
Compliance Now More Than Ever

By Michael Zeldin
February 23, 2009

“In a profit- and loss-driven world, there is always a risk that companies facing an uncertain economic future may choose to cut compliance expenses,” SEC Chairman Christopher Cox noted last November at the SEC's Compliance Officer Outreach National Seminar. Then he issued a stern warning: “When a company cuts compliance, violations will occur. And if violations occur, punitive actions should and will be taken.”

Lori Richards, Director of the SEC Office of Compliance, Inspections and Examinations, re-emphasized the point in a December 2008 open letter to the CEOs of SEC-registered firms: “Firms must be vigilant and proactive in preventing, detecting and correcting problems that could occur. Providing adequate resources ... and ensuring that ... compliance personnel are integrated into the activities of the firm are essential to that process.”

Soon thereafter, as if to underscore these points, the SEC announced a $1 million fine for an online brokerage firm arising out of its alleged failure to follow its own Anti-Money Laundering (AML) procedures for gathering and tracking information under the Customer Identification Program regulations.

Compliance Officer Challenges

Today, many AML Compliance Officers report in meetings that they are facing severe budget and headcount challenges. Stretching scarce compliance dollars and achieving more with less are enormous challenges. Resisting the temptation to take on risky deals for the sake of doing business is even harder than before, and the pressure on business people to bring in more revenue may undermine their willingness to make the very important contribution to compliance that a robust program requires.

Nevertheless, industry leaders have undertaken a number of practices that mitigate risk and merit consideration by financial institutions regardless of size, customer base, products and geography.

Scenario Enhancements

The transaction-monitoring systems used by financial institutions to detect potential suspicious activities rely upon scenarios or algorithms that look for patterns of behavior inconsistent with expected customer profiles. Often, these scenarios can produce more false positives than alerts for truly suspicious conduct. Our experience has shown that applying advanced econometric-style analysis to the existing scenario set may reduce false positives. With fewer cases needing to be investigated manually, opportunities may exist for staff to be consolidated or redeployed.

Financial Intelligence Units (FIUs)

Private-sector financial-intelligence units, modeled after public-sector entities such as the Treasury Department's Financial Crimes Enforcement Network (FinCEN), were developed over the past ten years. When fully operational, FIUs serve as information nerve centers. They keep track of red-flag alerts created by the AML transaction monitoring software programs. They also collect the enhanced due diligence inquiries for high-risk customers such as “politically exposed persons” and Know Your Customer information in a place where they can be collated, prioritized, reviewed and disposed of centrally and consistently. These FIUs can be a critical component of a robust risk and compliance program, especially for global financial institutions. While most FIUs operate in the limited sphere of AML compliance, we've learned that they can be expanded to encompass fraud detection, trade finance compliance, privacy protections, and economic and trade sanctions monitoring. By expanding the mandate of FIUs, financial institutions can gain a more holistic view of the risks they face. Moreover, a company's investment in an FIU can be justified in part by its potential to lower operating costs through staffing efficiencies and to generate new business, since the data collected in an FIU can help enterprise marketing teams to better understand customer behavior and identify business opportunities.

Risk Assessments

The game plan for creating a more effective and efficient compliance program often is set by the company's risk assessment. Compliance can allocate its finite technological and human resources effectively by identifying what money-laundering risks may have significant impact on the business model, products, and customer base in each jurisdiction served. Once the risks are identified and prioritized, the effort to find unusual activity to be evaluated by the FIU can be designed or redesigned. Risks are identified by examining regulatory guidance, law enforcement events, the company's historical events, reputational considerations, and the insight of the business personnel. Training, reporting protocols, testing, a customer identification program and the extra effort in high-risk situations (such as accepting a new client in electronic banking) can allow a financial institution to recognize where it has effectively mitigated risk, and to place its monitoring and other resources where they appear to do the most good. Finally, involving the business leaders in the risk assessment process helps them take their rightful ownership share in the AML program, so that they aid rather than detract from the compliance effort.

Auditor Training

The best offense is a good defense. A well trained, fully staffed and empowered audit team complements the Compliance function. Cease and Desist Orders and other regulatory sanctions issued by financial-institution regulators show that many of the deficiencies identified by the regulators have not been detected by internal bank resources. If the audit staff and compliance testing personnel are trained to understand the specific money laundering risks to their companies, financial institutions can work to mitigate their risks and senior management may have the benefit of an internal examination report before receiving the news of a compliance failure from their regulators. In turn, this would allow the bank the benefit of voluntary disclosures and remediation before the fact. Financial institutions should develop advanced training targeted to the audit function. This will require enhanced internal resources or external consultants who can deliver responsive training modules on an ongoing basis. The training should be documented and the trainees tested so that a full “audit trail” of the undertaking will be transparent to senior management and regulatory agencies. The upgraded audit should incorporate a risk-based AML approach, focusing on regulatory and business priorities rather than just a check box of minor issues.

Foreign Assets Control Health Check

An ounce of prevention is worth a pound of cure. In the area of economic and trade sanctions (ETS), this may be an understatement. Counter-terrorist financing is a national security imperative and has become intertwined into the fabric of AML and ETS compliance. The lists of “specially designated nationals” with whom U.S. persons are prohibited from doing business change nearly on a daily basis, and both country-specific and hybrid programs require careful interpretation and encoding in screening lists and systems. To complicate compliance more, global regulations are not harmonized with the U.S. sanctions regime. While AML compliance allows for transactions to be completed before investigation and then reported to the government after the fact if necessary, transactions with entities sanctioned by the Office of Foreign Assets Control (OFAC) must be rejected or blocked in real time and then reported. In addition to required annual testing, frequent ad hoc “health checks” to test the effectiveness of the ETS compliance program reduce the risk of prohibited transactions. Elements of the “health check” can include verification of completeness of the lists used; confirmation that cross-border transactions and entities across relevant product and business lines are being scanned; sampling and review of the process by which scanned items that matched a sanctioned entity were handled; and ascertaining whether retained records of the process provide sufficient information to demonstrate that the program is functioning as designed. While OFAC regulations don't offer a risk-based approach, higher scrutiny is often applied in areas with higher risk of breaches. Therefore, “health checks” should pay extra attention to transactions used more frequently for terrorist financing (such as trade financing) and locations where the opportunity exists for data to be stripped before sanctions screening tools are used (such as transactions processed by hand).

The Cost of Non-Compliance

The recent forfeiture of $350 million by a large multinational bank under deferred-prosecution agreements with the U.S. Department of Justice and the New York County District Attorney and the enforcement actions against an online banking institution are stark reminders of the cost of non-compliance. Whether the institutions will also suffer intangible harm to their reputations will take longer to assess. In the current economic climate, no financial institution can afford to lose customer confidence.

Compliance departments can create opportunities to streamline staff and reduce costs without ignoring the SEC's warnings that a company skimping on compliance does so at its own peril. One of the keys is to have an efficient, integrated compliance function whose risk-based priorities are well documented and defensible. Indeed, doing so will improve the company's culture of compliance.


Michael Zeldin, a member of this newsletter's Board of Editors, is the global leader of the anti-money laundering and economic and trade sanctions practice of Deloitte FAS. Robert Axelrod, a Deloitte FAS Director, Alison Clew, a Deloitte FAS principal, and Scott Nathan, a Deloitte FAS Manager in the AML/ETS practice, assisted in the preparation of this article.
