Internal Audit, Risk, Business & Technology Consulting Anti-Money Laundering: Getting to Efficient
Anti-Money Laundering: Getting to Efficient · 1protiviti.com
Roadmap to AML Efficiency: Once a financial institution’s AML program is compliant with
AML/TF regulations, how does it become efficient in meeting its obligations?
Over the last 15 years, financial institutions (FIs) have
faced massive cultural and operational challenges
responding to anti-money laundering and terror-
ist financing (AML/TF) regulations. FIs that failed to
implement requirements in the timetable demanded
by governments and regulators have faced significant
fines, regulatory investigations and restrictions such
as limitations on the onboarding of new clients for
periods of time. Many FIs in well-developed regula-
tory environments now largely satisfy both their local
and international-equivalent regulatory requirements
following substantial investments in people, process-
es and technology. Among the core areas that have
seen major investment are: the capture of “Know Your
Customer” (KYC) documentation; the robust appli-
cation of transaction monitoring controls; and the
consistent screening of customers against sanctions
and other watch lists.
In addition, front offices and operations functions have
had to adapt to the cultural shift that “knowing your
customer” must extend beyond narrow commercial
value and into an acknowledgment that they “own”
the ML/TF risks associated with each customer and the
consequential systems and processes to identify, mitigate
and manage such risks.
Many FIs have achieved regulatory compliance in these
areas but at very significant cost, including experiencing
commercially punitive degradations to levels of customer
service and increased onboarding times due to the
frequent requests for client data at multiple stages of the
customer lifecycle.
In many cases, FIs have had to engage large numbers of
temporary staff for multiple years to accomplish manual
KYC remediations, and siloed system workarounds have
been developed since integrated systematic solutions
could not be developed and implemented quickly enough
to meet regulatory expectations.
Introduction
The challenge for many FIs now is how to make KYC and other AML/TF processes significantly more efficient
and risk-based to deliver cost savings and customer service improvements while still meeting AML/TF
regulatory obligations.
2 · Protiviti
This paper explores seven key areas of AML programs, highlighted in the diagram, that institutions should focus on to
achieve this goal of “Getting to Efficient.”
Optimize the AML/TF Target Operating Model
Shift from "Tactical" to Sustainable, Strategic Solutions
in AML Program Governance
Eliminate Common Inefficiencies in the
KYC Process
Leveraging Data for AML
Efficiency Gains
Accurate Identification of Customer Risk
Decrease Reliance on Manual Processes and
Increase the Application of Technology
Shift Institutional Culture
Anti-Money Laundering: Getting to Efficient · 3protiviti.com
A majority of FIs have adopted a financial crime risk
rating methodology designed to establish whether a
customer poses a high (or higher) risk of being a money
launderer and/or terrorist financier, or is likely to allow
such activities to pass undetected or to be complicit in
those activities.
Some of the factors that generally feed into this meth-
odology for an entity include, but are not limited to:
• Country of domicile of the entity
• Type of business/industry the entity engages in
• Transparency of ownership or control of the entity
• Involvement of any Politically Exposed Persons
(PEP) in the ownership, management or control of
the entity
• Negative news impacting the reputation of the
entity and its principals
• Products and services used by the customer and
related delivery channels
Typically, these factors are given a weighting in the overall
calculation of a risk rating of low/medium/high (some FIs
may also have classifications of “very hight risk” or “ultra
high risk”). In addition, a number of individual factors are
often deemed to pose such a risk level that they automat-
ically result in a high/very high risk classification being
attributed to the customer. Examples of these factors
could be a fine or other regulatory sanction for money
laundering, or a domicile within a high risk jurisdiction.
Failure to correctly identify higher risk elements for
a customer may expose the FI to regulatory fines and
sanctions. Also, the inefficient design or application of
a risk rating methodology can result in FIs undertaking
higher-than-necessary levels of due diligence and more
frequent reviews of customers than are needed. FIs must
make sure the risk rating methodologies and the results
they generate are dynamic and continue to properly reflect
the current financial crime risk posed by the customer.
Elements of the risk rating methodology which can lead
to inefficiencies include:
• Applying a simplistic industrial classification to
the entity’s business — For example, the supplier
of protective clothing to the oil and gas industry
does not pose the same financial crime risk as a
supplier of major capital goods to the same industry,
but they both could be grouped in the same higher
risk industrial classification. Defining tolerance for
exposure (e.g., x% of revenues) to a certain industry
and where that warrants classification within a high
risk industry may help to avoid misclassification;
however, any areas of doubt should involve compliance
expertise to assess whether the industry classification
and input to risk rating are appropriate based on the
level of involvement or proximity to a certain industry.
• Failing to re-assess the financial crime risk that
a PEP or former PEP currently poses — While a
PEP’s involvement in an entity may result in an
automatic high risk rating, a complete assessment
of the likelihood that the PEP is using the customer
entity for corrupt purposes is highly recommended.
