Posted by Brian Monroe - bmonroe@acfcs.org 05/24/2021
In FinCEN release of AML priorities, Wolfsberg metrics of effectiveness, a glimpse of the future of financial crime compliance
The skinny:
- The future of financial crime has “effective” compliance teams generating “highly useful” and “relevant” intelligence for investigators in focused, shifting defined “priority areas,” both broad generators of illicit income, like corruption and cyber-enabled fraud, but also attuned to the actions and reactions of international threat actor groups.
- Those are just some of the key takeaways from the U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN) releasing the formal list of its national anti-money laundering and countering the financing of terrorism (AML/CFT) priorities, a collection of historic foils like organized criminal groups and other rising risks, like record ransomware attacks and crypto-fueled paydays.
- Coinciding with and underpinning the release of FinCEN’s AML priorities, the Wolfsberg Group issued a critical missive to detail in practical, tactical steps how financial institutions can actually demonstrate effectiveness, a term in recent years bandied about with much fanfare, but little in the way of bright-line, auditable boundaries
By Brian Monroe
bmonroe@acfcs.org
July 14 , 2021
The future of financial crime has “effective” compliance teams generating “highly useful” and “relevant” intelligence for investigators in focused, shifting defined “priority areas,” both broad generators of illicit income, like corruption and cyber-enabled fraud, but also attuned to the actions and reactions of international threat actor groups.
Those are just some of the key takeaways from the U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN) releasing the formal list of its national anti-money laundering and countering the financing of terrorism (AML/CFT) priorities, a collection of historic foils like organized criminal groups and other rising risks, like record ransomware attacks and crypto-fueled paydays.
The widely-watched and highly anticipated AML priorities are the first concrete update to implement the U.S. Anti-Money Laundering Act (AML Act) – the most significant upgrade to the country’s fincrime framework since the 2001 U.S.A. Patriot Act.
The AMLA is an expansive package of updates to break open beneficial ownership bastions, bolster public-private information sharing, usher in a new era of innovation and focus on effectiveness – with the threat of higher penalties for violations, and serial scofflaws.
To read ACFCS coverage of the AML Act, which Congress enacted into law in January after overriding a presidential veto, click here.
Coinciding with and underpinning the release of FinCEN’s AML priorities, the Wolfsberg Group issued a critical missive to detail in practical, tactical steps how financial institutions can actually demonstrate effectiveness, a term in recent years bandied about with much fanfare, but little in the way of bright-line, auditable boundaries.
In short, the Wolfsberg metrics of effectiveness include:
- Are you compliant with local AML laws, cognizant of global standards?
- Are you producing highly useful information to law enforcement, guided by national AML priorities?
- Do you have a reasonable compliance program that reviews internal and external threats, gaps and vulnerabilities and adjusts based on rising or receding risks and law enforcement input?
To read the full statement by Wolfsberg Group, an influential alliance of more than a dozen of the world’s largest banks, including Citi, JPMorgan, Barclays, Credit Suisse and others, click here.
The FinCEN priorities, likely familiar drumbeats to large, international banks, are still given more weight and attention as they stand front and center at the new countercrime vanguard, the tip of the spear for fincrime fighters, not buried in dense and didactic reports, such as the Treasury’s 2020 Illicit Finance Strategy, the 2018 National Risk Assessment and others.
FinCEN’s stated AML priorities are:
- corruption;
- cybercrime, including relevant cybersecurity and virtual currency considerations;
- foreign and domestic terrorist financing;
- fraud;
- transnational criminal organization activity;
- drug trafficking organization activity;
- human trafficking and human smuggling; and
- proliferation financing
To read the full list of AML priorities and related interagency statements, click here.
Taken together, the priorities and metrics of effectiveness give a glimpse of the future of fighting financial crime.
A brighter tomorrow where banks won’t be as divided against themselves between complying with the letter of the law – the process, pomp and circumstance around the management of risk management to manage risks – and the spirit of the law: to stop illicit cabals of all stripes by choking their financial lifeblood.
“Really, for the first time in U.S. history, we have a set of AML priorities for the regime to focus on and a set of financial crime priorities to focus on,” said Craig Timm, a managing director and financial crimes compliance executive at Bank of America, in a social media posting.
