Mastering Money Laundering Regulation Efficiently
Swiss banks will soon be subject to new anti-money laundering (AML) requirements – are you well prepared?
In the coming year, several regulatory changes to combat money laundering will come into force in Switzerland. Revisions are being made to the Anti-Money Laundering Act (AMLA), the Money Laundering Ordinance of the Swiss Financial Supervisory Authority FINMA (AMLO-FINMA) and the Agreement on the Swiss Banks’ Code of Conduct with regard to due diligence. The draft of the AMLA with the associated message to parliament is expected in due course. After discussion and the expiry of the 100-day referendum period, the new law is expected to enter into force in 2021. With these new AML regulations, Switzerland is catching up with the European requirements of the 4th Anti-Money Laundering Directive (4AMLD), which has been applied by European banks since the beginning of 2018.
Impact on banks
Banks are expected to apply the revised regulations starting in 2020 and 2021 respectively. The new requirements include an extension of the regular verification obligation, a specification of the group-wide compliance with AML principles, and the extension of the criteria for high-risk relationships. While European banks have largely implemented the requirements of the 4AMLD, it is now high time for banks in Switzerland to analyze and incorporate the new requirements. EU banks faced a couple of challenges implementing the 4AMLD and not every institution has tackled them successfully. Based on this experience, we expect the following new requirements to be particularly challenging for Swiss banks to implement:
- Regular verification of KYC data (Art. 7 para 1 AMLA)
- Group-wide compliance with AML principles (Art. 6 para 1 AMLO-FINMA)
- New criteria for high-risk relationships, in particular frequent high-risk transactions (Art. 13 para 2 AMLO-FINMA)
Regular verification of KYC data
This new requirement addresses the lack of a general and explicit obligation for financial intermediaries to ensure that the data obtained as part of due diligence procedures remains current and relevant. For this reason, the revised AMLA introduces the obligation to regularly review, and if necessary, update, the documents and information obtained in the course of due diligence. This extends the regular verification requirement currently limited to high-risk relationships to all clients. However, banks may apply a risk-based approach regarding the frequency and scope of the review. Generally, all data collected as part of the client due diligence under Articles 3–6 AMLA is subject to the regular review (hereinafter referred to as «KYC data»).
Given the potentially huge amount of KYC data that has to be verified, it is crucial to apply a prudent risk classification to relationships in order to limit the scope and frequency of the KYC data review. Merely extending the review process for high-risk relationships to all clients will be neither efficient nor effective, as this would involve an enormous amount of work for the bank and increase the risk of overlooking actual risk indicators in the huge amount of information – the needle in the haystack often cited in compliance.
For this reason, the first step for banks that have not yet adopted a multi-level risk classification but only differentiate between «enhanced due diligence» (EDD) and «simple» relationships should be to develop a model for a more sophisticated risk classification which provides the basis for the second step – the definition of data scope and frequency per client risk class. The work involved in calibrating the risk classification model should not be underestimated. Besides the design of the risk classification model and definition of the data scope and frequency, banks must assess which sources can be used to verify KYC data. There are various options: the clients themselves can be asked to review their data, or their lawyer, tax advisor, accountant, or a similarly trustworthy person can be asked to confirm KYC information. The relationship manager could also be assigned to check whether KYC data are up to date. In addition, there are public data sources available, for example KYC databases with PEP information, information on sanctions and negative news, company registers, and credit databases. Moreover, information sources inside the bank can be used, for example payment data. The quality and amount of information available as well as the effort required to retrieve it will vary depending on the source of data. There is no single best source; different sources may be chosen depending on the risk classification, the amount of KYC data to be verified, and the frequency with which reviews are performed.
