Wednesday, November 01, 2006

The Risk-Based Approach - Is It a Poisoned Chalice?

Alain Damais, the head of the FATF, has recently highlighted some of the problems associated with the approach being adopted by many financial institutions towards the problem of ‘best practice’ anti-money laundering compliance.

In an interview widely reported in the European press, his remarks contain a series of important observations. He is reported as saying…;

‘…The main area of AML concern for banks was their obligation to take a "risk-based approach" to the problem.

"The RBA is a fairly new system for many regulated firms; the dangers are that it will increase the owner's responsibility and therefore the fear. On the other hand, it could be safer as it is more flexible. It could allow the bank to target the difficulty. The risk-based approach is how you deal with the normal people, the majority."Although someone's account may have little unusual activity, his business — or identity — could contain other "red flags" that could throw doubt upon his risk classification. Damais said that each bank had to identify and document the risk linked to each account holder and conceded that this could mean more work on the bank's part. He thought, nonetheless, that this would help each bank deal more easily with people on sanctions lists. He stated unequivocally: "Either you have Osama bin Laden as a client or you don't."

In many ways, it is too easy for a regulator, and particularly the FATF to make broad pronouncements of policy, they don’t have to think through the implications of what the policy will mean to the average institution. In some respects, this identifies one of the perennial problems that the financial industry has with the FATF, an organisation with a self-generated policy objective, and with little or no direct accountability – its pronouncements carry significant weight and moral authority, and can expect to be acted upon, while at the same time, its own authority is little more than a self-fulfilling prophecy!

There is nothing at all wrong with the risk-based approach (rba), in theory! In theory, every bank knows all its customers intimately, and the rba is practised as a sine qua non!

In practice, the rba is not attractive to financial practitioners because it places too great a degree of responsibility on the shoulders of the industry itself, to undertake the necessary degree of due diligence and risk mitigation, and it places a very mobile spotlight into the hands of the regulators which can so easily be shone into some dark and murky corners, when necessary.

The rba in fact, is a poisoned chalice for the industry, while being a consummation, devoutly to be wished, for the regulatory agencies. For the banks, it magnifies their need to provide for additional compliance requirements, while it absolves the regulators from having to make difficult decisions about the minutiae of practical issues, and enables them to focus upon the high-level provision of policy pronouncements. which the regulated sector then has to spend time and money seeking to find ways round!

Indeed, when I was both a regulator and later, a legal practitioner, it never ceased to amaze me how little money a financial institution was willing to spend on developing good compliance procedures; while money became no object if their lawyers could suggest ingenious ways to circumnavigate the implications of an inconvenient regulation!

The policy of most financial institutions has been to develop and implement AML best practice compliance procedures on a grudging, and extremely dilatory basis, in some cases, some institutions have had to be dragged, kicking and screaming into a semblance of compliance with the AML regulatory requirements. One only has had to look at the fines which have been levied on some of the most famous names in the average High Street for failure to comply with the most simple of requirements. If a major institution cannot even provide compliance with a requirement to maintain its own client’s records in an accurate and recoverable manner, then how much credence can be placed on its assertions that it is conducting meaningful transaction monitoring activities?

Possibly the biggest problem however for practitioners is that the rb approach means that they must now make all the decisions as how they engage with the entire compliance process, and without any form of proscription from the regulators. Indeed, their very approach to compliance must adopt rb characteristics. In other words, they must decide how much of a risk they can afford to take by either adopting or not adopting elements of the compliance process!

Let us examine the use of IT systems for assisting in the potential identification of suspicious transactions, as an example!

By far the largest percentage of regulated financial institutions have not implemented any form of IT-assisted transaction monitoring (tm) system, despite the significant importance that is placed on tm by international regulators. It is fast becoming realised that tm is really the only way that institutions can bring any form of meaningful enquiry to the question of how their clients are conducting their affairs.

For many practitioners, making use of a broad-based name checking system has, until now, been considered to be sufficient to meet their KYC needs, but any continued adherence to this policy alone and without additional tm applications, would be a great mistake.

Name checking, while no doubt one method of ensuring that Osama bin Laden is not running an account with your bank, is merely part of the compliance function. Let us be pragmatic, what are the chances of any well-known international terrorist or criminal operating an account in his or her reported name, I mean, it isn’t going to happen, is it? At the same time, how many variations are there on the way in which the single name, ’Mohammed, can be spelt?’ How many false positives must get generated every day by a mere name checking system, and how long do these take to verify?

TM tools have to be seen as now becoming a mandatory part of the regulatory process, and financial practitioners must begin to implement such systems, as part of a best practice, rb approach to AML compliance.

Now, there have been some real scare stories generated in this space, and I have no doubt that everyone who practises in this arena could tell an equally horrifying tale of woe of cases where they have heard of thousands of false positives being generated, all of which have to be examined and analysed.

Such events have happened, it’s true, but at the same time, a significant amount of good work has also been identified as the result of good adherence to these systems. I have always maintained that the use of a well-balanced, properly implemented tm system not only provides the front line of defence against allegations of failing to adhere to the regulatory imperative; but at the same time, in practice can be used to identify real examples of purported fraud against the bank, because the tm system picks up all anomalies. It does not seek to differentiate and only examine those activities which might be indicative of money laundering! That is not its function, it looks at every transaction and seeks to identify any one which breaks the parameters of normative behaviour defined by the account conduct over the past year!

The adoption of the rba means, that in so many cases, and for the first time, the institution is required to take a long look at its business profile and determine its risk parameters in a meaningful way. Having conducted that exercise, it is then better placed to decide what kind of tm system it really needs.

The practice has developed for IT managers to require additional functions to be added to any IT response, in the hope that by packaging a portfolio of different tools within one platform, this will make the product easier to sell, internally. Increasingly therefore, IT solution providers are being asked to provide anti-fraud tools, as well as AML requirements. Some of these anti-fraud tools require a wide cross-section of individual fraud scenarios to be included, yet all this is doing is making the problem of determining potentially suspicious transactions which need to be disclosed to the relevant authorities, more and more difficult to identify, and is radically increasing the possibility of the provision of additional false positives.

The answer to a best practice rba is not to seek to build an entire suite of solutions into one operating model because this will merely exacerbate the potential problems which can be generated.

If the rba is properly determined, constructed and documented, the provision of an IT-led, STR support mechanism, can and should be capable of being calibrated in a simple and extremely functional way. By tailoring the operating function as closely to the risk profile of the institution, false positives should be reduced significantly and the system should become really effective at identifying those disclosures that the institution really needs to be making, rather than just submitting a vast batch of alerts, none of which have been properly qualified.

The intelligence agencies are not looking for a vast volume of disclosures, but value in information; disclosures that really do identify potential wrong-doing and upon which they can rely from an early stage. Any financial institution which is regularly submitting hundreds of alerts on a regular basis, is failing in their duty to provide a properly qualified rba, as is the institution which submits none at all. Both will, in future, stick out like a sore thumb!

No comments: