Creating Enterprisewide AML Program Is Huge but Necessary Task: SIFMA Panel

The growing calls for enterprisewide systems at financial institutions range from risk management systems to payments systems and a host of other things. Anti-money laundering can also be added to the list. According to panelists who spoke at SIFMA's annual Anti-Money Laundering and Financial Crimes Conference in New York on March 4, banks and other financial institutions should work toward implementing a more holistic view of their AML policies and procedures if they really wish to remain compliant.

"An enterprisewide policy is critical to protecting the firm from abuse, for maintaining good relationships in jurisdictions and for making its employees understand they are all responsible for detecting suspicious activities," Arlene Semaya, SVP, compliance managing director for J.P. Morgan Chase, told attendees.

Enterprisewide means enterprisewide, stressed the panelists, and the policies should even apply to exempt parts of the business. "You don't want to create any gaps in the firm," Semaya said.

One of the first steps in creating an enterprisewide AML program is to understand the firm's structure, explained Semaya. "You need global, high-level policies and practices. The different lines of business also need their own AML policies to supplement the company's global AML policies."

Lines of business will create their AML policies based on their particular risk exposures while also remaining compliant with firmwide AML policies. This risk assessment will form the basis for AML policy by unit and for the enterprise. "You must first understand the firm's risk before establishing an AML policy," continued Semaya. "Each line of business will be responsible for doing its own risk assessment."

She said it is important to look at such areas as products and services offered, customers, geographies where customers operate and the strategies of the lines of business. "You also want to look at your controls—what controls do you have in place to mitigate these risks—such as customer verification and identification controls, transaction monitoring and due diligence."

Semaya acknowledged this is a time-consuming process that takes a good deal of thought. But she also noted risk assessments must be done periodically since risks change.

However, if the firm doesn't have buy-in from executive management, even the most well-structured AML programs may fall flat. "To really engage management early on is so important for getting buy-in on what you're doing," stated C. Rachel Romijn, SVP, compliance director, with Wachovia. "Make it some form of a partnership."

Having a dedicated entity to oversee AML efforts also helps. This should occur at both the enterprise level and at the line of business level, according to JPMorgan Chase's Semaya. "You need a committee to provide guidance on things like high-risk countries, customer types, additional due diligence for a particular product line," she suggested. "Firmwide, this must be brought to the level of an AML committee to ensure there is a firmwide standard and that the additional standards are implemented by the lines of business."

And don't forget any international affiliates when formulating an AML program. Their requirements consist of local AML requirements and those of the firm, noted Semaya. Added Alan Williamson, managing director, forensic science, with KPMG, "Make sure your offshore affiliates understand the regulations and what they mean. There are cultural differences worldwide."

To emphasize Williamson's point, Suzanne Williams, manager, BSA/AML risk, bank supervision and regulation with the Board of Governors of the Federal Reserve, recalled an incident in an unnamed country where the firm told her team they were asking for maiden names of their customers' mothers. It may sound similar to the practice in the U.S. for authenticating someone's identity, but upon further questioning, the local supervisor said it was because they wanted to make sure the customer comes from a good family.

Of course, the question of cost comes into play with any major project such as enterprise AML, noted KPMG's Williamson. "If you implement an AML program, especially globally, who is going to pay for it?" he posed. "It must be very clear whose cost center is going to be charged." He said this was a common stumbling block in many of the AML projects he has seen.

Cost is even more important in today's world where discretionary spending is being kept at a minimum by most banks. Look for efficiencies in the due diligence process, Semaya recommended. Banks can use the due diligence information obtained by one line of business and apply it to another business unit, especially if there are common customer relationships. "The key is communications and having a database where people can find this information," she said. "When investigating red flags, you have the due diligence for the same customer across lines of business."

"This goes back to corporate governance," added John Panagopoulos, director, head of investigations and surveillance, global financial crime, at Barclays Capital. He said that if the bank exits a relationship, it better make sure all silos are aware of the action.

It's not just about transactional risk anymore, but reputational risk as well, emphasized Wachovia's Romijn. All agreed that banks need plans for dealing with negative information. KPMG's Williamson said much of what happened in the Madoff case could have happened to anyone. "Think about what something will look like once it blows up," he said.

At its heart, creating an enterprise AML program is a tremendous task. However, it makes no difference whether a firm buys a vendor solution or uses proprietary technology to accomplish its goals, related Barclays' Panagopoulos, "as long as you can map risks in the line of business to a model, an exceptions report and policies or procedures."
