News & Commentary

10:11 AM
Richard Paxton and Joe Veckerelli, The Alacer Group
Richard Paxton and Joe Veckerelli, The Alacer Group

Proactively Adopting AML Best Practices Saves Money and Averts Government Headaches

Most financial institutions have the same issue -- the AML department has more work than it does resources. How does a bank solve this?

Financial institutions often adopt Anti Money Laundering (AML) best practices as an afterthought, usually in response to significant fines. But there are sound fiscal reasons why banks should be proactively establishing processes that can identify more efficient ways to conduct AML reviews before they are needed to comply with regulatory examinations. So why don’t they?

Most financial institutions have the same issue -- the AML department has more work than it does resources. This is partially due to growth, but is highly correlated with the level of detail now part of regulatory reviews and the significant fines being levied on organizations that do not fully comply. These factors are the catalyst for maximizing both the efficiency and effectiveness of AML reviews, as well as upstream and downstream processes. By addressing these inefficiencies head on, financial institutions have been able to optimize their processes, which in turn have enabled them to increase capacity to handle incremental volume without materially increasing expenses.

To deliver this type of change requires cross-functional support as well as a proven approach to continuous improvement such as the Lean Kaizen method. Lean is a methodology that eliminates waste and boosts efficiency; Kaizen refers to continuous improvement. By applying Lean Kaizen tools and engaging the appropriate AML/compliance/business stakeholders, almost any AML process can be dramatically improved.

To be successful, key stakeholders must come together, baseline performance data, and document the current state process. During the Lean Kaizen session, defects and non-valued activities, or waste, are identified. And since all of the key stakeholders are in the room, process improvements can be brainstormed, and a future state or ‘to be’ process documented. Kaizens are a key tool in accelerating the pace of change. In one recent Lean Kaizen event, a global financial institution found that approximately 35 percent of the steps in the AML investigation process added no value. The steps were in place due to historical norms and the fact that the processes had not been updated or revisited despite a series of acquisition integrations, system changes and dramatic growth of the organization. By identifying the steps that did not add value, obtaining the requisite approval and updating the process (including procedures, manuals, etc.), the end-to-end process became 44 percent more efficient. This led to a commensurate reduction of cycle time and increased capacity to handle growth without adding new headcount.

In another real world example involving a large financial institution, the mood was optimistic in the kick off meeting, but the situation was daunting:

-- There were backlogs in many areas

-- Metrics were not clearly established and agreed to within the organization

-- There were dozens of internal audit and regulatory findings which needed to be addressed

-- Many of the AML processes and systems were not optimized

Despite these challenges, the team established a plan to tackle each of the core issues it was facing and set up a resource plan and operating rhythm to chart progress versus goals.

The first step was to identify metrics with Green/Yellow/Red definitions for each of the key processes within the AML department. The team then established a consistent process that facilitated weekly reporting in a standard, structured format. This enabled AML managers to provide their executives with weekly status updates on a consistent and timely basis. Within 6-8 weeks, each manager was reporting his or her metrics consistently and armed with data to intelligently and confidently speak to the performance of their processes. And, even if they were in Red or Yellow status, they could now more accurately communicate the data and develop a credible remediation plan.

The next step was to establish staffing models based on several months of historical data. This made annual resource planning much more effective and the managers who could ‘talk to their numbers’ became more successful in receiving approval for their resource requests.

Finally, process efficiency and productivity reviews for each critical AML function were performed. The goal was to streamline the processes as much as possible and make them easier – with fewer bottlenecks, fewer steps and insuring that the control points were in place where they needed to be. One year later, the organization was operating within their targets, had much greater control over their processes and had achieved a level of stability which increased the regulator’s and senior management’s confidence in growing the business.

All financial institutions should proactively evaluate each pillar of their AML programs. Waiting for internal audit or the regulators to do this during their examination can be even more time consuming and costly than performing this review before they arrive. Being able to articulate the pillars of your AML program is essential and it is helpful to be able to identify the improvements you are making to each pillar along with the rationale. Having this in place can lead to a more proactive discussion with auditors and regulators.

Granted, the AML function is complex, but when you really break it down, AML is a series of processes. Despite their complexity, AML processes can be analyzed and improved using Lean, Kaizen, Six Sigma and other process improvement and reengineering tools that can greatly improve their effectiveness and efficiency.

Richard Paxton is CEO and Joe Veckerelli senior manager of AML for The Alacer Group

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Author
3/15/2013 | 9:24:03 PM
re: Proactively Adopting AML Best Practices Saves Money and Averts Government Headaches
This was one of the areas discussed at BAI Payments Connect where new regulations may be forthcoming this year.
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Janice, I think I've got a message from the code father!
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.