For obliged entities, an Anti-Money Laundering Compliance Program (AML) is critical; taking proper steps to prevent money laundering and terrorist financing also helps mitigate the risk of fines for non-compliance and reputational damage.
While the need for AML is clear, the question is how to optimize a compliance program so that it is effective, efficient, scalable, and adaptive. Regulations change, as does regulators rulings and focus. Organizations are constantly changing; the nature of their business, the risk profiles they are dealing with, the jurisdictions they operate in, and their systems and processes are quite fickle. Technology also changes, providing new opportunities to deliver effective AML solutions.
Smart compliance programs take all these factors into account and are dynamic, ever-evolving and improving, not reactive.
One of the first steps for building a comprehensive AML program is to determine the scope of the regulations. On a global level, the Financial Action Task Force (FATF) has set out series of recommendations to guide implementations. In the US, the core requirements are in the Bank Secrecy Act (BSA), with major updates in the USA PATRIOT Act, as well as rulings and guidance from sector-specific agencies and authorities. In the EU the requirements of 4AMLD include the current AML standards, while each country will have specific laws that transpose that Directive.
While each jurisdiction and industry have specific requirements, having a strong overall AML program will simplify meeting the precise standards necessary. With high standards, strategic processes and dynamic systems in place, compliance will have a framework to implement demands quickly and seamlessly.
AML Compliance Standards
Many elements of compliance are not prescriptive, but rather rely on risk assessments. To that end, assessments require value judgements.
An organization needs to standardize and enforce a powerful set of values to guide all staff on all AML compliance related decisions and actions. C-level executives and the board need to establish clear and precise policies that roll out to the whole organization.
The compliance team needs the dedicated resources to perform their duties including enough staff, technology and training materials. They also need the buy-in throughout the organization to actively implement their plans and policies.
Having and maintaining written policies and making them readily available is fundamental to having effective standards:
- What information are you collecting?
- What are your privacy and security policies?
- Who requires access to what information?
- What are your risk-mitigation policies?
- What are your reporting procedures?
- How do you handle suspicious activity?
- What is your information deletion policy?
- What are your training procedures?
- Who has responsibility for the program?
This list isn’t exhaustive, but rather to demonstrate some factors to consider when updating standards.
AML Compliance Processes and Systems
It’s one thing to have written standards; systems to implement internal control processes is the deliverable. Each policy requires workflows to establish step-by-step procedures.
For example, a standards document might define what information to collect, while a workflow will determine how to process that information:
- Input checks
- Data verifications
- Data validations
- Error actions
- Success actions
- Controls and monitoring
Traditionally, these processes were done manually, therefore slow, cumbersome and demanding on staff. Increasingly, obliged entities have adopted digital techniques, allowing for automation of many steps, improving throughput, accuracy and better utilization of compliance’s time.
While many digital processes are comparable in purpose to the manual processes they replace, new tools enable new ways to optimize the entire workflow. It’s not only making certain tasks quicker, effective systems change the scope of what is possible.
In any case, whatever the process is, a proper testing regime is necessary. It’s not enough to build standards and systems that work the way you want, they need to handle edge-cases and other situations that are hard to fathom.
Support internal audits with independent testing from outside auditors, consultants or other experts. One recommendation, from the US Federal Financial Institutions Examination Council (FFIEC), is to conduct independent testing generally every 12 to 18 months.
While the intricacies of complex legislation along with the importance of compliance can make developing an AML compliance program daunting, a methodical and constant approach will help avert potential crisis. Do the research, create a strategy, document procedures, develop systems, test and repeat. By continually evaluating what you have to do, what you do and what you can do, will create a program that is efficient, resilient and serves your business purposes.