Is “compliance as a competitive differentiator” helpful or harmful?

“Compliance is becoming a competitive differentiator.” This phrase is growing increasingly fashionable within risktech circles today as a way of trying to articulate the value that having robust compliance technology in place can bring. It is a well-intentioned statement, but it is incorrect. Worse, its continued use could be damaging to the compliance discipline as a whole.

The most important goal of a compliance solution should be helping to ensure that the firm concerned is meeting its regulatory obligations in a particular area. For financial crime solutions, this means efficiently detecting potential and existing customers that the firm should not be doing business with. Technology cannot do the job alone, however. Globally, the compliance discipline has a long history of collaboration and information sharing to support the international mission of stamping out financial crime. None of this is, or should be, about competitive advantage.

The role of customer experience

However, providing the business with a great customer experience can be about competitive advantage. Reducing friction in onboarding, KYC and payments are critical to improving CX, which can enhance the firm’s reputation. This can both help to attract new customers and retain existing customers, making the customer experience a very powerful differentiator for financial services firms. So, the secondary goal of good financial crime software should be delivering the elements that support a great CX.

Customer experience is the competitive differentiator here, not compliance.

Why is it important to make this distinction? There is a real risk that if compliance is seen as a “competitive differentiator” among firms, the much-needed collaboration and information sharing among firms will simply dry up. This has happened in other areas in the past – the early days of the operational risk discipline saw unprecedented collaboration among firms, which ended, in part, when op risk teams began to pitch themselves as delivering competitive advantage. The discipline’s progress moved into the slow lane as collaboration collapsed.

Let us not risk the degradation of financial crime prevention collaboration in the pursuit of market share, placing the desire for growth ahead of the regulatory and ethical obligation to combat financial crime.

Best of both worlds

Firms need to work with a financial crime software solution that delivers on regulatory obligations and delivers an improved customer experience. A best-in-class core technology stack that provides low-latency, high-speed screening, and which is capable of massive scale, can process anti-money laundering checks and sanctions screening quickly and efficiently, enabling firms to onboard clients more rapidly than ever before. And because the solution is based on a much more accurate matching engine, false positives are reduced, and compliance requirements are met. ​

The right solution also enables the modelling and testing of the impact of new screening requirements, to improve speed to compliance​. This greatly reduces the risk of delays to customer onboarding when new requirements are announced, while at the same time ensuring that new screening requirements are implemented in such a way that they meet compliance demands.

The financial crime discipline needs to be careful about how it articulates the value that it delivers to organisations. Detecting and preventing financial crime – through meeting compliance obligations – should never be about competitive advantage. Instead, it should be about collaboration. However, the right software can support the compliance demands and ethical needs in the fight against financial crime, while at the same time providing a superior customer experience through robust technology delivered in the cloud.

The opportunities and challenges of ISO 20022 for fighting financial crime

The improved and expanded ISO 20022 messaging standard is being heralded in financial crime risk management circles as the key to lowering the significant volume of false positives that firms have to grapple with in payment transaction screening. Certainly, ISO 20022 brings with it more structure, data, and meta-data delivered with greater integration potential. However, potential benefits will not be achieved automatically – firms will need to adopt technology that supports ISO 20022 and can exploit the new messaging standard’s data model, or they may wind up with more false positives than they had before.

Richer, better screening data

Screening using current messaging standards presents a significant challenge – data can be fielded inconsistently, there can be missing data, and the data is often of varying quality. This is because the basis for this messaging standard was created in the 1970s – for example, the address field does format street, city, or other address information, but is one large unstructured text block. As a result, it can be very challenging to accurately match the data from payment transactions against sanctions data. This typically results in a large number of false positives and considerable human intervention in anti-money laundering and sanctions processes.

In contrast, ISO 20022 is an international and open messaging standard for the financial services industry set by the International Organization for Standardization, an independent, standard-setting body. ISO 20022 is based on an extensible mark-up language (XML) format and is structured in a three-layer data hierarchy. Messages based on ISO 20022 provide distinct and specific data on the transaction’s parties and their relationships, such as actual and on-behalf-of information, intermediate and receiving roles, and their geographic location. The messages can also contain rich structured party data, extended remittance information, and special characters and expanded character sets. This rich amount of data contained in each message means that individuals and entities can be identified much more clearly – potentially dramatically reducing false positives.

