Skip to content

Compliance Week: AML Woes Continue to Plague Firms Amid New Compliance Demands

On their surface, anti-money laundering regulations are an exercise in simplicity. Know who your customers are and alert the government if they do anything shady or, at the very least, execute cash transactions exceeding $10,000.

In reality, like so many compliance obligations, things are rarely ever that simple. In fact, many enforcement actions are leveled because a compliance protocol was deemed inefficient, rather than because there was a reportable instance of money laundering or terrorist financing.

One need only look at recent headlines to see money laundering’s surprising sources. As part of investigations into potential campaign manipulation by Russia, a side topic of alleged real estate-based money laundering has emerged from within the Trump organization.

The Securities and Exchange Commission seems to be ramping up its own AML-related efforts with warnings about virtual currencies and enforcement actions against broker-dealers that increased by 20 percent in the first half of FY 2017. The Commission is also warning of risks associated with virtual currencies.

Against a global backdrop of nearly perpetual money laundering revelations and scandals, two forces are afoot in the U.S. to change existing rules. On one side are those imposing more, stricter requirements. On the other side are firms and organizations looking to streamline and de-cost protocols.

Amid ongoing AML news from around the world, forthcoming rules add new, sometimes complex requirements onto the traditional foundation of knowing one’s customer and reporting suspicious activity.

New York AML regulations. In December 2015, New York Governor Andrew Cuomo unveiled a slate of new anti-money laundering regulations for financial institutions that fall under that state’s regulatory regime and supervision.

New York will now require that banks and other financial firms maintain a transaction monitoring program, manual or automated, that seeks out potential Bank Secrecy Act and money laundering violations. The system, as stipulated, should map these risks to the firm’s businesses, products, services, and customers, and factor in relevant information from existing know-your-customer due diligence and enhanced customer due diligence programs.

There are also new demands for sanctions compliance and screening filters to help combat the financing of terrorism. Those filters must include the data from the Treasury Department’s Office of Foreign Assets Control, politically exposed persons lists, and internal watch lists.

The key word that sets the new regime apart from others is “accountability.”

The proposal requires that CCOs—or whoever is in a comparative role—must annually submit, by April 15 of each year, certifications on the effectiveness of these systems and controls. Criminal liability could be imposed on certifications that are later found to be incorrect or false.

The rule became effective on Jan. 1. Covered organizations must file written attestations for that year by April 15, 2018.

“It probably goes without saying that after the April 15 certifications are filed next year, Department of Financial Services examiners will begin evaluating compliance with the regulation,” says Thomas Delaney, a partner with law firm Mayer Brown. “It is expected that many firms will not be able to achieve compliance with the new rule. So, the question is what will DFS do to institutions that either cannot certify to their compliance, or that certify but are otherwise found to be falling short”

“It is an intriguing question given the recent history of DFS imposing very harsh penalties for institutions it finds to be in violation of anti-money laundering compliance requirements,” he adds.

Federal AML regulations. At the Federal level, Treasury Department officials have pledged a renewed focus on issues related to shell companies and beneficial ownership.

Aside from continuing crackdowns on money laundering masked by luxury real estate sales, the Treasury and its Financial Crimes Enforcement Network, will soon set in motion: a customer due diligence final rule; proposed beneficial ownership legislation; and proposed regulations related to foreign-owned, single-member limited liability companies.

Effective in the New Year, the rule contains three core requirements: identifying and verifying the identity of the beneficial owners of companies opening accounts; understanding the nature and purpose of customer relationships to develop customer risk profiles; and conducting ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information.

Financial institutions will need to identify and verify the identity of any individual who owns 25 percent or more of a legal entity, and an individual who controls the legal entity.

Ross Delston, an attorney, AML consultant, and expert witness from Washington D.C. says the world of AML is one where breaking news is a near constant.

“There is always a lot going on, particularly if you factor in what other countries are doing,” he says. “There is also a heightened concern about terrorism and the financing of terrorism and that feeds into heightened money laundering enforcement. The two are related.”

Aid the push-bull of regulation and deregulation what AML regulations may eventually look like is unclear.

“No matter what happens, firms themselves are going to have to start collecting more data and finding better, more efficient ways,” Delston says.

“Everyone has trouble taking control of the data they have,” Delston adds. Especially at big banks, where data is siloed and the systems used to monitor suspicious and unusual transactions change frequently.

