the point.

Don't forget the complete chain

Financial Institutions have a big challenge, working in silos. This silo is not just among FI's but also within their own organization. I will try to explain with an example. A marketing campaign is run to attract as many foreign students as possible. The back-office team supports this initiative by making the onboarding process faster by being a bit lenient (e.g. assigning default risk to all such new customers; after all these are students so what is the issue). Now come down the chain and guess when will these customer be assessed again... at least after 3-4 years based on your risk appetite! Imagine, unless there is an adverse new media or a Transaction Monitoring (TM) alert on these clients, you will never have the opportunity to look back at these customers, just because default risk was assigned. Moreover your TM system will be lenient in monitoring such customers, again due to their default risk! This example does not come from thin air, but from the ABN AMRO fine where default risk was assigned to "mass retail" client base. Regulators took this very seriously and you know the rest. Hence before taking any decisions, please think from a AML/CFT risk perspective and the impact it may have on the full chain of controls.

Cannot outsmart regulators

I believe in a simple philosophy : If you find your problems yourself and highlight these to the regulators, they will appreciate and might help you in solving these problems. However if the regulators find out a problem, which you/your team was unaware you, then you have a BIG problem! You may have noticed that regulators are becoming more and more connected and are quickly catching-up with the tricks in the trade. They are no longer performing a tick in the box. If they find something interesting at Bank X, they will try to find out whether Bank Y is using the same best practices, if not, why not. They are setting the bar very high and evaluating Banks/FI's on the same high standards. I still remember sometime back when presenting documentary evidence was enough to convince the regulators, but not anymore. You will be surprised to know that a part of your organization may still believe to be in this stone age and may hamper your innovative ideas. You need to push back such roadblocks and bring innovations in. The last thing you want is the regulator sitting across the table and having more facts about your situation than you have!

I know this turned out to be a bit lengthy article, on the other hand it may have helped you understand there are always sequence of events which lead to your institution being in the news. If you start with at least a few of the pointers I have suggested, it will go a long way in bringing back confidence and potentially avoid your institution in getting a huge regulatory fine in future!