Transcription:
Leigh-Anne Moore:
Hello. Hi, everyone. Welcome back. Thank you so much for rejoining. Just a reminder, you can register for additional sessions using the menu bar on your left, and you can view those on-demand even if not attending live. And I definitely encourage you to please ask questions of our panelists using the chat features.
So, our next panel session is titled key elements of an effective global AML/KYC compliance program in 2022. And this will be hosted by Sujata Dasgupta, the global head financial crime compliance advisory of Tata Consultancy Services so over to you.
Sujata Dasgupta:
Thank you, Leigh-Anne. Hello and welcome everyone. We are here today to discuss on the topic of key elements of an effective global AML/KYC compliance program in 2022. A quick few lines about myself and then we’ll move on to the rest of the panel members. I head the global advisory at Tata Consultancy Services on financial crime compliance, where I cover the entire portfolio of KYC sanctions, anti-money laundering, fraud, anti-bribery, corruption, and the ever increasing typologies in financial crime compliance.
I’ve had a career spanning about 22 years where I focused heavily on all these functions in AML/KYC and so on. And I’m currently based out of Stockholm in Sweden while having worked earlier in US, UK, other countries in Europe and Asia Pacific as well. Let me introduce you to the rest of our panelists today. First, there’s Devraj Basu, a professor from Glasgow. Hello, Devraj. You have to unmute yourself, I see you on mute.
Devraj Basu:
Sorry, force of habit. Hi Sujata, thanks very much for the introduction and great pleasure to be here. I’m Devraj, I’m a finance academic at the University of Strathclyde in Glasgow so that’s sort of the day job, but really, the kind of focus of this discussion, I convene a [Regtech 00:02:51] forum, which is demand led knowledge based innovation network, mostly focused on financial Regtech and financial crime, anti-money laundering is one of the key areas of interest. And so in our forum, we’ve been looking at how Regtech methods and particularly data sharing could help improve AML and financial compliance and that’s why I’m very happy to be on this panel to sort of work with the practitioners on this issue.
Sujata Dasgupta:
Certainly, your outlook from the whole academia, where you’re seeing the industry from the other side. And like you mentioned, you’re doing some research and having a forum. I’m sure all those inputs will be very useful in our discussion today. Our next panelist is Talal Shoukat and he’s joining us from Qatar, but I think he was having some issues. I’m not sure if you can hear us Talal. He was having some technical issues. Talal, can you hear us? Okay. I think he’s got some issue there and I’m sure he’ll get it sorted and be back with us very soon. So, meanwhile, let us get started on the context. As we know, the topic for today is the key elements of an effective AML compliance program. So I think I see a yes from Talal.
Talal Shoukat:
Hi.
Sujata Dasgupta:
Hello Talal, you finally made it.
Talal Shoukat:
Yes, yes.
Sujata Dasgupta:
Yeah. Could you just speak a few words about yourself before we start?
Talal Shoukat:
Sure, sure. Thank you so much, Sujata and first of all, thank you, GRC World Forum for arranging this session today, inviting me to speak on a very important topic that is, key element of an effective global AML/KYC program. To introduce myself, I would say I’m a professional working in financial industry for more than a decade and half. I was part of a financial institution, [FI’s 00:04:51], ranging from large global banks and MSB’s. I’m always committed to play a small role as part of my responsibilities to protect FI’s against financial crime.
Currently I’m serving as a compliance manager and MLRO in a local MSB here in Qatar. I was also part of regulatory compliance side and the compliance management and customer onboarding teams in my previous organization. I’m also a certified AML specialist and certified compliance manager. And finally, I would say that I’m a learner and a contributor in order to play a small role effectively in mitigating money laundering and terrorist financing risk at a global scale in financial crime domain and to support wherever it’s necessary for the institute, which I’m committed to work and definitely it’s our responsibility wherever we are to stop financial crime. That’s the brief introduction of me. Thank you so much.
Sujata Dasgupta:
Sure. Thanks Talal. And very impactful words there when you say that we are all learners and contributors. I think all of us, whoever is fighting financial crimes, I think we are all in the same boat. We are all learning and trying to contribute, trying to collaborate and help each other. And that is where we have platforms like this GRC world forum, which is bringing so many people from so many different industries. If I see our panel now, we are from three different industries. I come from the IT and consulting, Devraj from the academia and Talal, you’re from the financial services industry yourself. And we cover three different geographies as well. So Europe, UK and Asia or [inaudible 00:06:35] , as we call it. So I think platforms like this help us to hone our own skills. And that is why we are all here.
So before we get into the discussion, what are the key elements, I think let’s take a step back and try to understand why do we need an effective KYC/AML program in the first place. So in my view, I think financial institutions are the gatekeepers of all the money that’s flowing through all the economies globally. And they are at the forefront of fighting financial crimes because that is the means which criminals use to hide and move their money around. So institutions are at the first line of defense, if we talk about fighting financial crimes. So it’s only when they have an effective defense mechanism in place through these effective KYC/AML programs, that is how their ability to fight such criminals is enhanced. So I think that is one of the key drivers, I think, that financial institutions should have.
