Conclusions Paper Modernizing Anti-Money Laundering Practices How Financial Institutions Can Use Predictive Analytics to Pinpoint Suspicious Activity Insights from a presentation at the ACAMS AML & Financial Crime Conference Featuring: Mason Hinkle, Senior Vice President, Deputy BSA Officer, BSA Operations and Financial Crime Risk Management, Union Bank David Stewart, Director of Financial Crimes Global Practice, SAS
Contents Introduction... 1 Springing to Action... 1 Building the Financial Intelligence Unit... 1 How the FIU Is Structured... 3 Surveillance Unit... 3 Investigations Unit... 3 Global Sanctions Group... 4 Currency Transaction Unit... 4 Client Intelligence Unit... 4 A Work in Progress... 4 Closing Thoughts... 4 About the Presenters... 5
1 Introduction It was a nightmare come true for Union Bank, a wholly owned subsidiary of Bank of Tokyo-Mitsubishi UFJ with branches primarily in California, Washington and Oregon. Between January 2004 and August 2005, drug dealers moved millions of dollars of proceeds from drug sales through their Union Bank accounts as part of a money laundering operation. Union Bank failed to detect the illicit activity and to file suspicious activity reports (SARs) to the Financial Crimes Enforcement Network (FinCEN) in a timely manner as mandated by 12 CFR 21.11. This put the bank in violation of the Bank Secrecy Act (BSA) of 1970. Regulators demanded that Union Bank implement an enterprisewide BSA compliance program to improve its processes for identifying and reporting suspicious transactions. The bank was ordered to develop proper controls, train managers and staff, and establish audit and due diligence procedures. When the bank didn t move fast enough, it received $10 million in fines. Worse, a cease and desist (C&D) order prohibited the bank from any new operations until it could resolve the compliance issues. As a result of the C&D, we couldn t grow. We couldn t open branches. We were at a total standstill, said Mason Hinkle, Senior Vice President and BSA Operations Manager for Union Bank. Union Bank is hardly alone. Regulators are under pressure from Congress to crack down on BSA violations. As a result, more financial institutions than ever are finding themselves in Union Bank s shoes. BankersOnline.com compiled a list of approximately 120 financial institutions that have been slapped with BSA/AML fines or penalties since 2004. The largest enforcement action to date was $1.9 billion levied against HSBC. Clearly, financial institutions of all types and sizes need to beef up their BSA compliance efforts. The challenge is that high transaction volumes from online and mobile banking services give criminals considerable cover for money laundering schemes. Identifying a suspicious transaction is like finding a needle in a haystack. And while the largest institutions can hire armies of compliance experts, most firms lack these resources. They need to work smarter so they can pinpoint truly suspicious activity - with minimal false negatives or false positives - to optimize investigator productivity. David Stewart, Director of the Financial Crimes Global Practice at SAS, recently spoke with Mason Hinkle about how Union Bank successfully modernized its anti-money laundering (AML) practices using sophisticated analytics capabilities - and extricated itself from its C&D in record time. Springing to Action In the face of the C&D, Union Bank wasted no time in doubling down on its AML efforts. It was all hands on deck, said Hinkle. We made sure we had total support and buy-in from board members and senior executives. We assigned board members to our project and kept them intimately involved. Our parent company provided intense support as well. We put a lot of money into building our program. We went from basically nothing to the very large and robust program that we have today. Our first order of business was to understand the root of the problem and determine what we needed to achieve, Hinkle continued. At the time, we had no financial intelligence unit (FIU) for monitoring suspicious transactions. We had about five people in a BSA-related function. We had no tools. We had disparate processes and disparate systems. We had to determine what we needed to do from a people, process and technology perspective and what players needed to be involved. Throughout the process, we also initiated a lot of open and transparent conversation with our primary regulator, said Hinkle. We met with them weekly. We disclosed anything we found. We were very fortunate that they were receptive