Anti-Money Laundering: Getting to Efficient...protiviti.com Anti-Money Laundering: Getting to Efficient · 3 A majority of FIs have adopted a financial crime risk rating methodology

Internal Audit, Risk, Business & Technology Consulting

Anti-Money Laundering: Getting to Efficient

Anti-Money Laundering: Getting to Efficient · 1protiviti.com

Roadmap to AML Efficiency: Once a financial institution’s AML program is compliant with

AML/TF regulations, how does it become efficient in meeting its obligations?

Over the last 15 years, financial institutions (FIs) have

faced massive cultural and operational challenges

responding to anti-money laundering and terror-

ist financing (AML/TF) regulations. FIs that failed to

implement requirements in the timetable demanded

by governments and regulators have faced significant

fines, regulatory investigations and restrictions such

as limitations on the onboarding of new clients for

periods of time. Many FIs in well-developed regula-

tory environments now largely satisfy both their local

and international-equivalent regulatory requirements

following substantial investments in people, process-

es and technology. Among the core areas that have

seen major investment are: the capture of “Know Your

Customer” (KYC) documentation; the robust appli-

cation of transaction monitoring controls; and the

consistent screening of customers against sanctions

and other watch lists.

In addition, front offices and operations functions have

had to adapt to the cultural shift that “knowing your

customer” must extend beyond narrow commercial

value and into an acknowledgment that they “own”

the ML/TF risks associated with each customer and the

consequential systems and processes to identify, mitigate

and manage such risks.

Many FIs have achieved regulatory compliance in these

areas but at very significant cost, including experiencing

commercially punitive degradations to levels of customer

service and increased onboarding times due to the

frequent requests for client data at multiple stages of the

customer lifecycle.

In many cases, FIs have had to engage large numbers of

temporary staff for multiple years to accomplish manual

KYC remediations, and siloed system workarounds have

been developed since integrated systematic solutions

could not be developed and implemented quickly enough

to meet regulatory expectations.

Introduction

The challenge for many FIs now is how to make KYC and other AML/TF processes significantly more efficient

and risk-based to deliver cost savings and customer service improvements while still meeting AML/TF

regulatory obligations.

2 · Protiviti

This paper explores seven key areas of AML programs, highlighted in the diagram, that institutions should focus on to

achieve this goal of “Getting to Efficient.”

Optimize the AML/TF Target Operating Model

Shift from "Tactical" to Sustainable, Strategic Solutions

in AML Program Governance

Eliminate Common Inefficiencies in the

KYC Process

Leveraging Data for AML

Efficiency Gains

Accurate Identification of Customer Risk

Decrease Reliance on Manual Processes and

Increase the Application of Technology

Shift Institutional Culture

Anti-Money Laundering: Getting to Efficient · 3protiviti.com

A majority of FIs have adopted a financial crime risk

rating methodology designed to establish whether a

customer poses a high (or higher) risk of being a money

launderer and/or terrorist financier, or is likely to allow

such activities to pass undetected or to be complicit in

those activities.

Some of the factors that generally feed into this meth-

odology for an entity include, but are not limited to:

• Country of domicile of the entity

• Type of business/industry the entity engages in

• Transparency of ownership or control of the entity

• Involvement of any Politically Exposed Persons

(PEP) in the ownership, management or control of

the entity

• Negative news impacting the reputation of the

entity and its principals

• Products and services used by the customer and

related delivery channels

Typically, these factors are given a weighting in the overall

calculation of a risk rating of low/medium/high (some FIs

may also have classifications of “very hight risk” or “ultra

high risk”). In addition, a number of individual factors are

often deemed to pose such a risk level that they automat-

ically result in a high/very high risk classification being

attributed to the customer. Examples of these factors

could be a fine or other regulatory sanction for money

laundering, or a domicile within a high risk jurisdiction.

Failure to correctly identify higher risk elements for

a customer may expose the FI to regulatory fines and

sanctions. Also, the inefficient design or application of

a risk rating methodology can result in FIs undertaking

higher-than-necessary levels of due diligence and more

frequent reviews of customers than are needed. FIs must

make sure the risk rating methodologies and the results

they generate are dynamic and continue to properly reflect

the current financial crime risk posed by the customer.

Elements of the risk rating methodology which can lead

to inefficiencies include:

• Applying a simplistic industrial classification to

the entity’s business — For example, the supplier

of protective clothing to the oil and gas industry

does not pose the same financial crime risk as a

supplier of major capital goods to the same industry,

but they both could be grouped in the same higher

risk industrial classification. Defining tolerance for

exposure (e.g., x% of revenues) to a certain industry

and where that warrants classification within a high

risk industry may help to avoid misclassification;

however, any areas of doubt should involve compliance

expertise to assess whether the industry classification

and input to risk rating are appropriate based on the

level of involvement or proximity to a certain industry.

