Transaction monitoring (TM) and sanctions screening systems are invaluable tools in the never-ending effort by financial institutions to detect potential money laundering activity effectively and efficiently. Many institutions invest significantly in implementing anti-money laundering (AML) technology but then fail to maximize its potential and capabilities, often leaving gaps in their compliance efforts.
The notion that AML technology can be installed with minimal customization and left to operate virtually autonomously is naïve – especially in an era of intensifying regulatory scrutiny. Without appropriate control procedures, significant operational errors can occur, including an excessive amount of false positives and false negatives (instances of money laundering that go undetected). The regulatory emphasis on detecting such instances and the increasing complexity and integration of AML technologies require internal audit (IA) to transform the way it assesses AML systems to help protect the institution.
Challenges and Opportunities
In our experience, financial institutions encounter several challenges in establishing a governance framework with proper controls to ensure that transaction monitoring systems are operating properly and evolving as necessary. These challenges include:
- Adapting to stricter regulatory standards. With the evolution of transaction monitoring and sanctions screening technologies, the required transparency of the processes and controls that support the technologies has increased. Specific areas of focus include assurance of data integrity, fine-tuning of monitoring scenarios, validation of system effectiveness, appropriate backup and recovery and inclusion of privacy considerations.
- Improving IA’s knowledge of AML technologies. The rapid enhancement and sophistication of AML technologies are creating a knowledge gap for some institutions’ IA staff. In today’s business environment, internal auditors need to be intimately familiar with the way AML systems work, including the testing, fine-tuning and validating of these systems.
- Integration of skills. The use of transaction monitoring and sanctions screening systems is not just an IT issue. IA needs to have an integrated team of people with compliance, business and technology skills to assess AML technology effectively.
- Understanding IA’s role in assessing AML technology systems. Responsibilities for ensuring effective deployment and maintenance of AML technology is shared among multiple parties, and the roles and responsibilities of each party must be clearly delineated.
By addressing the challenges above, financial institutions and their IA functions will be better positioned to assess and improve their AML technology and the supporting processes and increase the effectiveness and sustainability of their TM programs.
Our Point of View
Even the most sophisticated transaction monitoring and sanctions screening systems are of minimal value unless they operate in an environment with appropriate control procedures. In light of heightening regulatory expectations, financial institutions should re-evaluate and bolster IA’s role in ensuring a proper governance framework and oversight for effective, sustainable and repeatable processes and controls.
The following table outlines the various AML technology responsibilities of the three “lines of defense” inside an institution. While many responsibilities cut across the lines of defense, the table highlights IA’s potential responsibilities related to assessing AML technology.
With a clear understanding of its role and responsibilities as a third line of defense, IA is positioned to de- sign and perform a comprehensive AML technology audit. Key audit areas to ensure adequate coverage are: establishing procedures for data integrity; security; change management; and back-up and recovery.
- Data integrity. Financial institutions frequently overlook the importance of the completeness and accuracy of data sets used in transaction monitoring and sanctions screening systems. They also may underestimate the effort needed to identify and integrate data from across the institution, which requires the collection of customer, account and transaction information. In both cases, incomplete or inaccurate data will undermine a transaction monitoring system’s ability to operate optimally. IA needs to verify that procedures are in place and operating on an ongoing basis to identify and resolve data quality and data-load issues.
- Security. Security and privacy requirements should be determined for the output (e.g., alerts) of the AML technology. Privacy requirements and financial institution policy may drive access requirements for alerts and customer information based on geographic region or type of activity (e.g., private banking, alerts on employees). IA needs to ensure that alert and investigation workflows are established with appropriate segregation of duties in place to prevent users from approving their own work. In addition, security controls should be implemented across the technology layers (e.g., operating system, database management system) to ensure that access to critical data elements (e.g., customer, account, transaction) is appropriately restricted.
- Change management. A comprehensive change management process needs to be in place to ensure that any type of change to the system in the production environment has been through a testing and approval cycle. For example, changes to the threshold values of the deployed scenarios or alteration to the workflow process should follow the change management process.
- Backup and recovery. IA needs to ensure there is a systematic backup and recovery process in place that aligns with the financial institution’s recovery objectives.
If an institution is implementing new AML technology, IA’s role takes on additional dimensions. In addition to the areas mentioned above, responsibilities broaden to oversee testing strategies and organizational change management.
- Testing strategies. During implementation, IA needs to play a critical role to ensure that the product team executes the required tasks. IA’s mission in this capacity centers on preparing and asking the right questions, for example:
- Is testing comprehensive enough to verify that the system is operating as intended?
- What testing is being done to make sure that data is accurate?
- Has the institution completed an adequate inventory of the customer and transaction systems that will feed the newly implemented AML technology?
Testing includes assessing potential limitations of the system and evaluating the system’s operation over a range of input values. Specifically, this step should include user acceptance testing – ensuring that users, in a controlled environment, understand how the system functions and can operate it to achieve desired outcomes. So-called “negative testing,” using artificial sample data, should be included to detect transactions that should have resulted in alerts but failed to generate them.
- Organizational change management. The impact new AML technology has on an institution de- pends on the type and complexity of the AML technology, as well as the scope of the implementation (e.g., geographic, business unit). IA should assess more than just the AML technology and ensure all areas impacted by the AML technology are also considered. The following are some questions that IA should consider as part of its assessment:
- How will the new AML technology and related procedures impact customers (e.g., on- boarding)?
- Will current transaction and customer data need to be improved to ensure an effective use of the AML technology?
- How will compliance processes (e.g., closing of alerts, investigations) change to incorporate different information provided by AML technology?
- What management reports will need to be created or modified to determine and communicate effectiveness of the AML technology?
How We Help Companies Succeed
Our AML team consists of PH.D.-level modeling experts and other professionals with a broad set of skills, including AML, audit and IT. Collectively, we help financial institutions ensure that the configuration of their AML technology is based on the institution’s specific AML strategy and is in line with the institution’s risk profile. We have experience with a number of AML technologies including but not limited to Actimize, Mantas, Norkom, Bridger Insight XG, FircoSoft and Fiserv, as well as with various home-grown systems. Our AML audit services include:
- Independent audits of financial institutions AML programs
- Evaluation of AML technology validations
- Data integrity and management audits
- End-to-end AML technology audits
- Pre- and post-implementation audits of AML technology
Example: Identifying Monitoring Gaps as a Result of TM and Sanctions Screening System Audit
A global financial institution sought our assistance performing an audit of its TM and sanctions screening applications. The audit scope included the areas of data integrity, change management, security and functionality.
We worked together with the business and technology personnel from the bank to obtain a clear under- standing of existing processes and controls, and collected sample data sets to perform the audit. We were able to identify gaps in the sanctions screening system, which were caused by a lack of appropriate change management and security controls. As a result of our review, the bank took steps to close the gaps in the monitoring scenarios and adjust the thresholds, reducing the number of false positives.