There is a growing gap between increasingly demanding anti-money laundering (AML) and sanctions compliance requirements and the technology capabilities of financial services firms to respond to those requirements. Regulatory change and increased sanctions activity have created operational pressures that are being tactically plugged by working incumbent technology harder and expanding compliance headcount. This situation is unsustainable because of its cost and complexity – organisations need to increase the amount of automation in their financial crime processes to improve compliance effectiveness, increase operational efficiency and increase the responsiveness of controls to new risks.
Continuous AML rule changes
In the AML space, regulatory change is constant. For example, in the UK, amendments to the Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017 had an implementation deadline of 1 September 2022. The amendments include an explicit legal right of access for regulators to suspicious activity reports (SARs), so that they can consider the quality of their content. This is putting new pressure on firms to improve their SARs processes.
In the EU, a 7th Anti-Money Laundering package is working its way towards being finalised. This creates a single AML rulebook for the whole of the EU, and will also produce a new EU Anti-Money Laundering Authority which would directly supervise large, cross-border entities and provide support to national regulators. The new rules also require compliance functions to have adequate resources, staff and technology in place. The goal is to raise supervisory standards, and therefore AML compliance standards, overall.
At the international level, the Financial Action Task Force adopted amendments which require countries to prevent the misuse of legal persons for money laundering or terrorist financing in March 2022. They also require firms to ensure that they have adequate, accurate and up-to-date information on the beneficial ownership and control of legal persons. All of these evolving rules – and others – add to the compliance burden firms are under and create significant regulatory change complexity. Firms are often finding they cannot easily adapt their existing technology to cope without growing complexity in the underlying code that supports the technology, and the liberal use of manual processes.
Managing thousands of sanctions
Organisations are also struggling to keep up with the pace of sanctions issuance. Since the start of the war in Ukraine, more than nine thousand sanctions[i] have been published against Russian individuals and entities. These Russian sanctions have strained operations within firms, especially where there is a reliance on manual processes, or where significant manual intervention is required. Regulators like the UK Financial Conduct Authority say they expect firms to have established systems and controls to counter financial crime risks – and that includes compliance with financial sanctions obligations. However, many firms privately admit that they are having to try to hire and train people to keep their sanctions processes from being overwhelmed.
Firms are resorting to tactical responses because they have not kept up their investment in financial crime technology. While firms are heavily investing in digital transformation in other areas of their business, their financial technology can be a decade old or more. As a result, activities such as AML and sanctions screening can require significant human intervention – for example, to reduce false positives. Hiring more talent to try to keep up is no longer a viable solution as there is a significant talent squeeze in compliance roles, which can be evidenced by the escalating cost of hiring. According to the 2022 Thomson Reuters Cost of Compliance survey 67% of respondents expect the cost of senior compliance staff to be more than today over the next 12 months, compared with 47% in the 2021 survey[ii].
Firms need to change their strategic approach to meeting financial crime compliance requirements and implement technology that is fit for purpose. They need technology that is agile enough to meet regulatory change demands, reduces workloads through AI-automated false positive remediation, and is configurable to meet an individual company’s risk profile. Firms that do not invest in the next generation of financial crime technology may find themselves facing greater compliance risk, regulatory risk, and reputational risk down the road.