Executive Summary...by LexisNexis® Risk Solutions and ACAMS, you’ll be able to benchmark your efforts to combat money laundering and gain meaningful insights into the challenges

Executive Summary

December 2015

Current Industry Perspectives into Anti-Money Laundering Risk Management and Due Diligence

2

Table of Contents

Research provided by:

LexisNexis® Risk Solutions and Association of Certified Anti-Money Laundering Specialists® (ACAMS).

Methodology:

From August 31 – September 14, 2015, LexisNexis and ACAMS conducted a joint research study to examine how the Anti-Money Laundering community is managing their Customer Enhanced Due Diligence and AML Risk Assessment processes. Online surveys were emailed to ACAMS’ full subscriber base and both LexisNexis Risk Solutions and ACAMS were identified as the sponsors of this research. No tangible incentive was offered for completion of the survey. In total, over 800 financial services compliance professionals responded.

Executive Summary ........................................................................................ 3

Definitions ........................................................................................................... 4

Hot Topics .......................................................................................................... 5

Customer Enhanced Due Diligence ............................................................ 6

Beneficial Ownership ...................................................................................... 9

Updating CDD Information ............................................................................11

Adverse Media ..................................................................................................12

Risk Rating ......................................................................................................... 14

Enhanced Due Diligence ...............................................................................15

Greatest Challenges Identified:

Customer Enhanced Due Diligence ...........................................................18

Regulatory Agencies .......................................................................................19

AML Risk Assessment ....................................................................................20

Investment in AML Risk Assessment ........................................................24

Greatest Challenges Identified:

AML Risk Assessment .................................................................................... 27

Methodology .....................................................................................................28

Demographics of Survey Participants ......................................................29

3

Executive Summary

According to the UN Office on Drugs and Crimes1, 2 to 5 percent of global GDP is laundered annually. Considering 2014 global GDP at US$74 trillion2, that means as much as US$3.7 trillion is laundered globally. A disturbing assertion3 is that half of that figure is laundered in the U.S. and £24 billion4 is laundered annually in the U.K. CEB Tower Group provides a ballpark figure that between US$210 billion and $367 billion is laundered in the LATAM region, composed of countries such as Brazil, Colombia and Mexico, driven by the regional history of drug cartels and corruption.

These numbers are of course approximations. The actual figures are unknowable since money laundering in its various forms is hard to identify, detect and prevent.

Financial institutions around the world have been handed a “proxy policy force” role to stop the bad actors who fund terrorism, steal identities and traffic illicit drugs. Strategic financial intelligence plays a significant role in enabling financial institutions to fully know their customers so that institutions can successfully fight financial crimes and, ultimately, protect society from the worst type of criminals.

By reading and engaging with this bi-annual study, which was jointly constructed, issued globally and then analyzed by LexisNexis® Risk Solutions and ACAMS, you’ll be able to benchmark your efforts to combat money laundering and gain meaningful insights into the challenges compliance professionals grapple with daily in the areas of Customer Due Diligence, Beneficial Ownership and Enhanced Due Diligence.

The results of this year’s report couldn’t be timelier. U.S. financial institutions await the Financial Crimes Enforcement Network (FinCEN) final rule on Customer Due Diligence (CDD). The rule is important because it amplifies the steps financial institutions have to take to onboard a business or legal entity, like a trust or company, as a customer by requiring a better understanding of beneficial owners. This means that financial institutions are going to have to do more identity verification of business customers. Are financial institutions ready? What steps are financial institutions already taking to comply? And if a financial institution isn’t updating and maintaining current customer information, it can be cited for program deficiencies. Jurisdictions around the world are watching the methods that US and European Union regulators put in place requiring financial institutions to know the owners who have economic benefit of a company.

This study delves deeply into how front-line compliance professionals are tackling CDD, especially around Beneficial Ownership. When asked about the different information types gathered to conduct CDD, 59 percent of financial institutions with total assets between US$1 billion and $10 billion said they collect Beneficial Ownership identification information compared to 88 percent of financial institutions with over US $500 billion in total assets.

Perhaps the wide gap exists because smaller financial institutions believe that they have deeper one-on-one and perhaps even daily interactions with their customers and so therefore know them better than a larger financial institution could or would be able to. Small financial institutions may feel that this “finger on the pulse” approach means that the same type and same amount of financial intelligence collected on a business or nonprofit entity that a large financial institution would collect isn’t necessary. This common theme appears in each section of the study findings.

Recently Bloomberg Radio interviewed two LexisNexis Risk Solutions anti-money laundering compliance experts. During the live broadcast, the host asked: How exactly does a bank really know its customers? The question surfaces a very complex answer.

Many small financial institutions, especially in small markets, consider being relationship-focused a primary differentiator that enables them to compete effectively against larger financial institutions. Not only does the community bank loan officer see his business customers’ banking activities but may see the customer in the grocery store or at the movies or in the community, to catch up.

4

For a financial institution with hundreds of millions of customers, though, the approach is different. Consider that a global financial institution has a presence in literally every corner of the world, from the Wells Fargo ATM in Antarctica5 to the Standard Chartered branch in Zimbabwe6. Knowing customers and being able to risk rate that customer appropriately is extremely complex for massive institutions and that reality ushers in different types of risk.

The information financial institutions collect in-house and supplement with additional third-party data about their customers is a way to mitigate the risk of a shell company tied to a terrorist financier slipping through the system and being onboarded as a customer. The study results show clearly that large financial institutions supplement their in-house data with third-party information like adverse media, sources of wealth and new parties being added to the account far more effectively than smaller financial institutions. An opportunity therefore exists for smaller institutions, especially institutions in metropolitan centers, to improve CDD through the use of third-party data.

Customer data comes from many places,including from bank customers themselves. This year’s study shows that in knowing beneficial owners, 100 percent of survey respondents use documents provided by the business owner to verify ownership. The question then becomes, can that information be trusted?