• Failing to re-assess the financial crime risk that

a PEP or former PEP currently poses — While a

PEP’s involvement in an entity may result in an

automatic high risk rating, a complete assessment

of the likelihood that the PEP is using the customer

entity for corrupt purposes is highly recommended.

The assessment would focus on the ability of a

current or former PEP to exert corrupt influence

or to use the entity for corrupt purposes, or the

determination criteria for when a former PEP is no

longer considered to have the ability or standing to

influence the entity.

01 Accurate Identification of Customer Risk

Accurate identification of customer risk underpins a

successful AML program and allows organizations

to have a view of a proportionate amount of time

and resources that should be focused on areas of the

customer base with the greatest level of potential risk.

– Carol Beaumier, Senior Managing Director, Protiviti

4 · Protiviti

• Failing to maintain up-to-date information on the

customer’s usage of the FI’s high risk products — If

the customer no longer uses high risk products, or uses

them to a non-material level, then this could reduce

the overall risk rating. As an example, historically

many business types such as restaurants have been

described as “cash intensive” and potentially posing a

heightened risk of financial crime. However, in many

economies, the use of debit or other payment cards

has reduced the use of cash to the point where some

businesses do not accept cash.

• Continuing to apply a high risk rating to a regulated

entity which has satisfied a regulatory sanction

(e.g., enforcement action, fine) and been allowed

to continue with its regulated activities — It may

be appropriate for an FI to create a specialist team to

conduct due diligence globally on all customers that

have been subject to regulatory sanction at any time

in the past to ensure that they are risk classified in a

manner consistent with their current status.

Generally, it is important that senior staff from the first

and second lines review all high risk customers to confirm

that the elements driving the risk rating are still in place

and the FI is not relying solely on the “mechanical” rating

generated by raw inputs. Equally, the FI must put in place

mechanisms to ensure that low and medium risk ratings

are accurate to avoid misclassifying high risk customers.

The involvement of senior FI staff in this process may

appear onerous but applying a higher risk rating than

required would have significant inefficiency implications.

On the flip side, the regulatory risk of applying a lower

rating than appropriate is very serious when considering

the requirements to maintain a compliant AML program,

particularly as the risk rating sets the tone for ongoing

management of the customer.

Common Areas of Inefficiency Getting to Efficient

Model-driven risk rating — Relying solely on the “mechanical” result of the rating model.

Outdated risk rating — Feeding the risk rating methodology/model with outdated and/or incomplete customer information.

Blanket PEP rating — Failing to establish the current risk posed by an existing or former PEP in the context of their role within a customer’s ownership structure or related parties.

Blanket high risk rating — Continuing to apply a blanket high risk rating to a customer which has been subject to regulatory sanction in the past, even where a regulatory enforcement action has since been satisfied.

Accurate rating reflective of current risk factors —

• Require senior first line staff with detailed knowledge of the customer to review the inputs to the risk rating methodology to ensure that they properly reflect the customer’s current circumstances.

• Review risk ratings (at least on a sample basis) to ensure that they properly reflect the actual current risk posed by that customer.

Risk-based PEP relationship assessment — Analyse the individual’s current status as a PEP, their role within the customer relationship, and other factors to determine if they currently pose a heightened risk.

Risk-based adverse media assessment — Consider establishing a senior specialist team to review customers with past issues on adverse media (e.g., enforcement actions) globally. This could include senior first and second line staff and their review may include liaising with senior customer staff to establish the current status of the regulatory enforcement action.

Anti-Money Laundering: Getting to Efficient · 5protiviti.com

KYC processes have often been developed “tactically”

in response to the need to implement regulatory

standards quickly and, in many cases, in direct

response to regulatory mandates. These tactical

solutions often become regarded as business-as-usual

(BAU) processes despite the fact that they were initially

designed for a short-term project objective, such as

remediation of the existing book of customers.

When evaluating the efficiency of KYC processes, the key

principles outlined below should be considered:

• Connectivity of KYC and front office functions

— KYC is often seen as disconnected from actually

“knowing the customer” from a commercial

perspective, but this can lead to duplication of effort

and inefficiencies in customer contact and other

processes. This is particularly true for relationship-

managed customers, where significant knowledge

about the customer sits in the front office.

If the KYC team is geographically remote from the

front office functions, consider creating a cost and

operational model to place the KYC function along-

side the front office. The first line of defense owns

the ML/TF risk of a customer; therefore, placing KYC

analysts in the front office can help reinforce this

ownership of risk and ensure a wholly connected

approach to “knowing the customer” and the relative

risk it poses for ML/TF.

• KYC team experience — Rather than having

“generalist” KYC analysts handle some of the more

complex entity types and risk spending a significant

amount of time understanding and navigating

the risks of such structures on a case-by-case

infrequent basis, a dedicated KYC team can apply

specialist knowledge and experience to minimize

and standardize the time spent on customers.

