A fundamental rethink of FCC is needed to move away from tick-box compliance and ensure greater focus on effectiveness and outcomes, says Kelvin Toh.
Picture this. A bank is presenting on their revamped financial crime compliance (FCC) framework. The compliance officer proceeds to elaborate that “New Bank” only screens cross border transfers for low risk, locally domiciled customers above a certain threshold amount and involving high risk geographies. Transaction monitoring is generally not performed for all outward transfers involving individual customers and certain established listed companies in the e-commerce business during selected holiday seasons. He proceeds to add that New Bank is exploring a new initiative to not screen selective incoming cross-border transfers against OFAC sanctions lists if they have been processed via or cleared by a US financial institution.
If you are a regulator or auditor reading this, at this point you may be fidgeting uncomfortably in your seat. You may even feel angry. How audacious of New Bank to have such lax standards; do they have any regard for the regulatory requirements and rules?
But what if I told you that New Bank files three times more Suspicious Activity Reports (SARs) than peer banks of comparable asset size and customer book size in its country, and its proportion of SARs that led to eventful investigations by law enforcement or sanctions designation hits was five times the national average? Also, as a result of the cost and time savings from the bold and radical processes, New Bank was able to devote more resources and effort to risk-themed focused internal reviews and in-depth, targeted investigations, thereby uncovering more bad customers and risks than under its previous FCC framework.
Fret not: New Bank, as well as the above radical and questionable ‘risk-based approaches’, exists only as a figment of my imagination. The fictional and extreme examples were brought out to tease a new idea. You see, I have worked in FCC for more than a decade amid an increasingly challenging work environment with progressively tougher and more complex regulatory standards, and banks increasingly spending on compliance[1], and it is widely known that the current anti-financial crime regime has a limited impact on crime vis-à-vis the growing scale of global money laundering[2]. If pursuing a path with grit and perseverance for more than ten years has not really worked, should we be thinking of and approaching FCC in a materially different way?
A focus on proving work done, and cost avoidance
One of the potential factors that limits the effectiveness of the global fight against financial crime is that currently, most banks’ compliance programmes take an approach that is heavily focused on cost / penalty avoidance and proving work performed. FCC hence largely becomes a tick-box exercise at the end of the day, rather than aiming to make a real impact in combatting financial crime.
This can be detrimental to the development of a healthy compliance culture in a bank as well, as compliance is often viewed purely as a cost and regulatory requirement, while the social responsibility and positive impacts to communities and societies are seldom considered. If the primary priority is for a bank to demonstrate the completion of required compliance tasks and the discharge of its regulatory obligations, rather than the results or outcomes of those tasks, the bank will focus on utilising its limited resources towards only meeting the baseline requirements.
Ploughing more resources and effort towards achieving more impactful outcomes then becomes a secondary consideration and relevant only when there are excess resources to spare, which is rarely the case given tight cost controls and competition to allocate more resources towards business growth objectives. By design, this encourages behaviour where there is simply limited upside to doing more, and disincentivises a shift of resources towards higher-impact tasks if it results in a loss of coverage of other ‘tick-the-box’ tasks – even if the end outcome is that the bank manages to detect and stop more potential crime. The bank would risk punitive action due to technical breaches, and worse if crime or illicit activity was later detected and linked to customers or transactions that were not assessed.
The practical reality is that compliance resources are always limited. Spreading out resources to achieve technically complete coverage of the baseline requirements means fewer resources are available to perform more targeted, complex and resource-intensive compliance work such as risk theme focused reviews and in-depth investigations.
The Pareto Principle and the prioritisation of time and resources are understood and practised in almost all aspects of our lives. We deprioritise or cancel selected tasks to focus our efforts on others that deliver the most results or most important outcomes, from choosing which emails to read and act on, to juggling work and personal goals, to deciding who to afford care in a medical emergency room.
Our law enforcement units pick out the ‘big fish’ as well, recognising crime is not homogeneous and that it is simply impossible to eradicate all crime. So why has our global anti-financial crime regime been designed to incentivise technical compliance, and the mere completion of tasks off a checklist?
Carrot and not just the stick
If we need to move towards an anti-financial crime regime that encourages focus on effective outcomes, and allows banks more freedom to decide which aspects of their compliance programmes and processes to focus resources on, what safeguards do we have to ensure that banks do not take advantage of the less onerous and prescriptive regulatory requirements, loosen their standards, or cut down their commitments towards FCC under the guise of resource prioritisation? (After all, we continue to regularly hear of firms having poor compliance culture and ineffective senior management commitment and oversight towards compliance being fined for AML/CFT and other compliance lapses.)
The answer is that such changes need to come alongside a shift in the supervisory approach towards banks, one that similarly focuses on results and outcomes over technical compliance. The principles that underpin the risk-based approach advocated by the Financial Action Task Force (FATF) continue to be relevant; for banks to be allowed to adopt a more outcomes-focused AML/CFT approach they must be able to demonstrate via clear, quantifiable metrics that more financial crime is detected or stopped as a result of the changes to their FCC framework or risk-based decisions, and that the changes result in an overall reduction in net residual risks.