Group-wide compliance with AML principles
The requirements regarding global compliance of foreign subsidiaries and branches («foreign branches») with AML principles have been specified as follows, with banks required to apply the following steps, including at their foreign branches:
- Perform a risk classification of relationships and transactions
- Regularly analyze global AML risks on a consolidated basis
- Report on legal and reputational risks with quantitative and qualitative information (at least once a year)
- Obtain information from their foreign branches on the initiation and continuation of high-risk («significant») relationships
- Regularly perform risk-based controls, including on-site spot checks on relationships at foreign branches
In other words, banks need a global KYC risk and control framework which allows them to apply a uniform methodology for risk classification of relationships and transactions in all countries, perform consistent KYC controls worldwide, develop a consolidated global risk reporting, and regularly test the effectiveness of KYC controls.
New criteria for high-risk relationships, in particular frequent high-risk transactions
In the revised AMLO-FINMA, frequent high-risk transactions have been added to the list of criteria for classifying a relationship as high-risk, bringing KYC (know your customer) and KYT (know your transaction) closer together. This is reasonable − and according to the FATF report logical − but will be a challenge for banks to implement.
For transaction monitoring, banks typically apply multiple static scenarios with variations of criteria for high-risk transactions. Unfortunately, this approach is not very effective: up to 90% of hits generated by such static transaction monitoring turn out to be false positives. Frequently, genuine positives are overlooked, and only around 20% of suspicious activity reports are based on banks’ transaction monitoring. Even more problematic than false positives are so-called desired negatives – cases where the analysis of a hit reveals an AML indication, but the business is too attractive to be declined. This syndrome can only be addressed by adopting an unmistakable position towards AML risk, assigning clear responsibilities, and documenting relevant decision-making. Before information on high-risk transactions can be reasonably considered for the risk classification of relationships, many banks will need to improve the effectiveness of their transaction monitoring, alert analysis, and decision-making processes.
Automation being the solution
It is evident that most banks will not be able to implement the upcoming revision of AML regulation on a purely manual basis – just as most European banks have used digital compliance solutions to implement the 4AMLD. To avoid increasing costs and risks, an automated or at least semi-automated solution will be necessary. The question arises as to what technology solutions can best support the implementation of the new AMLA/AMLO requirements.
Regular verification of KYC data
The client risk classification is key to a sensible approach to the regular verification of KYC data. The risk classification model should be reliable, globally consistent, calibratable, and traceable for audit purposes. Rules engine technology providing visual rule design, testing functionality, and an audit trail can support the setup and calibration of a global risk classification model meeting these criteria. A role-based access control system assures compliance with the defined governance. Depending on the risk classification of a relationship, various manual steps may be necessary (for example a manual review by the relationship manager and a management decision on whether or not to continue an EDD relationship). A rules engine should therefore be integrated in a workflow platform supporting such manual steps.
Further, a rules engine can be used to monitor relationships for PEP status, sanctions, and negative news. Hits from background checks can be submitted to the relationship manager and compliance officer for review via the automated workflow. In addition to a manual review of relationships and leverage of external data sources, payments data can be used for the regular verification of KYC data. We asked Gian Reto à Porta, co-founder and CEO of Contovista AG, a Swiss provider of transaction analysis solutions, how this could work.
Interview with Gian Reto à Porta, Co-Founder & CEO of Contovista AG
Synpulse: Gian Reto à Porta, what information does payments data provide, and how could it be used to verify KYC data?
Gian Reto à Porta: Thanks to our data enrichment, there’s a whole range of data available in addition to the usual information such as the posting text or amount:
- type of expenditure, geoinformation, and information on whether the counterparty is a trader or a private individual
- recognition of employer, regularity and amount of salary payments, and change of employer
- recognition of changes to the client’s residence and places they regularly stay, especially in high-risk countries
- recognition of transactions that are unusual for the client or their peer group
- relationships with other banks, unusually high outflows via money exchange or money transfer offices
- recognition of pass-through transactions and unusual shifts in assets
Synpulse: How does that work from a technical point of view?
Gian Reto à Porta: First we add certain meta-information such as the merchant, type of expenditure, and geoinformation to transactions. We then use algorithms and machine learning on this enriched information to be able to draw client-specific conclusions. In addition to providing statistical data, this allows us to recognize changes and unusual behavior in the context of a customer or their peer group. The final step is to use a machine learning model to summarize the individual risk indicators in a final score. Through the manual processing of cases, the model is able to learn by way of a feedback process and over time to reduce the false positives rate. This adaptive approach is possible even if certain information is missing from transactions.
