For the past four years, compliance with anti-money laundering and suspicious activity reporting (SAR) requirements has been the highest agenda item for most U.S. banks. For some institutions, it also has been the most significant overall risk management issue.
U.S. bank regulators expect banks to have a front-to-back compliance, audit and IT system to ensure compliance with applicable AML and SAR requirements. Banks must have automated and integrated information systems and IT systems for collecting customer identification information for monitoring ongoing activity in customer accounts and for identifying and reporting potentially suspicious activity. The monitoring software, for example, has to be regularly reviewed and adjusted to respond to changing external circumstances and changes in the customer base or patterns of customer activity. It must be flexible enough to be varied for different types of customers, products and geographic markets.
Robust, integrated systems are critical to AML and SAR compliance. For most large institutions, this has meant that there must be very close coordination among the compliance, risk management and IT departments in designing customer information files, software-monitoring systems and SAR reporting systems, and links among all of these systems.
There have been several prominent law enforcement actions against U.S. and foreign banks for failure to have these kinds of robust systems. Regulators do not necessarily have to find an instance of money laundering -- if they find that a bank lacks key elements of an AML or SAR compliance system or that the system is not operating effectively, that's enough for a regulatory enforcement order and a fine.