The fact is a financial institution cannot fully know its customers if the information and data, that critical financial intelligence, they rely on isn’t accurate, easily accessible and distilled into insights that can be acted upon.

The purpose of this study is to garner a first-hand look from AML Compliance professionals around the world to understand their perspective and appreciate ongoing compliance challenges through their eyes. More than 800 compliance professionals responded to our questionnaire with 52 percent of respondents having customers in the US. This study is a much-anticipated second edition to a study originally published in 2013.

Please contact us if you have questions or need additional information about any of the data points and insights gleaned and articulated in this report.

DefinitionsFor the purposes of this report, small financial institutions are defined as having total assets of less than US $50 billion, mid-tier financial institutions are defined as having total assets of between US $51 and $100 billion and the large financial institution category is composed of institutions with total assets of US $101 billion or more.

The figure below expresses the percentage breakdown of respondents in each category.

Which of the following BEST describes your financial institution’s asset size? Answered only by “Bank” respondents. {402 respondents}

Most responding “bank” organizations haveassets of $10 billion or less

0% 30%20%

• 2013 survey respondents tended to represent slightly smaller financial institutions,with just 9% over $500 Billion in assets

10% 40%

Over $500 Billion (USD)

$101 to $500 Billion (USD)

$51 to $100 Billion (USD)

$11 to $50 Billion (USD)

$1 to $10 Billion (USD)

Under $1 Billion (USD)

17%

17%

29%

23%

9%

5%

5

Hot TopicsThe survey results indicate that compliance professionals are dealing with myriad challenges that fall under the following main categories:

Bad Data Undermines ComplianceBad data diminishes the value of the money that financial institutions spend on compliance. Respondents stated they face many challenges in collecting the data they need to conduct thorough due diligence processes and maintain compliance with regulations. This data deficit is further compounded by a lack of confidence in the quality of the data collected from or provided by the end customer during onboarding. A scarcity in accurate and timely public domain information to help confirm and verify the customer-provided data adds another layer of complexity to the CDD process, which in turn increases the amount of research time and manpower that must be dedicated to customer due diligence.

Customer Reluctance to Share InformationMany respondents found their due diligence efforts hindered on the front end by a growing number of customers who are unwilling to share personally identifying details that are needed to complete due diligence. In the wake of major data breaches, customers have a heightened awareness of the value of their personally identifiable information (PII) and are reluctant to share critical details that support comprehensive due diligence efforts. In addition, our survey respondents have a lack of confidence in the information customers do willingly share, with just 34 percent of respondents stating they find customer-provided statements of expected activity to be accurate. In an industry where risk decisions and compliance mandates hinge on data precision, these developments are equally challenging and troubling.

Need to Verify Beneficial Ownership InformationAs the regulatory climate around Beneficial Ownership continues to evolve, over 85 percent of respondents have begun collecting Beneficial Ownership information. The absence of clearly defined regulatory guidelines and the need to verify the accuracy of this information when it is collected has created numerous challenges. Currently 100 percent of respondents use customer-provided business formation documents to verify Beneficial Ownership information while 95 percent also utilize government filings and/or public records. The lack of clarity around the final regulation and continued ambiguity around who will own the lion’s share of the burden of collecting and maintaining Beneficial Ownership data has left many financial institutions dedicating large amounts of resources to staying ahead of what currently are vaguely defined parameters.

Time and Effort Required to Complete Key ProcessesSurvey respondents indicated the time needed to perform a risk assessment has increased to 10 weeks since our 2013 survey. Couple that increase with the fact that 51 percent of respondents still use a manual spreadsheet or document in the risk assessment process and the demand on resources and manpower created by risk assessment becomes evident.

Lack of StandardizationThe absence of industry standards around the risk assessment process combined with varied and sometimes overlapping expectations stemming from specific business units and different countries creates a great deal of confusion and inefficiencies across most respondents’ risk assessment processes. The absence of global standards and a reliable level of industry specification places extra demands on manpower and resources by creating redundancies that can erode attention from true due diligence risks.

6

Changing and Unclear Regulatory Expectations Managing innumerable regulatory requirements and keeping pace with an evolving regulatory environment creates a great deal of pressure for our respondents. Sixty-five percent say greater regulatory requirements pose a significant challenge while 53 percent cite the complexity of the regulations as a main pain point. Maintaining processes and systems that are rigid enough to meet regulatory requirements but agile enough to quickly adapt to a very fluid regulatory environment is costly and time consuming for our respondents.

ImplicationsAML Departments continue to grapple with increased demands on their resources and personnel bandwidth in an effort to maintain an effective compliance program while managing increased expectations and resistance from their end customers. Regulatory pressures are showing no signs of abatement and regulatory uncertainty has added another layer of confusion as AML teams attempt to meet requirements that have not been fully defined. The combination of these factors places a great deal of strain on AML manpower, budgets and resources. The demands of the current AML and risk management environment can erode focus on core business goals and negatively impact risk prevention. It also diminishes an AML department’s ability to plan and execute more long-term strategies.

Customer Enhanced Due DiligenceHow familiar are you with the information, systems and resources used for performing CDD as it relates to your financial institution? {826 respondents}

74% of respondents are very familiar with the Customer Due Diligence process.

0%Very

familiarSomewhat

familiarNot toofamiliar

Not at allfamiliar

Not employed by afinancial institution

100%

80%

60%

40%

20%

74%

19%

2% 0%5%

7

Which of the following types of information does your organization currently gather as part of its CDD process? {More than one response allowed - 689 respondents}

While the figure below focuses on the aggregated data from all respondents, it is equally interesting to delve into the responses by asset segment. We found that financial institutions with total assets of US$51 billion to $100 billion (mid-tier) collected more information than those of any other asset sizes, except the institutions with US$500 billion and more in total assets.

