Banks and other financial institutions entered 2017 facing an increasingly daunting framework of anti-money-laundering (AML) laws and regulations. During the past several years, regulatory agencies have been aggressively stepping up their enforcement actions, and they’ve levied huge fines for compliance failures. Having a comprehensive compliance program in place is becoming more critical than ever.
Financial regulatory bodies in the United States and Europe have increasingly emphasized customer due diligence (CDD) as a means of combating money laundering and terrorist financing. In May 2016, the Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) imposed formal CDD requirements, and US financial institutions will have until May 11, 2018, to comply with those rules. The European Union Fourth Anti-Money Laundering Directive is the most sweeping AML legislation in Europe in several years. Enacted on June 25, 2015, the EU Fourth Directive replaces the previous Third Directive. With a two-year window for implementation, all EU member states had until June 26, 2017, to be compliant with the new mandates.
The CDD requirements place an increased responsibility on financial institutions to be cognizant of their customers and the ways in which a financial institution’s products and services are being used. Some critics argue that the regulations have grown to a point where financial institutions are involuntary “proxies for law enforcement” [1] because regulators now may take enforcement actions against them for failures to thoroughly investigate and report crime and suspicious activity passing through their services rather than just ensuring that their own direct actions are lawful. Whether or not that criticism is fair, the reality is that increasing compliance demands have been placed on financial institutions. Heading into 2017, financial institutions should thus review their anti-money laundering (AML) and CDD programs, update them as necessary, and retain independent, outside counsel or auditors to separately assess the efficiency of these controls.
Most of the regulations that are within the CDD rule have already been considered regulatory expectations for some time, yet in light of the formalization of those regulations, financial institutions should consider taking the following actions.
- Review the AML risk assessment, with particular focus on current legal-entity underwriting and loan documentation practices.
- Review automated transaction-monitoring systems and procedures to make sure the results of their monitoring efforts get considered when reassessing or refining a customer
- Make sure that CDD rule requirements are implemented seamlessly across the entire global operation.
- Develop—and periodically enhance—existing policies and procedures to meet the technical requirements of the CDD rule and to align the technical rule requirements with the financial institution’s risk appetite.
Robust information technology systems have always been critical parts of AML compliance. However, as recent enforcement actions have shown, detecting and reporting suspicious activity appear to be ongoing struggles for financial institutions—and the trend will likely continue.
Many financial institutions are saddled with legacy IT compliance systems that were built over long periods of time and can no longer meet current needs and regulatory expectations. That situation results in many cases of manual workarounds, which usually lack accuracy and efficiency and can cause head count to spike unnecessarily. In light of FinCEN’s CDD rule, sophisticated IT systems that are well integrated into a company’s day-to-day operations will be critical for keeping up with regulatory requirements in 2017 and beyond.
Financial institutions should evaluate whether their current systems can handle the additional information and field requirements, which some legacy systems may not be able to do. For example, payment transactions at a bank or a financial service provider (inbound and outbound) are typically required to be checked against the Office of Foreign Assets Control (“OFAC”) sanctions list. With a legacy system, any “hits” would need to be manually verified to determine their validity, which leaves room for human error and puts the service offered at major risk.
Additionally, given the kinds and volumes of customer information required under the new CDD rule, narrowly designed systems might prevent financial institutions from being able to comply. Closing those gaps effectively will require potentially significant investments and close partnerships between compliance, IT, and senior management.
[1] Financial Industry Playing the Role of Law Enforcement, Thomson Reuters (November 2016).