How to discover ways to sustainable anti-money laundering operations*

Transcription

1 Banking and Capital Markets How to discover ways to sustainable anti-money laundering operations* *connectedthinking

2

3 Table of contents Situation 5 Perspective 6 Common components of a successful integrated AML operating model 9 Implications 11 PricewaterhouseCoopers 3

4

5 Situation In response to rapid advances in technology and more robust regulatory oversight, banks have evolved to match the risks and needs of the institution with the laws that govern them and the customers that they serve. However, in today s world, keeping up has become increasingly difficult. Banks face a dilemma with their customers whose growing appetites for privacy and protection are equaled by their pressing need for a global, efficient means of moving money. This poses a distinct challenge because customers needs are somewhat contradictory: Privacy and protection often require more controls while efficient global access requires less. In addition, government policies present a challenge to banks. To facilitate global trade and build national wealth, governments encourage the development of means and mechanisms for rapid funds movement. Citizens also encourage their governments to safeguard their privacy. At the same time, citizens mandate that their financial supervisory agents reduce the likelihood that terrorists, drug cartels and organized criminals will find anonymity in privacy and ease in their global funds transfers. To meet the challenges posed by the customer s contradictory objectives and the new regulations posed by governments, banks have had to modify many of their internal operating procedures. However, banks often struggle to adapt their technology systems and internal processes some of which evolved over decades to these new procedures. In the case of recent anti-money laundering (AML) compliance, this has forced many institutions to implement quick fixes. Some of these short-term, quick-fix solutions include: Decentralized and un-integrated customer due diligence and AML surveillance functions Use of manual muscle approaches Use of inadequately configured technology systems Hiring third parties to own core processes These quick fixes were not intended to be long-term solutions, yet we still see them in existence at many banks years after their implementation. They may continue to function, but their sustainability develops into an issue when operating costs become disproportionately high compared to the risk they were intended to mitigate. The good news is that long-term, cost-effective, sustainable solutions are within reach. PricewaterhouseCoopers 5

6 Perspective Based on our collective experience, in order to maintain acceptable levels of risk, provide long-term, sustainable solutions and reduce costs, an institution must take a multifaceted approach to AML operations by leveraging enterprise efficiencies. To achieve these efficiencies, a financial institution needs to identify areas for integration within and across countries, units, and functions while also preserving those differences that are warranted. This requires the focus on what has to be done rather than who reports on it or where it occurs. The first step in the assessment and redesign effort is to establish a set of core principles that is common across the organizational structure. The principles that organizations use successfully that can serve as examples for other financial institutions include: Reporting Issues management Testing Monitoring Risk/control identification and assessment Communication, training, and development of compliance personnel Policies and procedures Structure, roles and responsibility Risk appetite and tolerance Objective setting Once the core set of principles has been established, a financial institution can assess the methods used to execute those principles and find the points for regional and global integration. To systematically tackle this major undertaking, a financial institution needs to evaluate the way people, processes, technology and information the four operating levers are applied to each principle. In the case of AML, these levers may include: People (compliance officers, risk managers, IT system analysts, account officers, relationship managers, investigators, data analysts, operation managers) 6 PricewaterhouseCoopers

