Strengthening Compliance with AML-as-a-Service

A Tectonic Shift in Operating Models?

Financial services has always been a heavily regulated industry. And while anti-money laundering and counter-terrorist financing regulations are getting more stringent by the day, financial criminals continue to find ways to bypass the strict monitoring rules employed by banks. Banks face increased regulatory scrutiny, heavy fines for compliance breaches and reputational harm in the event of a breach – all factors driving banks to invest significantly in strengthening their anti-money laundering (AML) platforms and processes, oversight and reporting.

As regulators across the globe are trying to enact rules to curb complex money laundering and terrorist financing that use the banking and financial services systems, banks have been trying to keep pace with these new regulations by implementing the same in their AML compliance platforms and processes – an uphill task in an extremely dynamic regulatory environment. No wonder then that demand for sophisticated AML solutions has been on the rise while banks are also exploring new strategies and operating models to achieve better compliance with reduced CAPEX (capital expenditure) and overall compliance management costs.

From Self-Run to Managed Services Model: A Paradigm Shift

Over the last few years, banks have been witnessing the emergence of the managed services, or “as a service” operating model. Service providers are now bundling the “3P’s” – platforms, processes and people – to deliver banking operations in a well-packaged format. From loan origination to cybersecurity, card services and fraud risk management, the vendors promise to provide the technology, including the applications required to run the functions, manage all enhancements required to these systems (periodically or on an ad hoc basis) and also handle the hosting platform (cloud, on-premises and so on). They promise to run the operations as per the banks’ defined processes while also taking the responsibility of staffing, skilling and training their workforce for these operations per the banks’ standards.

AML is a critical and sensitive function with far-reaching regulatory impact, and banks have always taken extra effort and caution in every aspect of this compliance – be it in terms of building or buying the best-in-class AML platform for superior transaction monitoring, streamlining processes and workflows for effective customer due diligence (CDD) and alerts investigation or continuously training their AML compliance workforce on every new regulation (and changes to existing ones) to prevent slippage in the manual activities involved in these processes.

In AML compliance, while the critical and sensitive operations (e.g. transaction monitoring, sanctions screening, alert investigation, SAR and other report filing) have always remained with the banks, the other routine back-office functions, such as new customer onboarding, documentation, KYC data modification and remediation, were shipped out to their BPO vendors. However, the overall governance and oversight of the bank’s AML IT systems, processes and operations, as well as the IT infrastructure for such operations, remained in the banks’ charge. But now as the “AML-as-a-Service” model has started evolving, this is set to change. Banks are looking at strengthening their AML compliance programs while achieving cost optimization by migrating to this managed services model.

Business Drivers for Banks to Adopt AML-as-a-Service Model

The AML compliance function in banks has been witnessing rapid regulatory enhancements, with new rules being enforced at frequent intervals for increased scrutiny. Take, for example, the enactment of NYS DFS Part 504 AML rule – published in June 2016 and effective in January 2017, with the first AML certification by banks due in April 2018 – and FinCEN’s new beneficial ownership rule issued in May 2016 and effective in May 2018.

On one hand, such developments increase the compliance activity volume in banks; on the other hand, they necessarily involve additional technology costs in order to upgrade the existing systems so that they comply with the new regulations. Large amounts are invested as CAPEX to install state-of-the-art technology platforms, which then require continuous enhancements to meet the regulatory obligations within the target timelines. Because AML is a non-revenue-generating yet mandatory compliance function, funds need to be diverted from other revenue-generating functions toward AML platform maintenance, as expenses for the latter cannot be deferred due to timeline pressures. To add to that, banks continuously grapple with resource challenges due to a shortage of skilled AML staff and the constant training needs for the existing AML staff with every regulatory change.

