
Banks’ AML Strategies May Increase Risk Factors

The manner in which banks implement AML strategies could put them at further risk, study warns.

Banks' anti-money laundering programs could be risks in themselves, according to a report by Ernst & Young. Steve Beattie, coauthor of the report and a principal with E&Y's business risk services practice, says there is a lack of consistency when it comes to the ways banks implement their AML plans. "Implementing a consistent AML program across the enterprise is a challenging endeavor," he explains.

According to Beattie, regulators' main issues with AML plans tend to be very fundamental in nature -- training, customer identification programs, design, execution, Office of Foreign Assets Control (OFAC) checks and insufficient use of enabling technology. Financial institutions are aware of what needs to be done, he adds, but the trick is making sure consistent policies are implemented across the entire organization.

"You may have a nicely articulated program on paper, but how do you know it's being consistently applied globally across the enterprise? Money launderers always look for the weak point in the chain," Beattie says. "That's why you need consistency of policies across the organization." Not properly doing so can lead to regulatory risk, reputational risk and a significant amount of spend, he contends.

At the most basic level, according to Beattie, banks must meet the four pillars of AML regulations: a designated AML compliance officer; a system of internal policies, procedures and controls; an ongoing employee training program; and independent testing of the program. Ideally, an AML program starts with the right tone at the top, he adds, and takes into account the perspectives of the appropriate risk professionals.

"If a program is built in a vacuum, it may lack in areas," Beattie says. "So it's necessary to bring in areas -- compliance, internal audit, technology executives, risk managers and business managers. And it must be endorsed by executive management. This brings accountability." Banks also need to properly measure the ongoing effectiveness of their AML programs, Beattie continues.

The final component of an effective AML program, adds Beattie, is the technology. "Large organizations cannot accomplish all of the requirements for monitoring transactions and managing case loads without the use of technology," he says. "Technology is about more than efficiency -- it may in fact identify more potential issues requiring investigation."

While technology can assist a bank's AML efforts substantially, "There's no one-size-fits-all solution," Beattie notes. "They range from transaction monitoring solutions to pattern recognition and rules-based technology, even to artificial intelligence." The challenge, he adds, is integrating data silos. "Having this distributed information may hinder the ability of banks to aggregate their risk monitoring," Beattie says.

And things will only become more complicated as banks expand into new markets, Beattie points out. "It is necessary to ensure solutions are able to operate under different regulatory regimes," he says. To help alleviate this added rigor, future AML strategies will need to look at creating more-integrated solutions and enhanced aggregation of compliance activities, Beattie suggests.

"We're going to continue to see technology moving toward multidimensional risk indicators rather than looking at information within silos," Beattie says. "Open architectures will help banks react more quickly when adjusting profiles and staying a step ahead of money launderers."
