Netherlands-based bank ING is paying for lax anti-fraud measures,
the BBC reports. The bank agreed to pay €775 million in fines after Dutch investigators found that errors in its policies failed to stop financial crimes. Investigators said "collective shortcomings" by management enabled customers to use their accounts for money laundering and other frauds between 2010 and 2016.
This story involving ING illustrates that it is vigilance and diligence that are needed to fight criminal activity, not negligence. It also is important to remember the dire consequences of such negligence: the link between money laundering and terrorist financing of terrible events such as the 9/11 attacks.
So much has been written about money laundering and how to detect and avoid it. Internal auditors should consider some recent leading practices in anti-money laundering (AML) when providing assurance on the adequacy and reliability of AML regimes.
First, most large multinational financial institutions, including ING, are covered by tough AML legislative and regulatory requirements. For example, the Dutch government has kept pace with European Union directives by adopting requirements for banks to conduct an AML risk analysis. It also has established detailed rules and authorities for banks to require specific ownership information about accounts and money. These rules carry the threat of sizeable financial penalties or even withdrawal of licensing to operate.
Most large banks face significant challenges in succeeding in the fight against money laundering. Most rely on legacy compliance processes to fight financial crimes that have grown so complex as to be barely manageable. Multiple iterations, multiple handovers, and too many manually controlled processes prevent banks from maintaining effective compliance systems.
This complexity has led to greater operational risks. Ironically, several large fines have resulted in part from the need for banks to spend time investigating what turned out to be false alarms or to escalate a decision about a potential problem to higher levels of management.
Four areas of leading practice for auditors to pay attention to are:
An experienced, well-trained financial intelligence unit to analyze AML reports and data. If banks staff transaction-monitoring processes with inexperienced employees — especially when dealing with foreign or multi-country transactions — the amount of investigative effort will continue to increase. This could lead the bank to either emphasize risk reduction over efficiency, or the reverse — miss risks and the root causes of problems in more complex cases.
The financial intelligence unit also needs the authority and capacity to communicate frequently among other teams, such as due diligence analysts and transaction-monitoring teams. Moreover, the unit should release information to intelligence and law enforcement agencies when appropriate.
A streamlined, end-to-end AML compliance
process. Banks have better AML results when they review their processes to define the desired future state of compliance, identify the gap between the future and current states, and mobilize the organization to redesign processes. To do this, some banks use a start-from-scratch view to set the baseline for compliance activities and roles, rather than starting from existing activities.
An integrated AML compliance process can help address other dilemmas, such as when compliance questions are not aligned with regulatory objectives. Banks also can link the process to a system that would provide a better understanding of clients.
A single source for all compliance processes. This source should consist of internal structured data that goes through a rules-based cleanup and is integrated into a database. That data should be enhanced with unstructured and external data such as text, voice, and pictures, some of which may come from web pages and search-engine results. Predefined algorithms then would process and score the data for relevance.
This approach contrasts with the fragmented, siloed nature of many current compliance processes that require frequent manual interventions and delays. Low-quality and unstructured data resides within most banks without being fully integrated. This situation creates difficulties with client reference data and documentation sharing, as well as data extraction or aggregation from flawed databases.
When data quality suffers, so does the quality of the compliance process. The rigidity of hard-coded monitoring algorithms makes it difficult to adjust for policy changes or client behaviors that drive up the volume of investigations, resulting in high false-positive rates.
Advanced analytics and algorithms. Artificial intelligence increasingly uses enhanced databases to support a proactive compliance model. Human intervention remains valuable where machines cannot make better decisions. However, a growing number of tasks blend machines and people — data collection and analysis by the former; assessment of unclear data points by the latter.
Regulatory technology companies may provide expertise to assist banks, ranging from know-your-customer or AML specialists, to customer on-boarding and workflow process services. These partnerships have their own risks, including knowledge transfer complexities and business/customer data privacy considerations.