Cross your fingers

The latest OR&C Intelligence survey shows that, while progress is being made in anti-money laundering (AML) systems at financial services firms, there is still a long way to go before firms have totally automated systems and metrics in place to measure their performance by.

The new survey, which was sponsored by risk management consulting firm Protiviti, shows that, while 72.2% of firms have an AML system in place, half of firms with systems in place have multiple technology platforms across different products and countries.

"The focus in recent years has been on implementing systems that afford companies (and their regulators) adequate assurance that unusual or suspicious activity is being detected," says Carol Beaumier, executive vice-president, global industry programmes, at Protiviti. "In many instances, the initial system selection/design was hurried and ultimately the system did not fully meet the company's needs. I believe this is supported in the survey by the number of companies who report upgrading their systems in the last two years. Given the continual upgrading that appears to be occurring, some companies may not believe they have reached the optimal state where establishing metrics makes sense."

Beaumier says that both the survey and her firm's experience show that many financial services companies are upgrading their AML technology platforms and/or integrating them into one organisation-wide framework. Some 70% of firms that have systems have upgraded them over the past few years. "In some instances, there may be bona fide reasons for having multiple systems, for example, privacy laws that affect the transmission of data across jurisdictional lines," says Beaumier. "In many cases, however, the reasons companies have multiple systems tends to be because regulatory pressures in one jurisdiction might have prompted them to make a decision in one country before they were ready to make a global decision and/or they believe that they need different systems for different types of business - retail versus wholesale. Intuitively, there seems to be value in having a single system.

The next evolutionary step is to put effective metrics in place to help firms understand how well their AML frameworks are working and how they can be improved. Indeed, the profusion of platforms in many international organisations means that they are not monitoring the performance of their AML framework at all (32.5% of firms who have a platform), while others monitor only basic indicators, such as the correlation between alerts investigated and suspicious activity reports filed (26.3%) and the ability of current staff to handle the number of alerts produced (17.5%).

Beaumier says metrics should be designed to measure the efficiency and effectiveness of the monitoring system, and should include consideration of such factors as the extent to which suspicious activity reports (SARs) are based on system-generated alerts versus internal referrals, the relationship between alerts and investigations, and the relationship between investigations and SAR filings.

What firms value in their AML platform is also changing. A few years ago, many firms went on a binge of hiring former regulators to operate their AML systems. However, today understanding of a firm's products is given a higher level of importance, at 67.5, than regulatory experience (66.8). Following on from that, operations experience (57.6) and forensic accounting (51.5) edged out law enforcement. Says Beaumier: "Experience as a regulator provides those charged with monitoring with practical experience of regulators' expectations as well as how peer institutions approach monitoring. However, unless one has a good understanding of the products and services offered by an institution and the extent to which the features of these products and services pose a risk to money laundering or terrorist financing, it will be difficult, if not impossible, to identify anything but the most basic, for example, cash activity or types of money laundering. This is increasingly true given the extent of innovation in the financial services industry and continuing introduction of new or modified products."

When selecting the technology platforms themselves, firms rate the 'bread and butter' issue of an effective audit trail the highest, with a score of 76. User-friendliness and customisation are tied for second place at 65.7 points, while securities features and scalability are both tied for fourth place with 63 points. Cost ranks 10th in importance, with a score of just 54.6 points.

"The audit trail - which could also be called a case management system - provides evidence that alerts were investigated and stores the documentation that supports a company's decision to file or not file a SAR," says Beaumier. "It is imperative for demonstrating the adequacy of the company's monitoring and investigative processes to a company's regulators and for supporting individual decisions in the event of a regulator challenge."

Beaumier also points out that 93% of the respondents customised their systems. "This is actually higher than what I might expect, but demonstrates an increasing awareness of the need to ensure that screening scenarios are adapted to the unique needs of each institution," she says. "Failure to do this often results in large numbers of meaningless alerts that can overwhelm the monitoring and investigation processes and make it more difficult to detect actual unusual or suspicious activity."