7 Processes (new client take on, periodic review, event-driven review, client exit, existing client remediation, transaction monitoring, case management, regulatory reporting, client screening, transaction screening, document lifecycle management, data and process governance, quality assurance, management information, client ownership) Technology (rules, scoring, workflow, matching, MIS reporting, regulatory reporting, expert/knowledge-based system, list management, anomaly detection, peer grouping and profiling) Information (customer, product, account, transactions, electronic funds transfers/wires, hidden relationships, customer risk ratings, case information, CIP and approvals documentation) By evaluating and applying the principles to levers, a bank can identify gaps, target opportunities for integration and redesign its AML operating model. The redesigned model should integrate using options that range from combination and shared services platforms to co-sourced and outsourced activities. The table on page 8 represents a sample financial institution and a current state of some of its AML processes. These processes, such as client due diligence, client screening, or transaction monitoring, tend to be business unit centric and often times decentralized. This often leads to inconsistencies in processes and information gathering as well as inefficiencies in use of technologies and human capital. Depending on an organization, any lever described above provides an opportunity for integration. A thoughtful planning process is a prerequisite to designing a future state that will meet compliance objectives but will also be cost effective and well integrated with the other processes within the financial institution. What s left after the quick fixes? Highly manual and unrepeatable AML customer risk assessment processes Compliance departments struggle to meet non-aml compliance demands Different processes and technologies used for collecting, reporting storing due diligence information within and across lines of business Inconsistencies in customer risk scoring and due diligence procedures for the same customer or similar customer types across lines of business and globally Lack of meaningful money-laundering risk reports Large number of false positives in transaction surveillance systems Case management processes that are supported by inaccurate financial intelligence Inability to see into static and transaction activities of customers their related accounts within and across lines of business and globally Case consolidation by customer or other common case characteristics performed through ad-hoc workarounds Lack of consistency and reconciliation between the risk model used account monitoring and the model used for customer risk assessments Inability to report on key performance indicators Lack of coordination among other key areas such as credit risk management, suitability for broker-dealer accounts and fraud detection units Little integration of AML compliance with other bank initiatives PricewaterhouseCoopers 7

8 Table 1: Simple example of the application of AML levers to customer risk/control identification and assessment principle Levers Sample current status Integration opportunities Sample future state Retail Wealth management Wholesale Retail Wealth management Wholesale Process Account opening Customer due diligence Customer due diligence Related to account opening, but risk aligned with customer due diligence Customer due diligence People Bank officer Relationship banker Relationship manager No change: Ownership should remain with front-office Bank officer Relationship banker Relationship manager Technology Online application Paper based Smart Word document Standardize on new technology platform Integrated web-based KYC technology Information CIP form Wealth management version of KYC Risk Form Wholesale version of KYC risk form Standardize risk assessment form with extensions for customer and product differentiators KYC form based on common client risk rating methodology Process Client screening No change needed Client screening People Operations account manager Relationship banker Compliance officer Skill-set and technology are better aligned with operations Centralized middle-office operations Technology Automated using OFAC agent Manual using FINRA OFAC tool Manual using World Check Manual approaches can be replaced with automation Automated using OFAC agent Information Customer Relationship Legal entity No change: Customer types warrant differences Customer Relationship Legal entity Process Transaction monitoring No change needed Transaction monitoring People Investigator Relationship manager Investigator Leverage investigation skill-set Centralized financial intelligence unit Technology ERASE Manual report review ERASE Automate manual review with pre-existing technology Automated using ERASE Information Account, transaction, wire Relationship, account transaction, wire Account, transaction, wire Link accounts to create single customer view Relationship, customer, accounts, transactions, wires 8 PricewaterhouseCoopers

9 Common components of a successful integrated AML operating model A redesigned AML operating model will differ from organization to organization based on the specific risks, needs and geographic makeup of the organization. However, we have seen some components that are consistently adopted within the industry, and those components have been highly effective. The first component calls for the COO and the CIO to increase their roles in the AML compliance function because many of the areas of improvement are within their domains. The second calls for the need to tailor AML policies and procedures to be globally consistent yet able to be effectively implemented locally. The third component calls for integration across operational areas, specifically to the middle and back offices in a shared-services structure, to create centralized hubs that manage many surveillance and due diligence activities. The final component assigns specific, discrete AML responsibilities to core functions within the enterprise that allow per-unit costs to be measured and monitored. These responsibilities include: Front office: The front office retains ownership of the customer and continues to on-board customers, as well as conduct initial risk assessments, eventdriven reviews and periodic customer reviews, and collect relevant customer due diligence and enhanced due diligence information. These functions are well aligned with front-office expertise, which is focused on customers and products. Integration challenges Multiple entry points for customer information (e.g. multiple business lines, internet vs. branch network, third party agents/brokers, etc.) Customer relationship ownership when the customer has accounts that exist across lines of business, etc. Organizational and global complexity Certain AML compliance practices vary by line of business, regions, and geographies Cross-border data sharing due to local data security laws Operating and integrating with local privacy laws, including bank secrecy jurisdictions Resource and skill set availability at the corporate, region, and local levels Middle office: A gatekeeping function sits centralized in the middle office to help drive efficiency and consistency of policy application. The middle office enforces the institution s Know Your Customer (KYC) strategy, which includes customer acceptance policies; quality assurance of static customer information; integration of comprehensive customer risk assessments across lines of business, products and services; and monitoring of front-office customer review compliance. Back office: The back office houses both the AML transaction surveillance and case management functions, which together make up the financial intelligence unit (FIU). The FIU provides one dynamic picture of customer PricewaterhouseCoopers 9