The assessment would focus on the ability of a
current or former PEP to exert corrupt influence
or to use the entity for corrupt purposes, or the
determination criteria for when a former PEP is no
longer considered to have the ability or standing to
influence the entity.
01 Accurate Identification of Customer Risk
Accurate identification of customer risk underpins a
successful AML program and allows organizations
to have a view of a proportionate amount of time
and resources that should be focused on areas of the
customer base with the greatest level of potential risk.
– Carol Beaumier, Senior Managing Director, Protiviti
4 · Protiviti
• Failing to maintain up-to-date information on the
customer’s usage of the FI’s high risk products — If
the customer no longer uses high risk products, or uses
them to a non-material level, then this could reduce
the overall risk rating. As an example, historically
many business types such as restaurants have been
described as “cash intensive” and potentially posing a
heightened risk of financial crime. However, in many
economies, the use of debit or other payment cards
has reduced the use of cash to the point where some
businesses do not accept cash.
• Continuing to apply a high risk rating to a regulated
entity which has satisfied a regulatory sanction
(e.g., enforcement action, fine) and been allowed
to continue with its regulated activities — It may
be appropriate for an FI to create a specialist team to
conduct due diligence globally on all customers that
have been subject to regulatory sanction at any time
in the past to ensure that they are risk classified in a
manner consistent with their current status.
Generally, it is important that senior staff from the first
and second lines review all high risk customers to confirm
that the elements driving the risk rating are still in place
and the FI is not relying solely on the “mechanical” rating
generated by raw inputs. Equally, the FI must put in place
mechanisms to ensure that low and medium risk ratings
are accurate to avoid misclassifying high risk customers.
The involvement of senior FI staff in this process may
appear onerous but applying a higher risk rating than
required would have significant inefficiency implications.
On the flip side, the regulatory risk of applying a lower
rating than appropriate is very serious when considering
the requirements to maintain a compliant AML program,
particularly as the risk rating sets the tone for ongoing
management of the customer.
Common Areas of Inefficiency Getting to Efficient
Model-driven risk rating — Relying solely on the “mechanical” result of the rating model.
Outdated risk rating — Feeding the risk rating methodology/model with outdated and/or incomplete customer information.
Blanket PEP rating — Failing to establish the current risk posed by an existing or former PEP in the context of their role within a customer’s ownership structure or related parties.
Blanket high risk rating — Continuing to apply a blanket high risk rating to a customer which has been subject to regulatory sanction in the past, even where a regulatory enforcement action has since been satisfied.
Accurate rating reflective of current risk factors —
• Require senior first line staff with detailed knowledge of the customer to review the inputs to the risk rating methodology to ensure that they properly reflect the customer’s current circumstances.
• Review risk ratings (at least on a sample basis) to ensure that they properly reflect the actual current risk posed by that customer.
Risk-based PEP relationship assessment — Analyse the individual’s current status as a PEP, their role within the customer relationship, and other factors to determine if they currently pose a heightened risk.
Risk-based adverse media assessment — Consider establishing a senior specialist team to review customers with past issues on adverse media (e.g., enforcement actions) globally. This could include senior first and second line staff and their review may include liaising with senior customer staff to establish the current status of the regulatory enforcement action.
Anti-Money Laundering: Getting to Efficient · 5protiviti.com
KYC processes have often been developed “tactically”
in response to the need to implement regulatory
standards quickly and, in many cases, in direct
response to regulatory mandates. These tactical
solutions often become regarded as business-as-usual
(BAU) processes despite the fact that they were initially
designed for a short-term project objective, such as
remediation of the existing book of customers.
When evaluating the efficiency of KYC processes, the key
principles outlined below should be considered:
• Connectivity of KYC and front office functions
— KYC is often seen as disconnected from actually
“knowing the customer” from a commercial
perspective, but this can lead to duplication of effort
and inefficiencies in customer contact and other
processes. This is particularly true for relationship-
managed customers, where significant knowledge
about the customer sits in the front office.
If the KYC team is geographically remote from the
front office functions, consider creating a cost and
operational model to place the KYC function along-
side the front office. The first line of defense owns
the ML/TF risk of a customer; therefore, placing KYC
analysts in the front office can help reinforce this
ownership of risk and ensure a wholly connected
approach to “knowing the customer” and the relative
risk it poses for ML/TF.
• KYC team experience — Rather than having
“generalist” KYC analysts handle some of the more
complex entity types and risk spending a significant
amount of time understanding and navigating
the risks of such structures on a case-by-case
infrequent basis, a dedicated KYC team can apply
specialist knowledge and experience to minimize
and standardize the time spent on customers.