“This is a really great achievement by FinCEN and the other agencies to get this accomplished.”
FinCEN AML priorities say what to do, Wolfsberg says how to do it, effectively
For the global financial crime and compliance community – the countercrime pillars of this citadel include AML and sanctions officers, investigators, regulators and auditors – the two releases are akin to twin shockwaves hitting the field at the same time and must be viewed, scrutinized and analyzed together as they are inextricably intertwined.
The FinCEN AML priorities represent the tangible changes of the incoming new regime of fincrime compliance, one which focuses on results and quality investigations, reports and intelligence, rather than rote regulatory box ticking and program minutiae.
The priorities, which will be reviewed and updated every four years, finally detail where to focus compliance resources, what to do and, most importantly, what to do differently than before.
The changes have been broadly welcomed by the compliance community as banks for years have felt they are tasked with being all things, to all people all the time – chasing criminal fraud and money laundering trends that ebb and flow with the tide and jumping to anticipate and adapt to regulatory whims.
In that same vein, where the FinCEN priorities focus on what to do, the Wolfsberg statement on effectiveness gives bank fincrime compliance teams vital direction on how to do it.
The tacit guidance is designed to help assess if a bank is managing, mitigating and reporting on the highest risk regions and entities and more quickly adjusting to better meet law enforcement needs.
But that still leaves the industry guessing: what’s next?
“I think now the big question is what do we do with those? How as banks and financial institutions do we implement those?” Timm said. “That’s where I think the recent Wolfsberg paper is so important. It gives us a framework to think about this, to assess our programs and think about this in the priority areas and overall.”
And the Wolfsberg factors give us the “three simple things to really think about in terms of what we do and how to demonstrate that we are actually effective in accomplishing what we are trying to achieve,” he said.
Those three factors are “if we are compliant with the law, and by law, we mean actual law, not guidance, not something an auditor told you,” Timm said. “We need to really focus this element on law. Because if it’s not required by law, then really everything else should be risk-based.”
That’s where the second two elements come in, he noted.
“Are you producing highly useful information to law enforcement and other government authorities? And the third one: do you have a reasonable and risk-based program to evaluate your risk,” Timm said.
“And by that, we are really focusing on outcomes,” he said. “Is it actually helping you mitigate your risk? So, I think this is a really important development. I think the Wolfsberg factors are something I would certainly recommend banks consider as you are thinking about these priorities, thinking about how you assess risk and think about how you evaluate your programs.”
Even with industry support, priorities, effectiveness updates will challenge bank technology, training
Even with the finally published priorities and freshly minted guidance giving harder edges to the esoteric idea of effectiveness, there are still a host of unknowns, gray areas and herculean challenges to overcome to retool the country’s fincrime compliance defenses.
And while banks don’t need to do anything yet – formal regulations by FinCEN on how to implement the priorities are not out yet and the AML interagency exam manual has not been updated to parse out examiner expectations – banks shouldn’t wait to start wargaming on potential training and operational changes.
Banks still must gauge their direct and in-direct exposure to the priorities, engage in a training needs assessment, upgrade skills-based and role-based training programs, and tweak related customer risk ranking methodologies and transaction monitoring algorithms to ensure systems spit out more priority-driven alerts.
“Banks must adapt to the current state of expected technical expertise, from practical and applied knowledge, to expand and address emerging and more theoretical knowledge,” said Casey Nelson, the Senior Director of Training Solutions at ACFCS and the former Vice President of Global Financial Crimes Compliance Training at Citi.
“Not to say practical knowledge is not valuable because it is, in the sense of standards and policies applied through roles and responsibilities. But staying knowledgeable of evolving risk that has the potential for intrusive systemic breakdown is greater than ever.”
FinCEN is cognizant not all banks, large or small, will have such a deep well of knowledge available and be able to immediately overlay AML priorities against customers, regions, products and transactions.
FinCEN “recognizes that not every Priority will be relevant to every covered institution, but each covered institution should, upon the effective date of future regulations to be promulgated in connection with these Priorities, review and incorporate, as appropriate, each Priority based on the institution’s broader risk-based AML program,” according to the bureau.