Of course there are regulatory mandates. We know there are global and local regulators who provide those guidelines, who provide the mandates, directives, they are then transposed into national law and transposed by the institutions themselves as to how they want to go by those guidelines. So regulatory mandate is of course, again, one of the key drivers and that if the institutions have an effective AML program, that is, which helps them to adhere to all these regulatory guidelines and compliance mandates, avoid your penalties for deficiencies or non-compliance and of course, with that, whatever follows, if you’re penalized, you have this reputation damage, legals and criminal proceedings. So all that can of course be avoided. So I think these would be the key drivers of why an effective KYC/AML program is required in the first place. So with that, maybe I’ll hand it to Talal, your views on that.
Talal Shoukat:
Yeah. Thank you once again, Sujata. See what I would see in this context, basically, the question was more related to the enterprise-wide, KYC/AML program, if you say like that. So for that, if we speak about larger financial institution, there’s a critical need which I think is that, there should be an enterprise-wide approach that allows for consistency in the manner in which financial institute manage its money laundering, terrorist financing risk. So if I say consistency, it’s very important because your program at a global level should match with the program which your head office is having. So this is very important, a consistency. However, we also endorse that there is a need to accommodate the regional or the business line, a specific requirement for that specific region. For example, enterprise-wide money laundering risk models in financial institutions that operate in multiple region or countries, will need to reflect the local regulatory requirement for sure.
So this may be achieved by having different versions of [AMLCFT 00:09:53] program, but that is not likely because your AMLCFT program, again, need to be consistent. But you can have a country specific addenda to the global AMLCFT program. So that addenda or addendum, what you call, it’ll cover the local or the regional program, but the consistency will remain. To be more specific again to endorse your point is that, the laws and regulation is one of the key drivers of an enterprise-wide AMLCFT program, because your regulator where you operate, it mandates you or it mandates the financial institution to comply with AML/KYC regulation at an enterprise level to cover the money laundering and terrorist financing risk. And secondly, I want to continue again with your point, where you mentioned that financial institutions internal policies and their risk management standards are also one of the drivers to implement an enterprise-wide program to mitigate the identified risk.
And one of the very important factor is to consider that whenever financial institutions is having presence in countries or jurisdictions which are not effectively applying the [inaudible 00:11:13] recommendation financial action task force, then the concern or then the global policy need to be very stringent in order to follow the recommendations, which you set at your base. Here I would like to also highlight the case study of HSBC, where back in 2012, HSBC Holding plc and HSBC Bank USA agreed to pay around 1.2 billion to several US agencies. So why they paid a penalty of 1.2 billion? The reason was there was failure to have an enterprise-wide view of compliance across the global institution. So as an example, the headquarters in London were aware of the weaknesses in its Mexican operation. The US operation processed many transaction of Mexican operation, but were never informed of the weaknesses in the Mexican operation by anyone within the organization.
So if such cases arise, where you have gaps in your enterprise wide AMLCFT program, that need to be addressed and that need to be addressed promptly. Otherwise, if it continues for years and it’s detected, a strong penalty will occur in such cases. So therefore to conclude that, I would say that a strong centralized oversight of the program is very much required for an organization to implement an enterprise-wide program. So oversight is important, oversight of the board of the directors, oversight of the global… If we say a global compliance function or a group level MLR or group level compliance function is important to mitigate the risk of money laundering and terrorist financing. Over to you, Sujata.
Sujata Dasgupta:
Sure, I think we would like to hear from Devraj as well, because he comes from this unique academic background. So I’d like to hear from him as well.
Devraj Basu:
Yeah, no, thanks for that, very insightful Sujata and Talal. Yeah, so the academic perspective and we see this reflect in our Regtech forum, I suppose could be summarized in sort of two words, which is helping large FI’s via instructing them on best practice. So, the idea of bringing together an ecosystem type approach involving regulators, people from FI’s as well as innovators of large number of startups, very innovative startups in this space, to kind of have a cooperative approach to this, to try to understand where the problems are. So at least a couple of things that Talal talked about, problems existed at least two levels. So there’s both the sort of execution level, which is for example, the issues about multiple regions and the fact that, for example, data can’t move between multiple regions. So you’re going to need a enterprise wide approach, but it’s going to have to devolve down to the individual region as well.
So maybe you then have to have interaction between regulators and different players in that space. And then the other thing that Talal spoke about, which is the governance issues and that sort of has to sort of escalate upwards. So maybe if you could prototype. So our idea, I suppose, it’s sort of evolving from our forum discussions, is if you could somehow prototype this at a fairly small scale and try to sort of understand what all these issues are, and then maybe give some recommendations or look at best practice and suggest further recommendations, which any given FI would then have to end up adapt to their own specific needs. There isn’t the one size fits all. There isn’t any such thing, but maybe if you can kind of do a bit of sort of enterprise architecture almost, at a fairly general level and then share that widely. So that’s sort of our thinking along in this setting.
