Anti-Money Laundering Software - the Build or Buy Dilemma
At the most important international money laundering conference in the calendar, hosted by Money Laundering Alert in Miami, the world’s experts weighed up the pros and cons of anti-laundering software; the prognosis was not good.
The conference started by looking at the basic steps a financial institution should take when deciding whether to build or to buy AML software. All agreed that the picture had changed in the last two years. On the panel were Jim Richards, director of the financial intelligence unit at Fleet Boston; Susan Galli, compliance director for Citigroup e-business and an expert at reducing risks inherent in correspondent banks and cross border transactions; Gregory Benson, director of compliance and security at E*trade who used to be on the US government’s Bank Secrecy Act supervisory panel; and Ernesto Armenteros, a senior vice president at Remesas Quisqueyana, a New York firm which transmits funds to South America and the Caribbean. Armenteros was the only speaker who had supervised the building of an AML software system himself.
Each firm represented on the panel is in its own way a massive force in international finance. E*trade, based in the USA and four times larger than its closest competitor in e-banking, trades with Australia, Canada, Denmark, Korea, New Zealand, Norway, the UK and Sweden and has $11bn in assets and $5bn in deposits. Fleet is a $200bn organisation, which handles 15m accounts and has 2,000 branches in 24 countries. Citigroup is one of the world’s largest banks and Remesas is a recognised leader in AML software.
The buy option
Jim Richards started the ball rolling with a few pearls of wisdom about purchasing a system. "I wouldn’t do a due diligence exercise on the vendors when I was starting out. I’d do it on myself, on my own bank. I’d ask myself the following questions:
do we have the data to run the software? My business has 723 mainframe applications in the US alone. It doesn’t play well with packages.
do we have the necessary personnel to operate an IT system? Whatever number of people the vendors tell you that you’ll need, triple it.
"I’m saying this at the risk of being unpopular with the vendors, but when you’re listening to vendors, you should pay attention to three things they’ll talk about:
(i) fraud prevention: I don’t believe that fraud prevention techniques apply to money laundering software;
(ii) false positives: I don’t think they apply either and
(iii) the use of the word ‘solution’: you’re not purchasing a solution. It’s only a tool. Don’t be fooled. You must do a know your customer programme on yourself because no software you buy will work if you don’t do good KYC.
"Lastly, the system must be flexible, not hard wired. If your bank suffers from a scandal such as the one that hit the Bank of New York, you will have to adapt."
Galli had her own warning for the audience. "As each day goes by, the expectations of what banks should be doing about monitoring the launderers are going up. There are no silver bullets. If you came here looking for a miracle, you won’t find it. The software is a tool that’ll help your people get there, but it’s really all about your people."
As delegates kept telling Complinet throughout the conference, AML software cannot cater for every eventuality and is always producing exceptions. Galli said the same thing before looking at the shortcomings of AML software. "You get one of these tools in there, and the exceptions start kicking out. Till you get the system, you don’t know if the parameters you’ve selected are the right ones. Regulators also will expect you to be looking at all the exceptions. You therefore need all the resources to do that.
"Not all products are alike. Through the recent spate of mergers and acquisitions that has swept the banking world, many of us are trying to cope with legacy systems, and just getting them to talk to one another is hard. To cope with this, you must do risk assessment. Look at how the system will deal with your defined risks.
"Software vendors are popping up all the time. I have a checklist of questions which you must ask them or ask yourself about them:
look at how long they’ve been around. They must be capable of staying around;
as a crucial second step, you must look at the content they’re monitoring - and if they are suited to it;
find out what their customer base is and how long they have been in the AML business;
can they help you in all the areas in which you need their help;
what’s the level of their manager’s commitment;
can they handle the demand if they get a surge of interest in their products and
beware of what we call vapourware. The vendors must be able to tell you what’s available now - not that you’re going to be a guinea pig for their experimentation. If you are content with vapourware, you might do worse than ask them for a discount.
"Upper management support for you at your bank is very crucial. There are two points here:
they must agree to pay upfront; and
appropriate cases must be ‘surfaced’ to them for action."
The build option
Ernesto Armenteros told the audience that his business was more or less forced to build its own system. "I’m not a banker. I don’t have the dilemmas in choosing software that my fellow panellists have. Up to this year, software vendors have developed their products solely for the banking industry. That’s changing now, but up till now we’ve had to build our own.
"Thanks to the way in which the Bank Secrecy Act is written, there’s no such thing as an honest mistake - you’re guilty until proven innocent. So if you don’t have AML software, make it your number one priority to do it. If you’re being investigated right now, it’s your only claim to being a good guy, to demonstrating the fact that you’re part of the solution and not part of the problem.
"If you’re going to build the thing yourself, there are several things you must do:
you must get help;
you must think like a criminal. Nobody knows the company as well as you do. Find ways of breaking the system;
think like a policeman. See what works in stopping those attempts;
get everyone in one room for a brainstorming session - you should invite advisers, managers, compliance officers and IT people to it;
make decisions about what steps that software should follow;
install it and
finally, try to break it. In our case, we called in external auditors to break it. We gave them $20,000 each and told them to launder it. You want someone from the outside to do it, not someone from the inside.
"In my view, the only alternative to building it is to subcontract it. Download your transactions and the subcontractors will cross check the data for you and cross check it with other companies in the area to see if criminals are using those other companies to help them structure their dirty money."
Corporate buy-in - the compliance officer’s most intractable problem
Whenever a compliance department comes up with a grand programme, it always faces the same problem: the company’s board has no time to give it detailed attention. "My new AML programme has all the bells and whistles you could imagine. It would be very good if I could enforce it throughout the organisation, but I haven’t been able to have so much as a lunchtime session with my CEO in all the months I’ve been there," another delegate told Complinet at this conference. The same theme emerges whenever senior compliance officers meet each other.