This finding stands out. While one interpretation of the results suggests that mid-tier financial institutions could be over-collecting customer information, a more probable interpretation is that as a bank reaches US $51 billion in assets, regulatory pressures change and institutions tend to start behaving more like the large global institutions.

As discussed earlier, a major challenge that compliance professionals experience is that customers don’t want to share information. The large financial institutions have overcome this challenge because they leverage third-party data providers. The study results support this statement because information like source of wealth, adverse media, source of funds and public records are secured from data providers instead of institutions having to ask customers for this information.

For a small financial institution that isn’t in a metropolitan area this finding doesn’t mean that there is more inherent risk or greater residual risk in their portfolio, but for a smaller financial institution in a metropolitan area where a true community environment doesn’t exist, if they are not leveraging the same CDD information accessible through third-party data providers as the large institutions do, they could be at greater risk.

100% of organizations surveyed gather occupation or nature of business as part of their CDD process.

0% 60% 80%40%20% 120%100%

Occupation or nature of business

Business formation documents (articles of incorporation)

Purpose of account

Source of funds

Expected activity

Identification of Beneficial Owners

Identification of organization’s principals

Expected origination and destination of funds

Source of wealth

Adverse media searches

Derogatory public records searches (criminal records)

Annual reports / financial statements

Bank references / credit reports

Other

100%

94%

90%

89%

87%

85%

77%

70%

70%

66%

61%

54%

47%

10%

8

0% 60% 80%40%20% 100%

Electronic format

Paper files/images

85%

53%

Does your organization store CDD information as paper files/images or in an electronic format? {More than one response allowed - 756 respondents}

Does your organization require the same CDD information from all customers or do different products / lines of business have different requirements? {757 respondents}

This question delves into the risk-based approach. The results show an interesting inverse relationship occurring. We know that CDD information is generally the same across products for smaller institutions as it is for the large institutions. If a smaller institution only has a few products, their use of CDD will be more uniform, which is an expected finding.

Money launderers are actively moving downstream to target smaller financial institutions. To combat this evolving threat, smaller financial institutions operating in metropolitan areas need to consider and further investigate the type of financial intelligence they are using to stay compliant and protect the financial system.

0% 60% 80%40%20% 100%

Requirements differ

Same requirements for all

57%

43%

9

The most common ownership threshold triggering beneficial owner due diligence is 11% or more greater ownership interest.

Beneficial OwnershipThe small business banking landscape is often described as fragmented7 and banks are looking to take advantage of that market dynamic by upping their offerings to attract the very profitable small business customer segment.

As banks ramp up efforts to attract small businesses, they’ll have to navigate new regulations that are changing the process to onboard these new customers. Specifically the changes focus on knowing who the owners are that receive economic benefits from a business. These steps are being taken to root out small businesses that have been set up solely to launder money,

Beneficial Ownership is perhaps the hottest topic in the banking industry because of changing regulations, like FinCEN’s soon-to-be announced final regulation and the recently enacted Fourth EU AML Directive.

FinCEN’s proposed rule specifically asks for the identity of the natural persons who are the business owners. Regulators are asking for at least one owner and as many as five owners to be identified. Today, the challenge that all banks have is that it isn’t mandatory in every jurisdiction to disclose who owns a business. In some jurisdictions it is mandatory, and in others it isn’t.

Currently in the U.S., there is no regulation setting the threshold for the percentage of ownership which would require the identification of the beneficial owners. In the EU, banks are required to identify individuals with 25 percent or more equity interest in a legal entity. Our study found that on average, financial institutions establish an ownership threshold less than or equal to 25 percent interest in the legal entity.

The study results show that most organizations currently verify the identity of beneficial owners, and about half currently verify Beneficial Ownership status.

According to your internal policies, what level of ownership subjects a customer to identification of Beneficial Ownership requirements? {657 respondents}

Most organizations also gather business formation documents, purpose of account, source of funds, expected activity and identification of beneficial owners.

0%

100%

80%

60%

40%

20%

1-10%

20%

11-25%

42%

26-50%

21%

Other

17%

10

Most organizations currently verify the identity of beneficial owners, and about half currently verify Beneficial Ownership status.

0%

100%

80%

60%

40%

20%

Currently verify the status ofBeneficial Ownership

53%

Currently verify the identityof individuals named as

Beneficial Owners

79%

Currently seek to identifynon-disclosed Beneficial

Owners

36%

Which of the following does your organization currently do relative to Beneficial Ownership? {More than one response allowed - 688 respondents}

0% 60% 80%40%20% 100%

Business formation documentsprovided by the customer

Tax returns

Credit reports

Other

Government filings and/or public records (such asSecretary of State or Business Registry filings)

100%

38%

37%

16%

95%

What sources does your organization use to verify the status of Beneficial Ownership? Answered only by respondents who verify the status of Beneficial Ownership. {More than one response allowed - 308 respondents}

11

Updating CDD Information Is your organization’s CDD information updated on a regular basis or only when there is a triggering event? {More than one response allowed - 747 respondents}

In most cases, CDD information is updated both on a regular basis and when there is a triggering event. The most common triggers for reviewing/updating CDD information are unusual transaction activity and new KYC information. The most common frequency for updating customer profiles is on an annual basis.

0% 60% 80%40%20% 100%

Updated when there is a triggering event

Updated on a regular basis

61%

60%

0%

50%

40%

30%

20%

10%

Daily

7%

Weekly

2%

Monthly

3%

Quarterly

9%

Semiannually

5%

Annually

30%

Every2-3 years

13%

Every4-5 years

1%

Less oftenthan 5years

2%

Other

28%

Which of the following best represents how frequently your organization updates its customer profiles? Answered only by respondents who update customer profiles on a regular basis. {433 respondents}

Smaller institutions are more trigger event driven as a percentage of total respondents, meaning they only review customers when an event like a transaction monitoring alert occurs or upon receipt of new KYC information. Larger institutions consistently rely on both trigger events and periodic reviews to drive updating KYC information.

