Originally published on CUInsight.com.
Have you ever built something from scratch? I mean no plans, nothing—just pulled an idea out of the air and went for it? I have, and let me tell you, it takes an amazing amount of time and effort. In 2013, my four sons and I built a fire pit pagoda in the back yard.
We had no kit, some skills, and precious few right angles. It might not have been wise, but it was certainly adventurous.
Because this project was built “off the cuff,” a number of mistakes were made that required fixing, adding a tremendous amount of time and costs, as well as a few slightly heated arguments. If you’d rather avoid criticisms and headaches, the “winging it” approach might not be advisable—especially if you happen to be a BSA officer and your build of choice is an anti-money laundering system for your Bank Secrecy Act program.
It’s not that the build itself is extraordinarily difficult; it’s that building one without tried-and-true plans too often results in chaos. When proven designs and plans aren’t followed, the result is a huge increase in costs and time. In the world of BSA, winging architectural plans is equivalent to arbitrarily creating and/or implementing untested BSA/AML rule parameters—and thus, institutions cheat themselves out of a beautifully manageable BSA/AML reporting system. If it is a beautifully manageable BSA/AML reporting system you are after, your institution must follow the proper procedures for building your system: you must organize, analyze, and modify BSA/AML rule parameters before and after implementing them.
Whatever AML system you’re using—whether it’s the most expensive platform with all the bells and whistles or a Google spreadsheet built by your own team—its effectiveness and efficiency are closely correlated to how much effort has gone into customizing the rules to fit your institution’s circumstances. There is no industry-wide set of rule parameters for identifying transactions that should result in an alert to be investigated. The institution or software vendor may come up with an initial set of rules, but far too often an understanding of what particular activities these rules are designed to detect is lacking. This can result in excess “noise” (an overabundance of useless alerts, as disappointing as angles on a fire pit pagoda that don’t match up). But it can also result in suspicious activities that skate by undetected, exposing the institution to regulatory, legal, and reputational risks (similar to the risk posed when your 6-year-old is climbing on the roof and you’re wondering if it will hold). Avoiding these negative effects is often a simple matter of organization, analysis, and modification.
Five Steps to a Smart AML System Build
First, it is helpful to define categories under which each rule can fit. Below are examples of some basic categories that could apply to most institutions (recognizing that it is important to tailor the categories to your institution’s needs):
- High-Risk Geographies
- Common Counterparties/Groups
- Large Asset Movement
- Increase in Behavior
- Rapid Rotation/Velocity
- Inconsistent Activity to Account or Entity Type Profile
- Accounts Meriting Monitoring
Second, identify the types of unusual or suspicious activities for which you would file a SAR, and divide them into your predetermined categories. For example, bulk cash or monetary instrument transactions are suspicious activities that could be classified as “Large Asset Movement.” Unusual financial nexuses and transactions occurring among certain business types could be categorized as “Common Counterparties/Groups.” Continue with this process until you have identified all usual/suspicious activities and divided them into groups.
Third, organize each BSA/AML rule according to the type of activity it was created to detect; this should help institutions define the purpose of each rule. Ascertaining which of the rules from your current rule array raises an alert for each suspicious activity will help you identify whether you are lacking rules or have implemented superfluous ones.
Fourth, analyze the efficiency of these rules. At this stage, it would be helpful to know two basic facts about each rule:
- The number of alerts generated by this rule over a given period of time.
- The number of SAR filings resulting from these alerts over the same period of time.
Knowing this information will indicate which rules aren’t catching the intended activity and which are catching too much. It is important to note that an alert doesn’t have to trigger frequently to be effective; the significant information is how many SARs are generated per alert, providing a helpful indicator of the rule’s usefulness to the BSA/AML program.
Of special interest are rules that have been recently modified to see if the modification has had the intended effect. After conducting this analysis, many institutions may be surprised to find that a high percentage of their resources are tied up investigating alerts based on parameters that have never resulted in a single filing of a suspicious activity report, which means that they have been generating nothing but “noise.” While a certain amount of noise is to be expected, this type of analysis can help make sure the noise level remains manageable. There are more sophisticated types of analyses that we typically employ to further refine the process for our client institutions, but this type of analysis can be a helpful start in organizing your AML system’s efficiency.
Finally, it is time to assess whether a modification to the rule parameter is warranted. Such modifications should only be implemented once they have been fully considered, documented, and tested (initially tested to verify they have been accurately implemented and then follow-up tested to ensure that the modification is having the desired impact of reducing noise without adversely impacting reporting of suspicious activity).
Instead of skipping the building plans, some forethought and analysis in the ongoing building of your AML system will save you trouble in the long run. By taking a little extra time to scrutinize your rule array, you will be empowered to remove ineffective rules, modify rules with potential, and maintain successful rules for a structurally sound reporting system.
Ken Agle, President of AdvisX, brings more than 25 years of experience covering almost all facets of financial institution risk management operations. He has conducted more than 350 compliance reviews and has assisted more than 200 financial institutions throughout the United States. He has developed and implemented systems and training programs on all phases of banking risk management, including, but not limited to BSA/AML, fair lending, loan review, HMDA, CRA, BSA, operational compliance, TILA, and RESPA. He has written numerous regulatory responses and appeals and has been instrumental in assisting institutions with challenging circumstances while facing regulatory enforcement orders. He has partnered with McGladrey & Pullen, RSMI, Promontory, Sheshunoff and other multi-region firms to provide support services to financial institutions. Mr. Agle specializes in strategic regulatory response and in developing and implementing both proactive and reactive tools and systems to preempt and resolve issues affecting today’s financial institution.