This new data structure is a quantum leap from where messaging is today. Major market infrastructures such as SWIFT, the Eurosystem, the European Banking Authority, the Clearing House, the Federal Reserve, and the Bank of England have published plans to migrate to ISO 20022 between 2022 and 2025. Also, international financial crime entities such as the Financial Action Taskforce (FATF) and national regulators such as the Financial Crimes Enforcement Network (FinCEN) have already begun the regulatory and compliance work that will need to accompany adoption.

Benefit requires investment

However, firms will not automatically benefit from the transition to ISO 20022 in their financial crime programmes – there is quite a lot of work that most firms will need to do. For example, ISO 2022 brings with it many more data fields than the previous standard, and so financial crime technology will need to be able to screen all those fields, creating additional screening volume. Moreover, the increased volume of fields grows exponentially with each new message – creating a much greater overall quantity of data that financial crime technology will need to be able to process at speed.

Also, screening more fields will result in more alerts – that is a mathematical certainty – unless the financial crime technology has robust analytics that can maximise the potential that the ISO 20022 standard data has to offer.

In order to crunch all the new data, financial firms will need agile technology that has the scale and capacity to do so – it will need to be in the cloud. Firms will also need to work with financial crime technology that uses advanced matching technology that is able to cope with many more comparison objects. In some of today’s tools the matching technology shares a pedigree with the original 1970s messaging standard; some will not be able to adopt ISO 20022 without significant re-tooling.

Thinking strategically

Financial services firms that want to fully benefit from the adoption of ISO 20022 in their financial crime programmes will need to evaluate their current platform to see if it can meet these new demands – the answer is likely that it is not. Moving quickly now to bring in a financial crime technology platform that is ISO 20022 ready will deliver faster service within payment transactions, reduce customer friction, and greatly reduce the overall compliance burden. Firms that do not embrace the need for new technology could find themselves actually worse off, with accelerating levels of false positives.

Evolving payments ecosystem requires fresh thinking to combatting financial crime

Around the globe, the payments ecosystem is rapidly becoming more diverse – and more fragmented – as a once-in-a-generation transformation in how payments are made takes place. Financial crime risk management needs to adapt to the new ways in which transactions are being processed, and the fresh human behaviours these new payments ecosystems are creating.   

For example, in 2021 there were more than 40.4 billion payment transactions in the UK[i], including card transactions, which are rapidly replacing the use of cash. By 2031, cash is anticipated to be used to make just 6% of all payments, compared with 15% today. With increased digitisation, open banking initiatives and the falling cost of enabling technologies, new payment networks are springing up – including peer-to-peer and crypto-based payment networks. Examples include: 

  • Circle Pay – Launched by crypto firm Circle, it enables individuals to send money to 29 different countries in a variety of currencies.  
  • Remitly – A payments platform that has focused on enabling immigrant communities around the globe to send money faster and more cheaply.  
  • Ripple – This platform uses blockchain to complete payments in its network of more than 200 banks. Blockchain technology supports the encryption of each payment and the traceability of each transfer. 
  • Revolut – This online bank has launched a crypto payment service. Cardholders can access “spend from crypto” in the app and can choose from cryptocurrency holdings to make purchases on their Revolut card.  

FinTechs like these and others are beginning to change the face of the payments industry. For decades payments were completed by a small number of providers, such as credit card companies and Swift. Now, for example, experts are predicting that just the global crypto payment transaction value will rise to more than $16 billion in 2023.ii  

New challenges ahead 

This new explosion in payment networks is good news for consumers – it has the potential to bring lower costs and increased agility in their ability to send and receive money. However, it may also be good news for criminals, because the explosion in payment networks means they potentially have more ways to send money too.  