Metrics such as SARs filed and SAR conversion ratios – as well as data analysis from law enforcement on the quality of SARs or proportion of SARs that led to subsequent investigation, enforcement action or sanctions designation hits – can be used to measure performance. Just like how regulators and auditors use confirmed risks or events to back-test a firm’s processes and controls to assess robustness and identify gaps, a similar approach could be undertaken to back-test the new FCC framework, processes and risk-based decisions using past data and activity to simulate performance.
Should the results prove viable, the changes to the FCC framework or risk-based decision process can then be undertaken, with an expectation that ‘live’ metrics used to measure performance will continue to be monitored and show improvements.
A shift towards an outcome and impact focused regime will also encourage banks to make existing risk assessments, such as the Enterprise Wide Risk Assessment, more meaningful instead of treating it as a painful annual tick box exercise. With appropriate design, outputs from the Assessment could be used to support prioritisation of resources, as well as monitor the effectiveness of FCC framework tweaks and decisions.
Once favourable results are achieved, auditors and regulators may then seek to increase the intensity of the changes or tasks that worked, or increase their coverage. This may backfire and push the bank back on the path of prioritising technical compliance and issue avoidance, given the reality that resources are limited and that any innovation or process change likely involved a trade-off in resources and coverage from another area.
Instead, to encourage banks to devote more resources to increase overall compliance resources, and hence coverage, incentives or carrots tied to performance could be considered. Such incentives could be financial or non-financial in nature, such as concessions on supervisory capital, grants or subsidies tied to compliance hiring and training, or good publicity via government-issued awards.
Positive impact on other FCC initiatives
A foundational shift in the global anti-financial crime regime towards an outcomes and impact focused one will also boost the pace and strength of other important initiatives that banks globally are already starting to embark on to achieve greater FCC effectiveness – such as greater use of technology and analytics, data driven risk contextualisation in decision making, financial crime information sharing, and engagement in public private partnerships.
For example, banks may at times hesitate to adopt new technologies or solutions because the risk coverage of the new solutions may not completely account for risks identified under previous control processes without use of the solution, even if the overall risk coverage with the new solution is greater.
The search therefore is always for a solution that is ‘legacy plus’ – one that can cover all known previous risks and more. However, due to the fundamentally different ways new technologies contextualize data and identify risks, compared to rule-based risk identification complemented by human review, a complete overlap in coverage is rarely achieved.
A clearer regulatory emphasis on effective outcomes would encourage banks to be more open to adopting technological solutions in these situations, analysing risk trade-offs and overall net risk impacts, and discussing proposed changes to their FCC frameworks and processes with regulators.
Conclusion
The global anti-financial crime regime has been in place for more than 20 years. Regulatory expectations, and the demands on banks to ensure compliance, have also risen over the years. And banks have come a long way from a time when most had no FCC frameworks, policies, procedures, or dedicated compliance resources at all.
Today, most banks have established compliance functions in place and are increasingly willing to spend on new technologies and automation to better fight financial crime. Yet, the United Nations estimates that around 2-5 percent of global GDP continues to be laundered annually[3], while a paltry 1 percent of that is seized or frozen by law enforcement agencies.
Something does not add up here, and while no one may claim to have the answer to why, if data tells us that the current regime is not working adequately, perhaps it is time we radically rethink the foundation of our approach to financial crime. An anti-financial crime regime that encourages focus on effectiveness and outcomes, allows banks the freedom to allocate resources towards higher-impact areas, and uses a carrot rather than the stick, could be what we need.
—
Kelvin Kairong Toh, CAMS, is a compliance professional with more than a decade’s experience spanning regulatory supervision, financial crime compliance and sanctions compliance in government agencies, global banks and national banks. He is passionate about the topics of sanctions compliance and ethics & compliance culture. The views expressed are his own and are not representative of the views of any institutions he is affiliated with.
—
[1] A 2019 report by LexisNexis Risk Solutions “True Cost of AML Compliance” estimates that Singapore financial services firms spend USD 3.13b on AML Compliance, with costs expected to increase by 10% within the next 24 months. A report “Cutting the Costs of AML Compliance” published by Oxford Economics and LexisNexis Risk Solutions estimates that UK firms spend GBP 28.7b on AML Compliance in 2021, and are projected to spend over GBP 30b by 2023.
[2] The Global Coalition to Fight Financial Crime – “Illicit proceeds from criminal activity are estimated to account for 2-5% of global GDP (around USD 2 trillion), yet less than 1% is ever seized or frozen by law enforcement agencies”
[3] Based on the UNODC. A 2011 estimate by the UNODC places this at USD $1.6 trillion, or 2.7% of global GDP.
