Significant upcoming change in managing money laundering and terrorist financing
There is significant regulatory change coming down the line, with the EU AML Authority (AMLA) being established in 2024 and a new, directly applicable regulation is also imminent. These changes fall under the EU’s AML Package, which the European Commission published in July 2021.
With this in mind, AML and CFT remains a key focus for regulators, senior management and boards.
Implementing a robust AML/CFT framework can be challenging due to the fast pace of regulatory change. Criminals are also adapting and evolving their methods of money laundering / terrorist financing on an ongoing basis.
Majority of firms only reviewing their AML/CFT risks on an annual basis
A key part of the BWRA process is ensuring it remains up-to-date and relevant. 85% of respondents conduct their BWRA annually, while just 2% update their BWRA in real-time.
AML/CFT legislation and guidance is based on a risk-based approach to money laundering and terrorist financing. This means firms must know and understand the related risks for their particular business and apply appropriate controls to manage these risks.
The AML/CFT BWRA underpins all procedures and controls. In 62% of firms, second line compliance is responsible for their BWRA. However, risks are happening in the front office and only 31% noted a collaborative approach between the front office business units and second line compliance.
An effective BWRA process involves both functions:
- Second line compliance: responsible for the development, implementation and oversight of the BWRA methodology; and
- Front line business units: responsible for identifying, assessing and owning the risks.
75% of respondents confirmed that their BWRA process is entirely manual, with only 3% of firms able to rely on a fully automated process. This can lead to human errors, be resource intensive and can result in a lack of audit trail. Additionally, a manual BWRA process can take up to 6 months to complete. This may result in an outdated board-approved risk assessment, which may not reflect the current AML/CFT risks within the business and ultimately result in inadequate controls. Real-time risk assessments are far more effective in the prevention of financial crime.
Only one-third considering investing in new AML/CFT technology
84% of respondents have some form of automation or technology to manage their AML/CFT processes. However, the technology used is fragmented, with 31% of respondents’ AML/CFT technology infrastructure based on multiple interconnecting AML/CFT systems and 30% operating multiple systems that are not interconnected.
The use of technology to manage AML/CFT processes has increased exponentially over the last number of years with a significant focus on:
- reducing operational costs;
- leveraging the use of data analytics; and
- obtaining a ‘single customer view’ to provide a complete customer risk assessment.
Surprisingly, only one-third are considering investing in new technology within the next 12 months. Although, more than half of respondents are considering investing in new AML technology over the next three years.
When designing a technology strategy, it is not possible for a single system to address all AML/CFT requirements. However, it is important to have a coordinated strategy built around a small number of core processes and systems. The absence of a coordinated strategy can lead to challenges in managing AML/CFT risks, as it can be more difficult to collate information and obtain a single customer view and golden source of truth.
Majority believe there is scope for further automation in the onboarding process
52% of respondents have automated some or all of their Know Your Customer (KYC) collection processes. However, a lot of manual intervention is still required, with 72% collecting documents via email and almost 50% requiring hard copy documents from some customers. These results vary significantly across industries, with e-money and payment firms further advanced in their automation journey than more traditional financial institutions. Unsurprisingly, almost 90% of respondents believe there is scope for further automation to improve their CDD onboarding process.
Customer due diligence (CDD) is a critical control against the entry of potential crime into a firm. The CDD process gathers information to help firms know their customers and understand and document their expected patterns of behaviour. This allows them to identify and report suspicious activity throughout the customer life cycle.
Unexpectedly, only 75% of firms conduct annual periodic reviews for their high-risk customers. This was surprising given the risk that higher risk customers can pose to businesses. Using a risk-based approach, medium-risk and low-risk customers are reviewed less frequently (every two years or more). Over 30% of firms use trigger events to keep information up-to-date for their lower-risk customers. This was significantly lower for respondents in the Asset & Wealth Management (AWM) industry, where over 80% of firms rely on periodic reviews to keep their medium-risk and low-risk customer information up-to-date. One firm is wholly reliant on trigger events to refresh their customer information.
Governance remains a hot topic for the CBI
Key challenges for AML MI & Reporting
Governance is a critical component of all compliance frameworks and a consistent theme in all types of CBI feedback. The CBI holds the board ultimately responsible and without appropriate governance, the board will not have complete visibility or understanding of the AML/CFT threat to the firm. Strong AML governance includes:
- timely and regular data-driven management information (MI);
- active oversight across all three lines of defence; and
- a board that is familiar with the BWRA and ensures that the residual risk is within the firm’s risk appetite.
Within organisations, AML MI reports and updates develop and grow organically over time. Additional data points are added without considering the implications for managing this on an ongoing basis. This results in time-consuming and sometimes irrelevant reporting. Almost 90% of firms reported challenges with their reporting processes. The most common challenges include:
- highly manual processes (69%);
- inefficient processes (49%); and
- duplication or reworking (33%).
Nearly two thirds outsource some or all of their AML/CFT activities
AML is operationally resource-intensive, and this is why 61% of respondents outsource some or all of their AML/CFT activities. This is a hot topic for the CBI, and the board should be as close to outsourced activities as they are to internally managed activities.
KYC/CDD activities are the most popular AML/CFT activities outsourced by firms, with 56% of respondents noting that all or some elements of this activity are outsourced. The outsourcing of transaction monitoring activities is also particularly high in e-money and payment firms, with 87% of industry respondents outsourcing elements of this activity.
Key actions businesses can take today
1. Be prepared
With a new EU regulator on the way, having a robust AML/CFT framework is crucial in managing the threat of financial crime. To ensure your AML/CFT framework is set up for success, review the following areas for gaps and enhancement opportunities:
governance and oversight;
people and capabilities, with clearly defined roles and responsibilities across the three lines of defence;
risk-based approach; and
processes and controls.
2. Emerge stronger
Without reliable data and innovative technology, regulated entities in Ireland cannot effectively respond and adapt to emerging AML threats. Over the next three years, more than half of firms will invest in their AML/CFT technology.
Before you do, assess your firm’s current infrastructure. Sometimes, enhancements to existing technology can be as efficient and effective as new technology—and a significant cost-saving.
We are here to help you
Our specialised team has vast experience and expertise in AML and can help firms address new and existing money laundering and terrorist financing risks. We can help you create an AML-focused risk management plan; conduct large-scale AML remediation programmes; assess and enhance your firm’s AML framework; develop and review your AML compliance monitoring programmes; and transform your AML and financial crime target operating model. Contact us today to discuss any of these challenges and explore our solutions in more detail.
AML Survey results
Read our detailed AML Survey results
Contact us
