Regulation and the Need for Automation
By Pat McElroy
Bank Secrecy Act and Anti-Money Laundering (BSA/AML) are at the top of the regulatory burden heap for today’s banker. While the laws related to BSA/AML have been around since the 1970s, the events of Sept. 11, 2001, changed the entire landscape. Today, financial institutions’ No. 1 compliance cost is likely BSA/AML, and much of that cost is focused on monitoring data to identify suspicious transactions.
It’s no longer enough to merely report currency transactions that exceed $10,000. Regulators also expect you to have controls in place to identify transactions that could be money laundering.
Under the USA PATRIOT Act, a broad range of financial institutions have been required to develop anti-money laundering programs to identify suspicious transactions. While the act does not require software, it does require financial institutions to develop reasonable procedures.
As a result of the USA PATRIOT Act and the general political environment, the federal banking regulators significantly increased enforcement of the BSA and AML laws in 2002. Most recently, the agencies issued new exam procedures in June 2005 that greatly enhance the agencies’ focus on internal controls needed to identify money laundering. While they have not required all institutions to have software, they have focused on software as a key control.
What Should the Software Do?
What should your primary consideration be when looking at software vendors? We would suggest a focused review on three primary areas of compliance: the data-mining expertise of the software, SAR submission capability and the case-management function. These are the areas that seem to make the most difference in adding efficiency and accuracy to the AML process. Other features that may be considered are CTR (Currency Transaction Report) submission, recordkeeping tools, customer identification tools and other issues and tasks related to compliance; however, the three noted above are primary.
The primary reason for purchasing software must be to improve your ability to identify money laundering. Appeasing regulators may be a byproduct, but identification is the most important. The key to identification is the data-mining capability of the tool. All vendors should first focus you on what their data-mining tool can do.
Any data-mining feature is only as good as the data that it uses for its analysis. Of primary importance is the integration of the data-mining tool with your institution’s various systems. Failure to accurately and completely map data fields from the core and other platforms can result in a tool that is ineffective and inefficient. Worst-case scenario is that bad mapping or bad data results in a tool with no validity.
Also of importance is the depth of the data that is imported into the system. If a tool takes only surface level data or a limited time frame of data, it will not be as effective as one that imports more detail.
Another key factor is the information that the tools compare the data to. Most products that we looked at applied the data to a set of rules. These rules generally are written around transactions that may be suspicious. For example, has a customer had five transactions in the past 6 months that are inconsistent with their normal behavior, or are cash deposits linked to an outgoing wire. The programs then take the violators of rules and push them to the user, either in the form of an alert or a report.
The investigative aspect is central to the work of BSA monitoring. A strong compliance function takes each instance that it believes may be suspicious and thoroughly investigates the case. Regulators favor institutions that do the legwork rather than just throwing any evidence of suspicious transactions over the SAR fence.
Effective case management enables the monitoring function to pull together the various pieces of data. This may include wire-transfer records, a copy of the check image or a copy of the teller’s write-up on a dialogue they had with the customer. The case management system will allow a third party, such as a bank examiner, to follow the logic used in the investigation and ultimate decision process.
The ultimate outcome of the case-management process is a decision on whether or not to file a Suspicious Activity Report, or SAR. The SAR form has numerous fields that the compliance function must complete. Additionally, the SAR form has a record retention requirement. Finally, the SAR filing process requires confidentiality.
What Do Bankers Really Need?
What does a banker ultimately want in AML automation? The easy answer is always the least expensive tool. It is obvious that bankers want value. While price is a factor, we submit that the banker should have two primary drivers in their selection of an AML vendor: 1) does the software identify money laundering; and, 2) can it be operated efficiently.
When assisting banks with AML workflow, we focus on the effectiveness of the tools within their environment. As a result, any decision to acquire software should be vetted thoroughly by checking similarly situated banks that have chosen the vendor. We do not believe that any tool can identify all the money-laundering activity that can occur, or that any one tool is the right answer for every bank; however, the better tools do perform differently.
In all cases, this software requires manpower to run it. Some tools require less because they have better workflow, their data mining is deeper, or their rules are more thorough.
Security plays an important role in any software that contains non-public personal information. By necessity, these programs contain such information.
The bank’s technology officer may have considerations about whether to employ this product in-house or outsource it through a hosted model. This is irrelevant from a compliance standpoint, but from an efficiency standpoint we recognize that some banks prefer a hosted model. More and more, vendors are offering hosted tools.
Finally, software compatibility and hardware requirements are a key issue. Some vendors’ requirements were prohibitive for smaller banks, but in general, the small-bank focused vendors do not require such investments. Of little concern is the age of the software platform, as the majority of the tools currently available were generally developed or significantly upgraded in the past three to five years.
Choosing the Best Vendor
The BSA/AML software space may be the most competitive space in the financial services industry today. To identify the vendor that best meets your needs, we recommend you identify all the vendors through a review of various Web sites, conversations with key industry players and discussions with peers.
Both large core vendors and small start-up companies should be considered. The speed at which vendors are developing and enhancing this software make for an interesting space. Some of the best-known vendors may be quickly passed by a new player that incorporates the latest functionalities and future needs.
Ask the right questions. A request for proposals should be developed that asks questions in the various categories and leaves room for the vendor to expand on its answers. Banks are selecting vendors at a phenomenal rate, and vendors are designing and implementing new features and functions to keep up. Make sure the vendor you select is designing its features to respond to your bank’s actual needs while keeping an eye on what the regulators will be looking for. Add proper training and support and you’ll have a system in place that protects your bank while controlling your compliance costs and satisfying your regulator.
Pat McElroy is managing director of risk management at Sheshunoff Management Services, based in Austin, Texas. In addition to his consulting work for financial institutions, he has been approved by the Office of the Comptroller of the Currency to assist in both safety and soundness and compliance examinations. For more information, please call Kristin Morgan at (800) 477-1772, ext. 577.