AML compliance checklist: best practices for Anti-Money Laundering
Effective Anti-Money Laundering (AML) programs — to ensure AML compliance — are a fundamental requirement for obliged entities. Ensuring effective policies, procedures, human resources and technologies helps protect the organization and instills confidence in its operations.
- AML fundamentals
- AML red-flags
- AML screening
- AML monitoring
- Risk management
- AML compliance technology
- AML resources
- AML compliance news
How do you measure success in regard to AML (Anti-Money Laundering) compliance? The obvious answer is that you don’t get fined for non-compliance and manage to prevent laundered money from entering into your financial system.
But is it enough to simply meet the minimum requirements? Don’t you want more from your compliance program and implement systems that are resilient, efficient and cost-effective? The good news is that there’s a new era of capabilities that can evolve your current AML compliance processes without creating inter-departmental wars or breaking the bank (pardon the pun).
Before digging deep into specific steps you can take to improve your AML operations, let’s consider the big picture. The reason for AML regulations in the first place is to make it harder for criminals to get away with ill-gotten gains. Since most crimes have a financial incentive at their core, hindering proceeds is a powerful method to dampen corruption, tax evasion, theft, fraud and numerous other crimes. That is money that should be spent on more productive things, improving society and individual lives.
That core tenet — AML is a critical component of a fair and functioning society — is at the center of an effective program. AML compliance is not a nice to have, or a necessary evil, it’s a fundamental requirement. Ensure that any decision-maker who has an impact on your budgets or operations understands and respects the true value of compliance.
As each jurisdiction has specific requirements, this post won’t include prescriptive rules for each jurisdiction; rather, let’s examine best practices that will serve you well, no matter what country you’re doing business in.
Don’t try to wing it. AML compliance is not something you want to improvise. Think policies through carefully, state them clearly and have it written out for all (executives, staff, and regulators) to see. What are your identification policies? What reports are you creating? What is your record retention policy? What regulations are you complying with and how? What are your communications procedures?
Who is the person responsible for the program? Designate one individual to “own” the system and ensure that processes are followed and updated, reports are filed, training is correct and that the system is running smoothly. Consider a senior-level individual who has the power to influence the company on these matters; after all, there’s a lot riding on the success of the program both from a reputational and financial point of view.
Every employee who deals with customers or transactions in any way needs to understand your company’s policies and procedures. They need to understand the legal requirements, techniques used by money launderers, checks they should make, and how to report suspicious activities.
Training isn’t a one-time thing. Look at refresher programs to keep staff vigilant and informed to ensure the program is up-to-date.
It’s easy to become complacent; if everything is running smooth, why change? Unfortunately, by the time you notice a problem it might be too late. Have an independent expert, such as a third-party, or at least someone not associated with the day-to-day compliance operations, review your program on a periodic basis.
What are some activities or situations to watch for? Remember, money laundering is about trying to legitimize illegal funds, so there are patterns that indicate that money might not come from legal means. You are looking for unusual activities, such as:
- Large cash transactions
- Large amount of transactions, which could indicate layering of transactions (splitting up of deposits to fall below reporting thresholds)
- Spikes in activity or amounts
- Transactions connected with cash-heavy businesses, such as gambling
- Transactions connected with jurisdictions that have a history of money laundering
- Transactions connected with individuals or businesses that are potential money launderers
These activities are noticeable in the initial due diligence process or through ongoing monitoring procedures. During onboarding, a baseline for normal activities should become apparent. Whether it’s classifying by account type, source of funds, expected transactions or some other criteria, set up a process to determine when something needs looking at, and how. Whether it’s an internal examination, or an external report to regulators, it’s not enough to note a red flag.
For example, just filing a report to file a report, is not really solving the problem. As compliance lawyer Michael Volkov states, “The government has been complaining that financial institutions are now submitting too many SARs (Suspicious Activity Reports), and that the SARs often fail to contain adequate information to warrant the filing of the notice.” Clear processes to handle events are crucial to successful AML compliance.
The best way to mitigate risk is to detect and manage problematic accounts before they become a risk. Performing a comprehensive identity verification check reduces risk from fraud, risk of breaking compliance rules, and risk from dealing with dirty money. Once a bad customer passes the initial checks, they are past the gate and can start testing your fraud prevention systems.
Fraudsters are becoming more and more sophisticated. Money launderers and terrorists are identifying weak links in your AML/KYC (Anti-Money Laundering/Know Your Customer) processes to help them hide the true source of funds, and their connection to it. By blocking access to those that want to bypass your safeguards in the first place, your prevention systems will be more robust and secure.
This includes an exhaustive AML screening program needs to gather data from diverse government sources, international regulators and law enforcement agencies. These watchlist checks scan for known or suspected entities and individuals who are associated with money laundering, terrorism, financial fraud, arms proliferation, drug trafficking or PEPs (Politically Exposed Persons).
After the initial onboarding process, compliance is not complete. There’s a necessity for monitoring on an ongoing basis. Monitoring refers to the analysis of continual, ongoing activities to ensure activities remain in compliance.
There are various activities to keep track of, such as exceeding thresholds, suspicious activities, change of status, recording of communications, surveillance of employees, watchlists, market trends, new regulations, trade data and various other market and transaction monitoring needs.
For financial institutions (FIs), even after AML/KYC regulations are met when signing up new customers, continued monitoring is critical long after initial sign up. FIs must monitor activity to ensure fraud is not committed, or that money laundering or terrorist financing funds enter their system.
With the rate of technological and regulatory change, determining modern-day risk assessments are not an exact science. Rather, it’s about creating policies and procedures that are dynamic, defendable and adaptable. According to an EY report, AML model risk management and validation “With the vast amounts of information available to decision makers, “gut feel” business decisions are not sufficient to satisfy internal auditors, or examiners. Decisions must be supported with well-documented rationale and evidence, and tracked to evaluate whether assumptions hold true initially and over time.”
Regulators themselves are trending toward a more risk-based approach. As ACAMS points out, “institutions and organizations will be required to become more risk-focused in the way they manage their CDD programs. That applies not only to the question as to whether simplified or Enhanced Due Diligence (EDD) should apply, but also to which methods, sources and monitoring approaches are appropriate.”
AML compliance technology
Dedicating staff to perform costly, manual compliance process isn’t the best use of resources. Allocating 90 percent of an employee’s time on data collection, entry and organization — when it’s better to use automation — is inefficient and negatively impacts the bottom line.
Technologies that add to, or improve existing processes are gaining the most traction:
- Look for proven technologies; just having potential is not enough (we’re looking at you, Blockchain).
- What is the utility? What pain-point does the solution solve and how quickly will it bring results?
- How easy is it? While compliance technology does involve complex ideas and technology, good solutions are adaptable and can integrate quickly into existing workflows. Having to fundamentally change processes is prone to resistance from staff, customers and regulators.
Automation won’t eliminate the need for human evaluation and judgment, especially in investigations, but by assigning the data and rule processing to computers, automation streamlines the process, reduces regulatory risk and avoids unnecessary charges for people handling repetitive tasks that computers do better.
However, as Trulioo’s VP of Product, Rob Hartley, states:
AML/KYC requirements are continually growing the demands on compliance. AML automation ensures that compliance can perform its due diligence, fraud prevention measures remain strong, and, at the same time, increase capacity, productivity and operational efficiencies.
Originally published December 14, 2017, updated to reflect the latest industry news, trends and insights.