In addition to this higher overall risk of criminals using new payment networks, compliance officers are going to face other challenges in this new, multi-channel world for payments. New payment networks will also bring: 

  • More data formats 
  • Different customer use cases 
  • A broader range of transaction behaviours 
  • Continued acceleration of changes in the underlying data and technology driving these systems 

These new payments networks will bring increased competitive pressures on traditional banks, who will want to be able to offer services that are as agile and easy as this new community of competitors, and often partner with these payment networks – while continuing to meet their existing compliance obligations.  

New technology for a new ecosystem 

To continue to combat financial crime in the face of this rapidly evolving payment networks ecosystem, compliance officers are going to have to engage with a new approach to technology. Existing on-premises financial crime tech stacks are not up to the coming challenges that traditional firms are facing. Instead, compliance teams need a technology solution in the cloud that is capable of delivering transaction monitoring faster, cheaper, and with increased agility in response to regulatory change and the continuing evolution of the payments network ecosystem. They also need a solution that has the capacity to engage with many payment media types, not just several. In addition, competitive pressures – and regulatory concerns – mean that compliance teams should be preparing for the need to adopt technology can already support sanctions and AML transaction monitoring in real time.  


[i] https://www.ukfinance.org.uk/system/files/2022-08/UKF%20Payment%20Markets%20Summary%202022.pdf

Anti-financial crime technology updates needed to meet regulators’ increasing supervisory capacity

The financial crime technology stacks within banks, investment firms and insurers are struggling to meet today’s regulatory expectations. Although many financial services firms are working hard to meet their compliance obligations, out-dated software is now holding them back from realising the best compliance outcomes. 

Growing regulatory sophistication around financial crime takes many forms. To begin with, regulators are much savvier about technology and data. For example, the UK Financial Conduct Authority (FCA) has access to cutting edge financial crime and anti-money laundering technology through its Regulatory Sandbox, Digital Sandbox, and FCA Innovation Hub programmes. Over the past two years, the regulator has also brought in key technology talent, including a new CIO, and a director – intelligence and digital. Jessica Rusu, chief data, information, and intelligence officer, established a new division – Data Technology and Innovation – after she joined in June 2021. Recent new rules, such as the Consumer Duty, contain informed data and technology expectations – a supervisory approach that is also being applied in some areas of financial crime, such as trade surveillance.  

The FCA is also making its expectations clear in what it is saying at industry events. For example, in a September 2022 speech, Sarah Pritchard, executive director of supervision, policy and competition – markets at the FCA said, “Embed your financial crime checks in your systems from day one but keep evolving as the threats evolve. Use the power of data and tech and stay alert for situations in which you may need to recalibrate your defences and alerts.” The regulator is not standing still when it comes to data and technology, and it doesn’t expect firms to, either. It wants to see compliance agility within firms. 

Increasing enforcement 

As well, the UK FCA is using enforcement actions to make its messages around financial crime processes – including data and technology – heard. For example: 

  • In mid-July 2022, a firm was fined more than £2 million for inadequate financial crime systems and controls, pushing the firm into liquidation. 
  • In late June 2022, a branch of a bank was fined more than £5 million for failing to have the right policies and procedures in place, having inadequate enhanced due diligence, and having inadequate enhanced ongoing monitoring.  
  • In December 2021, a large international bank was fined nearly £70 million because its policies and procedures for two of its key automated transaction monitoring systems were not appropriate or sufficiently risk- sensitive, and the bank did not ensure the policies that managed and monitored those systems were adequately followed. 

So, while the regulator is encouraging firms to raise their game around financial crime data and technology, it is also inflicting significant punishment on those which don’t meet the required standard. 

Fresh expectations 

Regulators want to see improved use of data and technology to meet financial crime compliance requirements within firms. They want to know why firms have the solution in place that they do, what their processes are, and how they manage the data. They are looking at the suitability of the firm’s controls and the effectiveness of those controls.  

In short, regulators are demanding more explainability of processes and outcomes. Much of current financial crime technology is a “black box”, and financial firms do not understand what is going on inside. Regulators are pointing out that this means that these firms do not have a sufficient grasp of key elements of their overall financial crime programme – the data and the technology – and this can lead to suboptimal outcomes.  