Sujata Dasgupta:
Absolutely, absolutely. So I think what comes from this conversation is, while every institution is unique, the jurisdictions there, they conduct their operations, are widely different. And then of course there are products, channels, industries, customer segments so each institution is unique in so many different ways, but I think the best practices, which the industry follows should be invite everywhere and like we were all talking about bringing in income and the global as well as the local. So now the new term we are hearing is [glocal 00:15:46], right? So build global and execute local. So with most institutions operating in multiple jurisdictions, as are the criminals. The criminals are also operating across borders so it cannot be a localized form of an assessment. In fact, there is a question which has come on our chat box as well.
It says, are the regulators in general, encouraging a localized or an enterprise-wide financial crime risk model program? So I think in my view, what I have seen of regulators talking, it’s everywhere, EWRA, enterprise wide risk assessment, right? So, it’s from Singapore. The authorities in Singapore and one side to Europe and the rest, I think it’s everywhere. They’re calling out the enterprise-wide risk model, which has to take into account everywhere that the organization operates, because criminals are operating everywhere. So you cannot keep your controls localized to one place. So with that, maybe allow both Talal and Devraj to share your views on this question as well, as to whether the regulators are looking for a localized or an enterprise wide.
Talal Shoukat:
See, yes, I would like to take it. Basically, as you rightly mentioned, the regulators are looking for enterprise-wide model. Even the instructions which regulator issues, that covers that you need to have an EWRA approach, that you need to manage your enterprise level risk and also you need to strengthen your global presence or wherever, in which country they are operating, they should follow. If they’re upper than the local standard, that’s fine, there is no issue, but at least minimum level, local standard need to be followed. So, that is approach, I think, globally it’s accepted and also recommended by the financial action task force as well in the recommendations.
Sujata Dasgupta:
Sure, sure. I think Devraj-
Devraj Basu:
Maybe just to add to that from what I’ve seen. So the FC… I mean, in the UK, of course, the local, the FCA guidelines are mostly focused in the UK, but they’ve also got things like GFIN, global financial innovation network, which tries to have these discussions sort of maybe a sort of regulator version of [FATF 00:18:03]. So they are, I think in some small way and this is a very slow process obviously, trying to move towards sort of common elements. So if you look at maybe the latest FATF report, they are trying to look at sort of common elements like data sharing… Sorry, I keep coming back to data sharing because I think it’s quite an important thing here. That could help with all of that, but just to sort of echo and reiterate your points, this is all to help an EWRA.
Sujata Dasgupta:
Yeah, sure, sure. So with that, I mean, we all understand that it’s essential to have an enterprise-wide effective KYC/AML program. So now, I know Talal also mentioned about one large global bank having… they’ve been there in operations for so long. They have a lot of controls and processes, still they landed up with some penalties. So then what should be those key components which should be part of an effective KYC/AML program, right? So again, in my view, if I can start off maybe, very, very broadly, I think… I mean, the institutions should align with the three kinds of frameworks, again, at a very summary level. First would obviously be at the highest level, that’s the governance where you set the policies, set the structures as the three lines of defense, what should be the structures?
What should be the roles and responsibilities? What are the boundaries? Which team should be independent? I mean, that water tight nature is required because one should not get into the other’s feet. Of course, the policies, the structure. So that is what the governance framework is about, because they are the ones which transpose the regulations into the institution’s own control so that’s the governance framework. The second would be the execution framework. Of course, it is a mix of people, process technology and a lot of other things. But I think in the execution, people play a very important role. And we’ll talk about that in probably a lot more detail as we will do about process and technology as well. So that is the execution framework. And third, I think would be a continuous review and monitoring framework, because risks and threats are not static.
They change dynamically. And as of now, we are seeing with every new technology innovation, with every new product or payment channel that is coming through, there is a new kind of a threat. So we cannot stay static, like you do a risk assessment today and then you don’t review it for the next five years. So that is about the risk assessment part. Then of course your controls, whether the controls are being applied properly, they’re being executed properly. So I think all of these, and then of course there is your internal audit function which is an independent reviewer of all that’s going on in this compliance execution and policy space so just to see that both are matching. So I think in my view, those are the very, very broad level, the governance, execution and the monitoring and review framework. Talal, your thoughts on that.
Talal Shoukat:
Yeah. As you rightly mentioned, Sujata, basically, it evolves around three lines of defense. First is the internal policies or the governance framework, which you rightly mentioned, but to add on on that governance framework, what I would like to say is that when we design enterprise level policies, procedures, and controls, that should be flexible. So when I say flexible, because money laundering and terrorist financing risk varies across jurisdictions, customers, products and delivery channels and also over time. So, your model instead of the policies and procedures of control which you’re developing, it should be flexible in nature so you can match the requirement or the regulations across the globe. Then I would further add in this point, is that it should be effective as well, because as companies are better equipped with the… because legislator, they will set the tone.
