The struggles financial institutions face when it comes to compliance are nothing new. And while technology is often billed as a clarifying force, that magic bullet remains elusive. Napier’s Aidan Houlihan discusses how the Russian invasion of Ukraine casts a spotlight on the stopgap solutions firms have relied on for far too long.
For many years, banks have been struggling to meet compliance challenges, and current technology solutions have so far only added to their compliance costs and frustrations.
Financial institutions globally spend more than $214 billion each year, according to research by LexisNexis, on financial crime compliance. But existing compliance solutions often over-promise and under-deliver, having been built on outdated technology that doesn’t stand up to the demands banks face today.
The promises of new technologies and efficiencies have increased frustrations, costs, and team sizes for banks. Especially for the business managers and the compliance and Bank Secrecy Act (BSA) officers within these banks, all of whom are genuinely committed to meeting — and exceeding — regulatory requirements.
It’s time for next-generation platforms to step in. Financial institutions need solutions that provide transparency, are cloud-native and can be deployed in a matter of months. The current unfeasibly long implementations that bear eye-watering costs and don’t deliver without continued, further significant investment are no longer palatable to all involved. Proactively investing in next-generation compliance and risk management is the only way forward if costs are to be managed and progress is to be made, as legacy platforms are simply no longer fit for purpose. We’ve seen this firsthand with the struggle around the Russian sanctions, which effectively came in overnight and presented an enormous burden to institutions that were obligated to implement them immediately.
In the months since Russia invaded Ukraine, a spotlight has been cast on complications related to sanctions and ultimate beneficial ownership, Know Your Customer (KYC) and transaction screening. These are significant issues that have been repeatedly overlooked or received only stopgap solutions, a method of patchworked problem-solving that is no longer tenable in today’s landscape.
Previous failures in addressing these concerns have had tremendous consequences, as evidenced by fines (which exceeded $14 billion in 2020, according to a 2021 Norton Rose Fulbright survey) for sanctions breaches and penalties for poor controls against money laundering. With the conflict in Ukraine, financial institutions again face significant potential penalties should they fail to react appropriately and rapidly.
Since the invasion began, governments have enacted thousands of sanctions against Russia, making it the current most sanctioned country on the planet. According to the Brookings Institution, about 6,100 global sanctions were mandated against Russia through April 25, with about 920 coming from the United States specifically. Financial institutions, with little warning or guidance, have been left to sort through what these sanctions mean for their business and how they ought to be implemented.
The crucial role that chief compliance officers and their broader teams play in addressing financial risk and crime has only been amplified by these sanctions. If they fail to adapt, they face the risk of significant fines and reputational damage for their organization. Even without taking the additional pressure of current events into account, second-generation software is not effective or efficient enough for conducting customer reviews.
Institutions typically use a review cycle based on pre-set risk classification criteria. Under this framework, the largest financial organizations can conduct approximately 118,500 KYC reviews and dedicate about 1.3 million human work hours to this task in a single financial year, with employees manually investigating disparate and siloed datasets.
This is where resources are being wasted and companies are struggling with uneconomical and unproductive methods to carry out even the most straightforward customer reviews. It is telling that these reviews often make up less than 2 percent of the KYC checks processed.
In short, the resources currently being dedicated to outdated processes are disproportionate to the outcomes. Significant operational inefficiencies potentially keep AML officers from pursuing other value-adding activities, such as improving customer onboarding and dedicating more time to complex investigations.
More importantly, the sheer volume of data being processed on a continuous basis lends itself to large volumes of errors and inconsistencies in the quality control of critical KYC reviews, increasing the AML and financial crime risk for companies. I believe that perpetual AML ought to be standard across the board for compliance teams. This will allow for real-time risk management and there is compelling evidence all around to support the need for this proactive approach to risk.
Look no further than the Archegos fallout for an example: A family office typically classified as a “low-risk” customer escaped detection between review periods when its activity changed, leading to massive fines and reputational damage for one of the world’s largest banks, which failed to notice the signs.
Now, institutions are rapidly evaluating their holdings from top to bottom in the face of complex sanctions, even those with no direct exposure to Russia could face consequences for unknowingly facilitating money transfers for sanctioned entities. Truthfully, it may take years for the consequences of Russia-related compliance failures to reveal themselves. However, history often repeats itself, so we could look to incidents of sanctions violations from recent years, where millions — even billions — in fines have been levied.
This is not to say the sky is falling in. The Russian invasion offers banking executives an opportunity to recognize where the future of compliance is headed and move toward it.
After all, financial crime compliance regulations are only increasing in complexity, scale, and quantity every year. Procedures implemented under the Bank Secrecy Act require ongoing reviews, and other regulators globally will only increasingly adopt similar mandates.
Regulators are also becoming increasingly unimpressed by the performance of existing compliance platforms, especially those that enjoy a perceived reputation as industry standard-setters but fail to live up to that prestige.
The writing is on the wall. With technology constantly evolving and an inconsistent regulatory landscape across an ever more connected global market to keep up with, banks must implement perpetual AML and client activity reviews if they are to protect themselves both now and in the future.
These are not wholesale changes but do require institutions to take a proactive approach to compliance, continuously monitoring their customers by switching from periodic KYC reviews to those triggered by suspicious customer behavior. In doing so, organizations significantly mitigate the risk of criminal activity going undetected for months or even years, and are better equipped to adjust to market-disrupting events like those we’ve seen over the past few years.
One encouraging sign is that companies have begun shifting toward more dedicated compliance functions, according to the Norton Rose Fulbright survey. The report, which gathered responses from 375 financial institutions across 77 global jurisdictions, found that 74 percent of compliance and risk management professionals anticipate an increase in their AML and sanctions compliance-related spending. However, most of those costs are associated with increasing headcount. In order to truly maximize budgets, talent and efficiency, companies must also deploy effective technological tools to support their compliance efforts.
Another positive shift is the U.S. Treasury’s recent work with law enforcement, the Securities and Exchange Commission and the Financial Industry Regulatory Authority to improve its visibility into the financial sector and better understand how sanctioned and corrupt Russian oligarchs use various connections, identities, accounts and financial institutions to hide their assets. This kind of collaboration across sectors, private and public, is important to highlight vulnerabilities in the system and ultimately close them against corruption.
These large-scale industry shifts will not happen overnight, but current global sanctions have painted a clear picture of the crucial role that compliance teams play and will continue to play at the world’s largest banks and financial institutions. But, with some renewed clarity, my hope is that the financial industry approaches the fight against financial crime armed with solutions that deliver on that immense $214 billion investment and recover more than the current $20 billion (<1 percent of global illicit financial flows) in illicit funds.