Smaller institutions appear to be relying heavily on triggering events as a way to man age the operational burden of CDD. This means that if small financial institutions are relying primarily on trigger events to determine workload and which customer is going to have a CDD review/ KYC review, the trigger events are limited to new information that small financial institutions have collected on the customer and it isn’t information external to the institution. It is passive new information, data that small institutions are getting in the normal course of business instead of actively going out and getting from third-party data. This reactive position combined with their lower reliance on third-party data, may put smaller financial institutions at greater risk.

Financial institutions relying on both periodic annual profile reviews compared and trigger events are accelerating higher risk reviews to proactively manage their risk, while giving them the catchall on the annual or other periodic review cycle.

12

Adverse MediaAre Adverse Media searches performed as part of your organization’s CDD? {731 respondents}

Adverse media reliance is two to three times higher in financial institutions with total assets of US $100 billion and above.

Considering the aggregate answer to high-risk customers, the reverse trend exists. The large financial institutions use adverse media 33 percent on high-risk customers while smaller financial institutions are using it 54 percent of the time.

From a risk profile perspective, large institutions have little face-to-face contact, so large financial institutions rely on the data flow to help manage portfolio risk that is otherwise difficult to pinpoint.

Smaller financial institutions can get better risk coverage and have a cost effective alert clearing process and adverse media program.

Most organizations perform Adverse Media searches as part of their CDD process. However, there is a fairly even split between those who search on all customers (41%) vs. just high-risk customers (44%).

0%

80%

60%

40%

20%

No

15%

Yes, but only onhigh-risk customers

44%

Yes, on all customers

41%

0% 60% 80%40%20% 100%

Unusual transaction activity

Additional party(ies) in an account

Additional relationship(s)

Other

New KYC (Know Your Customer) information (changein occupation or nature of business for example)

93%

79%

77%

14%

85%

What would typically trigger a review/update of CDD information? Answered only by respondents who update customer profiles only when there is a triggering event. {More than one response allowed - 397 respondents}

13

When Adverse Media searches are performed as part of KYC, they are usually performed on an ongoing basis, not just at onboarding. Typically when Adverse Media searches are performed on an ongoing basis, the most common frequency is daily.

0% 60% 80%40%20% 100%

Used to identify reputational risk

Used to identify unusual transaction activity

77%

72%

0%

40%

30%

20%

10%

Daily

25%

Weekly

8%

Monthly

8%

Quarterly

12%

Semiannnually

3%

Annually

17%

Every 2-3 years

2%

Other

25%

Which of the following best represents how frequently your organization performs its ongoing Adverse Media searches? Answered only by respondents whose Adverse Media searches are performed on an ongoing basis. {203 respondents}

Our study indicates 25 percent of the respondents perform Adverse Media searches daily. Financial institutions with more than US $100 billion in total assets perform daily searches the most (38 percent). Performing daily adverse media searches appears to be a consistent practice across the larger financial institutions.

Within your organization, are Adverse Media searches performed to identify accounts that may need to be reviewed for unusual transaction activity or to identify reputational risk? {More than one response allowed - 663 respondents}

Larger financial institutions tend to use Adverse Media as a way to protect their reputation more so than smaller institutions.

0% 60% 80%40%20% 100%

Performed on an ongoing basis

Performed at onboarding only

77%

23%

Are Adverse Media searches performed only at onboarding or are they done on an ongoing basis? Answered only by respondents whose Adverse Media searches are performed as part of KYC. {278 respondents}

Smaller financial institutions perform ongoing Adverse Media searches on high-risk customers while larger financial institutions perform on-going searches on all customers.

14

Risk RatingWhich of the following does your organization use as part of Customer Risk Rating? {More than one response allowed - 740 respondents}

As part of customer risk rating in general, large institutions rely less on customer statements of activity. Instead large institutions rely substantially more on actual activity combined with public source information. Study results show that small institutions don’t use public information, like court records. This finding represents a major opportunity for financial institutions with less than US $50 billion in total assets to use public source data to reduce their risks.

By a margin of 30 percent, more large financial institutions are leveraging data to understand the risks of associated persons or businesses. The lack of reliance on public records data could place small institutions behind in identifying “community pillars” that may happen have a business relationship with a bad actor in another state.

Most organizations use geographic location, political exposure, actual customer activity and transaction history as part of their Risk Rating.

Only about a third of respondents expect customer-provided statements of expected activity to be accurate.

0% 60%40%20% 80% 100%

Geographic location

Political exposure

Actual customer activity

Transaction history

Adverse Media

Associated persons of businesses

Customer statement of expected activity

Public figures (e.g., celebrities, etc.)

Criminal records

Court records

Estimated income

High value property owned

Mobility of the customer

None of the above

86%

79%

71%

68%

57%

56%

53%

48%

46%

29%

26%

19%

18%

2%

0%

50%

40%

30%

20%

10%

Accurate (%4,5)

34%

Neutral (%3)

42%

Not Accurate (%1,2)

24%

In general, how accurate do you find customer-provided statements of expected activity compared to actual transaction activity? Answered only by respondents who currently use customer statements of expected activity. {361 respondents}

15

KYC information is by far the most common trigger for performing Enhanced Due Diligence (EDD) on a customer. Common EDD triggers include geography and type of service being offered.

