Closing “risk windows” – assessing your options for cost effective compliance & risk management

Assessing options for risk management and compliance requires consideration of the cost to integrate the results of these different capabilities.  Creating an integrated view of risk and compliance is challenging since risks include fraud and credit issues while compliance must address anti-money laundering (AML) and foreign asset control (OFAC). 

Both of these areas, for example, need to be updated with data from events or substantive changes in member status.  The sharing of information across people and applications is critical to providing a more unified approach to controlling risk.

Point solutions for AML, OFAC & sanctions screening, identity verification, ID theft red flags, member identification programs and related capabilities adds cost beyond their individual price tags.  Point solutions can force a credit union to integrate, to the best extent possible, data from each system as well as feeds from transactional systems.

Larger, highly integrated systems that provide AML, OFAC and Fraud detection are often too expensive or too complex to implement and operate.  Cost effective options are needed as well as a way to quickly assess their potential costs and benefits.

Here are 3 simple steps to create and assess options:

1. Map current coverage against a risk matrix by considering “risk windows”, needs and growth rate
2. Identify current vendor and service improvement options
3. Consider the costs and benefits of adding new internal or external controls

1.  Mapping Current Coverage Against The Risk & Exposure Matrix

Many credit unions and banks use a “risk window” approach to understanding current and emerging gaps in their finical crimes coverage.  The term financial crime prevention (FCP) is often associated with an enterprise program to provide coverage against anti-money laundering (AML), Foreign Asset Control (OFAC) and other Watch List Monitoring  (FinCEN 314a) as well as Fraud.

So, risk windows are just areas of financial criminal activity we must track, alert and resolve.  Using a simple table, it is easy to craft a risk.  The primary AML, OFAC & Fraud areas are listed and each is reviewed to verify what types of controls are in place.  Generally there is a manual effort or control associated with each area., this is true even when there is also some level of automation.  An example is the tracking and reporting of large currency transactions.

This tracking is almost always automated through core systems but there is often a need for manual preparation of regulatory reports or a manager review of them before submission – so this area has both manual and automated controls.  Some areas may already have achieved some level of integration.  The ability to track information security triggers for online accounts can be tied to the fraud tracking and reporting via alerts, then it is a manual process to update the Customer Identification Program information in the AML side to trigger a recognition of risk for AML.

Risk windows become obvious when we color code our matrix for all areas not currently covered.

Here is a sample Risk Matrix depicting Risk Windows:

This Risk Matrix example summarizes a list of Risk Areas and the level of controls in place for each area, red areas indicate little or no current control.  Note that manual and automated often occur together since automation does not typically address all phases of detection, alerting, reporting and tracking issues.

2.  Identify Coverage Improvement Options

This step involves an internal discussion of the current and committed goals of the credit union.  It is important to include in your assessment current changes underway including product and channel expansion, potential merger or acquisition events, and all outstanding or anticipated regulatory as well as internal audit issues.  Using credit union industry resources, trade groups and trusted outside partners to identify options for automation and integration.  These options typically include application modules or components from currently licensed application suites, additional software, compliance data stores and analytics using internal database development, and external managed services.

Cost effectiveness is often achieved or improved when internal communication and work flow systems can be leveraged to cover risk windows.  A great example is the use of current or readily available work flow and case management systems that allow for easy definition of your rules, work flows, escalation paths and tracking approach.  These systems are well suited to tracking financial crime events from detection through reporting and resolution.  The challenge is that they do not typically have automated detection tools for complex transaction monitoring or external search and filtering of media reports of member activities or relationships.

Similarly, most AML systems now provide at least some fraud coverage features and integration of membership data from on boarding, risk rating, due diligence and case management.  Unified reporting is another benefit.  These systems are still costly and complex requiring significant internal expertise to integrate and operate.

External resources, from outsourced AML tracking and investigation to managed services with end to end support, all provide additional options with incremental costs.  The key is to identify how the credit union team can handle the effort and oversight required to close risk windows cost effectively.  Managed service options are increasingly popular since they provide the resources and expertise to monitor and manage issues across risk areas.  Managed services also provide credit union management with dashboard views of current conditions and issues.

3.  Consider the Cost/Benefits

The costs of various options can vary widely, so can the benefits!  Assemble a short list and prioritize based on the risk window(s) they help you address.  Then consider their impact on current staffing, expertise and management levels to determine their total impact on the credit union.  Review recent history and news to determine which of the risk areas is most concerning and integrate your current internal audit and risk management recommendations into your considerations.

Finally, consider multichannel planning since fraud has taken on a very strong multi-channel profile targeting members and unions using online and traditional channels in unison.  If your online and mobile channels are growing and improving rapidly then it might be time to concentrate your focus on controls coverage for those areas.

Summary

A simple assessment of credit union risk windows and current coverage quickly exposes important risk windows.  Prioritizing these risk windows and understanding the potential costs and benefits of the solution options is critical to closing these windows.

Contributing Author: Gregory Lampshire
Gregory Lampshire is a Partner at K2-Solutions. He has focused on a variety of business and technical areas including geophysics, commercial MPP systems for science and business computing, data mining and data science work at multiple consultancies (large and small) and general data management disciplines. Gregory has managed multiple consulting practices in the telecommunications, energy, biotech, pharmaceutical and healthcare insurance industries. Recently, he has focused on CRM analytics, healthcare analytics and financial crimes prevention. He holds degrees in electrical engineering, aerospace engineering and business administration and is a member of ACAMS.  He can be reached at glampshire@k2-solutions.com