Firms should seek a financial crime solution that delivers an open-box approach, providing transparency of the logic behind every risk decision, and an audit trail of decision-making. Also, the solution should enable the compliance team to model and test the impact of new screening requirements – to improve speed to compliance –​ and provide specialised support for all major commercial watchlists. A cloud-based solution delivers more agility, which gives regulators confidence that the firm is capable of complying with future regulatory change. ​​ 

For many firms, now is the time to upgrade the data and technology that supports their financial crime processes. New approaches to financial crime processes deliver on regulatory demands, while at the same time enhancing the ability of firms to detect and prevent financial crime taking place within their organisations. 

Financial Firms Run Real Risks with Legacy Sanctions Screening Software

The financial crime technology most firms have in place today is ageing quickly and needs to evolve. Incumbent screening tech stacks for anti-money laundering (AML) compliance have not kept pace with the increasing complexity, scale and velocity of new risks.  This creates substantial operational pressures that are grow larger with each passing month.

A rapidly changing world

A good example of this situation can be found in the volume of Russian sanctions that have been implemented since February 2022. The US has put in place 1,375 Russian sanctions, the UK 1,375, and the EU 1,143. This is 73% of all the sanctions against Russia issued since 2014.[i] Legacy technology-based AML screening technology simply cannot respond with agility to this pace, and so firms have had to increase compliance headcount to support their sanctions screening processes. However, this expediency is unsustainable because of talent shortages, rising salaries and increasing training costs. Without robust sanctions screening processes, firms are exposed to considerable compliance risk and operational risk, which could lead to significant social consequences, regulatory action, and reputational damage.

Legacy screening technology is creaking under its own weight for other reasons, too. For example, most of today’s screening software is located in on-premises servers. However, current digital transformation programmes mean that most firms are increasingly moving their data and business processes to the cloud. Also – as a direct result of the pandemic – many client processes are being automated through new FinTech approaches, often breaking down internal silos. Legacy AML screening software usually struggles to operate outside of the silo in which it sits, and to integrate with cloud-based data and new technology – for example, with new customer management systems or onboarding portals – to create enterprise-wide end-to-end processes that firms need to stay competitive.  

Now is the time

Logically, firms should be investing in cloud-based sanctions screening technology today to close compliance gaps, reduce risk and enhance their organisation’s ability to achieve its strategic goals through digital transformation. Ironically, it is the rapid pace of current change that has put many firms off from implementing a new AML screening platform. They say that they are waiting for a “quieter time” to do this. The reality is that there will never be a “quiet” time because the world has changed. Firms need to take a new strategic approach to financial crime compliance or risk having this important part of their infrastructure fall behind, and non-robust processes increase the risk of getting sanctions wrong – leading to enforcement action, including fines.  

Screening in the cloud

To meet the demands of digital transformation and today’s compliance environment, firms need to embrace a cloud-based approach for AML sanctions screening. Taking this path will lower IT costs without compromising security or performance​. The cloud has big benefits, too. It is the best way to manage large or complex data volumes – a key requirement for today’s high velocity of sanctions issuance. Indeed, today’s screening platform should combine the cloud with a best-in-class core technology stack providing low-latency ETL and high-speed screening, capable of a million transactions a day.

Firms also need tools with high levels of self-configurability that can address requirements without product customisation or professional services. This enables firms to adapt to regulatory change quickly and easily in the future, without the weight of high cost installed software.

In addition, today’s screening platform should include APIs that enable the solution to exchange information directly with other systems, such as CRM platforms, no matter where those systems are located. This enables screening to overcome silos within firms – communicating and harvesting data across the whole enterprise at lightning speed.  

Financial firms that fail to invest in a cloud-based sanctions screening platform today are potentially significantly increasing the risks that they face, while also failing to meet the demands of digital transformation. Firms should think more strategically about sanctions screening technology and the benefits it can bring to their organisation today and in the future.