They will share the guidance, but as a company or as a financial institution, you can more effectively assess and mitigate the risk of money laundering and terrorist financing. So for example, there is a set of guidance issued that if you follow these standards, you’ll be protected. But internally you might have certain other risks, which you need to manage. Okay? So therefore, your policies or enterprise global level controls which you set, definitely it’ll match the standards but you know better to design it effectively for your organization. And lastly, I would say that it should be proportionate. So when I say proportionate, it means a risk based approach, that promotes a common sense and intelligence approach to fight against money laundering and terrorist financing, as opposed to the checkbox approach.
Sujata Dasgupta:
Yeah.
Talal Shoukat:
It allows firms to minimize the adverse impact of money laundering procedures. On the low risk customers, it’s not required to have that much stringent procedures for low risk customer. So if you follow these three important steps, flexible, effective and then proportionate. So your policies, your procedures, your control will be customized with the need of your organization. So this is the governance framework. And then again, definitely the execution part, which is a compliant function and a global… what we call a group level, compliance officers are there to manage the enterprise-wide program and their connection with the compliance officer which are globally operating in different jurisdiction. The communication is very important in designing even the policies and procedure at a global scale. Then I would also add that employee training is one of the important factors that should be a program, maybe a e-learning approach is used for a global program.
And again, as you rightly mentioned, testing is very important, a frequent testing, independent audits or external audits is also one of the key components of an enterprise-wide program where your local auditors here will visit your global branches around the globe. And they will do the checks or the quality assurance program if we call it internally from a compliance function as well. So I feel that these are the key components of enterprise-wide AML compliance program that need to be there, in order to effectively manage the risk of money laundering and terrorist financing. Over to you.
Sujata Dasgupta:
Very much. Yeah. In fact, when you mentioned the points like enterprise wide risk assessments, the proportionate nature of controls, I think that is where institutions are now moving from the rule based to the risk based approach, right? So we’re right at the time of onboarding, you are categorizing your customers as high, medium, low risk and applying those kind of controls. So at onboarding, if it’s a regular simplified due diligence or an enhanced due diligence. Similarly, your transaction monitoring scenarios are designed for customers which are low risk, customers which are high risk, your periodic reviews are done like that. So I think very, very much in line with what you were just mentioning. Devraj, your views around the key components.
Devraj Basu:
No, I don’t think on a technical level, I would’ve very much to add. I just want to maybe frame this again with an academic hat on, in a broader context, maybe in a GRC governance risk management compliance context. The way I see it, coming as an outsider is sort of… It goes back to what Talal was saying in the tick box approach, is more R is related to C, right? So there are the regulators, they lay down these things and your risk management is to make sure that you are compliant with what the regulators are saying and everything that you should have done, Talal have been saying, is a suggestion. And I think this is the key to everything, is to move that to a G framework. R is now more of a G. So, as you were saying, it has to be transposed.
The C bit has to be transposed into a G bit, which means you’ve got to educate the C-suite and it has to start from there. And then the framework as all the elements that Talal was outlining in terms of flexible, effective, and proportionate [inaudible 00:26:47] risk based, has to really come from that governance framework. The big… it has to be outlined in the governance framework. And then of course, then this comes back to what you’ve been saying, Sujata, about people processing technology and particularly data. But then one of the questions here points out that the data has to be right as well, and that bad data is worse than no data at all. So again, that’s a key part of the governance process, data quality, data veracity, all of these points being raised. But rather than this being sort of specified, by the regulator, it needs to come from the governance framework within the FI.
And then the link, as you said, at the end to onboarding and emerging issues like PKYC, perpetual KYC, linking it to that. And that, again goes back to the point Talal was making earlier. It’s an example of enterprise wide, not just AML, but linking it to the onboarding function and using these multiple data streams to try to profile in an effective and proportionate way. And so the more you can get data sharing and breakdown silos within the organization… I mean, that’s easier said than done, but I think the suggestions that you’ve made here about linking more with the KYC and the onboarding function, I think is a very concrete thing. And wearing my Regtech hat, it would just be that, is what we might call Regtech by design. Rather than looking at it as a business optimization of a process, you look at it as a business development process. So be proactive about doing these things. So that’s really just a framework which tries to encapsulate, hopefully most of the things that you’ve just talked about.
Sujata Dasgupta:
Sure. And I know, Devraj, you were also referring to one of the questions which our audience has mentioned here, when you were speaking about data. The question just for everyone in the audience, the question says data is both an asset and a liability. To what degree are organizations addressing the management of this data to include data governance in an effective AML/KYC program? So I think that is what, Devraj, you also mentioned. I think you answered it partly so yes, data is a very integral part. I think it will come up in our discussion again because we will keep touching on this people process technology part throughout our conversation and to enable technology, especially when we are talking about effectiveness, we cannot miss talking about how technology is enabling the effectiveness and efficiency of our KYC/AML programs.
And that is where data becomes of paramount importance, because it’s all about processing the data. And if the quality of input is not good, the quality of output will also not be good. So it is very essential that data governance is closely integrated with the AML/KYC program. But then what I’ve seen in institutions is data governance runs a lot, I mean, through the organization. It’s not just meant for AML/KYC, but data governance runs across the institution. And yes, there are concrete say centralized AML data hubs or say [inaudible 00:29:52] master data. Those kind of initiatives are there, which started, I would say, three to four years ago, where these kind of very specific initiatives are being taken around data just to facilitate effective AML/KYC programs, because it starts with KYC, that’s the customer data.