Specialist KYC teams can be established to deal with

complex structures such as trusts, special purpose

vehicles, government entities and multi-layered

structures and serve as SMEs in their respective area

for the front office.

• Risk acceptance — Analysts often spend

significant amounts of time discounting adverse

media screening “hits” (particularly around tier 1 FIs

and large, regulated financial institutions with past

AML enforcement actions, fines, etc.) where a global

governance body can readily discount those issues

at the relationship level and can be factored into the

institution’s appetite to continue to do business with

the customer.

Consider establishing a global KYC governance

body, which includes the second line of defense, to

maintain and manage a “white list” of relationships

with global FIs that have been subject to fines or

other regulatory sanction and on which significant

negative news exists. This “white list” would require

standardized and approved language for audit trails,

and should be built into KYC and screening systems

so it is clear up to which date of results the “white

list” status would be covered. This would allow

KYC analysts to focus only on new issues identified

through screening and any adverse media.

02 Eliminate Common Inefficiencies in the KYC Process

Many FIs are often lost in the KYC struggle to meet both compliance obligations whilst upholding an acceptable level of

customer experience.

– Erin Gavin, Senior Manager, Protiviti

6 · Protiviti

• Cost/benefit analysis — Many organizations are

unable to gauge the cost of KYC and the time and

resources needed to onboard a new customer and

perform ongoing due diligence. The cost is often

difficult to quantify, as it includes time spent on

KYC by onboarding teams, front office, compliance,

remediation teams and senior governance

committees, as well as time spent on system builds

and maintenance and AML screening subscriptions,

among others.

Adopting a process/activity-based accounting

methodology to calculate the fully loaded cost of

onboarding a customer, using process mining to

identify inconsistencies in approach, or under-

taking a periodic review using current processes

can be extremely valuable in identifying potential

areas for improvement.

Also, having the ability to perform a cost benefit

exercise prior to implementing any new processes or

solutions may have longer term efficiency gains.

Common Areas of Inefficiency Getting to Efficient

Siloed KYC and front office functions — Disconnect between KYC and front office leads to duplication of effort.

Generalist KYC team — Non-specialist analysts may use time inefficiently to understand customer structure and its risks.

Discounting of adverse media — Disproportionate amount of time spent discounting hits on global FIs with past regulatory fines or AML enforcement actions.

No cost/benefit analysis — Poor understanding of actual cost of new customer onboarding and periodic reviews.

Unite KYC and front office functions — Closely align these functions to improve understanding of customers’ needs and risks, and reduce needless customer touch points.

Specialist KYC team — Designated KYC team will improve efficiency of managing complex client onboards and periodic reviews.

Standardized “white list” — Maintain and govern a “white list” of relationships with global FIs subjected to fines/regulatory penalties to improve the screening process for those FIs that have resolved their regulatory enforcement actions/penalties.

Clear cost/benefit analysis — Activity-based accounting methodology prior to process implementation is recommended.

Anti-Money Laundering: Getting to Efficient · 7protiviti.com

Many FIs struggle to implement and improve an AML

program that is both strategic and sustainable, as they

are often consumed with “fighting fires” and imple-

menting tactical, short-term solutions. This enduring

“tactical” solution mentality and culture in an FI’s AML

program governance are often underpinned by a sense

of reactiveness, siloed approaches across various busi-

ness divisions/geographies, an overwhelming number

of priorities and a lack of clarity on future state. This is

an understandable challenge that many organizations

face, given the ever-changing global landscape of

regulatory and AML/TF obligations. Transitioning the

mindset of the organization and teams or individuals

involved from tactical (task and delivery based) to

strategic thinking (bigger picture) will take time but

ultimately provide a competitive advantage for those

AML programs that are forward-looking and agile

in their ability to adapt to regulatory, consumer and

operational trends in the industry.

Below are common challenges and areas that can be im-

proved upon to implement sustainable, strategic solutions

in an AML program and its related governance model.

• Lack of strategic action and thinking — It is

important to challenge the status quo and think

innovatively to identify new solutions, rather than

operating in a manner just because “it’s always

been done that way.” AML governance structures must

have a view of impending regulatory decisions,

market shifts, industry trends, consumer prefer-

ences and emerging technologies, as well as known

weaknesses in their AML framework, to proactively

prepare for such challenges, opportunities and

impending changes to operations and customers.

Understanding the highest value areas within an FI

and how to protect and enhance those areas by gaining

a better understanding of current and future AML/TF

opportunities and obstacles are essential. In addition,

having an open discussion of areas of AML program

weaknesses or blind spots is critical to the long-term

goals of any organization that wishes to meet its AML

obligations and improve customer satisfaction.