“The systems spit out lots of alerts, but even now with all the fine tuning that has gone on, 95 percent or more of the alerts are false positives,” Delston says. “That is demoralizing for staff and it means lots of alerts to wade through until you can find something that is meaningful.”

More money, more problems. Why are even the largest financial institutions facing AML woes? “The biggest issue is corporate culture,” Delston says. “There is a resistance at the top levels of a bank, particularly at larger banks, to taking actions that are necessary to effectively implement an AML program. No one on the business end of a bank likes that you not only have to report suspicious activity about your customers, but start to decline customers. The larger banks have an aversion to ever saying no to a customer.”

Among his suggestions improving the quality and frequency of training for all employees and managers, from the branch lobby to the C-suite.

To get an idea of the stakes at play, consider the example of Commonwealth Bank of Australia, one of the oldest and largest financial institutions in Australia. It currently faces accusations of “serious and systemic non-compliance” by the Australian Transaction Reports and Analysis Centre (AUSTRAC) for unknowingly facilitating money laundering though its network of cash deposit machines. Commonwealth Bank has blamed the problem on a “coding error.”

Commonwealth Bank’s woes provide lessons for other institutions to heed, says John Melican, the global head of the financial crimes practice at Exiger, a global regulatory, financial crime, risk, and compliance company. He has previously overseen anti-money laundering, anti-corruption, and compliance functions at Bank of Tokyo, American Express, and, Bear Stearns.

New product integration oversight with the deposit machines either did not include proper connectivity to the automated transaction monitoring systems, or had a programming error that prevented those departments from properly recognizing these as cash deposits.

“The bank’s required risk assessment processes did not recognize this new feature as a possible AML risk and apparently did not, according to Austrac (the Australian Financial Regulator), install proper controls until several years later,” Melican says.

The situation, he says, is “a classic example of how any cracks in financial armor at banks will be exploited.”

The Austrac action alleges that at least four separate money laundering syndicates were exploiting the weakness related to the bank’s cash acceptance through the new ATM machines. One syndicate was able to establish 29 accounts in apparently “fake names” and used these accounts to receive the cash deposits then immediately transfer the funds internationally.

“Once the weakness was recognized, the criminals then turned to exploiting the weakness by opening multiple accounts and spreading the activity to enable the movements of tens of millions over a single year,” Melican says. “Versions of this process were probably tried it at ten different banks until the criminal syndicate found one that work and allowed the activity to continue. This is a prime example of how even a bank, with AML processes in place in a lower risk country with a well-developed regulatory framework can be exploited by persistent bad actors.”

“As banks breed new technology, they need to make sure that technology is effectively integrated into the control structure of the bank,” he adds.

Risk and reward. While new technology does indeed have its pitfalls, there is also an upside. Vishal Ranjane is a managing director in the risk & compliance practice at Protiviti, a global consulting firm. He is an expert in, and proponent of, integrating artificial intelligence into AML compliance. Technology, he says, brings both risk and reward.

“Criminals are obviously getting more savvy,” Ranjane says. “They know how to outpace any innovation brought in. It is fair to say that the risks are evolving and banks need to be dynamic in how they manage it.”

Banks, he says, have been somewhat successful with technology investments “but these investments have increased the cost of compliance and the tools that they do have are bringing in too many false positives. These are blunt tools, rather than sharp tools, so they solve the problem by throwing more people at it.

Ranjane says that the future of artificial intelligence offers numerous benefits, from ensuring the quality of data to spotting red flags and reducing false flags. Linked with robotic automation, activities like background searches can be similarly streamlined, allowing “human” compliance officers to focus on what they do best.

“With every new technology, I would really start with a governance structure that sets standards, boundaries, and overall strategy,” Ranjane says. “AI should be no different. Banks needs need to also understand their entire digitization strategy of which AI is just one component.”

“Once you have your governance plan and strategies in place, consider the processes where you would get the biggest bang for the buck,” he adds. “Implement the solution where you know what the benefits are, you know what the pros and cons are, and what the challenges are. Only then, go ahead and talk about investing in a solution. When you do that, start with the pilot program in a controlled environment with a deployment strategy for rolling out to other areas of the bank in a controlled manner.”

The risk landscape is constantly changing. Hear about the latest with Exiger.