Since the signing of the U.S. Patriot Act into law in September 2001, anti-money laundering (AML) compliance has become increasingly difficult to ignore for financial-services institutions, and specifically for broker/dealers. As the intensity of scrutiny is only likely to increase over time, it is imperative that broker/dealers start planning for AML compliance with both short- and long-term implications in mind. Good AML compliance is insurance worth having. Consequently, a proactive approach to AML compliance, coupled with a willingness to invest for the long term, will help broker/dealers deal effectively with new regulations.
Since the range of AML-technology solutions varies from simple filtering to the more sophisticated "intelligent" solutions, investing the time in understanding the trade-offs beyond the basics of cost of implementation is worthwhile.
While previous regulations only covered banks and their subsidiaries, the Patriot Act includes broker/dealers registered with the SEC, asset-management companies and insurance companies. The complexity of transactions in capital markets and the subsequent difficulty in tracing them makes broker/dealers a convenient 'pass-through' for money laundering.
Regulators, in their efforts to clamp down on illegal activity, have issued regulations specific to the broker/dealer segment. As an example, broker/dealers are required to initiate regular filing of SARs (Suspicious Activity Reports) with the FinCEN, since July 2002. This means that broker/dealers must now review all account activity for existing customers and impose tighter filters on all transaction activity, including new-account openings. Broker/dealers must, in effect, learn to strike a delicate balance between growing their profitable high-net-worth customer base while keeping a close watch on their financial dealings.
Assessment of Current Capabilities
As a first step, every organization must undertake a thorough assessment of where they stand today with respect to AML compliance along four key dimensions:
- Knowledge: This is about familiarity with regulations i.e. is everyone in the organization familiar with the basic requirements of AML compliance and do they have a common interpretation?
- Organization: Have you created a role for specifically managing AML compliance? In the case of small broker/dealers, your chief risk officer can also double up for this role. In larger organizations, this may require complementing existing staff in the risk department with AML-compliance specialists.
- Technology: Is your systems infrastructure adequate to provide comprehensive reporting on suspicious activities? Are your detection systems capable of identifying and tagging unusual patterns in customer activities?
- Operations: Process changes to identify and report suspicious activity are imminent, both now and as regulations become tighter. Can your process changes keep up with the changes to your systems infrastructure?
The Road Map to AML Compliance
Just as every sound business decision should be based on a good assessment of the situation, and possibilities, we believe that a structured approach is necessary to develop a road map for AML compliance. This approach is a three-step process:
Assess: Examine existing audit systems and policies for reporting any suspicious activity. Assess the state of your account-opening procedures, identity verification and payment mechanisms. Also, determine the level of familiarity of staff with compliance procedures and the amount of manual activity currently undertaken to create SAR reports.
Prepare: Once a clear understanding of your current position along the four dimensions is obtained, develop a detailed road map for systems and procedures that are needed to build compliance with both short- and long-term requirements of Patriot Act. Put in place necessary controls between back-office and front office to eliminate gaps in coverage.
Implement: Develop detailed business specifications to hand over to the implementation vendor. Then, assign a dedicated-program office to manage all aspects of the implementation, including training and operations. A key role of the program office is in vendor management to ensure quality and consistency with specifications. Before a formal rollout, conduct a few pilots to validate procedures, operational processes and data integrity.
The off-the-shelf technology-solution space for AML is not quite mature yet. However, organizations must consider developing their own solutions only if they have already made significant investments in this direction (e.g. risk-management systems) or if their legacy environment is too restrictive in terms of integrating an off-the-shelf package.
As long as there is a close fit between requirements and the features of an off-the-shelf package solution (i.e. without excessive customization), the package route should be the way to go. For the simple reason that as regulations change rapidly, software vendors can target many more resources at staying current than an organization that develops its own solution. Business attributes such as customer profile, geographic span of business, and transaction type and volume should be an integral part of the build versus buy assessment.
In addition, organizations must also worry about walking the fine line between a robust AML system and protecting the privacy of their customers. As a way to address the above concern, organizations must complement internally available data with databases from third-party vendors like Axicom, ChoicePoint and Equifax. These databases offer easy access to public records and can be used by sales staff to verify customer identity without embarking on a line of questioning that might otherwise be construed as an invasion of privacy.
Two factors form the basis of our outlook on AML compliance:
Increasingly tighter regulations - Beyond the Patriot Act, the coverage and intensity of scrutiny is likely to increase. Mandated connectivity to neural networks or statewide systems, higher penalties for internal-procedure failures and increased-disclosure norms will accompany this trend. Therefore, AML systems being built today have to be robust and adaptable.
Huge downside risk - Both the monetary, as well as the reputation risk of non-compliance, can be very high. Therefore, while AML compliance may require substantial investments in technology and process changes, do not attempt to judge these investments strictly on an ROI basis.
Broker/dealers must adopt a very structured approach for achieving AML compliance. Nothing can summarize this better than the comment of SEC Compliance Director Lori Richards in her anniversary speech on the status of the Patriot Act: "We are in this for the long haul, so doing it right is important."