And then along the way, the institutions adds up account data, transaction data, alerts data, associated party data, that is what gets added during the life cycle of a customer. And all this is what runs through either the scenarios or the list management or whatever detection we are doing. So data is extremely important and that is why data governance should be a part of this whole AML/KYC program. But what we see now is, it’s a horizontal running across the organization. How it gets integrated is again, varying within each organization. And just to Talal’s discussion, when he was talking about the global and the local. I see a question here. So probably, I’ll allow Talal to answer. It says, what if the local regulations differ from the one at the FI head office? I know you referred partly to it when you said that, wherever it’s most stringent, but I’ll allow you to answer that question for the audience.
Talal Shoukat:
Yeah. So definitely, as I mentioned earlier, is that if your local regulations differs. So in differs in what sense? For example, local regulations are not following a global standard. So in that case, definitely you need to follow because that country will not allow you to operate if you don’t follow the local regulations so that is very important. Actually, your local regulations need to be followed, but if it is globally, your presence require more stringent procedures. So you need to comply with that, which is there in the global market. But the local regulations are must to be adopted. So I think that’s what I would like to say in this question.
Sujata Dasgupta:
Yeah, sure. So I think, whichever large organization we talk about, they’re always there in multiple jurisdictions. The headquarters will be in one country, but the operations will be in 20 different countries. And as Talal rightly mentioned earlier as well, that not all countries are at the same level. Even if you look at the FATF mutual evaluation of countries, not every country is at the same level, right? So some may be very highly compliant while others may be they’ve still not reached there so they’re under continuous monitoring. So for any organization which is operating in multi jurisdictions, I think my view is that, have a global standards across the globe, that is more of the institution’s own level. Now, in whichever country those standards are below this, you should follow the institution’s global institutional level and wherever the levels are higher, follow that.
So I think it’s the higher of the two, the companies global standards or that country’s standards. Whichever is the higher one, follow that. So there may be a delta which needs to be adhered to, but I think it’s worth it. And we have seen like Talal was mentioning earlier, that have a global standards, rules, policies, and country specific addendum, wherever there are country specific, because every country will have its own set of additional nuances, right? If we talk about onboarding, there may be specific set of documents that may be required for onboarding. If it’s about the risk assessment, there may be certain industries which are identified as high risk. For example, jewelry, maybe a high risk in some country whereas in the other countries, it may be not. So there are specific mandates that every country’s own regulators also provide, right?
So I think that is what should feature in the addendum that Talal was talking about so, yeah. So just to say that delta about the country component makes it worth it. I mean, the institution’s life becomes so much more easier. So, having spoken about a lot of what should go into an effective AML/KYC program, Talal, do you think it’s that easy or institutions face a lot of challenges in going through all of that? Because I’m sure they would’ve also done their assessments. They also would’ve considered a lot of these things, but why is it, what are the challenges do you think that they face?
Talal Shoukat:
Yeah, definitely. See, it’s not easy for a financial institute to comply with the challenges they face. So banks and financial institutions really are facing some serious AML compliance challenges, I would say, that can typically attributed to faulty mitigation approaches. Basically firms fail to prevent money laundering and tend to pay heavy price in the form of declining revenues, customer dissatisfaction, huge penalties, loss of reputation and ultimately the stock prices which goes down. So what I would say is that first of all, the increased governance, which is also one of the challenge when we talk about enterprise-wide approach. So banks and financial institution can find it difficult to manage a cross border, as we spoke earlier about cross border and multi-jurisdictional AML compliance requirement and also an ever growing customer due diligence requirement. I would say also identifying beneficial ownership is one of the challenges which FI’s face it when they’re dealing at a global scale and initiating remedial measures to address any regulatory findings or gaps uncovered during regulatory reviews.
Because in that case, you need to have an understanding of global level issues, which arises through these gaps. So increased governance is one of the challenges which firms are facing. In addition to that, I would say that lack of skilled personnel is one of the challenge. Getting a skilled resource with an in depth knowledge of AML can be a great challenge for an FI currently. As we can see, there is a gap of… the demand is more while the supply is less when it comes to skilled AML professionals and other issues will definitely… Let’s suppose the onboarding time, it takes a time to onboard a skilled professional, a cost and it’s very important to consider all these things and especially retaining the skilled labor.
This is one of the challenges, which I feel is that if you onboard some skilled staff and then retaining him is a big challenge because he develop himself during the phase you onboard him and then for an FI to retain that individual, it becomes really a challenge because opportunities are there in the market. So a trained staff retaining is one of the challenges which I think FI’s are facing. Also for their global operations as well. And also I would say that complicated processes and technology is also one of the challenge because compliance require a financial institution to place a processes and technology solution that will be consolidated based on data and systems, which ultimately will consolidate in one system. So it means, this create infrastructure across channel detection suspicious activities or improve data quality, a standardized data to enable a centralized analysis. So the challenge is you need to integrate multiple systems, where you have a core system, then you have an AML system and there are multiple other data centers, which your data will be processed.