The emerging AML-as-a-Service model promises to help banks resolve some of these issues; vendors offer the 3P bundled services in this new domain, which has so far been insulated from the managed services operating model. The package brings a bundle of benefits for banks, too:

• Large investments are required in implementing or upgrading AML technology platforms in the form of huge CAPEX budgets with C-level approvals. The managed services model reduces such CAPEX, as no upfront investment in the whole range of technology platforms is necessitated, resulting in cost optimization.
• AML IT transformation involves a long procurement and implementation cycle. However, the “pay as you go” model for the bundled services requires no major procurement or implementation, thereby reducing this cycle time.
• AML IT platform maintenance requires huge allocation of resources (e.g., annual license fees, system enhancements around changing compliance regulations and so on). The managed services model does away with annual license fees payment, and no platform or process maintenance is required by banks, as it is taken care of by the service providers.
• New AML regulations bring forth increasing complexities in the compliance processes, which are mostly manual in banks. But when AML operations are managed by vendors, they take charge of enhancing processes to cover changing regulations, albeit post validation by the banks.
• Lack of sufficiently skilled resources for handling AML operations is a major challenge for most banks. The managed service model shifts the responsibility of staffing AML operations, training and skilling resources from banks to vendors.

Treading a New Path: Challenges and Considerations

The merits of AML-as-a-Service are being viewed with mixed feelings by the banking industry. Some banks are extolling the anticipated benefits and planning to run pilots for a few select functions within AML in this model. This would give them a chance to compare the efficiency and effectiveness of their current AML compliance model with that of the managed services model. But several other banks are wary about completely handing over a regulatory function to third-party vendors, as any breach of AML compliance can lead to serious consequences – from heavy penalties for banks to bank closures in the gravest cases.

While strategizing on whether an AML function can be transitioned to the “as-a-service” model, one must consider certain factors. For example:

• How sensitive is that particular function as far as regulatory compliance is concerned?
• To what extent does the failure of this operation impact the bank from a risk and regulatory perspective?
• What is the level of domain and technical specialization required in terms of staff expertise? and so on.

If the answer to all these questions is low to medium, then that function may be a candidate for managed services. Moreover, rather than going for a full-fledged transition from self-managed to vendor-managed AML compliance, a prudent strategy would be to run pilots for the identified functions with options to make corrections to the model if required. A phase-wide transition can be undertaken, starting with low-complexity functions and moving to medium- and higher-complexity ones as both the bank and vendor gain confidence along the way.

KYC during onboarding new customers, periodic review and client refresh of existing customers can be considered for transition in the initial phases due to their low complexity yet high volume, while customer screening for sanctions, PEP (politically exposed persons) and negative news, being of slightly higher complexity, can follow in the next phase. Transaction filtering and AML alert investigation form the most complex operations and can be the toughest to transition, given the consequences of failure and regulatory impact in these functions.

The decision and roadmap toward migration from the self-run AML compliance program to the AML-as-a-Service model is also fraught with its own share of challenges, just like with any other disruptive transformations. The foremost concern is how much of the AML compliance function should be shifted to vendors, who will then manage all the 3P’s (platform, processes and people) and practically take control of such functions. Then there is the issue of sharing customer data, including their personally identifiable information, which has to be made available to the vendor. Various countries have several data privacy regulations prohibiting movement of that country’s data beyond its shores, thus limiting the feasibility of outsourcing the compliance function to vendors who may be based in other countries. Risk of process failures or noncompliance on the part of vendors is another factor banks must weigh and protect against, as ultimately penalties are imposed on the banks for such failures.

The Way Forward

Optimizing costs while remaining compliant at all times has been the foremost objective of C-level executives of banks for quite some time now. The AML-as-a-Service model promises to fulfill that criteria – although vendor selection goes a long way toward ensuring this – banks stand to face a new third-party risk. Of course there are several agreements and indemnification clauses which go into such contracts, coupled with the bank’s third-party risk management strategies, to mitigate this. However, moving from self-run AML compliance to the managed services model is no doubt a huge transformation for any bank. While the stated benefits are many, the success of this outcome-based model depends to a large extent on the capability of the vendor in delivering effective compliance by utilizing state-of-the-art technology and highly skilled staff to carry out AML functions. The AML-as-a-Service model is still in its infancy in the banking industry, but it may just be a matter of time until a few banks take the initiative and lead the way for others. The lessons learned from their transition will help shape the journey of others, as this model seems set for the long run.