• Accurate information and involvement from key

stakeholders — Decisions on budget and strategic

investment in AML programs are sometimes made

in a siloed environment without considering a) other

efforts or initiatives that may already be in place;

and b) what the impact of including certain areas

and excluding others would be on the day-to-day

operations, downstream implications and customer

experience. For instance, the idea of scaling down

budget for onboarding systems improvement may

seem cost effective on the surface; however, a deeper

dive may reveal that improvements are needed to

enhance the customer experience and/or meet regu-

latory requirements for all correspondent banking

relationships. Similarly, dedicating resources, time

and effort to the review and tuning of transaction

monitoring rules may seem costly or tedious initially;

however, proper tuning can reduce the number of false

positives that require further investigation. The impli-

cations of missing potentially suspicious transactions

due to incomplete or inaccurate scenarios built into

the transaction monitoring system may result in both

financial and reputational repercussions for the FI.

By bringing the right mix of people (and therefore

information) to the table, decisions on budget alloca-

tion and strategic investment in areas for AML/TF are

likely to be more effective. All too often, the rollout of

a new tool to improve a certain function (e.g., sanc-

tions screening) is announced by senior leadership

who are more removed from customer experiences

and day-to-day activities. Meanwhile, the staff on

the ground may be content with the process and the

time it takes to execute the sanctions screening, but

actually need a better tool to perform other functions

(e.g. customer risk rating, adverse media/negative

news screening, PEP screening, etc.).

03 Shift from “Tactical” to Sustainable, Strategic Solutions in AML Program Governance

8 · Protiviti

Working in silos, especially from an AML program

standpoint, is oftentimes rooted in the need to de-

velop strategic solutions for a particular department,

geography and team and to navigate and adhere to

competing local AML/TF regulatory requirements.

Where the strategic plans for an AML program fail

to consider the overarching strategy and goals of

the entire organization, and when communication

is lacking and strategy is not aligned, it can result

in duplication of efforts to solve the same problem.

However, when strategies are aligned to the core

values and goals of the organization, it is easier

to identify duplication of work and shared goals to

enhance collaboration across common platforms/

initiatives, functional teams, lines of defense, opera-

tions and departments. For instance, the development

of a regulatory reporting function for country-specific

regulators should be part of an overarching global

regulatory reporting team’s responsibility. This

important AML function would encourage consistent

communication (internal and external-facing

to regulators) and a well-coordinated structure

to share regulatory requests and insights. This

important AML program function must ultimately

tie to the “tone from the top” from the firm’s ex-

ecutives, and information should be disseminated

to relevant regional and local functions to maximize

awareness and streamlining of efforts for effective

AML programs at global FIs.

Taking analysis from external resources (e.g., market

analysis, benchmarking, etc.) and tapping into inter-

nal resources of an organization (e.g., leadership levels

as well as staff in compliance, anti-financial crime,

risk management, operations and customer-facing

roles) to understand different AML and business

viewpoints, priorities and perspectives will assist

leadership in making informed decisions and under-

standing the implications of those decisions if the

right people are involved and consulted.

Common Areas of Inefficiency Getting to Efficient

Reactive in nature — Being distracted from overall AML program strategy by fighting fires and an overwhelming number of priorities (e.g., regulatory visits or reviews, last-minute adoption of regulation changes, de-prioritising investment in AML/TF, etc.).

Misalignment of strategic solutions — Working in silos (e.g., local AML requirements); no view of shared goals or common challenges across certain areas of the organization.

Uninformed decisions — Decision making without the appropriate information to influence and inform the decision makers.

Forward-thinking — Strategic thinking to enhance high value areas of the business model, particularly around meeting AML/TF obligations for the most critical areas of the business model (i.e., targeted spending of AML resources, time and costs on the business divisions and customers that align to the strategic vision).

Alignment of strategy — End-to-end view of how the AML program fits into the strategic goals across an FI organization (organizationwide, regional, department-wide, etc.), and may include a shift toward a more global and harmonised approach to AML/TF.

Informed decisions — Making informed strategic decisions for the AML program based on consideration of widespread perspectives and consultation with key individuals to understand the impact to operations and customer experience.

Anti-Money Laundering: Getting to Efficient · 9protiviti.com

Data held by FIs can be a powerful combatant in fighting

ML/TF if it is available, formatted and used in a meaning-

ful way. This is often not the case for many FIs that are

plagued by legacy data with poor quality which is frag-

mented across many systems. For instance, the number

of false positives generated in transaction monitoring

from incorrect/incomplete legacy data increases the time

it takes analysts to review and discount false positives,

with the risk that genuine money laundering alerts could

be missed.

Prior to implementing new AML technologies or fully

optimizing existing solutions and being able to reap the

efficiency rewards of such tools and analytics, a data

structuring exercise should be undertaken to understand

existing data flows, and to cleanse and format the data

so that it may be used in a meaningful way. Inputting

data with poor integrity into data management systems,

machine learning scenarios or analytics will skew the

output. The term “garbage in, garbage out” is commonly

referenced, so the importance of this data structuring

exercise in the process cannot be underestimated.