Specialist KYC teams can be established to deal with
complex structures such as trusts, special purpose
vehicles, government entities and multi-layered
structures and serve as SMEs in their respective area
for the front office.
• Risk acceptance — Analysts often spend
significant amounts of time discounting adverse
media screening “hits” (particularly around tier 1 FIs
and large, regulated financial institutions with past
AML enforcement actions, fines, etc.) where a global
governance body can readily discount those issues
at the relationship level and can be factored into the
institution’s appetite to continue to do business with
the customer.
Consider establishing a global KYC governance
body, which includes the second line of defense, to
maintain and manage a “white list” of relationships
with global FIs that have been subject to fines or
other regulatory sanction and on which significant
negative news exists. This “white list” would require
standardized and approved language for audit trails,
and should be built into KYC and screening systems
so it is clear up to which date of results the “white
list” status would be covered. This would allow
KYC analysts to focus only on new issues identified
through screening and any adverse media.
02 Eliminate Common Inefficiencies in the KYC Process
Many FIs are often lost in the KYC struggle to meet both compliance obligations whilst upholding an acceptable level of
customer experience.
– Erin Gavin, Senior Manager, Protiviti
6 · Protiviti
• Cost/benefit analysis — Many organizations are
unable to gauge the cost of KYC and the time and
resources needed to onboard a new customer and
perform ongoing due diligence. The cost is often
difficult to quantify, as it includes time spent on
KYC by onboarding teams, front office, compliance,
remediation teams and senior governance
committees, as well as time spent on system builds
and maintenance and AML screening subscriptions,
among others.
Adopting a process/activity-based accounting
methodology to calculate the fully loaded cost of
onboarding a customer, using process mining to
identify inconsistencies in approach, or under-
taking a periodic review using current processes
can be extremely valuable in identifying potential
areas for improvement.
Also, having the ability to perform a cost benefit
exercise prior to implementing any new processes or
solutions may have longer term efficiency gains.
Common Areas of Inefficiency Getting to Efficient
Siloed KYC and front office functions — Disconnect between KYC and front office leads to duplication of effort.
Generalist KYC team — Non-specialist analysts may use time inefficiently to understand customer structure and its risks.
Discounting of adverse media — Disproportionate amount of time spent discounting hits on global FIs with past regulatory fines or AML enforcement actions.
No cost/benefit analysis — Poor understanding of actual cost of new customer onboarding and periodic reviews.
Unite KYC and front office functions — Closely align these functions to improve understanding of customers’ needs and risks, and reduce needless customer touch points.
Specialist KYC team — Designated KYC team will improve efficiency of managing complex client onboards and periodic reviews.
Standardized “white list” — Maintain and govern a “white list” of relationships with global FIs subjected to fines/regulatory penalties to improve the screening process for those FIs that have resolved their regulatory enforcement actions/penalties.
Clear cost/benefit analysis — Activity-based accounting methodology prior to process implementation is recommended.
Anti-Money Laundering: Getting to Efficient · 7protiviti.com
Many FIs struggle to implement and improve an AML
program that is both strategic and sustainable, as they
are often consumed with “fighting fires” and imple-
menting tactical, short-term solutions. This enduring
“tactical” solution mentality and culture in an FI’s AML
program governance are often underpinned by a sense
of reactiveness, siloed approaches across various busi-
ness divisions/geographies, an overwhelming number
of priorities and a lack of clarity on future state. This is
an understandable challenge that many organizations
face, given the ever-changing global landscape of
regulatory and AML/TF obligations. Transitioning the
mindset of the organization and teams or individuals
involved from tactical (task and delivery based) to
strategic thinking (bigger picture) will take time but
ultimately provide a competitive advantage for those
AML programs that are forward-looking and agile
in their ability to adapt to regulatory, consumer and
operational trends in the industry.
Below are common challenges and areas that can be im-
proved upon to implement sustainable, strategic solutions
in an AML program and its related governance model.
• Lack of strategic action and thinking — It is
important to challenge the status quo and think
innovatively to identify new solutions, rather than
operating in a manner just because “it’s always
been done that way.” AML governance structures must
have a view of impending regulatory decisions,
market shifts, industry trends, consumer prefer-
ences and emerging technologies, as well as known
weaknesses in their AML framework, to proactively
prepare for such challenges, opportunities and
impending changes to operations and customers.
Understanding the highest value areas within an FI
and how to protect and enhance those areas by gaining
a better understanding of current and future AML/TF
opportunities and obstacles are essential. In addition,
having an open discussion of areas of AML program
weaknesses or blind spots is critical to the long-term
goals of any organization that wishes to meet its AML
obligations and improve customer satisfaction.