[i] https://www.statista.com/statistics/1294752/sanctions-imposed-on-russia-by-actor/

Mind the growing financial crime technology gap

There is a growing gap between increasingly demanding anti-money laundering (AML) and sanctions compliance requirements and the technology capabilities of financial services firms to respond to those requirements. Regulatory change and increased sanctions activity have created operational pressures that are being tactically plugged by working incumbent technology harder and expanding compliance headcount. This situation is unsustainable because of its cost and complexity – organisations need to increase the amount of automation in their financial crime processes to improve compliance effectiveness, increase operational efficiency and increase the responsiveness of controls to new risks.  

Continuous AML rule changes

In the AML space, regulatory change is constant. For example, in the UK, amendments to the Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017 had an implementation deadline of 1 September 2022. The amendments include an explicit legal right of access for regulators to suspicious activity reports (SARs), so that they can consider the quality of their content. This is putting new pressure on firms to improve their SARs processes.

In the EU, a 7th Anti-Money Laundering package is working its way towards being finalised. This creates a single AML rulebook for the whole of the EU, and will also produce a new EU Anti-Money Laundering Authority which would directly supervise large, cross-border entities and provide support to national regulators. The new rules also require compliance functions to have adequate resources, staff and technology in place. The goal is to raise supervisory standards, and therefore AML compliance standards, overall.

At the international level, the Financial Action Task Force adopted amendments which require countries to prevent the misuse of legal persons for money laundering or terrorist financing in March 2022. They also require firms to ensure that they have adequate, accurate and up-to-date information on the beneficial ownership and control of legal persons. All of these evolving rules – and others – add to the compliance burden firms are under and create significant regulatory change complexity. Firms are often finding they cannot easily adapt their existing technology to cope without growing complexity in the underlying code that supports the technology, and the liberal use of manual processes.  

Managing thousands of sanctions

Organisations are also struggling to keep up with the pace of sanctions issuance. Since the start of the war in Ukraine, more than nine thousand sanctions[i] have been published against Russian individuals and entities. These Russian sanctions have strained operations within firms, especially where there is a reliance on manual processes, or where significant manual intervention is required. Regulators like the UK Financial Conduct Authority say they expect firms to have established systems and controls to counter financial crime risks – and that includes compliance with financial sanctions obligations.  However, many firms privately admit that they are having to try to hire and train people to keep their sanctions processes from being overwhelmed.

Firms are resorting to tactical responses because they have not kept up their investment in financial crime technology. While firms are heavily investing in digital transformation in other areas of their business, their financial technology can be a decade old or more. As a result, activities such as AML and sanctions screening can require significant human intervention – for example, to reduce false positives. Hiring more talent to try to keep up is no longer a viable solution as there is a significant talent squeeze in compliance roles, which can be evidenced by the escalating cost of hiring. According to the 2022 Thomson Reuters Cost of Compliance survey 67% of respondents expect the cost of senior compliance staff to be more than today over the next 12 months, compared with 47% in the 2021 survey[ii].

Firms need to change their strategic approach to meeting financial crime compliance requirements and implement technology that is fit for purpose. They need technology that is agile enough to meet regulatory change demands, reduces workloads through AI-automated false positive remediation, and is configurable to meet an individual company’s risk profile. Firms that do not invest in the next generation of financial crime technology may find themselves facing greater compliance risk, regulatory risk, and reputational risk down the road.


[i] https://www.statista.com/statistics/1293531/western-sanctions-imposed-on-russia-by-target/

[ii] https://legal.thomsonreuters.com/en/insights/reports/cost-of-compliance-2022-competing-priorities/form

AML-KYC – balancing effectiveness with operational sustainability

The year-on-year increase of AML-KYC workload sometimes feels as much of a certainty as death and taxes. Institutions must manage screening obligations that become more expansive and complex, with fewer exceptions for simplified processes. At the same time, the cost of a compliance failure becomes greater, in terms of societal impact, regulatory fines, remediation efforts, and the damage to reputation. In response, the scale, cost, and complexity of institutions’ countermeasures and controls have increased exponentially. An unintended consequence of stretching resources to meet compliance obligations is that an organisation becomes less well-placed to focus on customers and business goals. Simply reducing AML-KYC budgets or down-sizing teams is not a viable option because of the increased risk of an unacceptable gap emerging between compliance obligation and operational capacity. The traditional approach of adding large numbers of compliance FTEs might offer a short-term fix but is unsustainable over the long-term. Finding the middle ground between compliance effectiveness and operational sustainability now depends on technology innovation. 

