Anti-money-laundering regulations: new teeth, new tools

RMA Journal, The, Nov, 2003 by Rona Distenfeld

It's not a pretty picture when an individual or institution is caught with its guard down. There's the double whammy of being defrauded and being nailed by fines--or worse--for not having the proper processes in place to guard against money-laundering activities. And technology tools are not without their own risks.

Recent regulations enacting Title III of the USA PATRIOT Act have focused new attention on anti-money-laundering (AML) compliance. Public enforcement actions--such as the written agreements between the Federal Reserve and several of its member banks, including HSBC, Banco Popular, and Southern Commercial Bank--specifically cite Bank Secrecy Act and related Due Diligence, OFAC, Customer Information Programs, Currency Transaction Report, and Suspicious Activity Report requirements. Therefore, any technology-based solution must be able to address all of these areas to be effective and provide the regulators with evidence that such a system is in place.

At the center of the new requirements is a heightened expectation of a bank's ability to identify its customers and understand their usual transaction routines. This starts with such basic steps as recording identification documents, such as a driver's license, when an account is opened. With more affordable and portable equipment for scanning the magnetic strips and/or bar codes that most of these documents now carry (and OCR machines for the few states that don't yet use either), more banks are making this the first step in their know-your-customer programs. Since driver's licenses are the most fraudulent document in use, the data captured from the magnetic strips and bar codes offers banks an early alert if the face of the document has been altered. However, this is just a first step in an effective AMI, program.

Finding Your Best Technology Solution

According to a recent American Bankers Association survey, AML is now the most expensive compliance cost in the bank. What you spend can range from the thousands into the millions, depending on your bank's needs. That's why it's critical to evaluate your bank's current business and capabilities, future growth areas, and existing technology before looking for specific technology solutions.

"There is nothing in the BSA that specifically states that a bank must have an automated system," says Pamela (P.J.) Johnson, senior anti-money-laundering coordinator at the Federal Reserve Board in D.C. "However, according to our rules, a bank must implement a program that ensures compliance and must operate in a safe and sound manner. This includes being able to file the appropriate forms, identify suspicious activity, and maintain the required records and be able to produce them when requested within the required time frames. If a bank is able to do this effectively using a manual system, that's fine. The bottom line is a bank needs to have a system that is commensurate with its size, complexity, and risk. By the same token, simply having an automated system isn't enough if it doesn't do what's necessary to effectively manage the risk."

This makes it clear that any system must match your bank's actual activities and be backed by a reliable vendor that will keep it up-to-date with both changes to the rules and changes to your operations. Some community banks believe they face minimal AML risk due to their location or because they don't participate in high-risk activities. While this is true in theory, they still must be able to provide regulators and law enforcement agencies with requested records in a timely manner--72 hours if their records are subpoenaed.

Before AML became a hot button, most comprehensive programs required a mainframe, so they were available only to large institutions. Today that has changed. A growing number of companies--many of them new and a few, such as Atchley Systems Inc. and SAS, around for decades--now offer in-house or outsourced solutions to community banks. Long-term familiarity with this issue can be a plus in a vendor, especially for community banks that may not have the internal resources to keep their systems up with the latest changes.

There are a lot of packages, and more are coming every day. You can buy something off the shelf, customize or develop something yourself, or outsource. So how do yon determine what's best for your bank--or if you even need an automated system? And how do you choose the right technology partner for your needs?

Choosing the wrong solution or technology vendor can increase a bank's risk by providing a false sense of security. There's strong agreement among bankers, regulators, and vendors about the questions to ask when looking for your best AML technology solution:

1. Is a technology solution appropriate for my bank's activities?

2. Do we have the resources to develop and/or manage this function in-house? Can we maintain and update an in-house system properly? Would outsourcing be a better solution?

3. Do we want to find a single vendor that can provide technology solutions for all the pieces (BSA, OFAC, KYC, CTR, and SAR filing, etc.) or do we want individual "best-of breed" packages?