Always Sometimes Rarely Never

0% 60% 80%40%20% 100%

KYC information

Location of customer’sgeographic footprint

Type of service being offered

Supervisory guidance

Type of product oraccount being opened

81% 17%

63% 8%28%

60% 5%31%

52% 9%36%

51% 12%33%

Enhanced Due DiligenceHow frequently, if at all, do the following impact your financial institution’s decision to perform EDD on a customer? {765 respondents}

1% to 2% 3% to 5% 6% to 10% More than 10%

0% 60% 80%40%20% 100%

An individual (consumer) (n=594)

Other legal entity (trust, foundation, etc.) (n=562)

A business (commercial) (n=610)

Other (n=62)

34% 18% 22%26%

24% 16% 47%14%

14% 24% 42%20%

19% 13% 60%8%

What percent of the following types of customers typically require EDD? {Please note: Percentages <5% are not displayed to enhance readability}

0% 60% 80%40%20% 100%

Yes

No

86%

14%

Does your organization use the Risk Rating based on CDD information in its transaction monitoring process? {715 respondents}

16

Major EDD triggers include a significant change in transaction patterns and an increased volume of cash transactions.

0%

100%

80%

60%

40%

20%

A change in accountownership to include a

non-resident alien (n=696)

68%

52%

37%

14%

A foreign wireto/from a higher riskjurisdiction (n=715)

81%

53%46%

9%

A significant changein transaction

patterns (n=720)

80%

61%

49%

5%

An increased volumeof cash transactions

(n=712)

78%

58%

46%

7%

A HIGH Risk Customer A MEDIUM Risk Customer A LOW Risk Customer Is Not a Trigger

0%

50%

40%

30%

20%

10%

Within the first 30 days

34%

Longer than 30 days

10%

Within the first 7 days

20%

At account opening

36%

Which of the following activities would trigger the need for EDD to be performed on a low, medium or high risk customer?

How long does it typically take your organization to gather information needed for EDD? {713 respondents}

Important (%4,5) Neutral (%3) Not Important (%1,2)

0% 60% 80%40%20% 100%

Criminal history

Geographic

Derogatory news (Adverse Media)

Citizenship

Associates/relationships

Asset ownership

Address stability

79% 9%12%

75% 7%18%

73% 10%17%

63% 15%22%

61% 12%27%

53% 18%29%

45% 24%31%

How important are each of the following types of information when conducting EDD on a customer? {765 respondents}

17

While about a third of organizations gather EDD information at account opening, the majority of the remainder do so within 30 days.

0% 60% 80%40%20% 100%

By a dialogue between a customerand a bank employee

Through a third-party provider

By contacting another financial institution

Other

Through non customer-facing financialinstitution research

84%

57%

23%

8%

65%

How does your financial institution gather EDD? {More than one response allowed - 690 respondents}

0%

40%

30%

20%

10%

At least monthly

11%

Quarterly

11%

Annually

18%

Every 2-3 years

26%

Randomly

24%

Never

10%

0%

100%

80%

60%

40%

20%

Completely outsourced

1%

Some is handled within yourinstitution and some is outsourced

20%

Handled completely withinyour institution

79%

How often are low risk customers who did not require EDD at onboarding reviewed to determine whether EDD might be warranted due to circumstances changing? {679 respondents}

Which of the following BEST describes the collection of EDD information for your institution? {748 respondents}

18

Most organizations gather EDD information via a dialogue between a customer and an employee. Other common information collection methods include non-customer-facing institutional research and through third parties.0% 80%60%40%20% 100%

Compliance

Line of Business

Operations

Credit Risk

Legal

Technology

Other

89%

19%

17%

9%

8%

42%

39%

Which of the following departments, if any, own and manage your financial institution’s EDD process? {More than one response allowed - 693 respondents}

Greatest Challenges Identified: Customer Enhanced Due Diligence

When asked to describe the main challenges in the area of Customer Enhanced Due Diligence the survey audience shared the following:

1. Deficiency in Data Availability and Data Accuracy: Respondents’ efforts to complete timely and accurate due diligence processes are often thwarted by a lack of data on two sides of the equation: first, a limited amount of data and a minimal level of transparency in data provided by the customer during onboarding and second, a scarcity in updated and current public domain information to verify or confirm the customer data.

“Availability of current and accurate info”

“Collecting accurate data and determining the risk level of the data”

“Accuracy of information provided by clients/intermediaries”

“Availability of accurate public domain information”

“Collecting data … and making sure how accurate the data is”

2. Customer Reluctance to Share Information: Respondents continue to manage the delicate balance between preserving the customer experience and protecting their interests by collecting adequate and accurate information to complete due diligence processes.

“It is becoming increasingly difficult to gather specific information from customers because they feel their privacy is being invaded and do not wish to divulge personal information that does not seem necessary for the account opening process”

“Getting the customers to give you accurate information voluntarily”

“Gathering specific information directly from the client”

“Getting the customer to respond to questions to update their

information”

19

3. Need to Verify Beneficial Ownership Information: Respondents are facing the burden of collecting Beneficial Ownership information while working around the uncertainty created by a shifting regulatory environment around this issue.

“Until the Beneficial Ownership regulation is finalized, we are constantly challenged on the legal requirement for obtaining this information from both customer and technology perspectives”

“It is difficult to manage the EDD program due to lack of staff and resources to verify customer information (such as undisclosed beneficial owners)”

“Accurate information—especially in regard to Beneficial Ownership/control validation”

AML Risk AssessmentHow familiar are you with the information, systems, and resources are used to create a financial institution AML risk assessment program? {827 respondents}

Regulatory AgenciesWhich of the following is your institution’s regulatory agency? {More than one response allowed - 652 respondents}

0%

80%

60%

40%

20%

Very familiar

62%

Somewhat familiar

31%

Not too familiar

6%

Not at all familiar

1%

FinCEN, OCC and FDIC are the most prevalent US-based regulatory agencies.

0% 30%20%10% 40% 50%

Regulator outside the U.S.

FINCEN

OCC

FDIC

FRB

FINRA

OCIE/SEC

Other

38%

35%

32%

28%

21%

19%

13%

3%

20

AML Risk AssessmentIs your institution’s AML risk assessment stand-alone or combined with other assessments? {Select all that apply - 688 respondents}

Roughly equal numbers of organizations’ AML risk assessments are stand-alone vs. combined with another type of risk assessment.