• Accurate information and involvement from key
stakeholders — Decisions on budget and strategic
investment in AML programs are sometimes made
in a siloed environment without considering a) other
efforts or initiatives that may already be in place;
and b) what the impact of including certain areas
and excluding others would be on the day-to-day
operations, downstream implications and customer
experience. For instance, the idea of scaling down
budget for onboarding systems improvement may
seem cost effective on the surface; however, a deeper
dive may reveal that improvements are needed to
enhance the customer experience and/or meet regu-
latory requirements for all correspondent banking
relationships. Similarly, dedicating resources, time
and effort to the review and tuning of transaction
monitoring rules may seem costly or tedious initially;
however, proper tuning can reduce the number of false
positives that require further investigation. The impli-
cations of missing potentially suspicious transactions
due to incomplete or inaccurate scenarios built into
the transaction monitoring system may result in both
financial and reputational repercussions for the FI.
By bringing the right mix of people (and therefore
information) to the table, decisions on budget alloca-
tion and strategic investment in areas for AML/TF are
likely to be more effective. All too often, the rollout of
a new tool to improve a certain function (e.g., sanc-
tions screening) is announced by senior leadership
who are more removed from customer experiences
and day-to-day activities. Meanwhile, the staff on
the ground may be content with the process and the
time it takes to execute the sanctions screening, but
actually need a better tool to perform other functions
(e.g. customer risk rating, adverse media/negative
news screening, PEP screening, etc.).
03 Shift from “Tactical” to Sustainable, Strategic Solutions in AML Program Governance
8 · Protiviti
Working in silos, especially from an AML program
standpoint, is oftentimes rooted in the need to de-
velop strategic solutions for a particular department,
geography and team and to navigate and adhere to
competing local AML/TF regulatory requirements.
Where the strategic plans for an AML program fail
to consider the overarching strategy and goals of
the entire organization, and when communication
is lacking and strategy is not aligned, it can result
in duplication of efforts to solve the same problem.
However, when strategies are aligned to the core
values and goals of the organization, it is easier
to identify duplication of work and shared goals to
enhance collaboration across common platforms/
initiatives, functional teams, lines of defense, opera-
tions and departments. For instance, the development
of a regulatory reporting function for country-specific
regulators should be part of an overarching global
regulatory reporting team’s responsibility. This
important AML function would encourage consistent
communication (internal and external-facing
to regulators) and a well-coordinated structure
to share regulatory requests and insights. This
important AML program function must ultimately
tie to the “tone from the top” from the firm’s ex-
ecutives, and information should be disseminated
to relevant regional and local functions to maximize
awareness and streamlining of efforts for effective
AML programs at global FIs.
Taking analysis from external resources (e.g., market
analysis, benchmarking, etc.) and tapping into inter-
nal resources of an organization (e.g., leadership levels
as well as staff in compliance, anti-financial crime,
risk management, operations and customer-facing
roles) to understand different AML and business
viewpoints, priorities and perspectives will assist
leadership in making informed decisions and under-
standing the implications of those decisions if the
right people are involved and consulted.
Common Areas of Inefficiency Getting to Efficient
Reactive in nature — Being distracted from overall AML program strategy by fighting fires and an overwhelming number of priorities (e.g., regulatory visits or reviews, last-minute adoption of regulation changes, de-prioritising investment in AML/TF, etc.).
Misalignment of strategic solutions — Working in silos (e.g., local AML requirements); no view of shared goals or common challenges across certain areas of the organization.
Uninformed decisions — Decision making without the appropriate information to influence and inform the decision makers.
Forward-thinking — Strategic thinking to enhance high value areas of the business model, particularly around meeting AML/TF obligations for the most critical areas of the business model (i.e., targeted spending of AML resources, time and costs on the business divisions and customers that align to the strategic vision).
Alignment of strategy — End-to-end view of how the AML program fits into the strategic goals across an FI organization (organizationwide, regional, department-wide, etc.), and may include a shift toward a more global and harmonised approach to AML/TF.
Informed decisions — Making informed strategic decisions for the AML program based on consideration of widespread perspectives and consultation with key individuals to understand the impact to operations and customer experience.
Anti-Money Laundering: Getting to Efficient · 9protiviti.com
Data held by FIs can be a powerful combatant in fighting
ML/TF if it is available, formatted and used in a meaning-
ful way. This is often not the case for many FIs that are
plagued by legacy data with poor quality which is frag-
mented across many systems. For instance, the number
of false positives generated in transaction monitoring
from incorrect/incomplete legacy data increases the time
it takes analysts to review and discount false positives,
with the risk that genuine money laundering alerts could
be missed.
Prior to implementing new AML technologies or fully
optimizing existing solutions and being able to reap the
efficiency rewards of such tools and analytics, a data
structuring exercise should be undertaken to understand
existing data flows, and to cleanse and format the data
so that it may be used in a meaningful way. Inputting
data with poor integrity into data management systems,
machine learning scenarios or analytics will skew the
output. The term “garbage in, garbage out” is commonly
referenced, so the importance of this data structuring
exercise in the process cannot be underestimated.
