Respondents cited a number of issues that hamper the efficiency and effectiveness of their AML compliance processes, including data quality, system failures, gaps in IT infrastructure, ineffective internal tools and outdated technologies.
We asked firms to estimate how their financial crime compliance costs are split between the various processes. There was little discrepancy between the percentage share of costs and the percentage share of staff time reported for each of the processes.
Together, customer due diligence (CDD) processes and investigations account for two thirds of total AML and CFT compliance time and cost. CDD was by far the most costly and time-consuming process in our sample, accounting for 53% of overall AML compliance costs – see Fig 3.
It’s no surprise that firms are spending a lot of time on customer due diligence. The 4th EU Anti-Money Laundering Directive, integrated by the UK into the 2017 Money Laundering Regulations, mandated a number of changes that drove this greater emphasis on CDD.It required obliged entities to provide evidence that they have undertaken appropriate levels of CDD and to take steps to understand beneficial owners.
It also widened the definition of politically exposed persons (PEPs) and mandated other changes in relation to record keeping and reducing the limits on transaction values to trigger CDD. The 5th EU Money Laundering Directive, which was integrated into UK regulations in January 2020, further tightened these rules and also recognised the growing use of electronic identity verification (EIV), permitting obliged entities to conduct EIV with a trust service. This, in turn, triggered a need for regulated firms to review their technological infrastructure to support digital identification in onboarding, which for many, was no small task.
Our survey shows that more rigorous checks and increased investment in risk assessment were among the top three internal drivers of increased cost in AML compliance – see Fig 2. In fact, half of CDD costs (and a quarter of total financial crime compliance costs) relate to identity authentication checks and risk assessments.
"Over recent years, there’s been a lot more emphasis, especially for financial institutions, on the understanding of the customer and definitely a drive to ensure that we’re making referrals to the NCA. Financial institutions regularly see fines from the regulator because of breaches. I think that tends to drive everybody to being very risk-averse.”
– Group Head of Financial Crime, UK specialist lending Bank
Compliance teams are facing mounting pressure to design processes that work around the customer journey and balance the need for speed and convenience with the requirement for effective compliance.
“One of the buzz phrases now is ‘customer journey’, but there will always come a point where you’ve got to be careful that the customer journey is not so streamlined and so quick that you miss your own responsibilities within the regulatory and legislative framework. My challenge is making sure that my mandate gets fulfilled, as well as meeting the commercial expectations of the firm, and keeping the customer, or the applicant, happy.”
– Steve Payne, Group Head of Financial Crime and MLRO, Vitality Group
Customer expectations are changing. Increasingly, customers are now expecting a response almost instantaneously and are far less prepared to wait. They also want the convenience of being able to apply whenever it suits them, and more likely than not, online or by mobile. Offering customers faster and more convenient onboarding represents a challenge for compliance teams who need to ensure their identity checks and risk assessments are equally robust and secure, regardless of how the customer chooses to apply. Since the start of the pandemic, the boom in remote Know Your Customer (KYC) and identity verification needs has put significant pressure on businesses to carry out quick and effective identity checks that negate the need for customers to send physical identity documents by post. The technology required to facilitate this is already ubiquitous – customers can use their phones to scan the chip on their passport and submit a selfie. The company then simply compares the two. There is now mounting commercial pressure on all businesses to adopt this technology to meet customer demand.
However, as Chris Leatherland, Head of Financial Crime at NewDay explains: “The problem is that biometrics, at their very core, depending upon how verified or matched, don’t necessarily currently meet the legal requirement in the Money Laundering Regulations and the Guidance Notes. So, despite the fact we could potentially do it, there isn’t currently the necessary regulatory aircover to say you’re allowed to do it.”
As a result, many firms are reticent to go through the expense and process of embracing some of these newer and more efficient technologies, for fear of regulatory reprimand. Instead, they appear to be watching and waiting for the regulator to make the next move.
Firms are required to verify the identities of new and returning customers and screen for global sanctions and enforcements, PEPs and for instances of higher risk adverse media, which may pose financial, regulatory and reputational risk to the business. Where firms have millions, or even billions of customer accounts, this can be a real challenge. The frequency of screening depends on the firm’s chosen risk-based approach, however, given the 24-hour news cycle and ever-shifting sands of global politics, many firms screen their entire customer base, daily.
Added to this, the landscape of global threats is constantly changing, making it difficult and time consuming to compile real-time global intelligence in house. Doing so also inevitably slows workflows, increasing the cost of doing business and taking the focus off core business activities. It’s no surprise therefore that a further fifth (22%) of overall financial crime compliance costs relate to watchlist and sanctions screening at onboarding, as well as the ongoing monitoring of customers and payments.