0% 60% 80%40%20% 100%

Combined with an OFAC risk assessment

Part of an enterprise-wide risk assessment

Combined with a fraud risk assessment

Other

A separate stand-alone risk assessment

47%

40%

21%

3%

45%

0%

50%

40%

30%

20%

10%

Never

42%

Sometimes

42%

Always

16%

How often does your institution hire external advisory support or consultancy firms to assist in the completion of annual AML risk assessments? {664 respondents}

0% 60% 80%40%20% 100%

Yes

No

29%

71%

Do you see a need for this type of AML risk-assessment external advisory or consultancy support? Answered only by respondents who never hire external advisory support. {216 respondents}

21

The majority of AML risk assessments are updated on an annual basis.

100% of respondents say high-risk customer types carry significant weight when fulfilling their AML risk-assessment requirements. Other heavily weighted factors include geographic locations and transaction volumes.

0%

100%

80%

60%

40%

20%

Monthly

6%

Quarterly

7%

Bi-Annually

6%

Annually

64%

Less often thanannually

3%

When eventswarrant (e.g., new

products

14%

How often is your financial institution’s risk assessment updated? {646 respondents}

An interesting curve exists in terms of enterprise risk assessment update frequency. The smaller financial institutions and the larger financial institutions are more aligned in timing, updating their risk assessment annually, while the mid-tier financial institutions (total assets between US$51 to $100 billion) do so at a much slower pace.

Forty-one percent of mid-tier institutions indicate that they conduct risk assessment updates annually, while 60 percent of the larger financial institutions (total assets US$101 billion or more) and 69 percent of the smaller financial institutions (total assets US$50 billion and under) update risk assessment annually.

That finding is interesting because the mid-tier financial institutions conduct risk assessment mainly when events warrant, which could be at any time. We believe that this inverted curve exists because mid-tier institutions are more likely to buy portfolios, and when a financial institution buys a new portfolio they tend to do risk assessment around a new line of business. In addition, this size institution may be entering new markets and introducing new products that would trigger an update. It also is likely that periodic risk assessment update is a default behavior by mid-tier financial institutions that is supplemented by a trigger.

The smaller institutions tend to have static businesses where growth is focused on organic growth, and the larger financial institutions are already saturated in their geographic markets, always doing acquisitions and constantly introducing new products.

22

While two-thirds of AML risk assessments are conducted at the Line of Business level, half are also conducted at the Legal Entity level.

0% 60% 80%40%20% 100%

High-risk customer types

Transaction volumes

Length of account relationships

Other

Geographic locations

100%

82%

40%

11%

91%

0% 60% 80%40%20% 100%

Line of Business level

Legal Entity level

None of the above

67%

50%

7%

At your institution, which of the following factors would you say carry significant weight when fulfilling AML risk-assessment requirements? {More than one response allowed - 625 respondents}

Are your institution’s AML risk assessments conducted at the Line of Business level or the Legal Entity level? {More than one response allowed - 659 respondents}

0% 60% 80%40%20% 100%

Yes

No

83%

17%

Are your Line of Business or Legal Entity level AML risk assessments ultimately rolled up to a Centralized Enterprise level? Answered only by respondents whose AML risk assessments are conducted at the Line of Business or Legal Entity level. {519 respondents}

23

The most common AML risk assessment process duration is 1 to 3 months, with an average of approximately 10 weeks. The vast majority (81%) of risk assessments take less than 3 months.

0%

50%

40%

30%

20%

10%

Longer than 9 months

4%

7 to 9 months

3%

4 to 6 months

12%

1 to 3 months

48%

Less than 1 month

33%

How long is your institution’s assessment process from start to finish? {552 respondents}

Less than a week 2 to 4 weeks 1 to 3 months 4 to 6 months More than 6 months

0% 60% 80%40%20% 100%

Creation of Report for Managementand Board of Directors (n=523)

Quality assurance of data (n=507)

Analysis of data (n=529)

Compiling data (n=530)

Research (n=520)

23% 30% 6%37%

23% 26% 6%39% 6%

18% 34% 7%35% 6%

18% 35% 7%35% 6%

17% 34% 7%37% 6%

0% 60% 80%40%20% 100%

Manual spreadsheet or document

Proprietary software/system

Off-the-shelf software/system

51%

35%

14%

Approximately how much time collectively is spent annually on your risk assessment for each of the following: {Please note: Percentages <5% are not displayed to enhance readability}

What type of software or system do you use to conduct your institution’s AML risk assessment? {571 respondents}

AML risk assessment is becoming more time consuming with most risk assessment tasks showing increases in time to complete when compared to our 2013 survey. Research, compiling data and analyzing data are the most time-consuming steps in the AML risk assessment process.

24

Investment in AML Risk Assessment How have your internal AML structure and staffing changed over the past 3 years? {More than one response allowed - 605 respondents}

0% 60% 80%40%20% 100%

Increased staff

No change

Reduced staff

Centralized all functionswithin headquarters

70%

15%

9%

24%

Over the past three years, 70% of organizations have increased their AML staffing.

0% 30%20%10% 40% 50%

Increase of 100% or more

Increase of 50%-99%

Increase of 25%-49%

Increase of 10%-24%

Increase of less than 10%

Total AML investment has not changed

Total AML investment has decreased

13%

14%

16%

24%

13%

14%

6%

How has your organization’s total investment in AML activity increased compared to 3 years ago? {534 respondents}

This question ultimately tests financial institutions’ AML activity spend patterns.

In response to this question, the anomaly that we’ve noticed throughout this study occurring in the mid-tier financial institutions surfaces again. An inverted curve exists with the US $51 to $100 billion. They have a mature program, they have invested historically, they have relatively stable risk profile and therefore there is no need to change and make additional investments. Or these institutions, because of their size, just don’t get the same attention from regulators that the other financial institutions do.

