‘What rules should I run’ is worrying AML Compliance question

Art for "What Rules should I run?"--shows wood cutter about to fall by cutting a branch he's sitting on

The AML Compliance Question That Worries Me the Most

By Frank Cummings, CEO of AML Partners

“What rules should I run?”

That’s the question I get asked most often by AML Compliance colleagues–and it’s the question that worries me the most.

That question tells me that the financial institution likely has a major problem with its Risk-based Approach. I’ve been doing AML for close to 20 years now, the first seven implementing “other people’s software” or just Ops work. Those early years inside Compliance shops, Audit shops, and IT shops focused on slaying the shape-shifting monster of new laws, rules, and expectations. It’s the rules and expectations that get you every time, because it’s tempting to jump straight to rules without first doing a deep dive into Risk.

The process of selecting what “Rules” to run begins and ends with your Enterprise Risk Assessment (ERA). You have one; every financial institution is required to have one. Now that being said, most ERAs I have read have a few parts lacking.

To their credit, most ERAs do identify the risks in conducting business; they look at where, with whom, and how business is conducted. The common lack lies not in the identification of the risk, but rather in the Risk Mitigation Plan (RMP).  Simply stated, the RMP should detail exactly what the institution will do to mitigate this identified risk.

We need to remember that running an AML Rule is an internal control to mitigate an identified risk. Examples abound. Collecting information during on-boarding is mitigating an identified risk. Screening for sanctions is mitigating a risk. When you do your geographic risk analysis, you are identifying the riskiest places to do business; specifying the reasons why an area is risky will help you determine what risk-mitigating rules you need.

I recommend extracting the identified risks from your summaries and creating a simple spreadsheet: entries in column one identify the risk; column two specifies the reason for the risk; and column 3 specifies the mitigation plan.  It may look something like this:

Excel sheet showing an RMP (only 2 examples)

So, the first example of risk is for Terror Financing for customers transacting business in or through Afghanistan. Enhanced Due Diligence is the mitigating factor to this risk.  So, the internal control you are instituting is EDD to further identify higher risk customers. The second example of risk is high ‘source of funds’ risk due to high cash-transaction counts and amounts. The Velocity rule will find inbound money followed by an internal transfer and a transfer out; and the ‘Regular Large Crypto Purchases’ rule will find abnormal crypto purchases that are not consistent with the business’s purpose.

If you have been around awhile, you will recognize that this is the classic Risk-based Approach—logical, systematic, and easy to justify to anyone who asks. The rules to run result from the specific risks identified rather than from general experience or personal preference.

So what AML rules are you going to run?

_____________

Chartis RiskTech Quadrant® ranks AML Partners a Category Leader in KYC Solutions

Governance, Risk, and Compliance: Software solutions that transform results, costs, and efficiency

With AML Partners’ platform technology for RegTech, updating and upgrading your AML and eGRC software solutions is easier, faster, and much less expensive. Contact us today to explore how platform technology and our end-to-end AML Ecosystem powered by the RegTechONE platform–can transform the efficiency and effectiveness of your unique AML Compliance efforts. RegTechONE software for AML Compliance includes fully integrated modules for CDD KYC software for on-boarding, behavior and transaction monitoring software, and sanctions screening software for comprehensive AML screening. And AML Partners simplifies your end-to-end fully integrated AML Compliance efforts even further with an optional Subpoena Search module for FinCEN 314a and similar subpoena searches. Contact us today to learn about our proof-of-concept option or schedule a demo of RegTechONE, the AML software ecosystem. With extraordinary configurability and built for API extensibility, the RegTechONE AML software platformpowers not only an end-to-end AML software solution but also vendor management, AML client lifecycle management, eKYC Golden Records, Perpetual KYC, and so much more.