Know-Your-Data: Key Lessons from AML Failures

Stephen Platt has spearheaded countless investigations on behalf of regulators into the conduct of financial services businesses, both on- and offshore. He is the original author of the International Compliance Association Diplomas and author of bestselling book Criminal Capital. He is widely regarded as one of the world’s leading financial crime prevention experts

Before he founded KYC Global Technologies, Stephen was regularly appointed by regulators to investigate and assess the financial crime risk management performance of businesses, including Tier 1 banks, trust and corporate service providers, and investments funds and brokerages. Experience taught him that the best place to start understanding how a business was managing its vulnerabilities was to look at its board of directors.

We spoke to Stephen about his experience in running systemically important regulatory enquiries and the lessons that he learned.  What follows is an edited transcript of that discussion.

Why did you start with the board in your analysis of AML performance?

Every fish rots from the head. I knew that, if a board wasn’t leading from the front on financial crime, the compliance performance of the business would be sub-optimal or worse. Board packs—the information supplied to directors in advance of their meetings and upon which key decisions are based—are like retinas. If you know how to examine them, they provide a window into the compliance health of a business.

What did you look for?

Many of the businesses I investigated had highly complex and what appeared on their face to be sophisticated governance architectures involving business units, risk functions, group risk functions, assurance functions, committees of the board and the board itself. Viewed one-dimensionally, the structures looked very impressive on paper, particularly so if they were populated by professionals who appeared to know what they were doing and at the apex non-executive directors (NEDs) with titles or honours conveying a measure of sophistication.

The truth is that, however sophisticated or complex a governance regime and the people responsible for it appear, risk governance is only as good as the fuel that drives it. Management Information (MI) is the fuel that drives every risk governance regime and the only management information worth a spit when it comes to financial crime prevention is data that most businesses are unable to marshal and report upon before it becomes out-of-date and inaccurate. The data that should be in board packs just isn’t there.

What data should a board be in possession of when it comes to financial crime?

To steward financial crime risk effectively, a board should have the following data divided by sector, country or business line and with the historic comparators for quarterly board meetings which should be contained within MLCO/MLRO reports:

• Total customer numbers by risk category, both in absolute and percentage terms, plus trend versus last quarter and previous annual and 5-year periods
• Periodic customer review performance and trend analysis
• Number of customers with identified KYC deficiencies
• Remediation progress on KYC deficient customers reported at the previous board meeting
• Number of customers whose risk profile has trended up or down by a certain percentage since the last board meeting
• Batch screening performance data
• Number of PEPs
• Number of sanctioned entities
• Number of customers connected to sanctioned entities
• Results of all monitoring/assurance tests conducted by the compliance function and any identified weaknesses
• Number of internal SARs
• Number of externalised SARs
• Fee income per customer risk category, in absolute and percentage terms.

For any of these data items to fuel effective risk governance, they must be reportable dynamically and in real-time.

In reality, I have never seen a board pack with all of these data items. At most, the majority contained a handful of the items but the data was too outdated to be of any meaningful value. This failure persists within many financial services businesses, which is why so many have been struggling with National Risk Assessment disclosure exercises.

Why is it so difficult for businesses to marshal, analyse and report data that is critical to effective financial crime risk governance?

It’s really quite straightforward; the data is a mess. Customer data is frequently held across disparate and disjointed data sets within systems that don’t speak to one another. There are frequent inconsistencies in the data. The challenge is even more acute across legacy systems in businesses that have grown through acquisition multi-jurisdictionally. In the worst cases, customer data is not fully digitised with some information being held only in hard copy. In such scenarios, it is impossible for MLCO’s to get their arms around the data. The best that can be done is for the data to be mined from each system (or filing cabinet) manually for inconsistencies to be identified and remedied, and for it to then be distilled and reported on Excel spreadsheets. By the time this happens, the process will have taken so long that the data is worthless.