• Understanding data — Misinterpreting certain data

fields could have negative consequences downstream.

For example, when classifying a customer as active

or inactive, the same data field may be populated by

different teams in varying jurisdictions. However, if

those teams have different definitions of “inactive,”

the data will not be interpreted correctly when

assessed at a holistic level.

Subject-matter experts familiar with the data being

collected may be required to analyze, interpret and

communicate what the data means within a particular

function, report or data field (e.g., technical definition

of a data field from system build requirements vs.

business definition and use of that same data field).

• Cleansing customer data — Many organizations

have extensive amounts of legacy customer data

but cannot trust that the data is reliable and may

therefore discount data-based outcomes or reporting.

The data may lack credibility due to missing or partial

fields and conflicting or outdated information held

across various systems.

An exercise to analyze and update incomplete,

inaccurate or irrelevant data by replacing, modifying

or deleting may be necessary to cleanse a data set

and improve data integrity. An example of this could

be the validation of a city’s zip code through public

records to correct an error in the input of an address.

Any adjustments to data during cleansing should be

closely aligned with teams familiar with the purpose

and context of the data fields so the information is

adjusted as intended and used in a consistent manner,

ultimately improving the cleanliness of the data to get

to a “single source of the truth.”

• AML system and data mapping — Many

organizations do not have a holistic view of how data

flows throughout their organization horizontally and

vertically at a local or functional level, let alone at a

global view. All too often, customer inputs of data

during the onboarding process get passed out to the

various divisions of an organization and stored in

siloed systems, databases or offline spreadsheets

(e.g., trading systems, KYC case management tools,

regulatory reporting databases, etc.), creating a

fragmented data environment.

A data mapping exercise to understand system

inventory and data flows (inputs/outputs) is critical

to assess the benefits of any system consolidations or

redundancies and to understand the data sources and

flows. Maintaining an environment where complex

data silos exist in an FI can be time-consuming and

expensive and can hinder an organization’s ability to

leverage the benefits of the data in decision making

and combating ML/TF.

04 Leveraging Data for AML Efficiency Gains

10 · Protiviti

• Enrich data — After data has been cleansed,

refining and enhancement of the data can be applied

so it may be used for analysis and decision making.

The data must also be assessed for its veracity.

Increasing an organization’s confidence in the data

it holds will improve its view on existing systems.

Processes can then be optimized to clear the path

to future implementations of AML technology. This

may include the use of third-party data sources to

enhance the efficiency of data gathering as well as

the independence, reliability and integrity of the data

used to identify and verify customers. Third party data

sources may include onboarding platforms, verification

vendors and resource subscriptions used throughout

the client onboarding and ongoing customer due

diligence lifecycle.

Making an effort to understand and enhance data

integrity through some of the steps outlined above

will allow an organization to empower leadership to

make data-driven business decisions and to optimize

automated capabilities in existing systems or new

technology, such as robotic process automation

(RPA), artificial intelligence (AI) and machine

learning. To truly improve efficiency and target their

AML/TF efforts, organizations must rely less on judg-

ment and take a clear risk-based approach supported by

facts and valuable data on risk to their business.

Common Areas of Inefficiency Getting to Efficient

Misinterpretation of data — Misinterpretation of data amongst jurisdictions/business lines may lead to inconsistencies in the handling of AML alerts, KYC, screening results, etc.

Lack of veracity of data

• Missing/conflicting information reduces its integrity.

• Lack of confidence in data reduces its commercial value.

Siloed data — Siloed and disconnected storage of customer data creates a fragmented data and system environment.

Manual sourcing and verification of data — This often is a time-consuming exercise for staff and can result in incomplete or inaccurate information.

Understanding the context of data — Establish a universally consistent understanding of captured data.

Cleansing the data — Enrich and validate data through public and subscription-based sources, where possible, to reduce unnecessary customer outreach.

Reliable data — Assess veracity of data to allow for valuable analysis of AML program key performance and risk indicators (KPI, KRIs).

Data mapping — Map data flows to assess benefits of system consolidations/redundancies.

Optimizing third party data sources — Automation of the data gathering exercises increases efficiency as well as the reliability, independence and integrity of data. Staff can then spend more time on complex issues requiring attention.

Anti-Money Laundering: Getting to Efficient · 11protiviti.com

Following the structuring of data, the efficiency gained

from decreased use of manual and offline processes

and increased use of technology can begin to be fully

realized. Years of offline computing and manual work-

arounds in AML programs have proven to be a barrier to

gaining full advantage of current technology. The ability

to use structured data to identify redundant processes/

systems/tools and understand what an “optimized”

environment looks like in current systems for customer

onboarding, screening and transaction monitoring can

add value to an AML program.