More than 50 percent of large financial institutions think they are going to have an increase in spend on AML activity between 25 percent and over 100 percent. Comparatively, 20 percent of financial institutions with total assets under US $10 billion think that they expect to increase spend less than 10 percent. Thirty-nine percent of the over US $500 billion said they were increasing 10 to 24.

Thirty-six percent of the US $100 billion to over US $500 billion financial institutions indicate that they expect their spend on AML activity to increase more than 100 percent. This finding is interesting because the aggregate 13 percent is representative of the rest of the market sans the very large institutions.

25

Most organizations have increased their AML investment over the past three years – most by 10%-24%.

Increase of less than 10 Increase of 10-24 Increase of 25-49 Increase of 50-99 Increase of 100 or more

0% 60% 80%40%20% 100%

Under $1 Billion (USD)

$1 to $10 Billion (USD)

$11 to $50 Billion (USD)

$51 to $100 Billion (USD)

$101 to $500 Billion (USD)

18% 32% 15%23%

23% 23% 14%33% 8%

9% 13% 23%38% 17%

13% 20% 27%27% 13%

4% 8% 20%32% 36%

Over $500 Billion (USD) 4% 24% 14%39% 18%

12%

Increase in investment in AML Activity over the past three years, classified by asset size.

How much do you anticipate your organization’s total investment in AML activity to increase over the next 3 years? {520 respondents}

For the last three years, the small financial institutions have invested little in their AML spend nor do they anticipate spending on AML activity in the coming three years, indicating that small institutions feel their compliance programs are able to meet the challenges of new regulatory expectations with minimal investment.

The US $51 billion to $100 billion institutions plan heavier investments than all other financial institution categories. For example, this category expects an increase of 10 and 50 percent increase in the next three years. In aggregate, they’ve had the most increase in the last three years and they are also expecting the largest amount of increase over the next three years.

It is clear from the findings that the larger institutions expect the most increase spend in AML activity in the coming three years. The challenge that the larger institutions will face is balancing operational efficiencies against the amount of spend.

0% 30%20%10% 40% 50%

Increase of 100% or more

Increase of 50%-99%

Increase of 25%-49%

Increase of 10%-24%

Increase of less than 10%

Total AML investment will not changed

Total AML investment will decrease

4%

8%

17%

35%

19%

15%

2%

26

Additionally, most organizations anticipate increasing their AML investment over the next three years – most by 10%-24%.

0% 30%20%10% 40% 50%

Increase of 100% or more

Increase of 50%-99%

Increase of 25%-49%

Increase of 10%-24%

Increase of less than 10%

Total AML compensation has not changed

Total AML compensation has decreased

1%

3%

10%

19%

22%

40%

5%

Anticipated investment in AML Activity over the next three years, classified by asset size. {628 respondents}

How have your organization’s compensation packages for AML personnel changed compared to 3 years ago? {487 respondents}

Total AML investment will decrease Total AML investment will not change Increase of less than 10Increase of 10-24 Increase of 25-49 Increase of 50-99 Increase of 100 or more

0% 60% 80%40%20% 100%

Under $1 Billion (USD)

$1 to $10 Billion (USD)

$11 to $50 Billion (USD)

$51 to $100 Billion (USD)

$101 to $500 Billion (USD)

Over $500 Billion (USD)

16%41%15%19% 5%

19%32%23%16% 4%

17%34%19%15% 11%

7% 27%47%7%7% 77%

4% 8%33%21% 8%8% 17%

18%45%18% 4%77% 9%

27

Greatest Challenges Identified: AML Risk Assessment On a scale of 1 to 5 where 1 means “not a challenge at all” and 5 means “an extreme challenge,” how would you rate each of the following in terms of being an operational challenge faced by your organization in complying with AML regulations? {636 respondents - Please note: Percentages <5 percent are not displayed to enhance readability}

When asked to describe the main challenges in the area of AML Risk Assessment, the survey audience stated the following:

1. Time and effort required to complete risk assessment: The time needed to perform a risk assessment has increased to 10 weeks in three years’ time which means dedicating even greater amounts of manpower and resources to the risk assessment process.

“Getting all the information in one location or through one software and the time and effort to complete the assessments”

“The manual process, such as having to pull multiple reports manually from the back-of-the-house system and compare them, takes a lot of time”

“The time and manpower required to complete these annually”

2. Lack of Standardization: Respondents are managing delays and challenges that result from the lack of both industry specifications and global standards around the risk assessment process.

“Lack of standards across regulators of what is minimal acceptable level of data”

“Standardizing the process across business lines and countries. High level of proficiency and testable justification”

“A risk assessment is typically subjective by nature; quantifying the process and results in an objective, standardized way would help make the process simpler (and probably easier) for examiners”

“Lengthy and exhaustive process—no standardization—from industry itself”

“There should be a standardized template for which organizations may customize to suit its own business”

Extreme Challenge 5 4 3 2 Not A Challenge At All 1

0% 60% 80%40%20% 100%

Greater regulatory requirements

Changing regulatory expectations

Manual (time-consuming) processes

Lack of readily-accessible customer data

Recruiting, training and retaining AML staff

Technology (IT) infrastructure

Poor quality of available data

Growing volume of data

Lack of senior management engagement

Existing processes are too difficult to change

Compliance for both local and globalAML policies/guidance/regulations

Complex regulations with wider KYC obligations

Screening technology/processproduces too many false-positives

28% 23% 8%37%

28% 24% 10%35%

27% 24% 8%35% 6%

24% 26% 17%28% 5%

22% 27% 16%28% 7%

22% 27% 15%31% 5%

21% 28% 18%28% 6%

21% 30% 13%31% 5%

19% 29% 11%36% 5%

19% 29% 13%34% 6%

19% 28% 16%28% 10%

12% 24% 22%18% 24%

9% 34% 22%25% 10%

28

3. Changing and unclear regulatory expectations: Respondents are navigating an ever-evolving regulatory environment and the increased demands that environment places on their assessment processes and resources.