So manage this is a very critical role, which the IT functions need to play as well to integrate the data properly, to integrate the transaction, it should come in the system. The governance of this model is one of the challenge. As the processes are complicated, the support this process technology will play important role and to manage this technology definitely, FI faces some challenges around that as well. There are several other challenges, but I will give it to Devraj.
Sujata Dasgupta:
Yeah, you shouldn’t be too negative about it. Shouldn’t be too negative about it. But I totally agree. I mean, Talal, when you mentioned about the people, so you spoke about again, the people, process technology, all of it, and very, very important points there. So when you mentioned about the skill related resource gap in the industry, well, I completely agree because the demand is so much and it’s not just financial institutions. Now we see that even non-financial institutions, I mean, in the retail sector, in the communication sector, shipping sector, everywhere, they are now complying with these AML/KYC functions, right? So because the financial crime has… It’s getting prevented so there are so many defenses in the financial system. Now they’re moving out of the financial system and we are seeing how they’re dealing in art.
So instead of using the money through the financial system, they’re buying yachts and retail goods and luxury watches and real estate, of course. So, because it’s moving to so many other sectors, the need for skilled compliance professionals is now required in the other sectors as well, apart from financial institutions. And that is where, like you rightly said that, it takes so much time to train up a person making, because investigation, finding out that needle in the haystack requires a lot of experience. It’s not a checklist kind of a thing. It requires a lot of experience. And once you train somebody, he becomes a niche resource and then he or she kind of finds a better placement somewhere, because the whole industry, it’s not just financial institutions, the whole. Every industry is now looking for [fincrime 00:40:21] professionals.
So professionals who are out there listening to this, this is a huge hope that there are a lot of job prospects out there. So, that was about the people part that you mentioned. The process part, again, we have to continuously, where we say the challenges continuously doing the risk assessments, finding the threats. For example, take a disaster situation. When there was COVID, there were so many new kinds of crimes that emanated, right? So it’s not easy for a financial institution to change their processes overnight. It takes a lot of time and that is where… They did take some time, maybe eight months to one year to change their detection models, because it was a disaster situation… Do the entire onboarding digitally because customers could not come to the bank.
So these are process related challenges where some black swan event happens and you cannot just change your processes overnight. So that was about more of the processes where it requires a continuous review and monitoring. But again, like you said, it’s not easy. And then, with technology, of course, we discuss that data is fragmented. Platforms are siloed. So in most banks, what we see is every country uses its own onboarding system. The AML system may not be the same, investigation platforms are different. So if you want to have a centralized view of a particular customer across their operations across different lines of businesses, you will not get that centralized view. And I think that aggregation is extremely essential when we are talking about detecting crimes, looking at what is the behavior.
Because if I’m a criminal, I will not use just one method or just my savings account. I will use multiple different channels, multiple different products, right? And if the bank does not have a centralized view of this customer across all the products, all the channels, all the countries, I think that is where the criminals can slip through the cracks. So I think these are all the various challenges across the people, process, technology as well. And I see Devraj nodding so I’ll allow him to share his views as well.
Devraj Basu:
No, no, thank you. That was most educational. I must say I can’t completely agree with yeah, there’s so much that you’ve, both of you, have said there. Again, wearing the academic hat, maybe all I can do is try to summarize a number of issues. So, yeah, I mean, just maybe start off where Talal started, for example, ultimate beneficial ownership so that’s more almost a legislative issue. In the UK we are looking, people are talking about Companies House reform. So there’s bits of it that have to be done at a legislative, at a system wide level. And then the skills thing, of course, as an academic, this is a sort of thing I’m quite concerned with. So, this sort of problem has arisen in many, many different fields. I mean, we teach stuff now that even 50 years ago, would’ve been very, very niche and very, very only available to a few people.
So there’s a standard process and that really works through standards. So for example, data standards, you have to develop a standardized approach to these things. And then you have to develop standards and then a teaching process, a pedagogical process around it. So I think what there really is a need for is for skilled professionals like yourselves to sort of sit down and maybe reflect on what the common elements of what you do are. And however simple it might look is to simply take that complexity and sort of distill it to a few key elements, that’s how the standard pedagogy works. And then sort of collect those in some sort of a standard for data. The same would apply for technology. Now, technology is tougher because it’s always evolving, but you still kind of get an idea.
So the needle in a haystack, for example, there are certain kinds of data methods most to do with unsupervised learning, that are probably better suited to this than supervised learning. So AML is a very specific problem as people are mentioning, it’s more about needle in a haystack. So you need the right methods for that. And so, taking a more sort of systematic approach to all of that. But your last point, Sujata, which I think is not emphasized enough. And I think would be really helpful from a governance perspective if people took this down. Look at things from the viewpoint of the criminal, then instead of, so this is where the C gets replaced by the G. Financial crime is a problem, but can we understand the criminal typologies better by understanding maybe the behaviors and they have access to certain technologies so they would try to use those.