• Informed technology decisions — Many times,

technology solutions (either custom-built or out-of-

the-box from a vendor) have been patched together

with an FI’s existing core systems to keep pace

with the changing regulatory environment and

reporting requirements, creating fragmented

systems of records and data. The RegTech market

alone includes thousands of providers, some

offering customer lifecycle management systems

(end-to-end), while others are focused only on

specific areas (e.g., screening, transaction moni-

toring, etc.). It is not uncommon for organizations

to add technology solutions on a tactical basis and

end up with an ecosystem of various providers.

• Understanding your ecosystem — The ability to

consolidate information and streamline data flows

through the ecosystem can provide FIs a competitive

advantage in the market. For instance, having a

single customer relationship view globally and being

able to visualize such data for clear and quick decision

making for first line purposes (e.g., expansion of

products offered, global view of customer accounts)

and second line (e.g., KYC approvals, regulatory

reporting) is still a target that most traditional FIs

are working toward. Achieving this target allows for

operational efficiency gains and cuts operating costs

across all lines of defense. It also can improve the

customer experience in that the customer will not

be asked for the same information multiple times

from various teams and can be provided a better

level of service if the front office actually knows

the customer.

• Technology investment — Investments in AML

program technology must be strategic, rather than

tactical. Strategic investments must be determined

after an organization’s data has been appropriately

structured and formatted to enable informed decision

making. Data management should not be a one-time

activity, as the maintenance of data integrity must be

an ongoing and sustainable activity to maintain the

efficiencies in new and existing technology.

05 Decrease Reliance on Manual Processes and Increase the Application of Technology

Focussing technology investment in areas where you

will see the greatest return — time- and cost-wise — will

allow employees to concentrate their skills and specialist

knowledge in areas of greatest value add.

– Jonathan Wyatt, Managing Director — Global Head of Protiviti Digital

12 · Protiviti

Common Areas of Inefficiency Getting to Efficient

Disconnected technology — Patchwork technology developments create disconnected systems of information which do not “speak” to each other.

Siloed ecosystem — Fractured view of data/systems reduces efficiency and increases costs of AML compliance and reporting.

Short-term fixes — “Tactical” investments prohibit long-term efficiency.

Manual processes — In addition to being time-consuming and inefficient, manual processes leave room for human error.

Informed technology decisions — Assess compatibility/effectiveness of systems to better inform key decision makers.

Streamlined data — Ability to consolidate information and streamline data flows in system ecosystem provides a competitive advantage by improving customer experience and operational efficiency across the three lines of defence.

Strategic technology investment — Revisit technology investment strategies early and often as internal (systems, organization changes, self-identified issues, etc.) and external factors (regulatory requirements, technology solution offerings) change.

Process automation — Consider opportunities within current processes to utilize RPA and machine learning to enhance process efficiencies and accuracy.

The reality is that regulatory requirements are evolving for all FIs, but having technology and data that can adapt in

an organized, efficient manner will provide organizations with a competitive advantage in the market.

Anti-Money Laundering: Getting to Efficient · 13protiviti.com

The need to implement AML/TF processes tactically has

often resulted in target operating models (TOM), which

satisfy short-term requirements but fail to deliver on a

strategic basis. Key issues in the three principal compo-

nents of a TOM are:

• People — Employees have been hired in “factories,”

often in lower-cost locations, to undertake KYC and

AML/TF activities. Their geographic location and time

zone are disconnected from core operations and front

office functions, which leads to significant inefficien-

cies in communication and failure for commercial

KYC information to be leveraged to satisfy regulatory

KYC requirements. Viewing KYC as a factory-driven

process has led to the tracking of metrics that focus

on throughput (number of files reviewed, delinquency

rates, etc.) but do not consider how these processes

are reducing risk, improving quality or affecting the

customer experience.

• Processes — Processes often remain largely manual

and a key source of information on the customer is

the customer themselves. The exponential growth

in reliable and independent information sources in

the public domain must be leveraged to minimize

intrusive, unnecessary and time-consuming customer

contact. AML/TF regulation across the European Union

in particular is also moving in the direction of maxi-

mizing the use of publicly available records (including

subscription-based sources) to meet the criteria of

being “independent and reliable” to the customer.

• Technology — Technological advancements may have

been developed outside of mainstream systems,

leading to significant challenges of KYC information

being shared across countries/entities, often resulting

in unnecessary, duplicative and time-consuming

onboarding of the same customer. Given the various

data privacy and sharing regulations that global FIs

face, even sharing data within the same organization

has become challenging when interpreting compliance

between different AML/TF and data regulations. A

common issue across organizations is the under-

standing in the front office systems of the details of

how/how much/how frequently the customer will

transact with the FI. This needs to be reflected in

transaction monitoring systems to avoid poor data

definition that results in the triggering of transactions

as being “unusual,” which are not so and missing truly

unusual transactions which require subsequent review.

