There was a time when having an effective anti-money laundering (AML) compliance program meant little more than filing Currency Transaction Reports and the occasional Criminal Referral Form, the predecessor to a Suspicious Activity Report (SAR), if you happened to identify unusual transactions. Few current AML practitioners likely remember those days.
Maintaining an effective AML compliance program today requires so much more: robust engagement with and by senior management and the Board of Directors; multi-disciplined compliance personnel; proactive identification of the risks posed by customers, products/services and geographies; dynamic risk mitigation strategies; the use and upkeep of increasingly sophisticated technologies; and ongoing credible challenge from the second and third lines of defense to ensure that the compliance program aligns with industry practice and regulatory expectations and that the risks assumed are within established risk tolerances. Incorporating all of these considerations and more into the design and maintenance of an effective AML compliance program can be a daunting task and generally raises many questions about what’s really expected of organizations and how they should carry out their responsibilities.[1] The following explores three of these questions, with a particular focus on the roles of the Board of Directors and senior management.
How Does Governance Affect the Success of the Program?
It goes without saying that “tone at the top” is critical to the success of any compliance effort, but only if the words of the Board of Directors and senior management are supported by their actions. Unless the organization is convinced of the commitment of the Board and senior management, there is the risk that the “tone at the middle,” which really drives day-to-day activities, will send a conflicting message about the importance of compliance and undermine – intentionally or inadvertently – the compliance effort.
Among the most impactful actions the Board and senior management can take to promote an effective AML compliance program are:
- Defining the organization’s AML risk appetite so that it is clear throughout the organization how much AML risk is acceptable.
- Monitoring changes in the organization’s risk profile and performance against stated tolerances.
- Ensuring that the AML Compliance Officer is positioned in the organization in a way that supports the importance of the role. This means establishing an appropriate reporting line and appropriate title. An AML Compliance Officer with an institutional title several levels below the Chief Compliance Officer may send the message that AML compliance is not as important as other types of compliance.
- Providing adequate resources – human and technological – to the AML compliance effort. More about this in the following section.
- Ensuring that the roles and responsibilities of all three lines of defense are clearly delineated.
- Requiring that performance evaluations and compensation decisions reinforce the message that the business, not AML compliance, owns the risk and is responsible for managing it.
In short, as with any other risk management discipline, the Board of Directors and senior management need to set the strategy, ensure there are adequate resources and clear authorities to execute the strategy, and monitor its execution.
How Do You Know You Have the Right People – and Enough of Them?
It is not unusual for a CEO, CRO or even a Board member to say “We always seem to be adding people to our AML compliance team. How will we know we have the right number?” Responding to that question requires answering several other questions, such as:
- Has the organization been adding staff to meet business as usual (BAU) needs or to address an enforcement action or other special project needs?
- Are data or systems challenges impeding the ability of staff to carry out their responsibilities?
- Do existing personnel have the skill sets and experience necessary to execute their responsibilities?
In the current environment, many financial institutions are dealing with enforcement actions or, at a minimum, examination criticisms that require them to upgrade their AML compliance programs. These remediation efforts create pressure on the AML compliance organization, often requiring so much attention and time that BAU activities may suffer as a result. Some institutions opt to bring in senior-level personnel with compliance or risk management experience from another part of the organization to manage remediation efforts, because these individuals can take a fresh, objective view of what needs to be done and because this approach allows the existing AML compliance team to focus on BAU. Regardless of the approach taken, directors and senior management of institutions facing large-scale remediation efforts should question how both the remediation effort and BAU activities are being managed.
Next to people, the largest costs associated with an AML compliance program relate to technology. Notwithstanding how much the industry has invested, and continues to invest, in enabling technology, it is not unusual for compliance personnel to spend inordinate amounts of time trying to retrieve and aggregate data from disparate systems, ensuring that existing systems are capturing all the appropriate data and devising manual workarounds because the technology currently in use is not robust enough for the products and services or customer-types served by the organization. Directors and senior management should understand how the AML compliance organization evaluates the adequacy of data and technology and should look for independent assessments from internal or external model validation resources or other such experts on the effectiveness and efficiency of the technology in use.
An effective AML compliance organization must be staffed with individuals with experience and knowledge of the legal and regulatory requirements; operations, including how the products and services offered by the organization can be used for money-laundering and terrorist financing; fraud and forensic techniques; and technology and data analytics. They – and especially the AML Compliance Officer – must also be able to engage effectively, stand their ground with the business and interact cooperatively with other constituents, such as legal and internal audit. Gaps in any of these skill areas are likely to impede the effectiveness of the compliance function.
When faced with a request for more resources or when trying to assess the adequacy of the existing staff, the CEO, CRO or Board member should first ask the AML Compliance Officer to provide a “staffing needs” assessment. This assessment, which should be periodically refreshed by the AML Compliance Officer and is increasingly being requested by regulators, should document the skill sets of the existing staff and where they spend their time, differentiating between BAU and remediation and special projects. Using measures that are both quantitative (e.g., empirically-derived information on how long it takes someone to review an alert or adjudicate a sanctions “hit”) and qualitative (e.g., intuitive judgment on where people would be expected to spend the most time), the “staffing needs” assessment should provide the support for the number of staff needed and why.
If additional staff are needed because of remediation efforts, consider seconding people from elsewhere in the organization or using temporary help, rather than hiring more full-time people who may not be required once the issues have been addressed. If additional staff are needed because of data and/or technology challenges, consider whether a plan is needed to improve technology and access to data in order to improve the efficiency of the compliance organization. If no one on the team has a solid understanding of technology or data analytics, consider upgrading the staff. Informed decisions will serve the organization far better in the long term than the oft-tempting desire to just add more resources.
How Do You Know When Things Aren’t Working?
Too often, Boards of Directors and senior management are surprised to learn from a regulator that their AML compliance program is deficient. Some argue that this happens because regulatory expectations keep changing, and there may be merit to that argument; however, often there are already telltale signs of cracks in the compliance program that would have been apparent if management reporting had included robust key performance indicators and key risk indicators. These would have revealed information such as the following:
- A number of aged, unfilled positions in the AML compliance department
- Increased turnover in the AML compliance department
- An increasing number of high-risk customers being on-boarded
- A growing number of existing customers with multiple SAR filings
- A backlog of alerts
- Aged examination or audit exceptions
Assuming the availability of data, a competent AML Compliance Officer should be expected to develop and maintain comprehensive Board and management reporting. If that is not happening, the Board and senior management should be asking why not.
Oversight by the Board of Directors and senior management is a vital component of a strong AML compliance program. There are many more questions to address, but knowing the answers to the three outlined above will go a long way to ensuring compliance success.
[1] For comprehensive coverage of the wide range of AML and sanctions-related questions facing financial institutions and other businesses, see Protiviti’s U.S. Guide to Anti-Money Laundering: Frequently Asked Questions, Sixth Edition, available at http://www.protiviti.com/AML.