The meaning: an institution can’t simply and blithely conclude a given priority doesn’t apply to them – without first going through the exercise.
“The only way an institution will know if the priorities are applicable is if it performs a threat-focused assessment,” said Sarah Beth Felix, the founder and president of Palmera consulting and a former compliance officer, in a social media posting.
Felix detailed some important considerations and fincrime compliance program ramifications of the AML priorities and effectiveness parameters in several insightful posts.
To check them out, and be part of the conversation with the community, click here and here.
Further, banks must also prove to regulators they are producing intelligence better aligned with law enforcement needs, while not dropping the ball in core, foundational AML areas and exam flashpoints.
Which ones?
How about some of the old chestnuts highlighted in recent AML enforcement actions, penalties that have soared into the billions of dollars, including accurate data capture at account opening, validating risk models, balancing alert to analyst ratios and sharpening and better documenting human decision-making.
Updating systems, aligning programs, priorities could challenge smaller banks
This may mean banks need to take more time to gather data proving to examiners that suspicious activity report (SAR) filings are changing.
With new priorities and reorganized resources, banks should see SARs rising in some areas of the institution more in line with the FinCEN priority areas, and receding in others, an unavoidable offshoot of organizations having finite resources and nigh infinite evolving, revolving risks.
Those challenges may be magnified for smaller and mid-size banks that don’t have the internal expertise – or can’t afford to engage high-priced consultants or former law enforcement agents – to deeply understand so many areas of financial crime at once.
Similarly, the universe of household name and boutique fincrime compliance vendors also could be hard-pressed to quickly update longstanding algorithms and newer, artificial intelligence-fueled transaction monitoring and sanctions filtering systems.
The FinCEN priorities are the “starting point for institutions to then extrapolate applicable and relevant threats for customers/transactions,” Felix said.
“Most community institutions need to start having the conversation, in writing, with their system providers, especially if your institution has a behavior-centric system,” she said. Conversely, if your system provider is rules-based, that is an “easier start to try and apply monitoring tactics once applicable threats have been noted.”
One key nuance banks should realize is that the threats and vulnerabilities covered in the priorities are not coming out of the blue – banks have been reporting on suspected money laundering and terror financing for decades and worked to glean the precursor suspected unlawful activities.
The big change is that law enforcement, and regulators, have refocused the lens, shifting from an AML program that reports on suspected money laundering, with details on the underlying crime more of a nice-to-have, to a compliance function that works harder to parse out the crimes generating the illicit funds as a need-to-have.
“The underlying threats you are identifying are not new to your institution, the Priorities and related threats are just a new focus for examiners,” Felix said. “The main point is to start doing something in this waiting season to prepare.”
In preparing for new era of priorities, start with data dive on customers, core systems
How and where to start?
Here is a quick and dirty checklist, according to Felix.
Go through the Priorities and outline the threats that are applicable to your institution by:
- Data capture, communication: Making sure you have the right data. For most community institutions this is a long project, so it is better to start now. You need industry codes for individuals. and businesses (not just populated, but accurate) and proper data hierarchy in your core banking and compliance systems.
- Data divination, revelation: Reviewing customer data (industry, NRA, PEP, etc) and matching it up, cross-referencing it to the threats, vulnerabilities and stated priorities.
- Flagging efforts: Gathering the various red flags (from guidance) for the applicable threats and extract parameters, limits, functions, etc. for your system.
“Will your examiners ask you about the Priorities over the next 12-18 months? Probably not,” she said, adding that is also how much time it can take to update systems, policies and procedures. “So start now.”
The foundation of fincrime effectiveness: define risks, refine strategy, review results
In this new dawn, banks, law enforcement and regulators will have to work more closely together than ever before, a challenge for sure, with financial institutions being more wiling to show their warts in a genuine desire to improve.
Truth, trust and transparency will be the name of the game.
The priorities are a “significant milestone in FinCEN’s efforts to improve the efficiency and effectiveness of the nation’s AML/CFT regime and to foster greater public-private partnerships,” said Acting Director Michael Mosier.
