AML risk management as an effective operating system

The purpose of an organisation’s AML program is identified in multiple national and international frameworks, guidance, and regulations:

  • to protect the organization against money laundering, terrorist financing, and other financial crimes, and

  • to ensure that the organization is in full compliance with relevant laws and regulations.

The purpose

To meet the AML program objectives an organisation needs a set of capabilities which come together and operate as an effective risk management system to prevent, detect, and deter the organisation’s products and services being used for money laundering.

There is a vast body of information on what should comprise an AML program for an organisation, bearing in mind that every organisation is different in what it does, where it operates, and thus the inherent risks it has. The fact that well-established and well-regarded organisations are still frequently fined for not having their AML programs at the required standards indicates that the how is still very challenging for many organisations.

From my experience in multi-national banking with clients operating in multiple countries, AML operations are in fact extremely complex, and require that organisations have strong capability in both understanding and risk managing financial crime, and in operational science to create the operating model to effectively manage complexity.

AML regulations require a designated and suitably skilled compliance officer to be appointed by the Board for managing AML risks. Such an officer needs to be clearly expert in the financial crime subject matter, but how often will they be equally expert in complex operational systems? How do organisations effectively close this gap?

The challenge

The Financial Institution in the wider AML environment

A Financial Institution is a key participant in a wider eco-system of anti-financial crime measures and capabilities intended to reduce the impact of financial crime on society.

Predicate offences continue despite the efforts of law enforcement, resulting in a continued demand for money laundering from criminals. As AML measures become more effective, criminals look for new ways to launder money, so financial institutions need to be alert for new techniques and to put in place protection from being used for money laundering.

There is no standing still for Financial Institutions in the fight against money laundering, resulting in a continued need for maintenance and investment in their internal AML capabilities.

AML risk management is effectively an operating system

The idea that an organisation’s risk management activities can be considered as similar to a biological immune system is useful for determining which capabilities are needed to effectively mitigate the risk of money laundering.

As a biological body is continually exposed to both existing and new threats, it continually needs to repel known threats, and to identify and work out effective responses to new threats. If it cannot do both then the body will be weakened and eventually succumb to the attacks.

An organisation’s AML risk management system needs to be effective for known and new threats. This involves activities of detection, communication, learning, and responding. AML risk management needs to be a continuously learning system, just as an immune system is.

AML risk management activities cut across both the first and second lines of defence. The overall system effectiveness needs to be considered as a whole and is limited by the effectiveness of each of the component capabilities.

For a designated person to have confidence in the effectiveness of their organisation’s AML framework, they need to have a strong understanding of both the first and second lines even though they, as risk custodians, will usually sit in the second line.

The importance of a strong governance function

The Governance side of the organisation’s risk management framework is paramount because the Operational side will only deliver what is laid out in the requirements set by Governance.

Effective and timely incorporation of risk mitigation activities into the organisation’s governance artifacts requires a set of new threat detection capabilities with a regular refresh of the enabling artifacts and effective change management into Operations.

A typical process for this flow of new risk identification, assessment, mitigation, and operationalisation is shown in the diagram at left.

The risk immune system is only effective, though, when all staff are executing the new controls. The effectiveness of the risk management system is compromised if AML operations are not operating at the levels required or are not effectively adopting new action requirements.

The criticality of strong AML operational performance

Whilst the Governance side of the AML risk management system is essential to define what known AML risk the organisation will accept and how quickly it responds to new threat identification, how well the organisation is protected from known threats depends on how well AML activities are performed in business operations.

AML operations comprise the execution of a set of ‘detection’ services as shown in the diagram at right. Where AML risks are identified from the information collected during the execution of these services, the risks are investigated and assessed, mitigated, and then accepted or declined.

Risk acceptance gaps occur when the services are not executed or are delayed, are not executed to the standard required, or are ineffective in design. A strong AML risk governance framework can be compromised by AML operations not being performed to the required levels.

Whilst the AML function is about risk, it is also very much about operations, and it is therefore essential that the organisation is as strong in its operational capabilities around AML as it is in its governance capabilities.