Originally published on CUInsight.com.
Even the best kitchen in the world—equipped with a brick oven, top-of-the-line equipment, and the sharpest knives—can’t turn a bad cook into a great one (even though it could help). The substandard cook still needs to learn some critical cooking skills before the dream kitchen can produce the pièce de résistance.
So it makes sense that even the best anti–money laundering (AML) monitoring system in the world—perfectly optimized with no expense spared for the most current technology and automation—can’t guarantee effective AML (even though it helps). No matter how good the system is on its own, AML is a much more involved matter than simply determining what is noise and what is not; it requires documentation, research, and quality control.
If You Can’t Stand the Heat
If your AML system—something you’ve invested time, money, and due diligence in—generates an alert and you determine that the alert does not merit an investigation, you can’t leave it there; you must say why. From my reviews of financial institutions throughout the country, I’ve noticed that this lack of explanation seems to stem from a lack of quality control standards for triaging. Basically, this means that the initial evaluation of alerts lacks documentation of why the alert was generated and why it does or does not merit an investigation. Many institutions don’t appreciate that closed alerts often receive as much scrutiny as escalated alerts — so much so that documenting the reason for even non-escalation is important.
Choosing Your Ingredients
Let’s go back to the kitchen analogy: let’s say you want to make tomato basil soup (a very rewarding desire). The first step for any culinary creation is gathering the necessary materials, most importantly the ingredients. Now, while you may have many ingredients available in your refrigerator or pantry, it is important to only select the foods relevant to your recipe (tomatoes, garlic, heavy cream, fresh basil, etc.). After all, selection requires choosing what is used and what gets left out of the pot, and of course the great chefs only want the best of ingredients. Similarly, the person responsible for conducting the triage is, in part, selecting what goes forward and what gets dropped. This process of alert triage is perhaps one of the most critical parts of any AML system and often one step we find lacking.
Unlike the sous chef choosing which ingredients to use, the person conducting the triage cannot expect to escape scrutiny of that information which he or she chooses to drop. No, there will most certainly be scrutiny at this stage because poor decisions at this level often mean the FI is wasting valuable resources on incorrect alerts. The person handling triage can’t simply present a yes/no decision; it must be a yes/no decision with documented rationale. Many employees don’t realize that the best practice for this is writing (yes, writing) a summary narrative that includes an introduction, alerted activity, basic customer due diligence information, analysis of activity, review of other activity, external research, and a conclusion. This process is so important that failing to document these steps will frequently leave the institution missing the mark in its decision to escalate its alerts.
Where a lot of institutions, including the big guys, come up short is in quality control on this key step. Ensuring thorough triaging takes a quality control check. If the alert was properly escalated (or properly categorized as noise) and QC agrees with this, congratulations—you have a good triage process. If not, you need to make modifications. Institutions with strong AML processes have uniform standards for each step in this process (triage à investigation à escalation à SAR/no SAR). And of course, ubiquitous quality control grows in importance the larger your institution is and the more people you employ.
For example, pretend with me that you’re a level one analyst. You have a list of alerts in front of you. You also have some quotas to meet, so you elect to just close the alerts. In this case, if the process has no controls over the quality of each alert closure, then transactional activity that warrants escalation (and potential SAR filing) is missed. Corrective action must be pursued or the problem will likely worsen into a far more serious, potential-headline-grabbing problem.
Stick to the Recipe
The key in this initial stage is to establish standards that promote documentation and quality control. From there, it makes sense to use independent sources to evaluate the effectiveness of this process. We call that quality assurance. After all, the regulators are looking for a system that is both valid and effective. That’s typically where we step in. When conducting a validation, we’re trying to see one thing: Is the system working as designed?
However, if we’re to evaluate effectiveness, then the institution must have those quality standards and outcome documentation that includes support rationale. Without these, the entire AML system optimization effort is like picking your ingredients in the dark and using them without knowing what they are. It almost never works.
Ken Agle, President of AdvisX, brings more than 25 years of experience covering almost all facets of financial institution risk management operations. He has conducted more than 350 compliance reviews and has assisted more than 200 financial institutions throughout the United States. He has developed and implemented systems and training programs on all phases of banking risk management, including, but not limited to BSA/AML, fair lending, loan review, HMDA, CRA, BSA, operational compliance, TILA, and RESPA. He has written numerous regulatory responses and appeals and has been instrumental in assisting institutions with challenging circumstances while facing regulatory enforcement orders. He has partnered with McGladrey & Pullen, RSMI, Promontory, Sheshunoff and other multi-region firms to provide support services to financial institutions. Mr. Agle specializes in strategic regulatory response and in developing and implementing both proactive and reactive tools and systems to preempt and resolve issues affecting today’s financial institution.