• Understanding data — Misinterpreting certain data
fields could have negative consequences downstream.
For example, when classifying a customer as active
or inactive, the same data field may be populated by
different teams in varying jurisdictions. However, if
those teams have different definitions of “inactive,”
the data will not be interpreted correctly when
assessed at a holistic level.
Subject-matter experts familiar with the data being
collected may be required to analyze, interpret and
communicate what the data means within a particular
function, report or data field (e.g., technical definition
of a data field from system build requirements vs.
business definition and use of that same data field).
• Cleansing customer data — Many organizations
have extensive amounts of legacy customer data
but cannot trust that the data is reliable and may
therefore discount data-based outcomes or reporting.
The data may lack credibility due to missing or partial
fields and conflicting or outdated information held
across various systems.
An exercise to analyze and update incomplete,
inaccurate or irrelevant data by replacing, modifying
or deleting may be necessary to cleanse a data set
and improve data integrity. An example of this could
be the validation of a city’s zip code through public
records to correct an error in the input of an address.
Any adjustments to data during cleansing should be
closely aligned with teams familiar with the purpose
and context of the data fields so the information is
adjusted as intended and used in a consistent manner,
ultimately improving the cleanliness of the data to get
to a “single source of the truth.”
• AML system and data mapping — Many
organizations do not have a holistic view of how data
flows throughout their organization horizontally and
vertically at a local or functional level, let alone at a
global view. All too often, customer inputs of data
during the onboarding process get passed out to the
various divisions of an organization and stored in
siloed systems, databases or offline spreadsheets
(e.g., trading systems, KYC case management tools,
regulatory reporting databases, etc.), creating a
fragmented data environment.
A data mapping exercise to understand system
inventory and data flows (inputs/outputs) is critical
to assess the benefits of any system consolidations or
redundancies and to understand the data sources and
flows. Maintaining an environment where complex
data silos exist in an FI can be time-consuming and
expensive and can hinder an organization’s ability to
leverage the benefits of the data in decision making
and combating ML/TF.
04 Leveraging Data for AML Efficiency Gains
10 · Protiviti
• Enrich data — After data has been cleansed,
refining and enhancement of the data can be applied
so it may be used for analysis and decision making.
The data must also be assessed for its veracity.
Increasing an organization’s confidence in the data
it holds will improve its view on existing systems.
Processes can then be optimized to clear the path
to future implementations of AML technology. This
may include the use of third-party data sources to
enhance the efficiency of data gathering as well as
the independence, reliability and integrity of the data
used to identify and verify customers. Third party data
sources may include onboarding platforms, verification
vendors and resource subscriptions used throughout
the client onboarding and ongoing customer due
diligence lifecycle.
Making an effort to understand and enhance data
integrity through some of the steps outlined above
will allow an organization to empower leadership to
make data-driven business decisions and to optimize
automated capabilities in existing systems or new
technology, such as robotic process automation
(RPA), artificial intelligence (AI) and machine
learning. To truly improve efficiency and target their
AML/TF efforts, organizations must rely less on judg-
ment and take a clear risk-based approach supported by
facts and valuable data on risk to their business.
Common Areas of Inefficiency Getting to Efficient
Misinterpretation of data — Misinterpretation of data amongst jurisdictions/business lines may lead to inconsistencies in the handling of AML alerts, KYC, screening results, etc.
Lack of veracity of data
• Missing/conflicting information reduces its integrity.
• Lack of confidence in data reduces its commercial value.
Siloed data — Siloed and disconnected storage of customer data creates a fragmented data and system environment.
Manual sourcing and verification of data — This often is a time-consuming exercise for staff and can result in incomplete or inaccurate information.
Understanding the context of data — Establish a universally consistent understanding of captured data.
Cleansing the data — Enrich and validate data through public and subscription-based sources, where possible, to reduce unnecessary customer outreach.
Reliable data — Assess veracity of data to allow for valuable analysis of AML program key performance and risk indicators (KPI, KRIs).
Data mapping — Map data flows to assess benefits of system consolidations/redundancies.
Optimizing third party data sources — Automation of the data gathering exercises increases efficiency as well as the reliability, independence and integrity of data. Staff can then spend more time on complex issues requiring attention.
Anti-Money Laundering: Getting to Efficient · 11protiviti.com
Following the structuring of data, the efficiency gained
from decreased use of manual and offline processes
and increased use of technology can begin to be fully
realized. Years of offline computing and manual work-
arounds in AML programs have proven to be a barrier to
gaining full advantage of current technology. The ability
to use structured data to identify redundant processes/
systems/tools and understand what an “optimized”
environment looks like in current systems for customer
onboarding, screening and transaction monitoring can
add value to an AML program.
