FCP advise for banks

Advise #1: KYC analysts must not spend too much time examining individual transactions

When designing the Financial Crime Defence in a bank, it is important that each control activity provides a unique contribution without any overlaps between control activities and combined not leaving any gaps in the total defence.

All the employees working with the individual controls really want to contribute, and to do that optimally everyone needs to understand the various elements in the total defence to a level where it is clear how the employee’s own task fits into the total defence.

Otherwise, there is a risk that the individual employee or even an entire control function takes upon themselves to act as the total defence.

One example is that some KYC analysts examine single transactions to see if anything is unusual/suspicious. That should not be done by the KYC analyst, because the Transaction Monitoring control must – through the thresholds set in TM scenarios – secure that all individual transactions, that are outside the risk appetite of the bank, are examined by TM investigators.

Instead, the KYC analyst must focus on capturing and maintaining all the required KYC information on high-risk customers as the primary task. A part of this work is to evaluate if the total turnover across incoming and outgoing transactions are in line with expectations given the customer’s individual KYC information/profile. I also recommend including a relevance check of the top 5 credit- and debit counterparties.

In this way the KYC control and the TM control contribute differently, and overlap is avoided. There are a lot of situations where the two control functions must collaborate, but that will be a cliffhanger for a later advise in this series, which I hope you will follow in the future.

Advise #2: Prioritise TM alerts according to their deviation factor to the TM thresholds

All banks are prioritising the Transaction Monitoring alerts, and quite often the age of the alert is the dominant criteria (FIFO – First In First Out), as no bank wants to have (too) old alerts unattended.

There are a few criteria that overrule the FIFO prioritisation, e.g. alerts from TM scenarios focusing on identifying Terrorist Financing are prioritised highest of all alerts, and alerts on high-risk customers are investigated before alerts on medium/low risk customers.

I recommend including the TM alert’s deviation factor to the TM threshold in your prioritisation. The deviation factor is important, because scenarios are built with different thresholds for different customer types to reflect the differences in “normal behaviour”. The threshold is much lower for a teenager than a private banking customer and much lower for an SME than a large Corporate.

However, all TM alerts can be compared equally when using the deviation factor that the individual threshold is breached with.

The logic behind the recommendation is to find the most anomalous behaviour, and it is more unusual/suspicious if any given TM threshold is breached by a factor 10 than with 10%. Therefore, a teenager with a threshold breach of factor 10 should be prioritised higher than the corporate with factor 1,1 – even though the absolute amount on the same scenario for the teenager obviously is lower. Please note that the threshold factor also should impact alert prioritisation across all scenarios.

If an alert is breaching a threshold with a very high factor, I also recommend that TM investigators are required to be even more thorough before concluding if the customers behaviour is either plausible or suspicious.

By structurally using the deviation factors to TM thresholds on both the prioritisation and the depth of the investigation, the bank will provide high quality analysis of the most important SARs to the authorities as timely as possible.

Advise #3: Implement preventive controls to reduce the financial crime risk

Today banks spend many resources on Transaction Monitoring controls. These are conducted after the transactions are executed, and the effort focus on reporting suspicious behaviour to the authorities.

Most Sanctions and Fraud controls are conducted in advance of transactions, thereby preventing the transactions from being executed. In this post, I will discuss additional preventive controls that are valuable to implement as part of the total financial crime defence.

The easiest way to upfront prevent suspicious transactions, is to lower the customer limits for high-risk transactions, e.g. cash withdrawals and deposits through the bank’s ATMs and international transfers conducted through online banking to all or certain high-risk countries. This reduces risk and will additionally reduce workload as transactions that can’t be conducted, can’t result in TM alerts.

To avoid the negative impact on the relatively few customers that have a legitimate need for higher limits on such products, it is preferable to be able to increase the limit on individual customers after a pre-approval process. These customers will understand why such measures need to be taken to prevent misuse of the bank.

There are also preventive controls designed to prevent specific customers, that have acted outside the risk appetite of the bank, to continue their actions. These focus on customers with one or more SARs reported to the authorities.

The ultimate decision is to exit the customer, and this decision should in most cases only be taken after all other possibilities have been exhausted. Customer exits contain many dilemmas, and before taking an exit decision, the bank has several other possibilities.

The most common preventive action is to block/terminate the specific service used in the unacceptable behaviour. This can be blocking the access to conduct international payments either in total or to specific countries or it can – after an adequate number of warnings – be blocking the online banking access until the customer has provided the needed KYC information or explanation on a certain unusual transaction.

The least severe action that can be taken is simply to explain to the customer why a certain behaviour can increase the risk of financial crime in society and make an agreement, that it will be addressed by the customer. An example is to advise corporate customers receiving a lot of cash from their customers to encourage their customers to use electronic payments.