It’s easy to spot businesses where this is an issue. They are characterised by what I call Excelitis – a dangerous affliction in which risk is managed reactively on Excel spreadsheets that are out-of-date the moment they are produced. Another characteristic of such businesses is huge risk/compliance functions (or massively overworked under-resourced functions) dedicated to trying to mine and make sense of the data. The wasted compliance resources necessitated by data friction in such businesses is enormous.

Apart from excessive reliance on Excel, are there are other signs that you looked for that indicated AML weaknesses?

Yes, IT systems with archaic reporting functionality. Even for what should be very straightforward processes, such as customer batch screening, legacy screening systems have such outdated reporting functionality that they require reports to be written before any valuable MI can be extracted from them.

Many legacy CRM and screening systems are not fit for purpose in managing financial crime risk because they were not designed to help create frictionless internal data economies. Instead of solving the problem, the systems actually contribute to it. I have frequently observed, for example, global businesses in which the Global Head of Financial Crime does not have a handle on the systems (let alone the results) utilised for the screening of customers at on-boarding and periodic review. It is truly appalling that some businesses don’t even know whether their customers are being screened within certain parts of their group and, if they are, to what standard.

Given the public interest in financial crime prevention, how is it that these failures persist?

That’s a very good question. Many financial crime risk professionals understand that their legacy systems and the risk management reporting practices they employ are sub-optimal. They appreciate that the MI they are feeding the board is flawed. They know they are exposed. Their biggest challenge is to get senior management to see the world through their lens. Herein lies a huge problem because many board directors don’t have the first clue how to govern financial crime risk. Many of them don’t even know what financial crime looks like as it manifests itself through their products and services. They don’t know what information they should be demanding and, as a consequence, they don’t appreciate the flaws in the data they are being fed. It’s a case of the blind leading the blind.

How do you educate your boss to begin to demand data you know you can’t give them?

That’s obviously problematic because of the natural instinct towards self-preservation on the part of risk professionals!

“Boss I’m sorry to tell you that, despite significantly increased headcount in our risk functions in recent years, the data you’ve been relying on to steward financial crime risk has been flawed. To correct this going forward we need to look at our systems architecture and invest so that we can interrogate and report on any aspect of individual customer risk across populations of customers, dynamically …….”

What are the chances of such a conversation ending constructively? In the final equation, it’s better to have that difficult conversation than to stick your head in the sand and hope that you don’t come into the crosshairs of a regulator.

Aren’t RegTech innovations enabling businesses to overcome these challenges?

Yes, where they are adopted, but there is still huge resistance.

Why?

There are many risk professionals who, despite being fully aware of the flaws in the systems architecture and data analysis capabilities of their business, refuse to address them because they are resistant to the efficiencies that will be created. If a Head of Group Risk sitting at the apex of a function with 1,500 employees is told that the size of his empire is being reduced to 250 people with the other 1,250 effectively being replaced by technology capable of optimising data generation and analysis, what is his reaction likely to be? Ego is a common brake on progress towards more effective financial crime risk governance within industry. If board directors who are supposed to hold their reports to account don’t ‘get it’ for the reasons outlined above, Heads of Risk will wallow in their self-importance, resistant to any need for change that might undermine their power base.

Are you hopeful for the future of AML compliance or will we continue to see the same failures?

Failure isn’t inevitable, but it’s guaranteed if new technologies aren’t adopted. Many other industry sectors have tackled the data challenge successfully and are now reaping the rewards. Formula One is an excellent example of an industry full of businesses that place advanced data analytics at the centre of their operations, recognising that flawed data leads to sub-optimal performance and defective risk management.

Next generation AML technologies such as RiskScreen Batch and RiskScreen Enterprise from KYC Global Technologies, styled on the type of data analytics technologies used by Formula One, enable businesses to create frictionless internal data economies for risk management purposes. These technologies create a paradigm shift in financial crime risk governance while simultaneously delivering huge cost efficiencies.