Graeme Morrison of Ardonagh Group paints a picture of his organisation’s regular and thorough customer due diligence controls:
“We have metrics and controls in place around the onboarding. We have automated screening, and we screen all clients, six days a week. We have real-time screening for where we’re making payments to individuals who are not part of that automated screening. We screen all staff, we screen all suppliers, we screen all incoming businesses.”
The triage processes deployed to effectively risk assess and segment customers for AML screening are coming under increasing scrutiny. Firms are reportedly taking more than 20 hours to remediate even standard risk customers – which in 90% of cases, turn out to be false positives. This is in line with the findings of our research from three years ago, which showed a typical KYC remediation case took on average 18 hours and 3.7 staff members to complete, with a typical sanction remediation case taking a similar time, on average, albeit with fewer staff.
For banks, the average processing times for both KYC and sanctions remediation are closer to 24 hours - nearly double the time taken by investment firms (13 hours)6. According to one MLRO at a mid-sized building society, current screening generates about 100 alerts per day of which around 10 percent need escalation or investigation. Of these, very few actually turn out to be the result of financial crime. False positives are one of the biggest operational issues that financial crime compliance teams face and constitute some 95 percent or more of the investigations they have to check. Despite their team’s ability to identify false positives within a few minutes, those that do require escalation often take all day to remediate and in the bulk of cases, these also turn out to be false positives.
There are a variety of underlying factors which drive inefficiencies in remediation processes, including disparate data systems and the lack of a single view of customer risk. Incomplete or out of date data impacts the number of alerts that financial crime teams have to deal with, as well as creating delays for ongoing screening if customer data is missing or inaccurate. It also impacts customer experience, both through delays and the intrusion of being contacted to re-verify their details. To make matters worse, this is not necessarily an area over which compliance teams have much control, as responsibility for customer data usually sits with another department.
“A lot of what we are facing in banks are not financial crime issues, but data issues or data legacy issues. For example, when I talk to the board about records management or third-party contracts, these are not financial crime issues, they are legal issues. A lot of things have to be solved by financial crime teams because there is a piece of legislation out there that makes it a financial crime or AML issue, which is why AML gets a bad name. Having quality data becomes paramount.”
– Head of Financial Crime, major UK Bank
Banks need to do things more efficiently and cost effectively. There is a big drive to understand customers better, driven partly by the emergence of Open Banking and partly through competitive pressures. The success of all of which is predicated on the quality of data. Having clean data, in the right format, which is easily accessible and retrievable is becoming increasingly fundamental. However, many of the bigger financial institutions and particularly those that are part of big groups, struggle to achieve a single view of the customer, due to multiple brands and separate business areas with different systems and interfaces.
Implementing an effective risk-based approach to AML regulatory compliance processes could be made drastically easier simply by establishing a rich, accurate and holistic view of customers, through a robust customer data management system.
Addressing this could have an exponentially positive effect on a firm’s ability to effectively risk-assess customers. Not only that, but a knock-on effect would also be a reduction in the entire down-stream compliance time and cost commitment, thereby reducing the mammoth resources currently being lost to remediation and needless investigations and enable compliance teams to focus on the real issue of managing financial crime risk more effectively.
“From an AML perspective, we have recently put in a better detecting system to reduce our referral rates. So, it’s a data matching system, effectively. So, taking some of the elements of the referral and just working a little bit smarter. We’ve recently been through a merger and our customer base may be a quarter, to half a million [people]. So, all accounts in effect doubled, and we’ve had to look for synergies along that route.”
Beyond remediation, the 5th EU Anti-Money Laundering Directive also tightened the rules around EDD, extending the definitions of what constitutes ‘higher risk’ and requires EDD investigations, as well as extending the types of information needed to be gathered for CDD checks.
Many firms rely on their own resources to conduct EDD checks, yet without the correct tools and support, this can be time consuming and leave them exposed to unseen risk.
Suspicious activity reports (SARs), widely mooted as being a heavily time-consuming activity, in reality take up less than 10% of AML compliance professionals’ time, according to our study. The issue here is perhaps, not resource, but a perceived lack of a return on investment. As most AML compliance professionals will attest to, in the vast majority of cases, businesses won’t receive any feedback on submitted SARs or DAMLs and get no sense as to whether it was time well spent.
Another issue with the SARs regime is the propensity for ‘defensive reporting,’ – firms intentionally over-report to err on the side of caution, taking solace in the fact that they’ve discharged their legal obligation, even after they’ve facilitated the transaction and taken their fee. The resulting glut of reports inevitably overwhelms the system.
“That’s part of the problem with the Proceeds of Crime Act, it gives you that defence… but that’s not what the spirit of the legislation should be. We’ve almost lost the focus as to what the legislation was designed to do, which was to stop funds being transmitted that are linked to money laundering, terrorist financing and, indeed, financial crime generally.”
– Kam Biring, Currencies Direct
