Compliance practitioners have long struggled with the notion of an effective compliance program. What does it mean to be “effective”? Many find out only when it is too late, through an audit, examination, or enforcement order. The question is not only for the compliance officer but also for management and the board of directors, who should understand the compliance risks pertinent to their business and the efforts made to mitigate those risks.
A reasonable place to start the assessment of effectiveness is with regulatory expectations. Through an examination of expectations from U.S. banking regulators, the Financial Crimes Enforcement Network (FinCEN), the Office of Foreign Assets Control, the U.S. Department of Justice, the U.K. Financial Conduct Authority and the European Union, we can see there are fundamental constants:
Organizationally, there must be a management commitment that establishes not only a tone at the top but also a tone from the top, and that commitment must permeate all levels of the organization. There must also be compliance resources in sufficient quantity and with skill levels commensurate with their positions, roles, and responsibilities in the organization. Those compliance resources must be independent in both fact and appearance.
The importance of risk assessments cannot be overstated when it comes to regulatory expectations. In fact, FinCEN, in its “Advance notice of proposed rule making” of September 2020,[1] goes beyond stated expectations and includes the risk assessment as a required element of an effective anti-money laundering (AML) compliance program.
Policies, procedures, and internal controls are designed to mitigate the risks identified in the assessment and bring the level of risk within the risk appetite set by the organization. Training on policies, procedures and internal controls should be tailored, with higher risk areas and those requiring more manual intervention and decision making receiving specific training.
Monitoring and testing, along with independent testing and auditing, should also be based on an assessment of risk. The risk assessment itself should be evaluated and, if appropriately robust, used to design the monitoring and testing and internal audit programs.
In a recent poll of compliance practitioners,[2] respondents were asked, “What is the current state of your compliance program?” As illustrated in Graphic 1, 28% said they believed their program to be “mature and effective,” while a plurality, 48%, described it as “stable, but improvement necessary.”
Graphic 2 illustrates the responses to “Where do you see the largest gap in your compliance program?” The percentages sum to well over 100%, so respondents evidently selected more than one gap: 52% named “technology and ongoing assessment,” 39% named “data governance and quality control framework,” and there was a near-even split between “risk assessment (with key risk and performance indicators)” at 29% and “training” at 27%. “Risk and compliance governance (policies and procedures)” rounded out the answers at 20%.
The focus on technology and ongoing assessment, along with data governance and data quality, is illuminating. The pace of technological change can make finding the right technology solution, implementing it and using it effectively to mitigate risk difficult, and the potential for a poorly chosen or poorly implemented system to add risk rather than reduce it cannot be ignored.
Regulation and guidance set forth the components of an AML compliance program. For example, the Bank Secrecy Act, as implemented through FinCEN’s regulations, requires a financial institution (FI) to have an AML compliance program built on five pillars: a system of internal controls, a designated individual responsible for day-to-day compliance, training, customer due diligence, and independent testing. As the poll results show, FIs still struggle to meet the requirements and expectations of the regulators.
A framework such as the one shown in Graphic 3 depicts how one might implement an effective AML program. It has five components resting on a foundation of governance: regulatory alignment; understanding risk and risk indicators; data quality and handling; technology and ongoing assessment; and training.
Regulatory alignment is the process of identifying all the regulatory requirements applicable to the business. In the context of AML, this is driven by the customers, products and services, and geographies within the business. Compliance professionals must ensure effective processes and controls are in place to mitigate risk.
Understanding the risk and selecting appropriate risk indicators is critically important. AML compliance professionals have long struggled with how to measure and mitigate overall risk, and with what makes a customer high risk versus low risk. There is also the question of whether a customer or counterparty is engaged in suspicious activity or is simply behaving in an unusual but legitimate manner. Answering these questions requires establishing a measure for the risk, even if it is a calculated estimate; identifying a risk goes hand in hand with identifying an appropriate metric for it.
This naturally leads to the third component: data quality and data handling. Today’s compliance professional is or should be heavily reliant upon data to measure and monitor risk and the performance of controls to mitigate risk. There must be an agreed-upon standard unit of measure to monitor risk and make appropriate decisions.
As shown in Graphic 4, poor data leads to poor decision-making. The effect is amplified as processes become more automated and as innovative technologies, such as machine learning and artificial intelligence, become part of the decision-making process, because flawed inputs are then acted on faster, at greater scale and with less human review.
The fourth component, technology and ongoing assessment, addresses whether your current technology is fit for purpose, i.e., whether it aids in mitigating risk or adds risk through lack of functionality or poor performance. It also asks how effective the organizational setup and security, the monitoring, alerting and reporting, the data quality controls and governance, and the training to use the system are. A periodic technology “health check” can keep the compliance program on track.
As part of the ongoing assessment process, the first line of defense (the business) should continually monitor the key risk metrics discussed above. The second line of defense should monitor risk and compliance governance activities, ensure the accuracy and completeness of data, and perform the risk assessment. The third line of defense should be independent and should review the risk and compliance governance framework; the risk assessment with its key risk and performance indicators; data governance; data quality controls; and staff training, in a manner that satisfies external audit requirements.
The fifth component, training, is critically important and must be tailored to the people, processes and technologies found in the organization. It should also communicate the tone from the top to support management’s foundational commitment to a sound and effective compliance program.
An effective AML compliance program manages risk and provides value to the organization. Graphic 5 depicts the ideal state; a mature program contains each element shown.
Address components, individually or collectively, that have weaknesses or do not align with leading practices. The journey is never complete: change is the only constant, and the need for change must be identified and adjustments made on an ongoing basis.