• Informed technology decisions — Many times,
technology solutions (either custom-built or out-of-
the-box from a vendor) have been patched together
with an FI’s existing core systems to keep pace
with the changing regulatory environment and
reporting requirements, creating fragmented
systems of records and data. The RegTech market
alone includes thousands of providers, some
offering customer lifecycle management systems
(end-to-end), while others are focused only on
specific areas (e.g., screening, transaction moni-
toring, etc.). It is not uncommon for organizations
to add technology solutions on a tactical basis and
end up with an ecosystem of various providers.
• Understanding your ecosystem — The ability to
consolidate information and streamline data flows
through the ecosystem can provide FIs a competitive
advantage in the market. For instance, having a
single customer relationship view globally and being
able to visualize such data for clear and quick decision
making for first line purposes (e.g., expansion of
products offered, global view of customer accounts)
and second line (e.g., KYC approvals, regulatory
reporting) is still a target that most traditional FIs
are working toward. Achieving this target allows for
operational efficiency gains and cuts operating costs
across all lines of defense. It also can improve the
customer experience in that the customer will not
be asked for the same information multiple times
from various teams and can be provided a better
level of service if the front office actually knows
the customer.
• Technology investment — Investments in AML
program technology must be strategic, rather than
tactical. Strategic investments must be determined
after an organization’s data has been appropriately
structured and formatted to enable informed decision
making. Data management should not be a one-time
activity, as the maintenance of data integrity must be
an ongoing and sustainable activity to maintain the
efficiencies in new and existing technology.
05 Decrease Reliance on Manual Processes and Increase the Application of Technology
Focussing technology investment in areas where you
will see the greatest return — time- and cost-wise — will
allow employees to concentrate their skills and specialist
knowledge in areas of greatest value add.
– Jonathan Wyatt, Managing Director — Global Head of Protiviti Digital
12 · Protiviti
Common Areas of Inefficiency Getting to Efficient
Disconnected technology — Patchwork technology developments create disconnected systems of information which do not “speak” to each other.
Siloed ecosystem — Fractured view of data/systems reduces efficiency and increases costs of AML compliance and reporting.
Short-term fixes — “Tactical” investments prohibit long-term efficiency.
Manual processes — In addition to being time-consuming and inefficient, manual processes leave room for human error.
Informed technology decisions — Assess compatibility/effectiveness of systems to better inform key decision makers.
Streamlined data — Ability to consolidate information and streamline data flows in system ecosystem provides a competitive advantage by improving customer experience and operational efficiency across the three lines of defence.
Strategic technology investment — Revisit technology investment strategies early and often as internal (systems, organization changes, self-identified issues, etc.) and external factors (regulatory requirements, technology solution offerings) change.
Process automation — Consider opportunities within current processes to utilize RPA and machine learning to enhance process efficiencies and accuracy.
The reality is that regulatory requirements are evolving for all FIs, but having technology and data that can adapt in
an organized, efficient manner will provide organizations with a competitive advantage in the market.
Anti-Money Laundering: Getting to Efficient · 13protiviti.com
The need to implement AML/TF processes tactically has
often resulted in target operating models (TOM), which
satisfy short-term requirements but fail to deliver on a
strategic basis. Key issues in the three principal compo-
nents of a TOM are:
• People — Employees have been hired in “factories,”
often in lower-cost locations, to undertake KYC and
AML/TF activities. Their geographic location and time
zone are disconnected from core operations and front
office functions, which leads to significant inefficien-
cies in communication and failure for commercial
KYC information to be leveraged to satisfy regulatory
KYC requirements. Viewing KYC as a factory-driven
process has led to the tracking of metrics that focus
on throughput (number of files reviewed, delinquency
rates, etc.) but do not consider how these processes
are reducing risk, improving quality or affecting the
customer experience.
• Processes — Processes often remain largely manual
and a key source of information on the customer is
the customer themselves. The exponential growth
in reliable and independent information sources in
the public domain must be leveraged to minimize
intrusive, unnecessary and time-consuming customer
contact. AML/TF regulation across the European Union
in particular is also moving in the direction of maxi-
mizing the use of publicly available records (including
subscription-based sources) to meet the criteria of
being “independent and reliable” to the customer.
• Technology — Technological advancements may have
been developed outside of mainstream systems,
leading to significant challenges of KYC information
being shared across countries/entities, often resulting
in unnecessary, duplicative and time-consuming
onboarding of the same customer. Given the various
data privacy and sharing regulations that global FIs
face, even sharing data within the same organization
has become challenging when interpreting compliance
between different AML/TF and data regulations. A
common issue across organizations is the under-
standing in the front office systems of the details of
how/how much/how frequently the customer will
transact with the FI. This needs to be reflected in
transaction monitoring systems to avoid poor data
definition that results in the triggering of transactions
as being “unusual,” which are not so and missing truly
unusual transactions which require subsequent review.