to our ideas and provided feedback. We also gave (and continue to give) them a road map of what we re looking to change and improve. Building the Financial Intelligence Unit The bank needed to organize its efforts at detecting and monitoring suspicious transactions, regulatory filing, and creating currency transaction reports (CTR) and suspicious activity reports (SAR). That meant implementing the right technology - including solutions that would allow it to perform sophisticated analysis - hiring the right people, and developing robust controls and processes around monitoring. Addressing these issues became the purview of the new Financial Intelligence Unit (FIU). As the bank considered its technology, it searched for opportunities to integrate technology, eliminate redundant processes and eliminate rekeying of data to improve the overall effectiveness of systems. It also implemented solutions to synthesize data from incompatible data sources on a wide variety of platforms to create an enterprisewide view of risk across customers, products, business units and channels. The FIU also staffed its operation. Says Hinkle, We made sure to hire a balanced staff - from former law enforcement to former bankers to people who ve been in the AML industry at many different organizations. Because analytics would play a key role in
2 the bank s BSA compliance efforts, it also hired four statisticians to build predictive models and perform validation. Ultimately, financial institutions will also need to hire people with skill sets new to the compliance department. As Stewart explained, In most IT organizations, you have a database administrator and the old-school federated data, star schema, data warehouse guys. Now there s an emerging role of data scientist. Some new architectures put large amounts of data into memory to make it available for analysis and reporting. They do this in a less structured manner than a traditional database. These new approaches allow IT to make data available to compliance users more quickly. In addition, disciplines like text mining and managing unstructured data will require new skill sets. Ranking Customers for Risk To improve its ability to identify suspicious activity, Union Bank implemented a risk-based AML program that looks at groups of customers in different ways depending on their ever-changing overall risk profile. They then monitor the customer or accounts according to the risk classification. The bank examines the behavior of high-risk customers more closely than low-risk ones. For example, a customer deemed to be high risk might have a much lower threshold for wire transfers before the activity alerts the AML system. A customer deemed to be low risk would have a much higher limit for wire transfers in the eyes of the AML system. Stratifying customers based on risk classification enables the bank to run AML scenarios with different parameter thresholds that more closely match the risk represented by each unique customer. Ranking customer risk requires the bank to collect information about the customer, starting when the customer first signs up. The bank uses a structured approach to assign that customer to a risk category, depending on specific attributes or behaviors. We put a lot of energy into customer risk ranking. We rank our customers on a scale of 1-3, with 1 and 2 being the highest risk. The majority of clients are in the lowest risk category - 3, said Hinkle. These risk categories are moving targets. We always have to look at where they ll potentially elevate, said Hinkle. For example, we have a client who s risk-ranked as a 3 or low risk, but based on factors such as negative news they have the moderate risk characteristics of a 2. What do we do? Do we automatically force elevate? Or do we put additional monitoring and controls around it. You have to be as accurate as possible in ranking your clients. The answer is having up-to-date data so the bank can accurately evaluate risk on an ongoing basis. This can be challenging in a retail setting. As Hinkle explained, When you onboard the client, you get a lot of information, but then the client s financials change. Say you onboard a student and they re ranked low risk and then Figure 1: Regulatory expectations mean leading financial institutions need to employ new skill sets within their AML operations unit, particularly talent that understands data, logic and analytics. These firms are also re-engineering processes to enhance integration, share information, and streamline processes to drive efficiency gains.
