By Dustin Palmer, Christopher Sidler and Conor Stanhope
Bank Secrecy Act /anti-money laundering programs have faced substantial impacts during the COVID-19 pandemic, including operational shocks, rapid and dramatic changes in economic activity, and lasting shifts in customer behavior. While many severe impacts of the pandemic on financial institutions soon may be in the rearview, several factors will continue to affect BSA/AML programs. Here are five lessons learned from these experiences designing and operating effective compliance programs:
1. The risk landscape is changing
The pandemic corresponded with the emergence of new risks and an increasing awareness of the dangers posed by changes in existing risks. These include pandemic-related fraud and cybersecurity, ransomware and others. Regulators have signaled their focus in response to and anticipation of changes in the political and economic landscape, illustrated by the issuance of the Financial Crime Enforcement Network’s “National AML/Countering the Financing of Terrorism (CFT) Priorities.” Its emphasis on fraud, cybercrime and domestic terrorism financing indicates that the pandemic and its impacts will continue to shape banks’ risk profiles.
Banks should address these threats in their enterprise risk assessments, in terms of both risks inherent to the firm and the effectiveness of controls. For example, changes in the customer base, product usage, and expansion of geographic footprint beyond physical locations will affect risk exposure. Controls such as transaction monitoring should be evaluated, with the understanding of how such shifts have affected the efficacy of the bank’s rules and detection processes. Additionally, as banks evaluate the forward-looking direction of risk, it will be important to look at how these changes will play out in 12 to 18 months.
2. Technology supports but does not replace due diligence
To support businesses affected by the pandemic, the U.S. government turned to banks to help distribute more than $800 billion in relief to small businesses. Fintech firms also were enlisted to assist in processing loans. By the third draw of funding, fintech firms accounted for roughly 80 percent of issued loans, with borrowers often not subjected to the same degree of due diligence and know your customer controls as banks. Paycheck Protection Program loans processed by fintech firms were substantially more likely to be obtained fraudulently, contributing to an estimated 15 percent of funding issued to entities that likely were not eligible. This emphasizes that technology and efficiency cannot serve as a substitute for due diligence and KYC.
Further, customers and their behaviors have changed, and banks should ensure, when applicable, that their KYC programs are capable of reassessing the nature of their customers and the corresponding expected behavior. This should involve the use of automated solutions, via the reconciliation of publicly available and internal information, to identify key changes in the customer behavior and risk profile, which can supplement traditional periodic refresh. These event-based triggers, such as significant changes in customer information (such as a change in beneficial ownership) and through feedback from downstream processes such as suspicious activity reporting, provide sound bases for defending the bank’s risk-based approach to ongoing KYC.
3. The importance of strategic data analytics
Although financial institutions have experimented with dynamic approaches to identify suspicious transactions, many continue to rely on static methods that compare “anticipated versus actual” activity.
The pandemic undermined the effectiveness of these methods, as comparing recent to historical activity proved to be much less effective at identifying abnormal activity that warranted further review. The anticipated versus actual concept, in the context of comparing historical to present activity, is predicated on the idea that legitimate businesses generally are more consistent in their behavior and that significant changes can be explained more readily than in cases where the party is acting criminally.
The pandemic demonstrated how consistency can be a weak indicator of benign activity; in some cases, it could indicate the opposite (such as customers purporting to be restaurants that had unchanged transactional volumes during early parts of the pandemic).
This experience illustrates the need for creative solutions to detecting financial crime, such as:
Rule and scenario efficacy. The remarkable economic recovery has been far from uniform. Many sectors continue to face significant disruption, such as service-providing industries, which have struggled to recover fully from the roughly 20 million jobs eliminated due to the pandemic. Consumer spending has altered significantly, with consumption skewing toward goods over services accompanied by a deepening trend toward digital over brick-and-mortar shopping. Suspicious activity also appeared to change in this period, prompting a 43 percent increase in Suspicious Activity Report filings related to cyber events since the onset of the pandemic as more transactions moved online.