10 activities, enabling the institution to monitor and investigate unusual activity at the customer level and gain insight into the overall activity and behavior of the customer across all business lines and products. The FIU and the KYC strategies operate in tandem to provide a holistic view of the customer s AML risk. AML compliance: AML compliance sets and modifies compliance guidelines and polices based on international, domestic, industry, third-party and internal requirements. The AML compliance team is responsible for resolving AML issues escalated from the middle office customer due diligence function and/ or the FIU as well as making regulatory reporting filing decisions. IT: IT owns and operates relevant compliance technologies and helps drive efficiency by identifying, categorizing, evaluating and consolidating redundant systems. IT staff members participate in the process of deciding when new systems should be implemented or when existing systems should be leveraged. 10 PricewaterhouseCoopers

11 Implications To achieve sustainable AML operations, we recommend the following fivestep approach: 1. Shift AML oversight responsibility to a senior risk management task force that includes both local and global compliance, risk management, operations and IT representatives. Include feedback channel for line of business inputs. 2. Perform an initial health check, or diagnostic review of AML operations, to provide a snapshot view of current operations and to identify key risks, costs and improvement opportunities. Based on the results of the health check, develop a cost-and-efficiency business case. 3. Using the health check as a guide and leveraging existing analysis and documentation, assess the current state of the AML compliance function across principles and levers. Perform the following actions: Identify applicable AML global policies, key regulatory requirements, commitments made to regulatory examiners and internal auditors related to customer due diligence and customer risk assessment for widely varying customer types from individuals to multinationals. Analyze the quality and quantity of people and processes in corporate and in each line of business, including current account opening processes and activities, transaction surveillance and case management activities (acceptance and information collection methodologies, tools and techniques, roles and responsibilities, risk tolerance, issues tracking, reporting, etc.). Take inventory of current AML compliance technology. Organize requirements by type of customer, product, industry of business or wealth of customer, rather than by business unit. Review, assess and prioritize key commonality and differentiator requirements between the various AML functions. Evaluate and define integration opportunities. PricewaterhouseCoopers 11

12 4. Develop an AML compliance global strategy, future-state vision and implementation plan to meet the institution s global standards and risk tolerance, local regulatory requirements and industry standards. This strategy must take into consideration all lines of business, products and services, as well as the institution s customer base, and include the following activities: Define the desired operating model using key differentiators and integration mechanisms (e.g., creating hubs uniting critical enterprise capabilities across multiple geographies, taking into account local data privacy laws and cost structures) and other common AML integration components as a foundation. Evaluate technology options focusing on systems that can adapt to the unique needs of each line of business as well as to new and changing local regulatory requirements. Define pre- and post-implementation quality assurance standards. Design new or leverage existing governance processes for the acquisition of new AML compliance technologies. Develop a communication and training plan within consolidated functions and across business units. Identify key activities/controls and establish metrics for continuous monitoring and improvement (e.g., account rejection that is proportional to the risk tolerance of the institution). Determine change management requirements such as staffing and training needs to support the new organization. 5. Integrate redesigned operating functions incrementally through a fourphased approach, beginning with the phase appropriate to the current state of the bank s systems and processes. Phase One: Enhance Roll out centralized KYC people and process functions to the middle office using manual processes to address immediate issues without major technology enhancements. Conduct an AML risk reassessment on existing customers. 12 PricewaterhouseCoopers

