The growing calls for enterprisewide systems at financial institutions range from risk management systems to payments systems and a host of other things. Anti-money laundering can also be added to the list. According to panelists who spoke at SIFMA's annual Anti-Money Laundering and Financial Crimes Conference in New York on March 4, banks and other financial institutions should work toward implementing a more holistic view of their AML policies and procedures if they really wish to remain compliant.
"An enterprisewide policy is critical to protecting the firm from abuse, for maintaining good relationships in jurisdictions and for making its employees understand they are all responsible for detecting suspicious activities," Arlene Semaya, SVP, compliance managing director for J.P. Morgan Chase, told attendees.
Enterprisewide means enterprisewide, stressed the panelists, and the policies should even apply to exempt parts of the business. "You don't want to create any gaps in the firm," Semaya said.
One of the first steps in creating an enterprisewide AML program is to understand the firm's structure, explained Semaya. "You need global, high-level policies and practices. The different lines of business also need their own AML policies to supplement the company's global AML policies."
Lines of business will create their AML policies based on their particular risk exposures while also remaining compliant with firmwide AML policies. This risk assessment will form the basis for AML policy by unit and for the enterprise. "You must first understand the firm's risk before establishing an AML policy," continued Semaya. "Each line of business will be responsible for doing its own risk assessment."
She said it is important to look at such areas as products and services offered, customers, geographies where customers operate and the strategies of the lines of business. "You also want to look at your controls—what controls do you have in place to mitigate these risks—such as customer verification and identification controls, transaction monitoring and due diligence."
Semaya acknowledged this is a time-consuming process that takes a good deal of thought. But she also noted risk assessments must be done periodically since risks change.
However, if the firm doesn't have buy-in from executive management, even the most well-structured AML programs may fall flat. "To really engage management early on is so important for getting buy-in on what you're doing," stated C. Rachel Romijn, SVP, compliance director, with Wachovia. "Make it some form of a partnership."
Having a dedicated entity to oversee AML efforts also helps. This should occur at both the enterprise level and at the line of business level, according to JPMorgan Chase's Semaya. "You need a committee to provide guidance on things like high-risk countries, customer types, additional due diligence for a particular product line," she suggested. "Firmwide, this must be brought to the level of an AML committee to ensure there is a firmwide standard and that the additional standards are implemented by the lines of business."
And don't forget any international affiliates when formulating an AML program. Their requirements consist of local AML requirements and those of the firm, noted Semaya. Adds Alan Williamson, managing director, forensic science, with KPMG, "Make sure your offshore affiliates understand the regulations and what they mean. There are cultural differences worldwide."
To emphasize Williamson's point, Suzanne Williams, manager, BSA/AML risk, bank supervision and regulation with the Board of Governors of the Federal Reserve, recalled an incident in an unnamed country where the firm told her team they were asking for maiden names of their customers' mothers. It may sound similar to the practice in the U.S. for authenticating someone's identity, but upon further questioning, the local supervisor said it was because they wanted to make sure the customer comes from a good family.
Of course, the question of cost comes into play with any major project such as enterprise AML, noted KPMG's Williamson. "If you implement an AML program, especially globally, who is going to pay for it?" he posed. "It must be very clear whose cost center is going to be charged." He said this was a common stumbling block in many of the AML projects he has seen.
Cost is even more important in today's world where discretionary spending is being kept at a minimum by most banks. Look for efficiencies in the due diligence process, Semaya recommended. Banks can use the due diligence information obtained by one line of business and apply it to another business unit, especially if there are common customer relationships. "The key is communications and having a database where people can find this information," she said. "When investigating red flags, you have the due diligence for the same customer across lines of business."
"This goes back to corporate governance," added John Panagopoulos, director, head of investigations and surveillance, global financial crime, at Barclays Capital. He said that if the bank exits a relationship, it better make sure all silos are aware of the action.
It's just not about transactional risk anymore, but reputational risk as well, emphasized Wachovia's Romijn. All agreed that banks need plans for dealing with negative information. KPMG's Williamson said much of what happened in the Madoff case could have happened to anyone. "Think about what something will look like once it blows up," he said.
At its heart, creating an enterprise AML program is a tremendous task. However, it makes no difference whether a firm buys a vendor solution or uses proprietary technology to accomplish its goals, related Barclays' Panagopoulos, "as long as you can map risks in the line of business to a model, an exceptions report and policies or procedures."