Anti-financial crime technology updates needed to meet regulators’ increasing supervisory capacity

The financial crime technology stacks within banks, investment firms and insurers are struggling to meet today’s regulatory expectations. Although many financial services firms are working hard to meet their compliance obligations, out-dated software is now holding them back from realising the best compliance outcomes. 

Growing regulatory sophistication around financial crime takes many forms. To begin with, regulators are much savvier about technology and data. For example, the UK Financial Conduct Authority (FCA) has access to cutting edge financial crime and anti-money laundering technology through its Regulatory Sandbox, Digital Sandbox, and FCA Innovation Hub programmes. Over the past two years, the regulator has also brought in key technology talent, including a new CIO, and a director – intelligence and digital. Jessica Rusu, chief data, information, and intelligence officer, established a new division – Data Technology and Innovation – after she joined in June 2021. Recent new rules, such as the Consumer Duty, contain informed data and technology expectations – a supervisory approach that is also being applied in some areas of financial crime, such as trade surveillance.  

The FCA is also making its expectations clear in what it is saying at industry events. For example, in a September 2022 speech, Sarah Pritchard, executive director of supervision, policy and competition – markets at the FCA said, “Embed your financial crime checks in your systems from day one but keep evolving as the threats evolve. Use the power of data and tech and stay alert for situations in which you may need to recalibrate your defences and alerts.” The regulator is not standing still when it comes to data and technology, and it doesn’t expect firms to, either. It wants to see compliance agility within firms. 

Increasing enforcement 

As well, the UK FCA is using enforcement actions to make its messages around financial crime processes – including data and technology – heard. For example: 

  • In mid-July 2022, a firm was fined more than £2 million for inadequate financial crime systems and controls, pushing the firm into liquidation. 
  • In late June 2022, a branch of a bank was fined more than £5 million for failing to have the right policies and procedures in place, having inadequate enhanced due diligence, and having inadequate enhanced ongoing monitoring.  
  • In December 2021, a large international bank was fined nearly £70 million because its policies and procedures for two of its key automated transaction monitoring systems were not appropriate or sufficiently risk- sensitive, and the bank did not ensure the policies that managed and monitored those systems were adequately followed. 

So, while the regulator is encouraging firms to raise their game around financial crime data and technology, it is also inflicting significant punishment on those which don’t meet the required standard. 

Fresh expectations 

Regulators want to see improved use of data and technology to meet financial crime compliance requirements within firms. They want to know why firms have the solution in place that they do, what their processes are, and how they manage the data. They are looking at the suitability of the firm’s controls and the effectiveness of those controls.  

In short, regulators are demanding more explainability of processes and outcomes. Much of current financial crime technology is a “black box”, and financial firms do not understand what is going on inside. Regulators are pointing out that this means that these firms do not have a sufficient grasp of key elements of their overall financial crime programme – the data and the technology – and this can lead to suboptimal outcomes.  

Firms should seek a financial crime solution that delivers an open-box approach, providing transparency of the logic behind every risk decision, and an audit trail of decision-making. Also, the solution should enable the compliance team to model and test the impact of new screening requirements – to improve speed to compliance –​ and provide specialised support for all major commercial watchlists. A cloud-based solution delivers more agility, which gives regulators confidence that the firm is capable of complying with future regulatory change. ​​ 

For many firms, now is the time to upgrade the data and technology that supports their financial crime processes. New approaches to financial crime processes deliver on regulatory demands, while at the same time enhancing the ability of firms to detect and prevent financial crime taking place within their organisations. 

Mind the growing financial crime technology gap

There is a growing gap between increasingly demanding anti-money laundering (AML) and sanctions compliance requirements and the technology capabilities of financial services firms to respond to those requirements. Regulatory change and increased sanctions activity have created operational pressures that are being tactically plugged by working incumbent technology harder and expanding compliance headcount. This situation is unsustainable because of its cost and complexity – organisations need to increase the amount of automation in their financial crime processes to improve compliance effectiveness, increase operational efficiency and increase the responsiveness of controls to new risks.  

Continuous AML rule changes

In the AML space, regulatory change is constant. For example, in the UK, amendments to the Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017 had an implementation deadline of 1 September 2022. The amendments include an explicit legal right of access for regulators to suspicious activity reports (SARs), so that they can consider the quality of their content. This is putting new pressure on firms to improve their SARs processes.

In the EU, a 7th Anti-Money Laundering package is working its way towards being finalised. This creates a single AML rulebook for the whole of the EU, and will also produce a new EU Anti-Money Laundering Authority which would directly supervise large, cross-border entities and provide support to national regulators. The new rules also require compliance functions to have adequate resources, staff and technology in place. The goal is to raise supervisory standards, and therefore AML compliance standards, overall.

At the international level, the Financial Action Task Force adopted amendments which require countries to prevent the misuse of legal persons for money laundering or terrorist financing in March 2022. They also require firms to ensure that they have adequate, accurate and up-to-date information on the beneficial ownership and control of legal persons. All of these evolving rules – and others – add to the compliance burden firms are under and create significant regulatory change complexity. Firms are often finding they cannot easily adapt their existing technology to cope without growing complexity in the underlying code that supports the technology, and the liberal use of manual processes.  

