The focus on anti-money laundering may not be hitting the headlines as consistently in 2013 as in 2012, but regulators have been working quietly to ensure the widespread failings of the past don’t happen again. As a result, the BCBS has been taking time away from capital standards to prescribe new and far-reaching requirements on how banks handle financial crime. Unsurprisingly, however, these standards are facing criticism.
Last year’s high-profile cases – HSBC, Standard Chartered, et al. – demonstrated problems with banks’ management of AML processes that went beyond mere compliance breaches and became systemic and structural failings. Regulators, then, are now looking to go beyond setting granular objectives-based policy and instead set complementary standards on how financial crime should be handled in the wider context of the banking system.
The BCBS’ consultative document, released in June and titled ‘Sound Management of Risks Related to Money Laundering and Financing of Terrorism’, proposes that customers’ identities, as well as the identities of their beneficial owners, should be properly verified, appropriate records kept, and that suspicious activity should be reported.
This in itself is nothing new. The Financial Action Task Force (FATF) has had these requirements set down since its inception, and is continually updating them. However, rather than expanding on the existing global policies set and maintained by the FATF, the BCBS is looking to mandate policies based on practicalities, rather than pure objectives. What is new is that the BCBS is taking a much more technical approach to ensure that banks have the capabilities, as well as the policies, to combat money laundering, and that these are appropriate to the complexity of multi-national banks as they exist today. As a result, a whole chapter is dedicated to managing financial crime on a group-wide basis:
“each group should develop group-wide AML/CFT policies and procedures consistently applied and supervised across the group. In turn, policies and procedures at the branch or subsidiary levels, even though reflecting local business considerations and the requirements of the host jurisdiction, must still be consistent with and supportive of the group’s broader policies and procedures.”
IT systems are also given significant attention:
“IT systems should also have aggregation capabilities (by customer, product, across group entities, transactions carried out during a certain timeframe, etc.) and be able to handle a risk grading of customers and the management of alerts.”
The BCBS’ objective, then, is for banks to have consistent, centrally managed and technologically mature approaches across their entities. Because of this approach, AML would be managed more as operational risk, rather than as a separate and external requirement. There is considerable criticism of this, however.
From a technical perspective, many of the respondents to the consultation noted that building systems able to accurately aggregate customer data will be expensive, complex and time-consuming. Many banks have hundreds of systems in which they record customer data and transactions across the products, services and jurisdictions in which they operate. While cost has never been of much concern to regulators (much as they may dispute it), this is a problem that should not be underestimated.
However, a larger criticism from respondents is related to the tension between the risk-based approach and the BCBS’ somewhat prescriptive standards. The risk-based approach allows banks to scale the size and depth of their AML measures in accordance with the perceived risk of financial crime. Therefore, putting in place a set standard to which customers should be investigated, as the BCBS does, partially abrogates this ability.
Finally, though, data protection regulations between jurisdictions indirectly prohibit much of the centralisation that the BCBS is asking for. Aggregating customer data across borders is not possible in many situations without breaching local data protection rules. To its credit, the BCBS recognises this is a problem in its report; nonetheless it remains a significant stumbling block.
These are stringent and potentially costly requirements. However, the report should be seen in the context of the sheer number of KYC regulations such as FATCA, AMLD IV, Funds Transfer as well as trading regulation. It should be interpreted as a tool for IT managers to leverage when advocating for the upgrade of legacy systems and processes in order to move to a smoother, more cost-efficient model.
After all, if you can prevent paying $1 billion for an AML violation through better systems, the upgrade may pay for itself.