06 Optimize the AML/TF Target Operating Model
The target operating model must be viewed as a “living” document, something that can grow and adapt as an
organization changes.
– Matt Taylor, Managing Director, Protiviti
14 · Protiviti
Common Areas of Inefficiency Getting to Efficient
Disconnected staffing model — Outsourced KYC activities to third parties/remote parts of the institution, leading to communication inefficiencies.
Manual processes — Overuse of tactical manual/semi-manual processes.
Siloed technology — Siloed technology development/data privacy regulation hindering effective sharing of KYC information across the organization.
Quantified cost of KYC — Activity-based cost modelling to establish an optimal solution to apportioning KYC activities and minimising customer touch points.
Streamline processes integrated with technology —
• Use of automation (e.g., RPA) and optimized use of existing systems to use publicly available, reliable and independent information sources to collect/update customer data and increase efficiencies of process for KYC, onboarding, alert discounting, etc.
• Consider “off-the-shelf” solution to standardize technology across the organization.
A TOM must be developed on a global basis for AML/
TF and recognize the importance of the integration of
AML operations into other operational and front office
functions to maximize efficiency and minimize costs and
onboarding times. The TOM must be viewed as a “living”
document, something that can grow and adapt with
the organization’s changes. The TOM must be subject
to ongoing governance to ensure that it continues to
provide the optimal operating model as circumstances
change, such as the increasing maturity of the AML
program, adapting to new regulation and supporting the
implementation of new and emerging technologies/au-
tomation, etc. AML/TF must become part of mainstream
operations and not a necessary irritant disconnected from
other functions.
Anti-Money Laundering: Getting to Efficient · 15protiviti.com
Achieving a sustainable cultural change within any
large organization is always a major challenge and
can take a significant amount of time. In the area of
financial crime, this has been particularly challenging
since the requirement to undertake strenuous and
systematic AML/TF procedures was forced from outside of
FIs by legislation and regulators.
Many organizations’ front offices have been slow to
accept that they “own” ML/TF risk and regard it as the
responsibility of the second line compliance functions.
Front offices have also been slow to integrate com-
mercial KYC information into the KYC for AML/TF
purposes in circumstances where it can be used for dual
purposes. This has been exacerbated by the creation of
KYC “service centers” which are often remote from the
front office function and may be outsourced to a third
party. These generally have separate reporting lines
and are measured on throughput and volumes for point-
in-time activities (often used to catch up on delinquent
records) rather than supporting the understanding of the
underlying customer, its relationship with the institution
and their ML/TF risk.
Other aspects of a lack of clarity of ownership of ML/
TF risk include poorly defined (in some cases completely
undefined) roles and responsibilities across the front
office and other elements of the first line of defense
or ineffective sanctions imposed internally where
procedures and standards are not applied consistently to
the required level.
Top leadership of the organization has a crucial role
to play in providing the “tone” in this area. Clear,
unequivocal messages from the top concerning the
responsibilities of the three lines of defense are
required, as is a commitment to implement what
is required to satisfy regulatory obligations across
the organization to ensure that heavily damaging
regulatory sanctions are avoided and that customer
intrusion and negative service impacts are minimized.
Clear communiations from leaders within each of the
three lines of defense is essential in driving the shared
responsibility for AML/TF controls and the differing
activities owned by each line of defense in delivering a
structured and systematic approach. The organization
must work collaboratively to achieve an optimal op-
erating model. Another key message to be delivered is
that the AML/TF requirements are not transient — they
are here to stay, and regulatory requirements are likely
to only become more stringent. It is essential that
the organization therefore applies the most efficient
methodologies to the issue, since that will deliver a
commercial advantage over a less efficient organization
in terms of both cost and customer experience.
07 Shift Institutional Culture
Common Areas of Inefficiency Getting to Efficient
Lack of clarity in ownership of risk — Reluctance by front office to accept responsibility for ML/TF risk.
AML is deprioritized — Without a strong tone from the top, AML controls, awareness and operational effectiveness may be viewed as a chore or “tick the box” exercise.
Roles & responsibilities — Clarity of ownership of ML/TF risk and roles of each line of defence is the shared responsibility of AML/TF controls through development of an optimal operating model.
AML program as a priority — Clear “tone from the top” on the need to prioritise AML programs and detect, prevent and deter ML/TF.
The message is, “Everyone has to do it — let’s do it best!”
16 · Protiviti
By applying the enhancements discussed in this paper
to the seven key areas noted, an FI can progress along
the roadmap to AML: Getting to Efficient. The roadmap
to an efficient AML program will require continuous
improvement, with some changes having more
immediate effect than others; however, FIs should
pursue the model described below when looking for
industry leading efficiency practices to gain a competi-
tive advantage in the efficiency of an AML program.