And so, again, that would be a more flexible approach. I don’t quite know how you go about this, but I think I’ve heard a number of people talk about this. And I think it really could be a very interesting new angle on how to tackle this particular problem. So I think that’s about all. I mean, that’s really just summarize everything you’ve said. I think, if you could reflect on these things and find the common elements, if professionals in this space could reflect on this, then we could try to maybe construct programs that are sort of more public good based. Obviously, there’s a competitive aspect to this, but clearly if a baseline of knowledge can be created, then this would help people enter the field, get jobs in the field and then they would have to be trained more specifically in an institution. There would always be a competitive aspect to this, but we should try to maybe find the cooperative aspect to this. And that relies on professionals as well as academics coming together and finding that body of common knowledge.
Sujata Dasgupta:
Of course.
Devraj Basu:
I mean, that’s kind of my view on that.
Sujata Dasgupta:
No, I completely agree with you, Devraj, when you say that… I mean, the market participants and professionals should come together and collaborate on the non-compete aspects, of course. I mean, we are seeing a few of those initiatives, for example, in the [Nordex 00:45:58], we have seen this, in [inaudible 00:46:00] which is a KYC unity which has come to, in the Netherlands there’s TMNL where five different [inaudible 00:46:06] have come together. So, these kind of initiatives have started and that’s completely aligned with what you just mentioned that, because criminals work in networks, they don’t work alone, they don’t work in a single channel. So even the defenses have to be collaborative. It cannot be left to one bank alone, right? So we’ve discussed about the challenges and we’ve also discussed what should be done. I mean, what should be components of an effective KYC/AML program while also appreciating that there are challenges in the process. But even with these challenges, what could be done to make the current incumbent programs more effective? So maybe Talal, you can share your opinion on that. What can be done now to make things more effective?
Talal Shoukat:
Yeah, so we are speaking for the collaboration within an FI, the financial institution or team, but what I would say is that it’s very important within the financial institution also, the collaboration. When I say it, it means breaking down the silos. It is important for a compliant professional to learn the business first itself. So how they can learn the business? Building a strong relationship with the executive on the business side, in order to foster an open dialogue and facilitate learning on both side and allow partnership between the business and the compliance as a function. This is very important to understand the requirement on the both ends to come up with the solution. So when I say in reaching out the business partners, if a compliance personnel or compliance department itself, if they have a regular discussion with business units, so that will definitely… Compliance can become an advisory or they can update on the other end, they can also gain greater product knowledge.
So that is very important aspect that need to be considered. So it will improve the efficiency of a compliance function and also improve the needs, which is required on the business side as well. So that synergy, I think, is very important for both of the side, which will enhance the processes, help the business as well to mitigate the compliance risk and compliance definitely improve the processes. This is one of the aspect which I consider is, breaking down the silos.
Sujata Dasgupta:
Yes.
Talal Shoukat:
Then I would also say that if we think about the enterprise level for a compliance function or in a organization, you need to think out of the box and out of the country as well. Because as you know, we are evolving the compliance itself as a function. You need to understand and formalize, as we already spoke, a global level standard, that can be effective globally. So you don’t need to change it frequently. So if you comply with some global standards, you follow the standards of [inaudible 00:49:15] or a global level standard. So you need to follow it effectively so you can operate anywhere in the world while complying with the international standards. That will save time to reinvent your policies and procedures if you are scaling up at a global level. So at the beginning itself, if your policies or your procedures or your controls are globally compliant, then it’ll give you a competitive edge as well, because you don’t need to upskill yourself. You’re already ready to start at globally if you want to scale up. So this is also a process which can be effective.
So when I say, lastly, is definitely building a smarter compliance function or AML team. We can merging the data analytics and investigation, as we spoke already about data a lot. I say that data analytics is a key of building a smarter compliance function. Once data is mined, analysis of these metrics can be used to identify risk and refine rules and engines in order to achieve further efficiency in the investigative processes. So constantly updating the rule based on critical feedback, because once you set… Let’s say well, there is a transaction monitoring rule or as you, Sujata, mentioned about the list management. So if you get the feedback and continuously update, so it’ll become more effective in detecting suspicious transactional customer activity. And you can also have more accurate alerts that can turn to improve the quality of your suspicious activity report. And the review is very important. I would also say that formalizing quality assurance program, that is very much important for FI’s to have it in built in their compliance program.
So to assure the quality, whatever you have implemented so far, what is the quality of that? Are you in line what is expected or you went out of that? So that is important, the feedback, whatever you are doing, you should receive a feedback regularly on your program that how it’s performing. So, these are some of the aspect, which I consider. If we, [FFI’s 00:51:41] think on that, their processes will improve definitely.
