This post first appeared on Risk Management Magazine. Read the original article.
Compliance is a critical function that receives attention
from both internal audit teams and regulatory and legislative agencies. Given
the sensitivity of their work, compliance functions have traditionally been
office-based, existing on a secured floor or area within the organization.
While some organizations were transitioning toward some degree of flexible
working practices for compliance professionals before the pandemic, the
majority of compliance employees were still primarily based in a secured office
environment due to the confidentiality and sensitivity of the work.
COVID-19 changed all that. Now, entire anti-money laundering
(AML) compliance team are working remotely. While many organizations have
successfully adapted and remain resilient, in the long-term, certain aspects of
remote work could create new challenges, such as maintaining team engagement,
ensuring team members share ideas and knowledge, maintaining investigation
quality, and securing sensitive data. When it comes to fighting financial crime
and ensuring compliance, what might the future look like?
The Evolution of Financial Crime
Regardless of external factors like the chaos of a pandemic,
regulated organizations still must adopt a risk-based approach and maintain
adequate systems and controls to prevent financial crime at all times. Indeed,
when the UK Financial Conduct Authority released updated guidance in May 2020,
it acknowledged the disruption to “business as normal” in financial crime
compliance, but stated that it still expected firms to maintain effective
systems and controls to combat financial crime and terrorist financing. It also
reiterated that firms should be aware of new or changing financial crime
threats and take an appropriate risk-based approach to mitigate these threats.
Before COVID-19, financial institutions had fairly
well-established processes for identifying suspicious activity for their
customers and in transactions flowing through their organizations. The current
climate has created challenges, as what is considered “normal” customer
activity has changed. As enterprises like restaurants and gyms try to stay in
business, they may have diversified their activities to earn revenue. Customers
who have historically relied primarily on cash have gone digital. Are these new
activities legitimate, or a suspicious change in behavior?
The majority of changes in customer behavior are likely to
be legitimate as people try to adapt to new circumstances. But some customers
are unlikely to revert to their old transactional behavior, so it will be
difficult for compliance investigation teams to keep up with legitimate changes
and spot suspicious behavior.
Going forward, we will likely see a quicker transformation
toward digital banking and reduction in the use of cash, both from legitimate
customers and criminals. Criminals will look for ways to digitalize the
cash-intensive parts of their operations, allowing them to move and layer their
illicit gains quicker, even when bank branches and money service businesses are
closed.
Not only will criminals change how they acquire and move
their illicit wealth, they will also exploit any opportunity to expand into new
ventures. For example, once the pandemic took hold, new instances of fraud
quickly appeared, such as phishing scams asking victims to click a bogus link
to claim a tax refund, scams alleging that someone came into contact with a
COVID-infected person, and sales of fake testing kits or non-existent or
substandard personal protective equipment. The Italian mafia even used COVID-19
to win over people and expand their criminal empire by offering support to
households that had run out of cash.
These changes mean that organizations must be alert to
potential new threats and review their detection systems so their models and
thresholds are appropriate. It is important to spend more time reviewing
unusual behavior to check if it is actually suspicious, and share new fraud
typologies with other regulated entities to help ensure all organizations can
adapt more quickly and maintain the front line against criminals.
The Need for Operational Resilience
Like criminal behavior, compliance is also evolving. The
pandemic has shown us that resiliency is a core requirement for any compliance
function and it will now be at the forefront of many compliance managers’
minds. As workers return to the office in some areas, organizations may be more
open to the possibility that employees can operate remotely and remain fairly
effective.
However, remote working creates challenges for
organizations, including how to maintain productivity and ensure appropriate
conduct and consistent, quality outcomes. Staff can feel isolated while working
from home, especially with little or no access to the office or limited access
to colleagues to share knowledge. To be successful, management must put
processes in place to ensure staff feel connected and reduce barriers to allow
employees to share ideas and knowledge. This could include daily or weekly
huddles, and ensuring that staff log into messaging apps to show their availability.
When possible, staff should also have access to video features during meetings
to promote better engagement than voice-only meetings.
At least some of the operational changes forced by the
pandemic may become permanent, making it important to maintain management
oversight regardless of work environment. When staff are not in the same office
as management to have a quick conversation or review, managers must maintain
discipline to ensure appropriate conduct among staff and quality and timeliness
of work performed.
Resiliency Through Technology
Not only do organizations need to help staff remain
operationally robust and resilient, they also need the right technology to
support workers and ensure the organization is complying with regulations. Technology
can help identify criminal activity and ensure compliance in various ways:
Better detection. Both contextual analytics and AI
can help improve detection, reducing false positives and ensuring true
negatives are not missed. Contextual analytics monitors all known information
about a customer, checking know-your-customer data against transaction data.
Organizations can integrate third-party data into the analytics, such as
adverse media or corporate information, or additional internal data sources such
as voice or digital communication with a customer. The more information you
know about a customer, the easier it is to spot abnormal behavior.
AI and advanced customer segmentation can also reduce alert
volumes, allowing you to concentrate on the alerts that are likely to result in
a suspicious activity report (SAR) filing. This, in turn, reduces the number of
staff required to respond to alerts and will provide capacity if there is an
absence on the team, allowing you to reallocate your workforce.
Improved alert and case management. Technology can
provide greater efficiency in the way alerts and cases are managed and
investigated. Predictive scoring using machine learning can predict how likely
an alert is to result in a SAR. This includes automating the alert allocation
process, sending some alerts directly to specific teams, and hibernating alerts
with low predictive scores until other suspicious activity occurs. Ensuring
higher-risk alerts are addressed first will help manage risk where investigation
teams may be stretched. Integrating third-party data into the platform can also
reduce manual processing, allowing investigators to quickly access all customer
activity.
Greater transparency and auditability. Integrated
management information and quality assurance tools can allow management to
quickly see what detection models are working effectively. They can also
monitor alert throughput, investigation and disposition quality, and ensure all
of this is completed quickly. Digitizing this process mitigates risk and
provides faster and higher quality oversight. It also ensures the organization
is fully compliant and able to justify its processes and decisions.
Effective communication. Communication is key when
staff are working in multiple locations. Both staff and management need the
ability to interact with each other. This helps with staff development and
decision-making, and builds a successful, coherent and aligned team. Isolation
and lack of communication among team members could result in reduced quality
and productivity, increasing the risk of something going wrong, such as an
incorrect disposal decision.
COVID-19 will continue to introduce new challenges. Whatever
the future holds, compliance teams will have to become more resilient and
flexible without sacrificing quality or consistency.