Advise #4: Implement the average gross time for handling KYC files/TM alerts as key KPI’s

It is an absolute no-go to have any guidance on how long time an employee is allowed to spend on a given control within your Financial Crime Defence, e.g. a KYC file or a TM-, Fraud- or Sanctions investigation.

The appropriate time spent will always be the time needed to come to the right conclusion documented in the right quality.

However, it is still very important to measure how much time is spent in average on the different controls and thereby that the defence over time becomes more efficient (measured by an average time KPI) without compromising the effectiveness (measured by a quality KPI).

In some banks the KPI measured is the effective time used by the analyst/investigator on a control. While that is also interesting, the development in gross average time is the only one that can encompass the effects of all possible improvement initiatives.

The average gross time KPI is calculated on a monthly/quarterly frequency by assigning all the gross time of all the employees involved in each control, divided by the number of files/investigations finalised in the period. That specifically means that also time spent by 4-eye controls, team leads, MLRO’s etc. must be included in the gross time KPI.

The KPI should be possible to break down into subsegments, thereby making it possible to identify surprising facts that should be further investigated, e.g. if more time is spent on normal retail customers than private banking customers and more time on SME’s than on larger Corporates.

If a bank has not measured the average gross handling time before, I promise, it will come as a wakeup call on how many hours it takes in average to finalise one single control/investigation.

It is very important not to spend the time trying to explain why the value of the KPI is as high as it is, but instead asking the right questions – what drives our time spent and how can we reduce it without compromising on quality?

It might be that KYC analysts spend too much time on single transactions (see my advice #1), it might be that the staff turnover is too high and therefore too much time is spent on training new staff – or it might be something completely different – that is for you to identify and address.

Advise #5: Evaluate if the customer risk scoring model identifies too many high-risk customers

It is of utmost importance that the Financial Crime Defence is risk based, and that makes the customer risk scoring model one of the key components having a huge impact on all the controls.

The customer risk scoring model typically contains the quite static risk factors like Customer Type, Industry/Occupation, Geography, Products & Services and Delivery channel.

Depending on the complexity of the model, each risk factor has different scores – e.g. being present in a high-risk country gives a higher score than being domestic only and being in a high-risk industry gives a higher score than in a low-risk industry. The model then applies some weight to each risk factor and the result is that a customer ends up being high- medium- or low-risk scored.

The banks Standards typically require that high-risk customers have ODD each year, medium risk every 3 years and low-risk every 5 years. There is also a huge difference in the depth of the work ranging from KYC analysts scrutinizing each high-risk customer, while simple automatic deviation controls are applied to the low-risk customer’s self-service KYC information.

These huge differences in workload makes it clear why it is so important to calibrate the customer risk scoring model correctly.

Risk scoring models only focusing on the standard risk factors tend to result in too many high-risk customers. As an example, it is simply not a strong enough reason for a customer to be classified as high-risk just because it operates in a high-risk industry or because it uses the banks most risky products. It must be a combination of several of the risk factors before a customer is classified as high-risk.

What matters more is the actual transactions the customers are conducting through the bank. The TM scenarios go across and cover all customers (if correctly designed with lower thresholds for high-risk customers), and putting the effort into having strong scenarios, combined with analytical capabilities like network and payment content analysis, results in a much better defence than having KYC analysts spending a lot of time analysing customers classified as high risk by a customer risk scoring model that is not sufficiently granular. 

Advise #6: Consider how many people should be involved in the same customer case

Whenever there are multiple individuals involved in the same customer case, there is a loss of time, because each individual use some “base-time” to get acquainted with the case, even if they have different roles in the process.

At the same time it is difficult for a single person to understand and master all process steps, so designing the optimal process becomes a balance between the advantages of specialisation and the time lost by having too many handovers.

The first thing to do is to measure how many people are involved in the same customer case. For illustrative purposes, I will use a customer case that theoretically could end up with too many people involved: There is a TM alert on a low-risk customer that leads to a SAR as well as an upgrade of the customer to high-risk and finally a decision to exit the customer.

The flow might be: The TM 1st level escalates to TM 2nd level that escalates a UAI (internal SAR) to an MLRO that creates the SAR to the authorities. This results in a KYC analyst conducting an EDR resulting in an exit recommendation, where yet another person is handling the practicalities. That is “only” 5 individuals.  

However in the financial crime prevention process flows, there are also often 4-eyes and/or team leads involved to secure the needed level of quality. That is potentially 10 additional individuals and having 15 people and on top also the customer exit committee with several members involved in the same case is for sure overkill.