This syndrome is evident in the field of AML software as well. The best the compliance/AML officer can hope for is to arrange meetings between people at his own level. The conference gave a great deal of thought to this and the best list of ‘people who should get involved in the decisions’ was presented by Jim Richards.
"It’s always good to get a cross-functional committee to look at it. I would include compliance, the law department and IT people but I wouldn’t give them the final decision because they always want new tools and toys to play with. And I always make sure that we get the least IT-proficient and most technically cynical person at the table as well. If you can convince him that the software arrangements are good, you might be onto a winner," Galli told the delegates.
Galli also suggested the inclusion of the product marketing people who deal with front-end business. "At the end of the day, these are the people who are responsible for compliance, so they have to buy into the solutions. It’s cheaper to pay for education in the company up-front rather than pay for mistakes later," he said.
The human element
Of course, even an automated system cannot be expected to run all its checks without a good deal of human legwork. "We use a compliance person to chase up our relationship managers. If you’re getting 100 exceptions a week or month, you must pinpoint the relationship manager and find out if the transactions make sense for that customer. We have 6,000 staff, so if our AML system did that, it would take two weeks to get to all the relationship managers. So a compliance person hooked up to the system has to do it," said Jim Richards to illustrate the point.
ACH - a warning
Susan Galli said automated clearing houses are something of a black hole for AML software. "A lot of e-commerce is shifting away from funds transfer to ACH, a payment mechanism not found outside the US yet. This is a bank transfer system where you’re transmitting a file. It’s a very cheap alternative to doing an individual funds transfer. Once the records are consolidated, i.e. once the payments have been amalgamated, you can’t do due diligence on that. We haven’t worked out how yet. Credit cards are already being monitored for money laundering, but ACH isn’t yet. This issue will become more important when other countries start using ACH."
Here and there
Other points were mentioned briefly by the panel:
AML software for small banks: Large banks have infrastructures that can deal with the expense and trouble it takes to set up AML software, but small banks are another matter. When asked whether there was good enough software on the market for small banks, the panel’s answers were only vaguely encouraging. "You don’t even have to have your own software for verifying social security numbers, phone numbers, tax IDs etc. You can get off-the-peg systems, but they’re not cheap," Citigroup's Galli told delegates.
Jim Richards added a warning. "You don’t need to verify someone’s tax identification number when they open a non-interest bearing account, so a KYC system based on people’s tax IDs is going to miss a large population for money laundering," he said.
The legal problems of sharing information about suspicious transactions: "A bank can’t share this information with the money transmitter company. If the bank isn’t knowledgeable enough about the money transmitter industry, they’ll often see activity as suspicious when it is not. They’ll then close accounts. The only remedy for this is to give them information about how our system works, give them documents, send files and bring them into our offices and let them see the system working," warned Ernesto Armenteros.
Continuity on the software team: More than once, the panellists emphasised the importance of ensuring that not too many people on the software team of an AML programme were allowed to leave the company at any one time. Armenteros’ system, for example, looks at 20 to 30 types of red flag and is supplemented by a manual system. The infrastructure that this demands is intricate. "If too many people leave at once we lose the ability to run it," he admitted.
Software advice from regulators: As in the UK, American regulators are struggling to catch up with the internet revolution and are hanging onto the coat-tails of the larger firms on this subject. Gregory Benson told the conference that E*trade is on good personal terms with its regulators at the Office of Thrift Supervision but has received no useful guidance from them. "This is a new area for them. They don’t have a very good grasp, so they’re looking to us," he added.
At the teller level: CTRs, according to FinCEN, are generated at the push of a button. The panel agreed that many people who work at branch level are reluctant to ‘push the button’ because it slows down branch business.
Buy, build or compromise?
The panel then had to make up their minds whether to advise financial institutions to buy a system, build it or develop a compromise, which is partly bought and partly built. Their verdict was overwhelmingly in favour of the buy option.
Ernesto Armenteros, the man with most experience, made it plain that he never wanted to go through the building process again. "For the remittance industry, my advice would be to try to avoid having to build it. Buy it, or try to subcontract the filtering of your transactions. To build, get the best programmers and involve everybody. To build a bad one takes the same effort as building a good one," he explained.
As a rider to this, the panel once again urged delegates to involve the compliance department and as many other relevant people as possible in the commissioning process. "Get everybody in, or it’ll be GIGO - garbage in, garbage out," Galli said.
Jim Richards ended by giving the audience a ‘hot tip’: "You need to use the internet or the invisible web, of which I’m not a huge fan. If you don’t do this, you probably can’t make use of the software that the vendors are offering you. Also, pivot tables within Excel are probably the best AML tool that you can use today."
Is the AML software on the market appropriate?
Do any software vendors have mature, tried and tested AML systems or are compliance experts’ worries about being used as guinea pigs valid? Gregory Benson was in no doubt about the usefulness of existing software to e-banking. "Most of the software applications are saying ‘it’ll be there, the cheque’s in the post, it’s in the works’. We want to see a customer who’s already been satisfied. We’ve found very few. If we buy anything, it’s got to have worked already. We don’t want to be guinea pigs."
As for the usefulness of AML software to banking in general, Complinet talked to a representative of Mantas, one of the main software suppliers. Her opinion echoed those of the panellists. "No product provider has a mature AML system. We and Searchspace are the nearest to that, but we’re still a long way away from it. And yes, we do have monumental mess ups with the systems all the time," she revealed.