About Contovista — Delightful Banking
Contovista enables data-driven banking. Its white-label software and data analytics services allow financial institutions to optimize their digital banking experience and gain actionable customer insights. The company helps to understand, engage, and serve customers better based on the enrichment of financial data and machine learning.
Group-wide compliance with AML principles
Group-wide compliance with the same AML principles requires a globally consistent client risk classification which is the basis of a global KYC risk and control framework. If performed by a rules engine, the classification can be provided as a service to foreign branches applying different rules tables to different countries (and without the need to exchange client data cross-border). With this approach, global and local rules can be combined in a transparent and consistent way. In addition to a risk classification, a rules engine can be used to automate KYC controls such as background checks, checks on the availability of required documentation, and data plausibility checks. Controls that are based on global minimum standards and are documented in one central repository make it much easier to perform regular reviews and testing at foreign branches. Furthermore, since rules engines document «their work» on risk classification and controls, they facilitate a consolidated global risk analysis and reporting. Here you will find more information about the use of rule engines – from a KYC whitepaper to a KYC video to a webinar.
New criteria for high-risk relationships, in particular frequent high-risk transactions
Banks use a range of technologies for monitoring transactions. In the past, they have mainly applied analytical and rule-based models. Rule-based transaction monitoring can be supported by the rules engine technology described above but has the disadvantage of applying static patterns which quickly become obsolete and are often not sophisticated enough to keep the number of false positives within reasonable limits. For this reason, banks are increasingly looking into algorithm-based models that, over time, are able to learn from the evaluation of false positives and from changes in patterns.
With regard to the algorithms, however, banks often face challenges when it comes to validating algorithm quality and documenting the methodology. Nevertheless, using algorithms and machine learning appears to be a promising approach to assessing high-risk transactions for purposes of the client risk classification. We asked Michael Mráz, partner at Wenger & Vieli AG, a Swiss business law firm specializing in financial services, about the use of technologies in the fight against money laundering.
Interview with Michael Mráz, Partner at the business law firm Wenger & Vieli AG
Synpulse: Michael Mráz, do you think verifying KYC data with information from payments data is a feasible approach?
Michael Mráz: Absolutely. This kind of information can validate or challenge existing information or information drawn from other channels and, if appropriate, trigger further verification. At a financial institution, payments information is easy to access and highly reliable. By way of a simple example, regular cash withdrawals or grocery purchases could indicate a location that doesn’t match the customer’s specified place of residence.
Synpulse: Some dream of intelligent KYC robots that will assume the lion’s share of compliance work one day. How do you see the future of compliance in terms of artificial intelligence?
Michael Mráz: As long as breaches of the anti-money laundering rules are subject to criminal proceedings, we cannot abandon the concept of individual, in other words human, responsibility. And as long as this is the case, even the most intelligent KYC robots will still only be tools. There won’t be less compliance work, either. As we’re already seeing, the focus of work will merely shift from the collection of information to the challenging interpretation of the aggregated data with technical aids. Given the time factor, transaction monitoring is particularly demanding in terms of the quality of the data and of the data generated from it. It obviously makes sense to exploit the possibilities of AI, particularly in this area. In particular, the question arises as to whether quality is given preference over quantity in money laundering regulation. If the answer to this question is in the affirmative, I do indeed see an area of application for AI, especially if such a system incorporates findings from criminal prosecution. However, the following applies in principle to the use of technologies in compliance: blind trust in the functioning of such systems is dangerous. Maintaining and monitoring their results remains an important task.
To summarize, workflow platforms, rules engines, and transaction data analysis tools can considerably facilitate the implementation of the new AMLA and AMLO-FINMA requirements. If you’d like to find out more about the new AMLA and AMLO-FINMA requirements and about using these technologies, please visit our KYC website.