An effective financial crime compliance solution isn’t something a company can just pull off a shelf. Depending on the organization, the process can take as long as a year. Shayne Begin and Ozgur Vural of FTI Consulting explore the finer points of vendor selection and model design in the finserv sector.
One of the most important decisions a compliance team will make regarding their financial crime compliance program pertains to implementing effective and automated transaction monitoring, sanction screening and customer due diligence controls — often performed by third-party solutions if not developed internally. With an ever-evolving regulatory landscape and an increased expectation for companies to use data and digital systems appropriately to be as compliant as possible, vendor selection, model design and implementation testing have become critical steps in successfully carrying out such responsibilities.
Know your pain points
Financial services companies must address financial crime and compliance issues to avoid severe consequences. Regulatory inquiries, consent orders and monitorships are often results of program deficiencies associated with inadequate anti-money laundering (AML), sanctions and watchlist screening and Know Your Customer (KYC) programs and controls. These deficiencies can lead to significant operational and reputational risks, making it essential for clients to ensure robust and effective compliance frameworks by doing the following:
- Conduct a proper vendor selection process to identify vendors and system solutions best aligned with the client’s risk profile, business requirements and compliance needs.
- Develop an understanding of how a particular vendor solution will operate on a day-to-day basis. The selected solution must provide adequate risk coverage and contain critical functionality and capabilities to carry out the business and compliance requirements.
- Perform a proof of concept or pilot testing before going live in production to ensure everything is working as intended and aligned with expectations.
- Conduct comprehensive pre- and post-implementation data and model validation testing to assure that an accurate and complete set of model inputs (customers, transactions, data attributes, quality of the data, etc.) is being considered and screened. The model validation should assure the system and model were implemented correctly.
- Properly design, configure and validate system solution processes, settings and rule logic so that they are set as expected, preventing issues down the road such as suspicious activity going undetected and unreported.
- Conduct a comprehensive coverage assessment and red-flag analysis, and incorporate your risk assessments, to prevent inadequate risk coverage.
- Map risk indicators to effective monitoring rules and risk typologies, especially those designed to detect complex financial crime schemes.
- Establish appropriate parameter and threshold settings supported by underlying data analytics (among other regulatory and qualitative factors) and tune them periodically, at risk-based intervals, using below-the-line/above-the-line testing.
The above action items, especially data and model validation, a proper coverage assessment and appropriate setting and tuning of parameters, are often overlooked, and skipping them results in program deficiencies and undetected suspicious activity. If these steps are addressed during the design and testing phases of the system implementation, many of the underlying issues we often observe would be identified early on through proper due diligence, preventing them from becoming significant problems later in the process.
Compliance teams often operate with limited resources and are already occupied with their daily responsibilities. Asking them to carry out a proper vendor selection process, implement a new system solution and cover the above discussed action items can seem like an additional full-time job.
Many companies find it daunting and overwhelming when deciding on the right vendor solution, especially given the myriad existing and emerging advanced technologies enabled by AI and machine learning. Additionally, the regulatory pressure to remain compliant, manage all risks and support a growing business demands innovative, automated and data-driven approaches (e.g., data collection, verification, screening, monitoring and reporting). We’ve seen numerous instances where a vendor solution and design process was rushed or improperly implemented, leading to significant headaches down the line related to regulatory scrutiny and cost implications associated with fixing such problems.
The path forward
Here are several key considerations for companies planning to conduct a vendor assessment — whether implementing a new system solution or replacing an existing one:
- Assessment of current needs
- Define criteria for vendor selection
- Market research and peer benchmarking
- Request for proposal (RFP)
- Vendor evaluation and due diligence
- Demos and proof of concept (POC)
- Contract agreements, provisions and SLA
- Implementation plan and testing
- Documentation — methodology, support and rationale
- Training and support
- Monitoring and evaluation
- Continuous validation and enhancement
Once your team identifies the right vendor solution, designing the model and making sure it is working as intended are additional but critically important next steps that often take time. There is typically a six- to 12-month window for most companies and vendor partners to stand up and go live with a solution, keeping in mind variability depending on the vendor solution, scope and complexity of the implementation.
When it comes to designing the model, many companies are overseen by regulatory bodies (DFS, OCC, SEC, etc.) that set notable guidance and expectations, especially through publications, frameworks and enforcement action releases. Understanding your regulatory requirements and model risk management expectations will assist with creating an appropriate, risk-based model design and allow you to validate that everything is working as intended.