External pressures not diminishing 

In recent years, compliance operational capacity has scaled significantly in response to new regulatory requirements. The consequential sustained increase in compliance budgets is well-documented, affecting all tiers of institution, in every region. At the same time, regulators’ expectations of the standard of compliance effectiveness have risen at a faster rate. An addressable and relatively immediate response to meeting these expectations has been to hire more compliance staff. However, continuing this approach is not just economically unsustainable, it creates large, complex control frameworks that are more prone to systemic failure. Meanwhile, customers are faced with an increasingly high rate of compliance friction – at a time when fintech challengers can provide a more seamless experience. The demands of continuously improving compliance excellence and customer satisfaction cannot be mutually exclusive. New ways of addressing these dynamics are needed. 

Automation is just the first step 

Large financial institutions can employ, directly or indirectly, thousands of compliance analysts. Even if these organisations are largely outsourced or offshored, operational costs are still significant. The combination of internal op-ex pressures and regulators seeking higher levels of effectiveness – that go beyond mere technical compliance – has inevitably led to the wider use of automation technology. The repetitive actions of a compliance process are typically very suitable tasks that can be transferred from humans to Robotic Process Automation or AI-led machine learning technologies. When applied to tasks such as investigating alerts, false positive reduction rates of 60-80% is a common outcome, particularly in retail banking. Such outcomes typically yield a massive cost-saving, without introducing significant new risks. However, whilst automation is delivering big operational efficiencies in many institutions, the opportunity to improve compliance effectiveness is often not realised fully. If restricted to making existing processes quicker and cheaper, the compliance up-side of automation is limited. Yes, there are benefits in that staff can be re-deployed to focus on more qualitative tasks. But a bigger impact will be made if new technology is utilised more fully to provide smarter processes using risk analytics.  For projects to be successful, technology must deliver more than operational agility and high speed-to-compliance. Full transparency must also be delivered to enable every automated decision to be contextualised and understood. 

Mind the gap  

Compliance technology strategies are often a series of tactical reactions to short-term objectives. Whilst the velocity, scale, and complexity of AML-CFT requirements are unlikely to diminish, attempting to manage these challenges by adding more people is not sustainable. Similarly, a failure to realise the full potential of technology innovation will not improve compliance effectiveness. 

No institution can afford a gap to develop between regulatory obligation and operational capacity. Finding the right balance needs risk analytics technology that can deliver both massive efficiencies through automation and improved compliance effectiveness from more insightful customer intelligence. 

Effective screening and long-term sustainability

Delivering effective AML-CTF risk management is a complex and resource-intense task that requires institutional focus and resilience. The regulatory requirements of obliged institutions are progressively more complex, expansive, and volatile, requiring additional operational agility and capacity. Faced with additional workload, institutions can find it difficult to maintain control frameworks, even with significant increases in technology and FTE budgets. Finding an approach to delivering effective compliance – that is also sustainable – is critical. 

Pragmatic and tactical capability – but limited strategic potential 

The roll-out of an enterprise-wide platform with the flexibility and capacity to manage risks across jurisdictions, lines of business and products is a goal for many financial institutions. In reality, despite considerable progress, AML-CFT controls are still often based on complex frameworks with multiple points of evolution. Instead of centralised platforms with holistic reporting and governance controls, many institutions use an array of different core Reg-Tech platforms and point solutions. Such scenarios are typically the outcome of a series of pragmatic decisions designed to meet critical and immediate challenges. However, the result is difficult and expensive to scale to new risks. It is also difficult for institutions to standardise a consistent approach to compliance across all areas of a large business. Furthermore, the complexity of these arrays often leads to a very conservative approach to technology innovation – driven by the fear that change could cause unintended consequences. Whilst enabling short-term compliance, this tactical approach impedes the development of a comprehensive FCRM technology and operations strategy that can respond – effectively and efficiently – to risks and obligations over the long-term.  