13 Phase Two: Expand Pilot the future-state model. Roll out centralized KYC technology and information to a select number of lines of business. This technology should be an improvement to manual compliance processes that already exist in the front office. Phase Three: Standardize Roll out centralized KYC technology and information across all lines of business and geographies using a risk-based approach to focus efforts on key areas first. Deploy consolidated FIU capability leveraging the single view of the customer created by the middleoffice gatekeeping function. Integrate within and across lines of business. Phase Four: Maximize Integrate centralized people, process, information and technology functions with other institution-wide initiatives, e.g., KYC with the customer relationship management initiative or the FIU with the anti-fraud and financial crime function. Integrated global Global AML Program program (Policies & Procedures) & procedures) Lines of business Insurance Wholesale Retail Banking banking Online Banking banking Event-Driven Review (EDR) New Client Take On On Client Exit exit (NCTO) Periodic Review (PR) Existing Client client remediation Remediation Transaction Monitoring monitoring Client Screening screening Document Life life Cycle cycle Management management Data and Process process Governance governance Quality Assurance assurance Management Information information Client Ownership ownership Centralized Supporting supporting Organization organization AML KYC CLIENT LIFECYCLE Integrated Global KYC Technology Europe North America South America Asia/Pacific Business regions PricewaterhouseCoopers 13

14 Every organization is at a different level of operational sustainability. PwC can help determine your organization s current state by performing our AML health check. We can quickly and cost-effectively provide basic quantitative reports that provide a high-level traffic-light representation of AML operations against industry practices, your organization s risk tolerance and optimal state.

15 A look forward Cost and risk are obvious key measures in the determination of the effectiveness of the AML operating model. However, there are less obvious measures of success as well. Consider the benefits to the compliance function. As banks become more diverse and global, this model can adapt. It is not fixed. This gives compliance the ability to react quickly to changes in laws and regulations. And since compliance can more easily assess risk before products go live, Product Management benefits because those products can be brought to market more quickly and can give a distinct competitive advantage to the organization. Positive effects of truly knowing your customer Sales: Improved cross-selling Marketing: Improved product targeting Customer service: Improved retention rate Finance: Increased profit potential Operations: Better channel alignment The impact to the sales force is also significant. Rather than having to go to multiple sources, account officers and/or relationship managers can share one view of customers. This facilitates a cross-line of service and cross-border view of client relationships and improves the ability to service those customers. The customer experience improves as well. The KYC model creates consistency for customers regardless of where they are opening the account whether local or international. Instead, the distinguishing factors of the model are based on customer type, product, geography and anticipated activity. For example, a student domiciled in a high risk jurisdiction opening and depositing $500,000 in cash into a U.S. checking account is handled differently by the model compared with a long standing customer domiciled in a low risk jurisdiction opening a $10,000 time deposit in a Canadian account. All of these corollary benefits contribute to the overall business. Measuring, understanding and managing customer performance are key factors to business success. The integrated AML operating model sets the stage not only to reduce risk and costs, but also to attain business value from the AML function by recognizing and understanding the true costs and benefits of customer relationships. The result is to Truly Know Your Customer (TKYC). With an increasingly complex and fast-paced business environment, Institutions must act now to build a sustainable AML operation that enable them to properly balance cost with risk. This can be accomplished by leveraging enterprise efficiencies. The principles-based framework, the common AML integration components and the five implementation steps provide the means to achieve this goal incrementally and allows companies to move toward integration at a speed that matches their unique needs, risks and geographies. PricewaterhouseCoopers 15

16 Contacts We encourage you to contact any of our subject matter professionals for more information on sustainable anti-money laundering operations. John Campbell Principal, AML Practice Leader (646) Damian Kalinowski (314) Jeff Lavine (703) Monique Maranto (410) Bruce Roland (410) Cathy Stahlmann (305) Deven Swim (617) Sean Wilhelm (312) Thomas Messina (646) pwc.com 2008 PricewaterhouseCoopers LLP. All rights reserved. PricewaterhouseCoopers refers to PricewaterhouseCoopers LLP (a Delaware limited liability partnership) or, as the context requires, the PricewaterhouseCoopers global network or other member firms of the network, each of which is a separate and independent legal entity. *connectedthinking is trademark of PricewaterhouseCoopers LLP (US). MC-NY A. TP.