Roadmap to AML Efficiency
Optimize the AML/TF Target Operating Model
Shift from "Tactical" to Sustainable, Strategic Solutions
in AML Program Governance
Eliminate Common Inefficiencies in the
KYC Process
Leveraging Data for AML
Efficiency Gains
Accurate Identification of Customer Risk
Decrease Reliance on Manual Processes and
Increase the Application of Technology
Shift Institutional Culture
Increased understanding and accuracy of the
identification of the risk within your customer
base is critical to know the proportionate
amount of mitigation required.
Legacy data is streamlined, system ecosystem is clearly
mapped and redundancies are removed to allow
for informed technology decisions and strategic
investment for AML systems/tools.
KYC processes are updated to support the effectiveness of
resources and provide measurable cost savings
as well as improved customer experience.
Reduction in “fighting fires” and the AML program strategy is clear, aligned
and forward-thinking.
Customer and transaction data held or being collected/updated
by FIs is cleansed, formatted and enriched, as needed, to be used as a powerful combatant in
fighting ML/TF.
Anti-Money Laundering: Getting to Efficient · 17protiviti.com
How We Can Help
At Protiviti, we continuously explore how advances in AML programs can be achieved. We have deep subject-
matter expertise around global AML/TF regulatory requirements and have extensive experience in designing and
implementing all areas of AML programs across many Tier 1 and Tier 2 FIs.
Since 2002, Protiviti has rallied itself around a set of values that encourage innovation and collaboration; in this
regard, we collaborate with various lines of defense and regulatory technology vendors to bring our clients creative
solutions to meet their regulatory compliance obligations.
ABOUT PROTIVITI
Protiviti is a global consulting firm that delivers deep expertise, objective insights, a tailored approach and unparalleled collaboration to help leaders confidently face the future. Protiviti and our independently owned Member Firms provide consulting solutions in finance, technology, operations, data, analytics, governance, risk and internal audit to our clients through our network of more than 75 offices in over 20 countries.
We have served more than 60 percent of Fortune 1000® and 35 percent of Fortune Global 500® companies. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies. Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.
Carol BeaumierSenior Managing Director+1 [email protected]
Shaun CreeganManaging Director+1 [email protected]
Michael BrauneisManaging Director, Americas Financial Services Leader+1 [email protected]
Matthew MooreManaging Director+1 [email protected]
Bernadine ReeseManaging [email protected]
Matt TaylorManaging [email protected]
Erin GavinSenior Manager+44 207 930 [email protected]
CONTACTS
© 2019 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. PRO-0919-103139 Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.
*MEMBER FIRM
THE AMERICAS UNITED STATES
Alexandria
Atlanta
Baltimore
Boston
Charlotte
Chicago
Cincinnati
Cleveland
Dallas
Denver
Fort Lauderdale
Houston
Kansas City
Los Angeles
Milwaukee
Minneapolis
New York
Orlando
Philadelphia
Phoenix
Pittsburgh
Portland
Richmond
Sacramento
Salt Lake City
San Francisco
San Jose
Seattle
Stamford
St. Louis
Tampa
Washington, D.C.
Winchester
Woodbridge
ARGENTINA*
Buenos Aires
BRAZIL*
Rio de Janeiro Sao Paulo
CANADA
Kitchener-Waterloo Toronto
CHILE*
Santiago
COLOMBIA*
Bogota
MEXICO*
Mexico City
PERU*
Lima
VENEZUELA*
Caracas
EUROPE, MIDDLE EAST & AFRICA
FRANCE
Paris
GERMANY
Frankfurt
Munich
ITALY
Milan
Rome
Turin
NETHERLANDS
Amsterdam
SWITZERLAND
Zurich
UNITED KINGDOM
Birmingham
Bristol
Leeds
London
Manchester
Milton Keynes
Swindon
BAHRAIN*
Manama
KUWAIT*
Kuwait City
OMAN*
Muscat
QATAR*
Doha
SAUDI ARABIA*
Riyadh
UNITED ARAB EMIRATES*
Abu Dhabi
Dubai
EGYPT*
Cairo
SOUTH AFRICA *
Durban
Johannesburg
ASIA-PACIFIC AUSTRALIA
Brisbane
Canberra
Melbourne
Sydney
CHINA
Beijing
Hong Kong
Shanghai
Shenzhen
INDIA*
Bengaluru
Hyderabad
Kolkata
Mumbai
New Delhi
JAPAN
Osaka
Tokyo
SINGAPORE
Singapore
© 2
018
Proti
viti
Inc.
An
Equa
l Opp
ortu
nity
Em
ploy
er M
/F/D
isab
ility
/Vet
eran
s. P
RO-0
918