Managing thousands of sanctions

Organisations are also struggling to keep up with the pace of sanctions issuance. Since the start of the war in Ukraine, more than nine thousand sanctions[i] have been published against Russian individuals and entities. These Russian sanctions have strained operations within firms, especially where there is a reliance on manual processes, or where significant manual intervention is required. Regulators like the UK Financial Conduct Authority say they expect firms to have established systems and controls to counter financial crime risks – and that includes compliance with financial sanctions obligations.  However, many firms privately admit that they are having to try to hire and train people to keep their sanctions processes from being overwhelmed.

Firms are resorting to tactical responses because they have not kept up their investment in financial crime technology. While firms are heavily investing in digital transformation in other areas of their business, their financial technology can be a decade old or more. As a result, activities such as AML and sanctions screening can require significant human intervention – for example, to reduce false positives. Hiring more talent to try to keep up is no longer a viable solution as there is a significant talent squeeze in compliance roles, which can be evidenced by the escalating cost of hiring. According to the 2022 Thomson Reuters Cost of Compliance survey 67% of respondents expect the cost of senior compliance staff to be more than today over the next 12 months, compared with 47% in the 2021 survey[ii].

Firms need to change their strategic approach to meeting financial crime compliance requirements and implement technology that is fit for purpose. They need technology that is agile enough to meet regulatory change demands, reduces workloads through AI-automated false positive remediation, and is configurable to meet an individual company’s risk profile. Firms that do not invest in the next generation of financial crime technology may find themselves facing greater compliance risk, regulatory risk, and reputational risk down the road.



AML-KYC – balancing effectiveness with operational sustainability

The year-on-year increase of AML-KYC workload sometimes feels as much of a certainty as death and taxes. Institutions must manage screening obligations that become more expansive and complex, with fewer exceptions for simplified processes. At the same time, the cost of a compliance failure becomes greater, in terms of societal impact, regulatory fines, remediation efforts, and the damage to reputation. In response, the scale, cost, and complexity of institutions’ countermeasures and controls have increased exponentially. An unintended consequence of stretching resources to meet compliance obligations is that an organisation becomes less well-placed to focus on customers and business goals. Simply reducing AML-KYC budgets or down-sizing teams is not a viable option because of the increased risk of an unacceptable gap emerging between compliance obligation and operational capacity. The traditional approach of adding large numbers of compliance FTEs might offer a short-term fix but is unsustainable over the long-term. Finding the middle ground between compliance effectiveness and operational sustainability now depends on technology innovation. 

External pressures not diminishing 

In recent years, compliance operational capacity has scaled significantly in response to new regulatory requirements. The consequential sustained increase in compliance budgets is well-documented, affecting all tiers of institution, in every region. At the same time, regulators’ expectations of the standard of compliance effectiveness have risen at a faster rate. An addressable and relatively immediate response to meeting these expectations has been to hire more compliance staff. However, continuing this approach is not just economically unsustainable, it creates large, complex control frameworks that are more prone to systemic failure. Meanwhile, customers are faced with an increasingly high rate of compliance friction – at a time when fintech challengers can provide a more seamless experience. The demands of continuously improving compliance excellence and customer satisfaction cannot be mutually exclusive. New ways of addressing these dynamics are needed. 

Automation is just the first step 

Large financial institutions can employ, directly or indirectly, thousands of compliance analysts. Even if these organisations are largely outsourced or offshored, operational costs are still significant. The combination of internal op-ex pressures and regulators seeking higher levels of effectiveness – that go beyond mere technical compliance – has inevitably led to the wider use of automation technology. The repetitive actions of a compliance process are typically very suitable tasks that can be transferred from humans to Robotic Process Automation or AI-led machine learning technologies. When applied to tasks such as investigating alerts, false positive reduction rates of 60-80% is a common outcome, particularly in retail banking. Such outcomes typically yield a massive cost-saving, without introducing significant new risks. However, whilst automation is delivering big operational efficiencies in many institutions, the opportunity to improve compliance effectiveness is often not realised fully. If restricted to making existing processes quicker and cheaper, the compliance up-side of automation is limited. Yes, there are benefits in that staff can be re-deployed to focus on more qualitative tasks. But a bigger impact will be made if new technology is utilised more fully to provide smarter processes using risk analytics.  For projects to be successful, technology must deliver more than operational agility and high speed-to-compliance. Full transparency must also be delivered to enable every automated decision to be contextualised and understood. 

Mind the gap  

Compliance technology strategies are often a series of tactical reactions to short-term objectives. Whilst the velocity, scale, and complexity of AML-CFT requirements are unlikely to diminish, attempting to manage these challenges by adding more people is not sustainable. Similarly, a failure to realise the full potential of technology innovation will not improve compliance effectiveness. 

No institution can afford a gap to develop between regulatory obligation and operational capacity. Finding the right balance needs risk analytics technology that can deliver both massive efficiencies through automation and improved compliance effectiveness from more insightful customer intelligence.