“The Priorities reflect the U.S. Government’s view of the threat landscape—highlighting longstanding threats like corruption, fraud, and international terrorism, as well as rapidly evolving and acute threats, such as domestic terrorism, and ransomware and other cybercrime.”
The shift to place more emphasis on results follows efforts by the Paris-based Financial Action Task Force (FATF), which sets global AML standards, to move away from simply grading technical compliance, laws on the books, and focus on effectiveness, such as assets forfeited, number of convictions and length of prison terms and large, complex cases crushed.
As for what Wolfsberg feels are the tenets of effectiveness at the institution level and alignment with designated fincrime compliance priorities, the grading criteria include:
Assess Risk in Defined Priority Areas:
- Most FIs do not focus their AML/CTF risk assessments on government priorities. Instead, and largely in response to supervisory expectations, AML/CTF risk assessments are focused on technical compliance with requirements rather than the effectiveness of the FI’s efforts to prevent and detect financial crime.
- This exercise typically culminates in an enterprise-wide risk assessment which tends to be very long, complex, and focused on data, documentation, and process rather than outcomes.
Assess a bank’s compliance with laws and regulations:
- Don’t be swayed by guidance or examiner interpretations.
- Unless the compliance teams’ activities lead to highly useful information for government authorities or help the FI materially prevent, detect, or deter actual crime, these “expectations” are often counterproductive to an effective AML/CTF program.
Review how a bank’s compliance program is designed to provide highly useful information to government authorities in defined priority areas:
- The best indicator of quality is direct feedback from government authorities and how that feedback influences enhancements or improvements to the FI’s control framework.
- Where feedback is limited or unavailable, FIs could consider factors like the complexity of the investigation, the identification of network activity, or reporting in identified priority areas, as indicators of quality.
Implement/Enhance Controls:
- The path to compliance effectiveness means burying a “set it and forget it” mindset. Banks must be attentive and adroit to rising industry trends and insight from domestic and foreign law enforcement agencies.
- This could mean tinkering with technology or field-testing new regulation technology, or regtech, vendors using artificial intelligence and machine learning to better burnish and wield big data – potentially finding gaps and persisting vulnerabilities before law enforcement even asks or examiners are even aware.
Prioritize Resources:
- With a priority-driven, precision-guided risk-based approach, this should allow banks to move and reorganize sparse analytical and investigative resources to internal and external stimuli, leading to more valuable reports – even as intelligence into lower risk areas dries up.
Engage with Law Enforcement:
- This could include participation in public-private partnerships, such as government action following tactical information sharing or work on strategic and policy initiatives and crafting typologies on emerging threats.
Demonstrate AML/CTF Program Effectiveness:
- This is where the bank brings it all together – contingent on the jurisdiction understanding and publicly stating its AML priorities.
- To have an effective countercrime program, the bank needs to have reviewed the national priorities, reviewed and updated its own systems, training, policies and procedures, started or strengthened its relationship with law enforcement and is producing better – not necessarily more – SARs that are more rich, relevant and timely.
Review how the FI builds and maintains a reasonable, risk-based set of controls to mitigate the chance of the operation being used to facilitate illicit activity:
- Where a control requires significant time and/or resources for minimal risk mitigation, FIs should consider changing or eliminating the control altogether and reallocating those resources to those with demonstrably more effective outcomes.
- In other words, it is entirely normal for an FI to decommission ineffective and inefficient controls.
After historic degree of disruption, confusion, then clarity, consistency
Wolfsberg believes that by “designing, assessing, and measuring AML/CTF programmes based on performance against these defined outcomes will help to achieve the FATFs goal of creating a more effective system to combat money laundering and terrorist financing, while at the same time reducing friction on legitimate customers and supporting governments in achieving their financial inclusion objectives.”
While confusion is likely in the immediate future as the industry responds to a historic degree of disruption, there could be a positive down the line.
“Another added benefit is that this should provide consistency across all firms in regard to priorities,” particularly for compliance exams, said Kevin Escott, the BSA, OFAC & Foreign Correspondent Banking Officer for Sunwest Bank.
“Inconsistencies across the industry only expands the confusion as to what needs to be done and blurs the expectations for all firms.”