Sujata Dasgupta:
Definitely, definitely. Very, very important points, especially on the last bit where you mentioned about the feedback loop and that is integral to breaking down the silos, right? So traditionally we have seen a KYC team working in isolation and a transaction monitoring team sitting separately. But we do understand that there is so much of synergy between the two. And in fact, I’ve seen a couple of banks now making the KYC and the transaction monitoring investigations team sitting together, because then the flow of information is so much easier. In fact, some banks at the technology level, they are having a common enterprise case management platform, so that if you are doing a transaction monitoring in the investigation, you can also check for a fraud, whether this customer has done any fraud or not. So that’s integration of fraud in [AML 00:52:32], right?
[FRAML 00:52:33] is the word which is coming through. So these kind of breaking the silos and appreciating that all of these are connected in very strong ways, especially around the data, around the transaction behavior, around the customer’s own behavior. For example, whether he has changed the addresses or changed the industry or those kind of customer behavior is so essential in actually monitoring their transactions and activities, also finding their networks. So breaking the silo of course, is one of the things that becomes the key to all of this and then harmonizing the global and the local. We all discussed about it. And probably one thing which I just want to add to all that Talal mentioned is, the technology aspect. Because I come from that background and I cannot leave this conversation without discussing about the virtues of AI and machine learning and the advanced technology, because we do understand that criminals are using a lot of cutting edge advanced technology.
So when we look at the traditional banks, they may have a lot of fantastic systems, traditional platforms, very strong, very robust and they are going on adding all the new regulations that are coming through. So there’s a lot of customization happening, but they still have to go a long way in matching up to the criminals, as far as being tech savvy is concerned. So that is where AI, machine learning, they will help in detecting all these hidden networks, hidden transaction behavior because rule-based thresholds, criminals are all aware that there are rule based thresholds and they do everything just not to bypass those thresholds. So they will do everything below those thresholds. Now, this is where AI machine learning are enabling pattern detection, hidden network detection, risk detection. So all of these are enabled by advanced technology. So if criminals are using it for their benefit, I think the institutions and regulators as well.
So we are now talking about Regtech is what institutions use. We are also now talking about [Suptech 00:54:30] or supervisor technology, which regulators have started using, right? So I think technology is now enabling a lot of this detection, prevention, all of this. Even investigation case management. So I think it’s again, a combination of all of these things, right? So it’s data, technology, people, process… In fact, there was one question on this people bit. It says, given the need for skilled talent, any thoughts on bolstering relationship amongst industry, academia and professional development associations to create pathways to meet industry needs? So I think this was probably inspired by when Talal mentioned that there is a lot of demand, but supply is very less. So, I’ll share what I know and then I’ll allow you both to speak.
So, everybody in the industry now appreciates that there is a huge skill gap when it comes to financial crime compliance professionals. Probably that is the reason that most institutes are now offering courses on financial crime compliance. When I was a student, I had not even heard of this term or a course in the university, but now I think most universities are providing this. And I know in Denmark, there is this Copenhagen Business School, which a bank has tied up with that, so there is already that collaboration between the bank and this business school. So this business school offers courses on financial crime compliance and the bank is associated. So I’m sure there, there will be that tie up on the skill, supplying that kind of skill. And like I said, universities at other countries also I’ve seen, because I have been speaking, I’ve been mentoring students in one of those universities where that kind of association, I think it helps a lot, where from the university level itself, your students are getting to know of what is their career path and they’re getting a direct entry into these banks.
So, it’s more of a win-win for both.
Talal Shoukat:
Yeah.
Sujata Dasgupta:
Talal, overview.
Talal Shoukat:
Yeah. I think, Sujata, we are out of time, I think so.
Sujata Dasgupta:
Yes. Yeah but you are allowed a few minutes of time. I’m okay.
Talal Shoukat:
So what I would like to say is definitely, as you rightly mentioned, universities can initiate courses on this domain as AML/CFT or a compliance function. So definitely, it’ll meet the need of skilled labors, but the global institutions which are already, like [ACAMS 00:57:04] or GCI, these institutions are already there in the market to support, if somebody is interested. But definitely awareness need to be created for the youth to come in this sector as to meet the gap. It should be supported by some initiative from the regulatory side as well, to allow some institutes to work in that specific country as well or to create the sense of partnership with a global institute, like ACAMS is having some chapters around the globe. So that is also, I think, is a good way to create an awareness in this sector. That’s what I would like to say. You can-
Sujata Dasgupta:
Sure. So we’ve actually spilled over by quite a few minutes, probably seven, eight minutes. But I think this… Because there was a question, I thought we would address it here so thank you both. Thank you Devraj and Talal and I enjoyed thoroughly our conversation.
Talal Shoukat:
Thank you.
Sujata Dasgupta:
Hope our audience also enjoyed this. Thank you all and have a good rest of the evening. Thank you all.
Talal Shoukat:
Thank you Devraj, thank you. Thank you.
Leigh-Anne Moore:
Thank you so much. And thanks to our amazing panelists for sharing their insights with us this afternoon. That was a very interesting session and certainly lots more to discuss in this space. Please stay tuned for our next session, the comparison between the EU’s July 2021 AML reform proposals and the current US AML regulations. So we’re going to take a short break now, half an hour. Please grab a coffee and check your emails. And we’ll see you back here at ten past three. Thank you.