“Keeping up with the changes in regulations which result in changing policies and procedures”

“Lack of consistency in education and enforcement of regulations”

“Regulations are vague but regulators appear to be expecting more than identified in FFIEC”

MethodologyFrom August 31 – September 14, 2015, LexisNexis and the Association of Certified Anti-Money Laundering Specialists conducted a joint research study to examine how the Anti-Money Laundering community is managing their Customer Enhanced Due Diligence and AML Risk Assessment processes. Online surveys were emailed to ACAMS’ full subscriber base and both LexisNexis Risk Solutions and ACAMS were identified as the sponsors of this research. No tangible incentive was offered for completion of the survey. In total, over 800 financial services compliance professionals responded.

The study was designed to garner a deeper perspective into the leading obstacles AML departments and employees are facing as they work to successfully prevent money laundering and satisfy AML Risk Assessment and Customer Due Diligence regulatory compliance requirements.

Nearly 900 respondents from financial institutions of varying sizes and geographic footprints from across the globe participated in the 20-minute survey. Survey respondents consisted of:

AML senior level executives (20 percent)

AML managers and supervisors (51 percent)

AML employees (29 percent)

0% 30%20%10% 50%40%

You are not involved in theprocess at all

Your input is sought but you are notdirectly involved in the final decision

You make the final decisionwith others

You are the soledecision-maker

9%

40%

43%

8%

Which of the following BEST describes your decision-making authority/responsibilities for AML processes and procedures? {680 respondents}

76% percent of respondents work in their organization’s compliance decisions.

Half of respondents are managers/supervisors.

29

Demographics of Survey ParticipantsWhich of the following categories best describes your organization? {624 respondents}

A slight majority of responding “non-bank” organizations have annual global revenue of $100 million or more

Responding organizations tend to be mostlycommercial and/or retail banks

0% 30%20%10% 40% 50% 60%

Commercial banking

Retail banking

Private bank / wealth management

Investment banking

Brokerage

Money service, transfer and foreign exchange company

Non-bank financial institution

Global payments and risk management provider

Insurance company

Credit union

Legal firm

50%

50%

26%

21%

17%

13%

11%

10%

7%

4%

2%

0% 30%20%10% 40%

$500 Million (USD) or more

$250to $499 Million (USD)

$100 to $249 Million (USD)

$50 to $99 Million (USD)

$5 to $49 Million (USD)

Less than $5 Million (USD)

38%

8%

24%

16%

7%

7%

What was your organization’s total annual global revenue for last year? Answered only by “non-Bank” respondents. {165 respondents}

17%

4%

12%

52%

6%

9%

North America South America Africa Asia Australia Europe

Where are the majority of your organization’s customers located? {625 respondents}

30

1%0%

11%

76%

4%

8%

Compliance Operations Line of Business Technology Marketing Other

Which of the following best represents your primary work department? {626 respondents}

Roughly half of responding organizations’ customers are located in North America.

22%

7%

51%

20%

Manager/Supervisor Senior Executive Hourly employee (non-manager)Exempt employee (non-manager)

0% 30%20%10% 50%40%

You are not involved in theprocess at all

Your input is sought but you are notdirectly involved in the final decision

You make the final decisionwith others

You are the soledecision-maker

21%

42%

35%

4%

Which of the following BEST describes your decision-making authority/responsibilities for AML-related purchases? {626 respondents}

Which of the following best represents your title? {683 respondents}

For More InformationCall 866.858.7246 or visit lexisnexis.com/risk/financial-services

About LexisNexis® Risk SolutionsLexisNexis® Risk Solutions (www.lexisnexis.com/risk/)is a leader in providing essential information that helps customers across all industries and government predict, assess and manage risk. Combining cutting-edge technology, unique data and advanced scoring analytics, Risk Solutions provides products and services that address evolving client needs in the risk sector while upholding the highest standards of security and privacy. LexisNexis Risk Solutions is part of RELX Group, a leading publisher and information provider that serves customers in more than 100 countries with more than 30,000 employees worldwide.

LexisNexis and the Knowledge Burst logo are registered trademarks of Reed Elsevier Properties Inc., used under license. Other products and services may be trademarks or registered trademarks of their respective companies. NXR11242-01-1215-EN-US

1 United Nations Office on Drugs and Crime, “Estimating illicit financial flows resulting from drug trafficking and other transnational organized crimes,” October 2011,

www.unodc.org/documents/data-and-analysis/Studies/Illicit_financial_flows_2011_web.pdf.

2 “Global gross domestic product (GDP) at current prices from 2010 to 2020 (in billion U.S. dollars),” Statista.com, Last modified 2015. http://www.statista.com/statis-

tics/268750/global-gross-domestic-product-gdp/.

3 “Criminal Justice Resources: Money Laundering,” staff.lib.msu.edu, accessed November 16, 2015, http://staff.lib.msu.edu/harris23/crimjust/moneylau.htm.

4 Hannah Mills, Sara Skodbo and Peter Blyth, “Understanding organised crime: estimating the scale and the social and economic costs, Research Report 73,” updated

February 27, 2014, www.gov.uk/government/publications/understanding-organised-crime-estimating-the-scale-and-the-social-and-economic-costs.

5 “The World’s Most Southerly ATM: An Interview With Wells Fargo’s David Parker,” Need Coffee dot com(blog), January 5, 2010, http://www.needcoffee.

com/2010/01/12/antarctica-atm-interview/.

6 Sc.com, accessed November 16, 2015, www.sc.com/zw/en/.

7 Emily Glazer and Ruth Simon, “J.P. Morgan Goes Big On Growing Small Business Customers,” Money Beat WSJ (Blog), September 14, 2015, http://blogs.wsj.com/

moneybeat/2015/09/14/j-p-morgan-goes-big-on-growing-small-business-customers/.