By Alice Cheung and Qi Zhang, Disputes and Investigations Asia

As money laundering schemes get increasingly complex and harder to detect, the enormous and costly task of combating money laundering has become more challenging. “Regulators imposed bigger fines for anti-money laundering failures in the first half of this year than they did in the whole of 2019,”[i] according to a report in the Financial Times, as companies repeated their previous mistakes in trying to combat financial crime. In a world where technology, regulations and sanctions are changing at a pace faster than many financial institutions can keep up with, it is no wonder that banks keep falling foul of the regulators despite investing heavily in their compliance frameworks.

Banks have for many years made efforts to improve their anti-money laundering (AML) compliance frameworks, not least because of the U.S. PATRIOT Act introduced in 2001 following the 9/11 terrorist attacks.  Yet, some banks continue to struggle to meet AML regulatory requirements and fail to detect and/or report money laudering activities that pass through their systems.  So, despite all the effort, why do some banks continue to fall short of regulators’ expectations? And more importantly, what should they do differently?

Key challenges that cause AML compliance programs to fail are:

1. Lack of support and resources within banks

The success of an AML compliance program depends on the cooperation of all employees across different levels and global locations. Many banks over-rely on their compliance and risk personnel to act as gatekeepers. Money laundering then slips through the gate unnoticed by front line employees who assume compliance checks would have detected them.

2. New forms of technology emerging faster than banks can keep up with

The advancement of technology such as the development of virtual currency and other digital assets have afforded criminals new possible avenues to launder money. Many regulators around the world are still in the process of assessing these new threats and establishing appropriate regulatory guidelines for them. Banks are still in the dark as regulations (if any) can often be unclear. As new technology deployed by money launderers advances faster, financial institutions are struggling to respond quickly to these threats. By the time banks have acquired the necessary knowledge and expertise, the next technological advancement has arrived with new AML risks.

3. Lack of effective risk oversight by senior management

Westpac’s recent large-scale AML breaches illustrate the damaging consequences a lack of risk oversight can result in. Over a six-year period the bank failed to properly report more than 19.5 million international funds transfer instructions totalling over AU$11 billion to AUSTRAC. Westpac was handed a record penalty of AU$1.3 billion, of which Federal Court Justice Beach said “AU$300 million was attributed to Westpac’s failure to conduct proper screening of its international bank partners”[ii], indicating that its customer due diligence fell short of regulators’ expectations. The bank was found to have “breached AML laws 23 million times, including a failure to report 262 customers linked to child exploitation.”[iii] According to AUSTRAC’s CEO, Nicole Rose PSM ,“such a large number of breaches over several years was unacceptable and could have been avoided with better assurance and oversight processes to identify ongoing reporting failures,”[iv]. Adequate risk oversight by senior management is shown here to be crucial in avoiding such costly mistakes.

4. Outdated technology

Large banks are likely to have been established many years ago, with legacy banking systems possibly dating back a decade or more. These types of legacy systems are difficult to upgrade and integrate with new technology. In addition, complex organisation structures within these large banks make decision-making processes difficult and lengthy. It may take up to several years for a bank to approve and finally implement any proposed changes to its systems and by then, there could very well be new AML regulations or technology making the “new” system again outdated and unable to cope with the latest AML risks.

A more holistic approach to addressing AML risks is necessary to overcome these challenges.

Here are four examples of practical steps banks can take now to safeguard themselves against these risks:

1. Better assess AML risks and close risk gaps

Banks should look deeper and broader in their AML compliance assessments.  When it comes to AML risks, simply assessing current policies and measures is not enough. Incorporating the latest risk trends, regulatory updates, industry peers’ practice, and international standards will provide banks with a more comprehensive understanding of where the real risks lie. There is much value in engaging independent expert consultants to perform risk assessments. External consultants are more likely to spot entrenched practices that are no longer effective and ask the difficult questions without being hampered by internal politics. Once anomalies and risk gaps are identified, an immediate action plan to address these should be implemented and then monitored for continuous improvement.

2. Build adequate risk controls and enhance AML governance

Banks should set up effective risk controls to continuously assess AML policies and procedures, and regularly evaluate AML personnel’s knowledge levels to ensure optimal performance of their duties. Senior management should also closely monitor and assess whether AML programs are achieving the intended outcomes. Independent testing and monitoring performed by internal audit should be evaluated and if found to be insufficient or unsatisfactory, banks should consider engaging external consultants to assist with the work.

3. Upgrade technology

In current times, technology is the cornerstone of all AML programs. Automated systems help streamline and improve operational efficiency, as well as reduce human error. When incorporated into routine tasks such as name screening and transaction monitoring, machine learning can identify potentially suspicious activities or patterns which may be missed by manual processes.  This allows AML compliance personnel to focus on higher-value work such as evaluating high-risk activities and improving compliance frameworks.

Traditional rule-based methods to detecting suspicious activities tend to generate high volumes of false positives. In comparison, machine learning has been shown to significantly reduce false positive rates by applying algorithms to recognise and analyse customer behaviours, transaction patterns and historical investigation results. This will help banks enhance their customer due diligence (KYC) processes through a better understanding of their customer profiles and relationships to other parties. New technology enables banks to build a more complete picture by collecting data from a multitude of sources, both internal and external.

4. Improve training and instil risk-aware culture

Banks should consider providing tailor made training to address new AML risks and any regulatory changes not only to the frontline staff but also to board members who are responsible for overseeing the banks’ AML compliance performance. A risk-aware culture needs to be embedded and continuously reinforced into the culture and mindset of all employees across the bank. In efforts to encourage this, banks may consider implementing compliance-based performance metrics to determine compensation of all staff.

The risk of repeating history and falling short of regulators’ expectations again comes with too high a price. Banks should roll out necessary enhancements and solutions to safeguard against AML risks.