Developing strategies around enterprise risk management has been on the agenda of the industry's risk and IT executives for years. In these days of greater threats and greater regulatory scrutiny, banks are taking steps to ensure they have a holistic view of risk in any of its forms. Anti-money laundering is no exception.
Jon Elvin, SVP, Bank Secrecy Act/Anti-Money Laundering officer with PNC ($286 billion in assets; Pittsburgh), says that establishing this enterprisewide view of risk should form the basis of any AML program. "You must look at your cross-channel exposure," he says. "From a risk perspective, particularly when related to fraud or an AML event, you either have dollar loss or reputational loss—sometimes both. An organization's ability to understand what its exposure is early on is challenging for financial institutions. But the ability to understand this exposure quickly helps them prepare a response to deal with it from the internal, external and regulatory points of view."
Elvin is encouraged to see banks moving away from the siloed, piecemeal approach to AML and risk management that characterized such initiatives for so many years. Whenever a new regulation was put in place, banks would respond by creating a new policy, procedure and technology to cope with it. "The industry is evolving and the speed with which an organization should implement such solutions is important," he says. "So an organization should look at how its past investments in people, process and policy can be leveraged to meet emerging regulatory demands."
The typical bank was structured so that it had separate teams for fraud, AML and other individual forms of risk. One of these teams would take the lead on a problem, depending on the nature of the issue. There was no holistic view, Elvin comments. "ERM is the only way to view risk," he says. "I don't think any organization has the perfect model for this yet, but it is the direction, the theme around how banks are starting to think about risk."
The key to success here is the data and properly mining it, Elvin says. "Part of the challenge is determining from where to get the information. But if you can pull nuggets of information from disparate data sources and provide meaning to it, that's where the value of [a holistic approach to risk] comes into play. But this is going to continue to be a challenge if the consolidation in the industry keeps up."
Elvin is seeing more banks look at better risk mitigation through the cooperation of technology, business and compliance people. Having all these groups at the same table in the day-to-day operations and strategy meetings adds value to the entire organization.
"Each has a different perspective that equates to earlier identification of potential solutions to problems. This approach has made a difference for PNC," he explains. "This is a cultural change and it doesn't happen overnight. It's the idea of collective success and finding balance and trust in one another. This has been part of PNC's way of doing business for quite some time."
The IT part of PNC's evolution toward monitoring enterprisewide risk involved developing a centralized case management approach, something Elvin is seeing his colleagues at other institutions implement as well. He says PNC uses a combination of vendors in its AML/risk strategy, including Oracle (Redwood Shores, Calif.). The bank employs the Reveleus and Mantas risk management solutions as part of the larger Oracle suite. By connecting all the important data points in an organization, implementing a centralized case management system and changing the organization's culture, Elvin says a certain level of confidence is established that the bank can respond appropriately when events occur.
"And if something does occur, you'll be able to assess the problem, quickly gather the facts and take appropriate action, like interacting with law enforcement, dealing with reputational issues and triaging the situation more quickly in general," he explains. "You can't approach this through an AML lens alone."