AML-KYC – balancing effectiveness with operational sustainability

The year-on-year increase of AML-KYC workload sometimes feels as much of a certainty as death and taxes. Institutions must manage screening obligations that become more expansive and complex, with fewer exceptions for simplified processes. At the same time, the cost of a compliance failure becomes greater, in terms of societal impact, regulatory fines, remediation efforts, and the damage to reputation. In response, the scale, cost, and complexity of institutions’ countermeasures and controls have increased exponentially. An unintended consequence of stretching resources to meet compliance obligations is that an organisation becomes less well-placed to focus on customers and business goals. Simply reducing AML-KYC budgets or down-sizing teams is not a viable option because of the increased risk of an unacceptable gap emerging between compliance obligation and operational capacity. The traditional approach of adding large numbers of compliance FTEs might offer a short-term fix but is unsustainable over the long-term. Finding the middle ground between compliance effectiveness and operational sustainability now depends on technology innovation. 

External pressures not diminishing 

In recent years, compliance operational capacity has scaled significantly in response to new regulatory requirements. The consequential sustained increase in compliance budgets is well-documented, affecting all tiers of institution, in every region. At the same time, regulators’ expectations of the standard of compliance effectiveness have risen at a faster rate. An addressable and relatively immediate response to meeting these expectations has been to hire more compliance staff. However, continuing this approach is not just economically unsustainable, it creates large, complex control frameworks that are more prone to systemic failure. Meanwhile, customers are faced with an increasingly high rate of compliance friction – at a time when fintech challengers can provide a more seamless experience. The demands of continuously improving compliance excellence and customer satisfaction cannot be mutually exclusive. New ways of addressing these dynamics are needed. 

Automation is just the first step 

Large financial institutions can employ, directly or indirectly, thousands of compliance analysts. Even if these organisations are largely outsourced or offshored, operational costs are still significant. The combination of internal op-ex pressures and regulators seeking higher levels of effectiveness – that go beyond mere technical compliance – has inevitably led to the wider use of automation technology. The repetitive actions of a compliance process are typically very suitable tasks that can be transferred from humans to Robotic Process Automation or AI-led machine learning technologies. When applied to tasks such as investigating alerts, false positive reduction rates of 60-80% is a common outcome, particularly in retail banking. Such outcomes typically yield a massive cost-saving, without introducing significant new risks. However, whilst automation is delivering big operational efficiencies in many institutions, the opportunity to improve compliance effectiveness is often not realised fully. If restricted to making existing processes quicker and cheaper, the compliance up-side of automation is limited. Yes, there are benefits in that staff can be re-deployed to focus on more qualitative tasks. But a bigger impact will be made if new technology is utilised more fully to provide smarter processes using risk analytics.  For projects to be successful, technology must deliver more than operational agility and high speed-to-compliance. Full transparency must also be delivered to enable every automated decision to be contextualised and understood. 

Mind the gap  

Compliance technology strategies are often a series of tactical reactions to short-term objectives. Whilst the velocity, scale, and complexity of AML-CFT requirements are unlikely to diminish, attempting to manage these challenges by adding more people is not sustainable. Similarly, a failure to realise the full potential of technology innovation will not improve compliance effectiveness. 

No institution can afford a gap to develop between regulatory obligation and operational capacity. Finding the right balance needs risk analytics technology that can deliver both massive efficiencies through automation and improved compliance effectiveness from more insightful customer intelligence. 

Effective screening and long-term sustainability

Delivering effective AML-CTF risk management is a complex and resource-intense task that requires institutional focus and resilience. The regulatory requirements of obliged institutions are progressively more complex, expansive, and volatile, requiring additional operational agility and capacity. Faced with additional workload, institutions can find it difficult to maintain control frameworks, even with significant increases in technology and FTE budgets. Finding an approach to delivering effective compliance – that is also sustainable – is critical. 

Pragmatic and tactical capability – but limited strategic potential 

The roll-out of an enterprise-wide platform with the flexibility and capacity to manage risks across jurisdictions, lines of business and products is a goal for many financial institutions. In reality, despite considerable progress, AML-CFT controls are still often based on complex frameworks with multiple points of evolution. Instead of centralised platforms with holistic reporting and governance controls, many institutions use an array of different core Reg-Tech platforms and point solutions. Such scenarios are typically the outcome of a series of pragmatic decisions designed to meet critical and immediate challenges. However, the result is difficult and expensive to scale to new risks. It is also difficult for institutions to standardise a consistent approach to compliance across all areas of a large business. Furthermore, the complexity of these arrays often leads to a very conservative approach to technology innovation – driven by the fear that change could cause unintended consequences. Whilst enabling short-term compliance, this tactical approach impedes the development of a comprehensive FCRM technology and operations strategy that can respond – effectively and efficiently – to risks and obligations over the long-term.  

Risks evolve – but has technology kept pace? 

The definition, scope and not least the risks of money laundering and terrorism financing have evolved significantly since the times when financial institutions first started addressing these issues as a legal responsibility. However, much compliance technology infrastructure is still based on cores that were built to respond to challenges as they existed 10-20 years ago. For example, sanctions screening technology often has a direct lineage to the first generation of OFAC screening tools. Similarly, some screening products are based on simple extensions of sanction filters. These pedigrees have some advantages, such as longevity, stability, and resilience. However, these attributes also make it harder to scale capabilities, to deploy with agility and to enable transparent decisioning. In parallel, the evolution of banking and financial institutions – from digitisation, payments standards, open banking, and new products – can lead to a gap between the original design purpose of screening technology and today’s requirements. 

Inertia versus the cost of change 

Deploying new generation FCRM technology platforms in place of legacy arrays offers many advantages, most tangibly in the form of improved compliance effectiveness and operational efficiency. A new approach can also provide clear lines of sight that enable insightful operational and regulatory reporting, enterprise-wide standards of governance and compliance consistency across all areas of a complex organisation. Despite these advantages, institutions might defer replacing older incumbent systems due to the perceived cost of change. The complexity and effort required to migrate and engineer new tools should not be under-estimated. However, cost-of-change should not be an impediment to implementing a strategic plan for FCRM controls. Maintaining the status quo has an intrinsic expense that grows as older technology becomes more difficult to support. However, the greatest potential cost is that older tools are progressively less capable of responding to new risks and regulatory requirements. Sweating FCRM technology to the limit of efficacy or utility raises the risk of a control failure. In this context, the cost of organisational inertia is far greater than the cost of technology change.