06 Optimize the AML/TF Target Operating Model

The target operating model must be viewed as a “living” document, something that can grow and adapt as an

organization changes.

– Matt Taylor, Managing Director, Protiviti

14 · Protiviti

Common Areas of Inefficiency Getting to Efficient

Disconnected staffing model — Outsourced KYC activities to third parties/remote parts of the institution, leading to communication inefficiencies.

Manual processes — Overuse of tactical manual/semi-manual processes.

Siloed technology — Siloed technology development/data privacy regulation hindering effective sharing of KYC information across the organization.

Quantified cost of KYC — Activity-based cost modelling to establish an optimal solution to apportioning KYC activities and minimising customer touch points.

Streamline processes integrated with technology —

• Use of automation (e.g., RPA) and optimized use of existing systems to use publicly available, reliable and independent information sources to collect/update customer data and increase efficiencies of process for KYC, onboarding, alert discounting, etc.

• Consider “off-the-shelf” solution to standardize technology across the organization.

A TOM must be developed on a global basis for AML/

TF and recognize the importance of the integration of

AML operations into other operational and front office

functions to maximize efficiency and minimize costs and

onboarding times. The TOM must be viewed as a “living”

document, something that can grow and adapt with

the organization’s changes. The TOM must be subject

to ongoing governance to ensure that it continues to

provide the optimal operating model as circumstances

change, such as the increasing maturity of the AML

program, adapting to new regulation and supporting the

implementation of new and emerging technologies/au-

tomation, etc. AML/TF must become part of mainstream

operations and not a necessary irritant disconnected from

other functions.

Anti-Money Laundering: Getting to Efficient · 15protiviti.com

Achieving a sustainable cultural change within any

large organization is always a major challenge and

can take a significant amount of time. In the area of

financial crime, this has been particularly challenging

since the requirement to undertake strenuous and

systematic AML/TF procedures was forced from outside of

FIs by legislation and regulators.

Many organizations’ front offices have been slow to

accept that they “own” ML/TF risk and regard it as the

responsibility of the second line compliance functions.

Front offices have also been slow to integrate com-

mercial KYC information into the KYC for AML/TF

purposes in circumstances where it can be used for dual

purposes. This has been exacerbated by the creation of

KYC “service centers” which are often remote from the

front office function and may be outsourced to a third

party. These generally have separate reporting lines

and are measured on throughput and volumes for point-

in-time activities (often used to catch up on delinquent

records) rather than supporting the understanding of the

underlying customer, its relationship with the institution

and their ML/TF risk.

Other aspects of a lack of clarity of ownership of ML/

TF risk include poorly defined (in some cases completely

undefined) roles and responsibilities across the front

office and other elements of the first line of defense

or ineffective sanctions imposed internally where

procedures and standards are not applied consistently to

the required level.

Top leadership of the organization has a crucial role

to play in providing the “tone” in this area. Clear,

unequivocal messages from the top concerning the

responsibilities of the three lines of defense are

required, as is a commitment to implement what

is required to satisfy regulatory obligations across

the organization to ensure that heavily damaging

regulatory sanctions are avoided and that customer

intrusion and negative service impacts are minimized.

Clear communiations from leaders within each of the

three lines of defense is essential in driving the shared

responsibility for AML/TF controls and the differing

activities owned by each line of defense in delivering a

structured and systematic approach. The organization

must work collaboratively to achieve an optimal op-

erating model. Another key message to be delivered is

that the AML/TF requirements are not transient — they

are here to stay, and regulatory requirements are likely

to only become more stringent. It is essential that

the organization therefore applies the most efficient

methodologies to the issue, since that will deliver a

commercial advantage over a less efficient organization

in terms of both cost and customer experience.

07 Shift Institutional Culture

Common Areas of Inefficiency Getting to Efficient

Lack of clarity in ownership of risk — Reluctance by front office to accept responsibility for ML/TF risk.

AML is deprioritized — Without a strong tone from the top, AML controls, awareness and operational effectiveness may be viewed as a chore or “tick the box” exercise.

Roles & responsibilities — Clarity of ownership of ML/TF risk and roles of each line of defence is the shared responsibility of AML/TF controls through development of an optimal operating model.

AML program as a priority — Clear “tone from the top” on the need to prioritise AML programs and detect, prevent and deter ML/TF.

The message is, “Everyone has to do it — let’s do it best!”

16 · Protiviti

By applying the enhancements discussed in this paper

to the seven key areas noted, an FI can progress along

the roadmap to AML: Getting to Efficient. The roadmap

to an efficient AML program will require continuous

improvement, with some changes having more

immediate effect than others; however, FIs should

pursue the model described below when looking for

industry leading efficiency practices to gain a competi-

tive advantage in the efficiency of an AML program.

