The Financial Action Task Force (FATF) was formed in 1989 as an intergovernmental body designed to prevent, detect and deter money laundering, terrorist financing and other related threats to the integrity of the international financial system. While the threats have evolved, the financial industry has become more sophisticated at recognizing and dealing with them, due in large part to the increased availability and management of key information and data.
When anti-money laundering (AML) was in its infancy, regimes for the regulated sectors were established with a common purpose – to make information and data available to law enforcement to help them catch criminals.
In some cases, this basic tenet appears to get lost in a fog of AML compliance and regulation; the volumes of data can make it hard to see the forest for the trees and, if not managed properly, distract us from the common purpose.
The structure for management and use of information to detect money laundering has been in place for many years, and the key AML controls that utilize customer and transaction information are well understood. However, with 2012 revisions of FATF recommendations, Customer Due Diligence (CDD) controls have received a renewed focus to:
The ability to meet these objectives depends on the ability to collect, analyze and manage data.
Understanding who the customer is requires the collection, verification, storage and analysis of customer identity data.
What makes this so difficult? Some customers hesitate to share data because of business models that create legitimate commercial risks in sharing it. Complex financial institutions still struggle to ensure that accurate information about a customer is collected in a timely fashion and stored in a manner that is retrievable and useable. Some regulators, due to concerns about driving to a tick-box approach, contrary to the risk-based approach, leave the industry to work out what compliance looks like and, as a result, predominantly articulate regulatory policy through enforcement. This is further exacerbated by the FATF fourth round mutual evaluations’ focus on “effective in practice.”
These factors have created an environment that means the regulated sector is sometimes unable to fully fulfill its role to provide information to help catch and prosecute criminals.
The second objective is also driven by information – primarily customer identity and transaction data.
Variations in the treatment and application of the customer and transaction information within financial institution risk models, even though the information and data used to drive the risk models are largely the same, can result in the application of very different types and levels of control to prevent, detect and deter money laundering.
This again can restrict the regulated sector’s ability to fulfill its role and may result in an uneven provision of information to law enforcement. Within some quarters, there also still remains a fundamental misinterpretation of what risks the regulated sector should seek to understand and therefore manage.
This misinterpretation can be best summed up by anti-money laundering (AML) risk vs. money laundering (ML) risk. It is sometimes forgotten that there is only one AML risk – the risk of not complying with regulatory obligations.
A focus on AML risk rather than ML risk can also mean that controls to prevent, detect and deter may not be commensurate with the real ML risks and therefore further limit capability to provide information to law enforcement.
This is one of the biggest challenges facing the regulated sector today.
Many large banks have undertaken remediation with their customer base in the last 10 years for one simple reason: banks are not data companies. This is a significant burden because the banks struggle to manage data. The complexity of their operations, legacy system and data management mean, when faced with the requirement to confirm that customer information is still correct, in some cases it is easier for the bank (but not necessarily the customer) to completely repeat the identity information collection.
Once collected, the information gets filed away, and the next day its accuracy begins to degrade until the bank repeats the remediation exercise. As a result, the regulated sector diverts precious and finite resources to a task that adds limited value to the pursuit of the common purpose.
The continued growth in available data and techniques to manage and mine it should support the regulated sector’s efforts to provide information to law enforcement. The use and management of information in AML is vital, but continues to be a challenge for the regulated sector, particularly in relation to CDD, and the industry is seeking out solutions to address the issues.