Whether it was a model airplane, some Legos, or a Swedish bookcase, odds are you’ve purchased something that requires some at-home assembly. What all these things have in common is the instruction booklet. Not all of these instruction booklets are created equal, however. Some are clear, precise and easy to follow, while others are so vague and complicated that trying to decipher them often results in pulling out your own hair and a few choice curse words. At one point or another, you may have had the audacity to ditch the instruction booklet altogether, trusting to your own instincts to complete the assembly. Unless you are Tim “The Tool Man” Taylor, this probably didn’t go very well. “Winging it” more often than not leads to mistakes that require fixing, added assembly time, and higher blood pressure.
If you’d rather avoid criticisms and headaches, the “winging it” approach might not be advisable—especially if you happen to be a BSA Officer and your build of choice is an anti-money-laundering system for your Bank Secrecy Act program.
It’s not that the build itself is extraordinarily difficult; it’s that building one without tried-and-true plans too often results in chaos. When tried-and-true designs and plans aren’t followed, the result is a huge increase in costs and time. In the world of BSA, arbitrarily creating and/or implementing untested BSA/AML rule parameters is equivalent to winging architectural plans—and thus, institutions cheat themselves out of a beautifully manageable BSA/AML reporting system. If it is a beautifully manageable BSA/AML reporting system you’re after, following the proper procedures for building your system is a must. You must organize, analyze, and modify BSA/AML rule parameters before and after implementing them.
Whatever AML system you’re using—whether it’s the most expensive platform with all the bells and whistles or a Google spreadsheet built by your own team—its effectiveness and efficiency are closely correlated to how much effort has gone into customizing the rules to fit your institution’s circumstances. There is no industry-wide set of rule parameters for identifying transactions that should result in an alert to be investigated. The institution or software vendor may come up with an initial set of rules, but far too often an understanding of what particular activities these rules are designed to detect is lacking. This can result in excess “noise” (an overabundance of useless alerts, as disappointing as angles on a fire pit pagoda that don’t match up), and it can also result in suspicious activities that skate by undetected, exposing the institution to regulatory, legal, and reputational risks. Avoiding these negative effects is often a simple matter of organization, analysis, and modification.
Four Steps to a Smart AML System Assembly
First, it is helpful to define categories under which each rule can fit. Below are examples of some basic categories that could apply to most institutions (recognizing that it is important to tailor the categories to your institution’s needs):
• High Risk Geographies
• Common Counterparties/Groups
• Large Asset Movement
• Increase in Behavior
• Rapid Rotation/Velocity
• Inconsistent Activity to Account or Entity Type Profile
• Accounts Meriting Monitoring
Second, identify the types of unusual or suspicious activities for which you would file a SAR, and divide them into your predetermined categories. For example, bulk cash or monetary instrument transactions are suspicious activities that could be classified as “Large Asset Movement.” Unusual financial nexuses and transactions occurring among certain business types could be categorized as “Common Counterparties/Groups.” Continue with this process until you have identified all usual/suspicious activities and divided them into groups.
Third, organize each BSA/AML rule according to the type of activity it was created to detect; this should help institutions define the purpose of each rule. Ascertaining which of the rules from your current rule array raises an alert for each suspicious activity will help you identify whether you are lacking rules or have implemented superfluous ones.
Fourth, analyze the efficiency of these rules. At this stage, it would be helpful to know two basic facts about each rule:
- The number of alerts generated by this rule over a given period of time; and
- The number of SAR filings resulting from these alerts over the same period of time.
Knowing this information will indicate which rules aren’t catching the intended activity and which are catching too much. It is important to note that an alert doesn’t have to trigger frequently to be effective; the significant information is how many SARs are generated per alert, providing a helpful indicator of the rule’s usefulness to the BSA/AML program.
Of special interest are rules that have been recently modified to see if the modification has had the intended effect. After conducting this analysis, many institutions may be surprised to find that a high percentage of their resources are tied up investigating alerts based on parameters that have never resulted in a single filing of a Suspicious Activity Report, generating nothing but “noise.” While a certain amount of noise is to be expected, this type of analysis can help make sure the noise level remains manageable. There are more sophisticated types of analyses that we typically employ to further refine the process for our client institutions, but this type of analysis can be a helpful start in organizing your AML system’s efficiency.
Finally, it is time to assess whether a modification to the rule parameter is warranted. Such modifications should only be implemented once they have been fully considered, documented, initially tested to verify they have been accurately implemented, then follow-up tested to ensure that the modification is having the desired impact of reducing noise without adversely impacting reporting of suspicious activity.
Instead of ditching the instruction booklet, some forethought and analysis in the ongoing assembly of your AML system will save you trouble in the long run. By taking a little extra time to scrutinize your rule array, you will be empowered to remove ineffective rules, modify rules with potential, and maintain successful rules for a structurally sound reporting system.