Roadmap to AML Efficiency

Optimize the AML/TF Target Operating Model

Shift from "Tactical" to Sustainable, Strategic Solutions

in AML Program Governance

Eliminate Common Inefficiencies in the

KYC Process

Leveraging Data for AML

Efficiency Gains

Accurate Identification of Customer Risk

Decrease Reliance on Manual Processes and

Increase the Application of Technology

Shift Institutional Culture

Increased understanding and accuracy of the

identification of the risk within your customer

base is critical to know the proportionate

amount of mitigation required.

Legacy data is streamlined, system ecosystem is clearly

mapped and redundancies are removed to allow

for informed technology decisions and strategic

investment for AML systems/tools.

KYC processes are updated to support the effectiveness of

resources and provide measurable cost savings

as well as improved customer experience.

Reduction in “fighting fires” and the AML program strategy is clear, aligned

and forward-thinking.

Customer and transaction data held or being collected/updated

by FIs is cleansed, formatted and enriched, as needed, to be used as a powerful combatant in

fighting ML/TF.

Anti-Money Laundering: Getting to Efficient · 17protiviti.com

How We Can Help

At Protiviti, we continuously explore how advances in AML programs can be achieved. We have deep subject-

matter expertise around global AML/TF regulatory requirements and have extensive experience in designing and

implementing all areas of AML programs across many Tier 1 and Tier 2 FIs.

Since 2002, Protiviti has rallied itself around a set of values that encourage innovation and collaboration; in this

regard, we collaborate with various lines of defense and regulatory technology vendors to bring our clients creative

solutions to meet their regulatory compliance obligations.

ABOUT PROTIVITI

Protiviti is a global consulting firm that delivers deep expertise, objective insights, a tailored approach and unparalleled collaboration to help leaders confidently face the future. Protiviti and our independently owned Member Firms provide consulting solutions in finance, technology, operations, data, analytics, governance, risk and internal audit to our clients through our network of more than 75 offices in over 20 countries. 

We have served more than 60 percent of Fortune 1000® and 35 percent of Fortune Global 500® companies. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies. Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.

Carol BeaumierSenior Managing Director+1 [email protected]

Shaun CreeganManaging Director+1 [email protected]

Michael BrauneisManaging Director, Americas Financial Services Leader+1 [email protected]

Matthew MooreManaging Director+1 [email protected]

Bernadine ReeseManaging [email protected]

Matt TaylorManaging [email protected]

Ken [email protected]

Erin GavinSenior Manager+44 207 930 [email protected]

CONTACTS

© 2019 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. PRO-0919-103139 Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.

*MEMBER FIRM

THE AMERICAS UNITED STATES

Alexandria

Atlanta

Baltimore

Boston

Charlotte

Chicago

Cincinnati

Cleveland

Dallas

Denver

Fort Lauderdale

Houston

Kansas City

Los Angeles

Milwaukee

Minneapolis

New York

Orlando

Philadelphia

Phoenix

Pittsburgh

Portland

Richmond

Sacramento

Salt Lake City

San Francisco

San Jose

Seattle

Stamford

St. Louis

Tampa

Washington, D.C.

Winchester

Woodbridge

ARGENTINA*

Buenos Aires

BRAZIL*

Rio de Janeiro Sao Paulo

CANADA

Kitchener-Waterloo Toronto

CHILE*

Santiago

COLOMBIA*

Bogota

MEXICO*

Mexico City

PERU*

Lima

VENEZUELA*

Caracas

EUROPE, MIDDLE EAST & AFRICA

FRANCE

Paris

GERMANY

Frankfurt

Munich

ITALY

Milan

Rome

Turin

NETHERLANDS

Amsterdam

SWITZERLAND

Zurich

UNITED KINGDOM

Birmingham

Bristol

Leeds

London

Manchester

Milton Keynes

Swindon

BAHRAIN*

Manama

KUWAIT*

Kuwait City

OMAN*

Muscat

QATAR*

Doha

SAUDI ARABIA*

Riyadh

UNITED ARAB EMIRATES*

Abu Dhabi

Dubai

EGYPT*

Cairo

SOUTH AFRICA *

Durban

Johannesburg

ASIA-PACIFIC AUSTRALIA

Brisbane

Canberra

Melbourne

Sydney

CHINA

Beijing

Hong Kong

Shanghai

Shenzhen

INDIA*

Bengaluru

Hyderabad

Kolkata

Mumbai

New Delhi

JAPAN

Osaka

Tokyo

SINGAPORE

Singapore

© 2

018

Proti

viti

Inc.

An

Equa

l Opp

ortu

nity

Em

ploy

er M

/F/D

isab

ility

/Vet

eran

s. P

RO-0

918