3 four years later, you re seeing wire transactions because they re not a student anymore. They re in the workforce or own a business. But your Know Your Customer (KYC) data says they re still a student. You need to come up with a way to gather that information. Credit bureaus have a lot. But you have to be careful how you use that information. Currently, there s no panacea. We do client outreach to keep the KYC current with high-risk clients. But client outreach isn t possible with the high number of low-risk clients. Luckily, technology is available to help monitor low-risk clients. First, Union Bank is using a technique called event-based client rating. The bank purchases lists from third-party providers of information about negative news events. It uses this information to identify clients whose risk ranking should be changed. The bank is also working to link its transaction monitoring solution to its client risk rating system. When the monitoring system sees activity that is characteristic of customers with lower ratings, the rating system will be able to use that information to adjust the customer s ranking accordingly. Of course, any alert-based system comes with the risk of false positives. Investigators could be deluged with work that ultimately proves unnecessary because no nefarious activity occurred. Union Bank applies another layer of analytics combined with automated workflows to minimize the impact of false positives. Typically, when a bank s monitoring system uncovers potentially suspicious activity, it generates an alert. This kicks off an investigation that involves several levels of human analysts who determine whether or not the alert is suspicious enough to warrant an SAR. In contrast, Union Bank s sophisticated analytical models compare the event or transaction with results from thousands of other similar events or transactions. It then scores the event based on the likelihood that it will warrant an SAR. If the score meets a specified threshold, the system automatically escalates the case, bypassing several levels of human analysts. As a result, fewer humans need to review cases and those employees can focus their efforts on cases that are less clear-cut. As banks develop thresholds and policies for handling suspicious events, Hinkle stressed the importance of aligning policies with risk appetite. For example, the Los Angeles market has a high number of customers of Iranian descent who can be subject to additional scrutiny by the Office of Foreign Assets Control (OFAC) as the result of US government s sanctions against Iran. As a result, the bank needed to develop policies and processes, for example, to include additional reviews of wire transfers. Union Bank contrasts its approach with the static and disparate risk management approaches found in many other institutions. Said Hinkle, A lot of the client risk rating that we see as the status quo is based on a static risk rating. So based on defined time intervals, certain groups of customers will be reviewed for potential risk. Static rules run the risk of being overly broad or not specific to the institution s real money laundering risks. These institution risks are easy to overlook, leaving the institution exposed to greater regulatory scrutiny and putting compliance staff under greater pressure. Moreover, a static rules-based system can trigger too many false positives and overwhelm compliance staff with busy work. At the very least, the increased volume of work items may diminish the credibility and energy of AML monitoring and distract front-line staff from primary responsibilities. Hinkle continued, We also see financial institutions using many disparate methods for ranking customers - whether they re a high net-worth client or normal customer or business client. You have your high-risk customer surveillance. You see general population activity monitoring. And then you see anomaly models in addition to your normal heuristic or simple behavioral modeling. It may indeed be appropriate to use different approaches to monitor different customer groups. But financial institutions will need to defend these decisions. While regulators are not currently demanding this step, they likely will be soon. When they do, firms will need to back up their judgments with data, results and historical outcomes. Union Bank is well on the road to addressing this issue of compliance governance. Said Stewart, They re actively documenting their monitoring models to explain and defend policies for monitoring customers. How the FIU Is Structured Today, Union Bank s FIU has more than 90 employees with numerous units in charge of various aspects of monitoring nefarious transactions. Most of these units employ some form of analytics. Surveillance Unit The Surveillance Unit (SU) is a triage unit. Referrals from the field, systems or negative news searches come in to SU analysts. These analysts determine whether the alerts represent nonsuspicious activity and can be closed, or whether they require additional research and vetting. This unit employs analytics and tools as well as automated SAR workflows. Its road map incorporates even more analytics. Investigations Unit The Investigation Unit (IU) conducts comprehensive investigations in accordance with standards set by FinCEN, FFIEC BSA/AML Examination Manual guidelines, and bank policies. IU investigators determine whether the customer s activity is normal and explainable, or is suspicious and requires an SAR.