My advice is that you aim at reducing the number of people involved in each customer case, but you do a thorough and differentiated implementation, guided by the development in the quality KPI.  

Firstly, differentiate the involvement of 4-eyes, so analysts and TM investigators with proven quality track record is only subject to the normal parallel sample-based quality control process, while new individuals need the 4-eye until they also have a proven quality track record.

Secondly, involve the team leads effort only in the sample control process instead of in the daily 4-eye flow.

Thirdly, consider if TM Operations 2nd level can file SARs directly, thereby eliminating all UAI’s/internal SAR’s. Use the number of UAI’s/internal SARs that was rejected or improved by the MLRO as the starting point for a differentiated implementation. Regardless how many handovers you manage to reduce, you will still end up having several persons involved, so make sure each role is very sharply defined, thereby keeping duplication of the same task to a minimum.  

Advise #7: Replace TM scenarios with intelligent methods of identifying financial crime risks

Even though banks have been working with optimising their TM scenarios for many years, false positive ratios on TM alerts are often way above 90% and that results in a lot of waste.

The reason is the (too) simplistic nature of TM. There are many good reasons to transact with high-risk countries or to deposit a decent amount of cash, and therefore the TM Operations unit still ends up looking for the few needles in the haystack representing the suspicious behaviour.

The simplistic nature of TM scenarios also results in more complex criminal patterns remaining undetected, so the answer seems to be quite straight forward – upgrade the financial crime defence by using the more complex analytical capabilities like network- and payment content analysis.

These tools have already been embraced by larger banks, but most often as something on top of the existing defence, not as a replacement. I believe the entire industry should be brave enough to transform the defence, even if that leads to some simple suspicious behaviour remains undetected.

Some TM scenarios are simply not representing a proportionate effort – especially considering that the authorities don’t have the strength to investigate all the “small stuff”.

The intelligent tools can identify the complex crimes that also are the most severe. These should be prioritised end to end, e.g. from identification in a bank to a conviction in court.

Without going into network and payment content solutions in details, I will still provide you with a bit of insight on why they work much better.

Banks have already identified thousands of SAR’s. When someone is already identified as suspicious (or e.g. proven criminal through adverse media), it is likely that someone connected to them is also demonstrating suspicious behaviour.  

Another area is to conduct theme-based analysis. One example is to define patterns that can indicate if trafficking for black labour in the construction industry or prostitution are occurring. Naturally these solutions also result in false positives, but not anywhere near 90% of the time.

One final advice from an often-missed operational excellence point of view: Be very careful with broad access to the network and payment visualisation tools. If they are made available for the entire operations team, they will be used to go down many rabbit holes – also where there is nothing to find. Instead use scores created by the tools and only investigate the highest scores and only done by people that have learned how to use the tools.

Advise #8: Establish a clear connection between predicate offenses and individual controls

When regulators evaluate the financial crime defence in a bank, one of their primary demands are that the bank has an updated enterprise risk assessment and that the entire defence is built in a way that addresses the inherent risk identified – thereby leading to a residual risk which is inside the risk appetite of the bank. And if outside the risk appetite of the bank, it should lead to the identification of additional controls needed to get inside risk appetite.

A strong risk assessment should not only be made based on the high-level generic terms like money laundering, tax evasion and terrorist financing, it should go deeper into the predicate offenses.

The AMLD6 mentioned a few new predicate offenses like cybercrime, environmental crime, and wild-life trade, so the total number is now 22. For banks in Europe that means even from the perspective of living up to the law, they must be concrete on how to set up control mechanisms for these.

But for banks it should not just be about living up to the law – it is all about catching the criminals. I believe best practice is to be as concrete as possible on the predicate offenses – not only in the enterprise risk assessment, but all the way to the design and implementation of the individual controls.

By using the intelligence and analytics type of controls I mentioned in advise #7, it is possible to define modus operandi for specific predicate offenses, not just “potential money laundering” and thereby provide very qualified alerts/leads.

Also in the more traditional Transaction Monitoring, it is important that the TM analysts understand what they are looking for – it is very different signs depending on if you are looking for signs of illegal wildlife trade (e.g. the money-flows must in the end go back to the countries with supply of wild-life) or for tax crimes through invoice factories (e.g. there are no/limited signs of all the resources that should be used to create the value equal to the invoices).  

This is best done by integrating descriptions of the signs of the different predicate offences into the analyst/investigator guidelines and educational material, thereby strengthening the entire defence.

It is actually quite comprehensive – e.g. take a look at the FATF guidelines on preventing money laundering from wildlife trafficking. This deep level of understanding the risk indicators on customers and transactions demonstrates the need for further specialization of the workforce.