Risks evolve – but has technology kept pace? 

The definition, scope and not least the risks of money laundering and terrorism financing have evolved significantly since the times when financial institutions first started addressing these issues as a legal responsibility. However, much compliance technology infrastructure is still based on cores that were built to respond to challenges as they existed 10-20 years ago. For example, sanctions screening technology often has a direct lineage to the first generation of OFAC screening tools. Similarly, some screening products are based on simple extensions of sanction filters. These pedigrees have some advantages, such as longevity, stability, and resilience. However, these attributes also make it harder to scale capabilities, to deploy with agility and to enable transparent decisioning. In parallel, the evolution of banking and financial institutions – from digitisation, payments standards, open banking, and new products – can lead to a gap between the original design purpose of screening technology and today’s requirements. 

Inertia versus the cost of change 

Deploying new generation FCRM technology platforms in place of legacy arrays offers many advantages, most tangibly in the form of improved compliance effectiveness and operational efficiency. A new approach can also provide clear lines of sight that enable insightful operational and regulatory reporting, enterprise-wide standards of governance and compliance consistency across all areas of a complex organisation. Despite these advantages, institutions might defer replacing older incumbent systems due to the perceived cost of change. The complexity and effort required to migrate and engineer new tools should not be under-estimated. However, cost-of-change should not be an impediment to implementing a strategic plan for FCRM controls. Maintaining the status quo has an intrinsic expense that grows as older technology becomes more difficult to support. However, the greatest potential cost is that older tools are progressively less capable of responding to new risks and regulatory requirements. Sweating FCRM technology to the limit of efficacy or utility raises the risk of a control failure. In this context, the cost of organisational inertia is far greater than the cost of technology change. 

Improving screening effectiveness

In a volatile AML-CTF landscape it is critical to improve the speed-to-compliance. However, achieving a faster response can be self-defeating if it introduces compromises to compliance effectiveness. Simply making existing processes faster might yield short-term tactical gains but can lead to a primary focus on supporting the status quo. This approach can lead to a lesser resource capacity for continuous compliance improvement. Innovation in screening programmes must therefore also consider how the standards of compliance effective can be raised in the short-term whilst also delivering capability and capacity that is ready for future challenges.

Screening capabilities for all target types

Compliance screening used to be a relatively binary process: governments issued lists of sanctioned geographies, persons, or entities; these lists were then screened, with the outcome of a determination if a target matched against a client record or transaction. Today the task is more complex. Screening requirements now include a broader range of risk types, for example, beneficial owners, persons of significant ownership, family members and professional associates, or even certain capital markets instruments, financial services, or manufactured goods. Furthermore, not all sanctions targets are cited on tangible lists or even pseudo-lists. This reality requires more investment in understanding screening data requirements and for the procurement of the right data. Institutions must also ensure that screening technology has a comprehensive technical capability to screen the full spectrum of risk, regardless of type. To be successful, appropriate screening methodologies must be implemented and maintained for each type of sanctions target.

Matching techniques for diverse risks

Expansive and complex sanctions requirements require a continuous review of the rules used to determine potential correspondence to risk. For example, would an alert be triggered for a sanctioned company from Russia if a Ukrainian variant of that name was transcribed phonetically for use in Germany? Phonetic name matching has been developed into many screening tools. However, achieving a deep understanding of how matching technology works – so that rules can be defined and maintained properly – is difficult if the “explainability” of matching algorithms is not a fundamental design feature.