These changes in consumer behavior have coincided with rising inflation. Transaction-monitoring rules should be reevaluated to ensure that thresholds are appropriate. However, this might not be as simple as adjusting the threshold itself by the measurement of inflation, as prices have changed by substantially different degrees across the economy. These changes make the detection of illicit activity more difficult, as the question of “Is this activity reasonable for this customer?” becomes more challenging to answer.
Collaboration and the benefit of sharing information. Banks can use publicly available data on PPP recipients to screen for relationships with entities or individuals known to have abused PPP funding, and potentially to create their own typologies on unusual borrowers to examine risk exposure further. Additionally, information sharing between financial institutions (such as through FinCEN’s Section 314(b) program) provides substantial benefit to law enforcement. Banks should continue to cooperate in detecting and reporting potential wrongdoing.
Advanced analytics. Categorizing normal customer behavior has become more difficult. Banks can combat this by using unsupervised machine learning techniques such as clustering to group like customers based on nuanced characteristics—such as transactional volatility, market characteristics of associated industries and geographic demand for substitute goods—and trigger alerts based on substantial deviations from the cluster. Additionally, supervised machine learning techniques have been shown to reduce false positives and identify previously undetected risks. Regulators have long signaled their support for experimentation and adoption of innovative approaches.
4. Review and update filtering criteria
Model risk management has long been a component of financial crime compliance programs, and banks should assess the appropriateness of transaction-monitoring and name-screening tools, including the value of the alerts. As described in the 2021 interagency statement: “For automated transaction monitoring systems, prudent risk management involves periodically reviewing and testing the filtering criteria and thresholds to ensure that they are still effective, as well as independently validating the monitoring system’s methodology and effectiveness to ensure that the monitoring system is detecting potentially suspicious activity.”
This could include sampling alerts within typological areas to assess the degree of risk presented by the alerts and to support an overall decision of whether and how to calibrate rule and scenario thresholds.
5. Retain top talent by empowering and engaging staff
Financial institutions are not escaping the effects of the “great resignation,” the term coined to describe the (arguably) pandemic-sparked phenomenon of workers across the United States choosing to leave jobs not aligned with their preferences. Banks will be forced to assess priorities in staffing and ensure that they can establish incentives adequate to retain top talent, particularly in certain operational functions, where pay and employee engagement are generally lower.
The core of the BSA/AML compliance function is its people. Each team member contributes to the bank’s understanding of its customers and its risks through the thousands of hours dedicated to adjudicating alerts and investigating potentially suspicious activity. However, many compliance teams struggle to attract and retain talent, and providing upward mobility and career development can be a challenge.
The pandemic’s impact on the job market will reward banks that foster collaborative, inclusive compliance departments, including those that involve remote or hybrid environments. Banks should consider results of validation exercises. Banks also should ensure that only work items of true risk-based merit are reviewed by analysts and that processes promote a more robust review of the risk presented by an event. Those that involve a range of personnel in the risk assessment, process enhancement and programmatic elements will empower staff by encouraging a more participatory environment and will better retain talent.
The pandemic has affected society and business permanently. Banks that address the above factors through thoughtful innovation in their processes, people and technology will be well placed to develop, implement and maintain effective BSA/AML compliance programs.
Dustin Palmer, a managing director and a leader of BRG’s financial institution advisory practice, is an expert in regulatory compliance, with a focus on BSA/AML, sanctions, fraud, anti-bribery and corruption and related areas. He can be reached at DPalmer@thinkbrg.com. Christopher Sidler is a managing director and a leader of BRG’s financial institution advisory practice, specializing in financial crime compliance, with a focus on BSA/AML, sanctions and export controls for domestic and international banks. He can be reached at CSidler@thinkbrg.com. Conor Stanhope is a senior associate in BRG’s financial institution advisory practice, focusing on KYC, due diligence and compliance program design. He can be reached at CStanhope@thinkbrg.com. The views and opinions expressed in this article are those of the authors and do not necessarily reflect the opinions, position, or policy of Berkeley Research Group, LLC or its other employees and affiliates.