Archive for April, 2012

Components of an Effective AML Monitoring Program


AML – A Critical Component of an institution’s risk and compliance

 Combating Money Laundering and fraud has become an area of increasing focus for governments and regulators across the world. Financial Institutions (FIs) play a key role in the war against money laundering and terrorist financing by developing strong Anti Money Laundering monitoring capabilities. Obviously, investments in AML monitoring systems and processes have to be balanced with other priorities and demands placed on FIs by an economy weakened by recession and by a slew of regulatory changes being introduced by the Dodd Frank Act and similar legislations globally.

However since AML sanctions violations continue to attract stiff regulatory fines and penalties, this remains an area of high priority for Boards and senior management at the FIs.

AML Integrated into Enterprise Risk Management (ERM)

In an era of constrained budgets, leading FIs should consider creating an integrated Enterprise Risk Management model of which AML risk and compliance monitoring remains a critical component. The institution’s time and resources should consequently be invested commensurate with the institution’s AML risk profile and take into account the likelihood and impact of AML risks vis a vis other significant risks that the institution faces. An integrated risk management effort leverages good internal control practices implemented in other areas of the business such as customer identification and on boarding controls.

Elements of an Effective Monitoring Program

Based on our experience with a number of FIs, we share below the key elements of an effective AML program:

AML /OFAC Risk Assessment

Every FI has different products, customer base and operates in different geographies and has to consider the AML/OFAC Risk Assessment in light of this. Some of the factors that the FI will need to consider include the quality and type of customers, the industries these customers represent, the geographies that the FI has banking or correspondent operations, whether these locations including High Risk jurisdictions, High Intensity Drug Trafficking Areas (HIDTA) or High Intensity Financial Crime Area (HIFCA).

Risk-Intelligent Policies and Procedures

Based on the risk assessment, the FI will need to develop and implement suitable policies and procedures which will provide the first layer of defense. These would need to be approved by the FI’s Board of Directors or a Risk Committee of the Board. Such approval will demonstrate the Board’s commitment to implementation and ensure that AML receives the level of attention and resources that it deserves. The policies and procedures should be comprehensive and cover areas such as establishment of customer identification and on boarding procedures, training of personnel tasked with fulfilling of various AML monitoring responsibilities, ongoing customer due diligence and transaction monitoring, record keeping and custody, suspicious activity identification and reporting, management reporting and escalation processes, internal controls, segregation of duties, information technology controls such as access restrictions and business continuity plans. Some aspects of these policies and procedures are discussed below:


A key component to ensure success of the AML program is the training of personnel. FIs should implement an ongoing training and education program that will ensure staff knowledge and skills are current with the latest regulatory changes, new money laundering and fraud schemes and consequent changes to the organization’s policies and procedures and their own roles and responsibilities in maintaining a full state of compliance. FIs would also need to maintain records of training conducted as this has increasingly been the subject of recent regulatory reviews.

Customer Identification and Onboarding Processes

Generally known as the Know Your Customer (KYC) process, most FIs have in place processes for understanding and verification of the customer’s identity, demographic information, risk profile etc.  FIs typically also filter the customer name against published watch lists such as the one from the Office of Foreign Asset Control (OFAC). Creating a customer profile based on the initial transactions aids in monitoring activities by flagging abnormal patterns or significant variations in subsequent customer transactions.

Beyond the KYC process, it is critical for the FI to ensure that customer data is regularly refreshed, as customers’ circumstances change. Another important consideration for FIs is to account for regulatory changes that might impact customer identification and monitoring, such as the Foreign Account Tax Compliance Act (FATCA). FIs ability to fulfill the requirements of this legislation, including identifying relevant US persons for reporting purposes will depend on enhanced KYC systems and processes.

Ongoing Transaction Monitoring and suspicous activity reporting

It is critical to perform ongoing due diligence of all customer transactional activity against risk levels and profiles. This allows FIs to detect potential suspicious activities that may require further investigation and also the filing of a Suspicious Activity Report (SAR) with the regulators within prescribed time limits.

The FI should have the systems and processes that will allow the monitoring of all customer transactions to assess if such activity falls within the expected activity patterns of the customer. Most AML monitoring systems contain algorithms that are applied to the customer information files and historical transactional data to generate the expected activity profile for each customer. Additional rule based monitoring is usually set up to flag transactions that may require further scrutiny for example transactions originating from or sent to high risk jurisdictions. Our experience during independent AML assessments we have conducted at several institutions has shown that organizations that fail to maintain their data quality often see a marked deterioration in their AML monitoring effectiveness over time. Also in large and global FIs, it is often a challenge to integrate information from various source systems across different geographies to be able to effectively monitor cross border transaction flows.

Managing Sanctions Lists

Another key challenge is ensuring the latest OFAC and other sanction party lists are updated and current. Many organizations do not have a process in place to maintain updated sanction lists issued by the various regulators, within a reasonable time frame. This leaves them open to the potential risk of not detecting transactions where the originator or beneficiary might be a newly listed sanctioned party. While the likelihood of such a risk may be small, the potential negative consequences of regulatory actions, should such a lapse occur, give organizations plenty of incentive to implement a process to proactively reconcile the sanction lists and keep them regularly updated.

Periodic Management Review of Monitoring Program

Management review of the effectiveness of the AML monitoring is the second layer of defense. Typically senior management is not involved with day to day compliance responsibilities, but should provide periodic review and oversight. Management reporting and analysis of trends will provide them with insights on the high risk areas and opportunities for improvement. We have often seen improvement programs emerge as a result of this management review, where for example management may want to optimize their AML/OFAC match levels by reducing false positive matches and increasing true matches.

 Independent Review and Testing

 The third layer of defense is provided by the Independent Assessment and Testing of the AML program. This would need to be performed by an independent third party that has no role in either the implementation or oversight of the AML program which are typically staff and management functions. FIs’ may have internal audit groups or may bring in an external independent assessment firm. Conducted annually, the independent assessment becomes a means to provide assurance to the Board and senior management about the effectiveness of design and operation of the AML program. External firms also bring in additional benefits from the knowledge and best practices they have gleaned from working with other FIs and this can be a valuable source of benchmarking information as part of a continuous improvement cycle.



April 7, 2012 at 4:50 pm Leave a comment

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Join 26 other followers