Additional false negatives countermeasures

False positives reduction, or optimisation, is a priority for many institutions managing the inevitable consequences of screening massive client or transaction data volumes. Much progress has been made in these scenarios to deploy robotic automation or machine learning to investigate, categorise and route alerts quickly and efficiently. This push to increase operational efficiency has clear compliance benefit of releasing resources for more qualitative tasks. However, institutions could also consider implementing a second layer of controls to reduce the risk of false negatives. For example, re-screening data that did not trigger alerts in a primary screening process could identify undetected risks, notably when newer technology is used in a secondary process.

Responsive impact assessments

The intensity and velocity of AML-CTF screening – and the high cost of a compliance failure – has created operational environments that have little time to model the impact of new requirements and then to configure accordingly. This is often an issue when there is a dependency on older, less nimble technology that is difficult or time-consuming to test new rules quickly. The lack of a timely impact assessment can then create downstream operational issues. Moving to towards more responsive testing and modelling in can mitigate these issues and ensure a better focus on managing risk.

Beware – Technology Debt

In summary, technology should always be an enabler of compliance effectiveness, never an inhibitor. The focus of screening technology is, inevitably, on short-term imperatives. However, the impact of technology debt on long-term compliance should not be underestimated.

Achieving effective speed-to-compliance

A critical objective of a financial crime risk management strategy is to ensure a rapid and agile response to new or evolving AML-CTF risks. Screening programmes that respond quickly and effectively to new compliance expectations not only reduce institutional risk exposure: they can also ensure that sanctions targets have less time to move or hide assets. 

However, achieving speed-to-compliance that is effective and sustainable operationally is increasing difficult. These challenges have increased in the contemporary context of complex, expansive and high velocity international sanctions following the invasion of Ukraine by Russia.  

In addition to the continuous assessment of threats and regulatory requirements, a strategic FCRM plan must also consider the capacity and utility of operations and technology resources. Components of an AML-CTF control framework that are critical in delivering speed-to-compliance include: 

List Management

Ensuring that all the sanctions lists required by an institution are available in screening programmes has become an increasing complex task. Unique list requirements are set by many different jurisdictions and by multiple government agencies within those jurisdictions; and these agencies can publish multiple lists. Operational complexity is increased by multiple types of data formats and targets. At the same time, a higher update velocity must also be managed to ensure that all required list data is available for continuous screening. Managing these tasks requires list management software that can be configured quickly in response to increases or changes in any of these variables and that there is adequate capacity to address future demands.  

Data quality assurance

Whilst there are laudable initiatives to standardise the formats of sanctions lists, it remains the case that an institution is likely to source sanctions data in many standards or formats. Once retrieved, these disparate data sets are typically primed for screening using various data management processes. Ensuring the speed, accuracy, consistency, and resilience of these processes is critical. As a result, additional investments are being made in data management and governance capabilities to improve data configurability, real-time reporting, and operational analytics – with the objective of ensuring the timely response of screening technology to compliance policy objectives. 

Screening speed and scalability

The expectation that screening technology will respond promptly to new compliance requirements is accompanied with the assumption that compliance goals will be met without compromise to search accuracy or performance. However. adjusting to increasing operational load and heightened expectations, whilst maintaining, if not improving, speed, is increasing difficult if incumbent screening technology is constrained by technology debt. This requires institutions to reassess whether screening operations can continue to deliver sustained operational excellence – and for how long – or if newer technology can provide improved speed, risk detection and scalability to increasing data volumes. 

Tuning and testing

Increases in the range of direct and in-direct sanctions targets have the potential to slow down compliance processes, especially if screening systems are not supported with additional resources. The traditional short-term response of adding headcount to operational capacity might still be valid but investment in AI-led automation is increasingly preferred. However, either approach can be made more effective and efficient by more focus on the upstream modelling and testing of the impacts of new screening requirements. To avoid a compliance gap, this testing should take place in real-time, without incurring an operational penalty. 

In summary, the pace and intensity of today’s regulatory compliance requirement is placing additional demands on screening operations. Technology innovation that delivers low-latency processing and capabilities for handling massive data can mitigate these challenges whilst increasing speed-to-compliance and providing additional capacity for future needs. 

The next post in the series will consider the challenges of improving the compliance effectiveness of screening and how technology can lead the response.