Validation: The pièce de résistance of anti-money laundering
Even the best kitchen in the world—equipped with a brick oven, top-of-the-line equipment, and the sharpest knives—can’t turn a bad cook into a great one (even though it could help). The substandard cook still needs to learn some critical cooking skills before the dream kitchen can produce the pièce de résistance.
So it makes sense that even the best anti–money laundering (AML) monitoring system in the world—perfectly optimized with no expense spared for the most current technology and automation—can’t guarantee effective AML (even though it helps). No matter how good the system is on its own, AML is a much more involved matter than simply determining what is noise and what is not; it requires documentation, research, and quality control.
If your AML system—something you’ve invested time, money, and due diligence in—generates an alert and you determine that the alert does not merit an investigation, you can’t leave it there; you must say why. From my reviews of financial institutions throughout the country, I’ve noticed that this lack of explanation seems to stem from a lack of quality control standards for triaging. Basically, this means that the initial evaluation of alerts lacks documentation of why the alert was generated and why it does or does not merit an investigation. Many institutions don’t appreciate that closed alerts often receive as much scrutiny as escalated alerts — so much so that documenting the reason for even non-escalation is important.
Let’s go back to the kitchen analogy: let’s say you want to make tomato basil soup (a very rewarding desire). The first step for any culinary creation is gathering the necessary materials, most importantly the ingredients. Now, while you may have many ingredients available in your refrigerator or pantry, it is important to only select the foods relevant to your recipe (tomatoes… garlic… heavy cream… fresh basil…). After all, selection requires choosing what is used and what gets left out of the pot, and of course the great chefs only want the best of ingredients. Similarly, the person responsible for conducting the triage is, in part, selecting what goes forward and what gets dropped. This process of alert triage is perhaps one of the most critical parts of any AML system and often one step we find lacking.
Unlike the sous chef choosing which ingredients to use, the person conducting the triage cannot expect to escape scrutiny of that information which he or she chooses to drop. No, there will most certainly be scrutiny at this stage because poor decisions at this level often mean the FI is wasting valuable resources on incorrect alerts. The person handling triage can’t simply present a yes/no decision; it must be a yes/no decision with documented rationale. Many employees don’t realize that the best practice for this is writing (yes, writing) a summary narrative that includes an introduction, alerted activity, basic customer due diligence information, analysis of activity, review of other activity, external research, and a conclusion. This process is so important that failing to document these steps will frequently leave the institution missing the mark in its decision to escalate its alerts.
Where a lot of institutions, including the big guys, come up short is in quality control on this key step. Ensuring thorough triaging takes a quality control check. If the alert was properly escalated (or properly categorized as noise) and QC agrees with this, congratulations—you have a good triage process. If not, you need to make modifications. Institutions with strong AML processes have uniform standards for each step in this process (triage à investigation à escalation à SAR/no SAR). And of course, ubiquitous quality control grows in importance the larger your institution is and the more people you employ.
For example, pretend with me that you’re a level 1 analyst. You have a list of alerts in front of you. You also have some quotas to meet, so you elect to just close the alerts. In this case, if the process has no controls over the quality of each alert closure, then transactional activity that warrants escalation (and potential SAR filing) is missed. Corrective action must be pursued or the problem will likely worsen into a far more serious, potential-headline-grabbing problem.
The key in this initial stage is to establish standards that promote documentation and quality control. From there, it makes sense to use independent sources to evaluate the effectiveness of this process. We call that quality assurance. After all, the regulators are looking for a system that is both valid and effective. That’s typically where we step in. When conducting a validation, we’re trying to see one thing: Is the system working as designed?
However, if we’re to evaluate effectiveness, then the institution must have those quality standards and outcome documentation that includes support rationale. Without these, the entire AML system optimization effort is like picking your ingredients in the dark and using them without knowing what they are. It almost never works.
For information on AdvisX’s AML validation services, please visit: http://www.advisx.com/services/validation/