4 Global Sanctions Group The Global Sanctions Group addresses issues relating to the bank s Office of Foreign Assets Control (OFAC) and anti-corruption program. Its duties include monitoring to identify OFAC-related parties, blocking or rejecting prohibited transactions, and OFAC reporting. Says Hinkle, We re in the process of ramping up this group. The OFAC world has changed quite a bit. We ve enhanced our affidavit program and have implemented additional prevention controls. Currency Transaction Unit The Currency Transaction Unit monitors and reports on currency transactions and monetary instruments. They currently have their own system now and we re doing more blending with traditional FIU systems and processes, says Hinkle. Client Intelligence Unit The Client Intelligence Unit (CIU) is an integrated group that manages the bank s Know Your Customer and enhanced due diligence processes for high- and moderate-risk customers. The CIU reviews customer profiles to ensure activity is consistent with the customer s transaction profile. They evaluate customers with high-risk products or within specialized business units. The CIU also manages an adverse findings process that provides additional oversight, review, and exiting of customers when needed. This unit has successfully improved its ability to address suspicious activity in an appropriate manner. As Hinkle explained, In some cases they were taking an extremely conservative approach. We were exiting clients we shouldn t. We enhanced our client outreach and have seen a lot of success in making that activity cease. A Work in Progress With the whole industry and operations around BSA compliance in a state of flux, Union Bank is continually looking to improve its operations. I ve never been one to build a program and set it on the shelf and say, OK, we re done, said Hinkle. This effort involves staying up-to-date with analytics models and technology. You have to keep current around your rules and scenarios, including what you re monitoring, said Hinkle. Every month we test the accuracy and efficacy of our monitoring rules. We also evaluate our technology to determine whether it s the right solution, or whether we need a newer release or a different vendor. In addition, while the bank is currently considered to be midtier, with about 450 branches and 12,000 employees, it is looking to grow. Explained Hinkle, We re looking at how to make sure our BSA program is scalable and will carry us all the way to becoming a top 10 bank. Closing Thoughts BSA compliance is clearly something all financial institutions need to take seriously. Analytics plays a key role in enabling them to improve the effectiveness of their suspicious activity monitoring efforts. Based on Union Bank s experience, financial institutions can take away the following conclusions to apply to their own operations. First, big data is real and it s here to stay. Says Stewart, Poke around you ll find that every bank s information technology department has projects under way where they re adopting various big data standards, such as Hadoop, as well as in-memory and in-database technologies. Be aware of the big data projects in your company and take advantage of the innovation and best practices that are occurring in other departments. Second, money launderers adapt quickly. Once banks get their feet wet in analytics, they need to take the next step. Says Stewart, You have to get away from monitoring risky transactions and accounts and start investigating high-risk customers or counterparty relationships using a modeling approach. Third, banks need to keep abreast of new analytics technologies that will make their investigations even more productive. For example, the new release of the SAS Financial Crimes Suite will offer a new in-memory architecture that can run multiple simulations of monitoring strategies in a test/sandbox environment in seconds compared with hours or next day. This power will allow financial institutions to quickly perform what-if analysis against a large volume of data to more accurately measure the impact of deploying new scenarios or changing parameters. For example, a bank might conduct multiple simulations to determine the optimal thresholds of ATM withdrawals to mitigate risk most effectively. And finally, as financial institutions move toward adopting analytics, says Stewart, Don t try to boil the ocean all at once. Don t do some huge enterprise project. Enterprise projects are very demanding. It s all about data. You need an 18- to 36-month road map of which risks you want to address first. Then do a phased approach that s more culturally sustainable.
5 About the Presenters Mason Hinkle, Senior Vice President, Deputy BSA Officer, BSA Operations and Financial Crime Risk Management, Union Bank Mason Hinkle is responsible for Bank Secrecy Act operations at Union Bank. He has worked in the BSA/AML domain for more than 10 years and has more than 30 years of experience in the financial industry. David Stewart, Director of Financial Crimes Global Practice, SAS David Stewart is responsible for developing strategy, guiding product management and supporting the marketing of SAS fraud and financial crimes solutions for the banking industry. He also coordinates best practices among SAS global subjectmatter experts in combating financial crimes. He works closely with many of the world s most innovative financial services institutions, regulatory agencies, SAS research and development, implementation teams, and SAS Alliance partners to deliver superior solutions for fraud detection and anti-money laundering compliance. Stewart is a Certified Anti-Money Laundering Specialist and serves on the North Carolina ACAMS board.
To contact your local SAS office, please visit: sas.com/offices SAS and all other SAS Institute Inc. product or service names are registered trademarks or trademarks of SAS Institute Inc. in the USA and other countries. indicates USA registration. Other brand and product names are trademarks of their respective companies. Copyright 2014, SAS Institute Inc. All rights reserved. 106930_S114334.0214