AML
Security Emphasizes Detection and Prevention
By Karen Epper Hoffman
Banks accelerate spending on staff
and systems to support anti-money laundering efforts.
Certain business ventures are being passed by to avoid
risk of a compliance crackdown.
Over the past three years, anti-money
laundering (AML) compliance has gone from a back burner
to front-and-center in the attention of senior management.
The main reason is a regulatory crackdown
in the wake of the Patriot Act, which requires financial
institutions to "know your customer" and act as a first
line of defense against both crooks and terrorists who
would misuse legitimate financial systems. Banks now have
a dual obligation to detect money laundering and also
prevent it from happening in the first place — and
the regulators intend to make sure banks comply.
"There has been heightened scrutiny
around all of our AML practices," says Dan Soto, a global
compliance executive for Bank of America Corp. in Charlotte,
N.C. "We are feeling more scrutiny around this worldwide,
throughout a lot of different lines of business."
To avoid the kinds of eight-figure
fines and reputational damage recently heaped on Riggs
National Corp. and AmSouth Bancorp for compliance violations,
U.S. banks have been spending significantly more money
on transaction monitoring and identity-verification systems.
They have also pushed AML training programs out to the
front lines and, in some cases, increased the number of
dedicated AML staff by four times or more.
In a recent survey by KPMG International,
94% of North American banks reported increased AML costs,
with almost one-third of those respondents saying their
costs have more than doubled over the last three years.
"This result reflects the impact of recent legislative
and regulatory changes in the United States since 2001,
most notably the USA Patriot Act," the report states,
"and the fact that some institutions needed to 'raise
their game' substantially to meet the strengthened requirements."
Beyond the rise in costs, financial
institutions have also had to adjust their business practices
— potential customers are screened much more carefully,
for example. And they've become more cautious about potential
business ventures, particularly when weighing the risk
of doing business in a potentially hostile jurisdiction
or acting as a correspondent or wire transfer agent for
clients overseas.
Given the current political and regulatory
climate, banks have little choice but to shoulder the
new compliance burdens. There is some relief available
in the form of more sophisticated transaction monitoring
systems, which do a better job of recognizing unusual
patterns in transaction activity and rating customers
and transactions by risk levels. But for most banks, the
unavoidable remedy is to simply devote more resources,
particularly more employees, to the problem.
Wake-Up Call
The harsher regulatory regime can be
seen in two recent high-profile cases. Last May, Washington,
D.C.-based Riggs got slapped with a $25 million fine by
the OCC over allegations that the bank failed to report
suspicious activity that had been going on for years in
its embassy banking division. Additionally, representatives
of the victims of the September 11 attacks and their families
filed suit against Riggs Bank in September claiming the
bank allowed Saudi officials to channel money to at least
two of the 9/11 terrorists.
In a case that hit banks even closer
to home, AmSouth of Birmingham, Ala., was forced to pay
$40 million to the U.S. Department of Justice over accusations
of not filing appropriate suspicious activity reports
(SARs) with the Treasury Department's Financial Crimes
Enforcement Network (FinCEN) related to a Ponzi scheme.
The $48.2 billion-asset bank received another $10 million
civil money penalty for "systemic defects in AmSouth's
program with respect to internal controls, employee training,
and independent review that resulted in failures to identify,
analyze and report suspicious activity occurring at the
bank," according to an October 2004 statement by FinCEN.
The fine was imposed with the Federal Reserve Board.
"The two recent decisions are certainly
a wake-up call that regulators take this seriously," says
William Langford, associate director for regulatory policy
and programs at FinCEN. (For more on the regulatory view
of these issues, see sidebar.)
Ellen Zimiles, national financial services
industry leader for KPMG Forensic's fraud and misconduct
group, says the AmSouth case worried bankers more because
"AmSouth is more of a standard bank" focused on domestic
business and lacking the "sexy international side" —
i.e., Riggs' embassy banking business — that attracted
regulators' attention.
Given this heightened regulatory scrutiny,
the larger scope of banks' responsibility and the ever-greater
possibility for financial penalties, it's no surprise
that banks are doubling up their investment in staffing
and systems for AML prevention and detection.
In 2005, Wachovia Corp. will have more
than 100 employees dedicated to AML — more than
double the staff three years ago, according to Betty Jo
Zbrzeznj, director of the AML office. While the increase
comes, in part, because the bank itself has grown, Zbrzeznj
admits that the Charlotte, N.C.-based bank is putting
many of these new staffers to work on furthering customer
identification and investigation efforts necessitated
by the Patriot Act. To support these employees, Wachovia
is also providing AML training across all its business
units.
SunTrust Banks Inc., meanwhile, has
grown the AML staff at its Atlanta headquarters from just
five people to 19, according to Thomas W. Martin, first
vice president for the bank's Financial Intelligence Unit.
Bank of America's Soto declined to be precise about his
staff's expansion, saying only that the bank has "enhanced
the number of associates dedicated to AML compliance"
in recent years.
Transaction Monitoring
But investment in staffing isn't the
only area where AML budgets are growing. In fact, it's
not the largest expenditure. According to KPMG's research,
over the past three years, banks both in the United States
and abroad have been spending the biggest piece of their
AML budgets on improving their transaction monitoring
systems. And, the research predicts this will be the main
focus of AML spending over the next three years, as virtually
all the top U.S. banks scramble to install the latest
and greatest systems, which are reportedly much more astute
at weeding out unusual patterns.
Neil Katkov, a Tokyo-based analyst
with Celent Communications, estimates U.S. banks spent
about $125 million in 2003, and again in 2004, on AML
technology alone. "In addition to expanding anti-money
laundering and compliance personnel," he says, "banks
are spending millions to install new state-of-the-art
technology to spot suspicious transactions."
Breffni McGuire, a senior analyst for
global payments at TowerGroup Inc. in Needham, Mass.,
says that all 15 of the nation's top banks either bought
new monitoring technology, or made a decision to buy it,
between June of 2001 and June 2003 — most spending
between $1 million and $5 million.
This AML system shopping spree has
meant a raft of new business for companies like Searchspace,
one of the leaders in transaction monitoring software,
with clients that include Washington Mutual Inc., U.S.
Bancorp, Wachovia, and Wells Fargo & Co. Jim Wills,
AML business line manager with the New York City-based
vendor, says that banks are "in the capital expenditure
mode now," but believes spending on these systems will
decrease in the next few years as the major banks get
new systems in place and get comfortable with using them.
Transaction monitoring itself, it seems,
is going through a sea change — similar to the radical
improvement in fraud detection systems used by credit
card issuers in the late 1980s and early 1990s. Buoyed
by ever-improving technology and interest from regulation-wary
banks, these solutions have become much more sophisticated,
according to industry experts.
In addition, market demand has encouraged
other providers to enter the market, such as SAS Institute
Inc. of Cary, N.C., the enterprise software vendor. New
monitoring systems are not only more attuned to recognizing
unusual patterns in transactions or accounts, says Wills,
but they are also being built to rate customers and transactions
based on their level of risk. Under pressure to make sure
that risky transactions don't go unnoticed, Wills says,
"banks want to learn about what can be done in transaction
monitoring…they have to monitor each and every transaction."
Know Your Customers
Flagging suspect transactions is good.
Pinpointing the customers who may commit illegal activities
is even better. Hence, banks are also applying technology
that helps them "know your customers," as required under
the Patriot Act.
Nearly three-quarters of bank respondents
in the KPMG report said that they have "programs in place
to remediate information gaps on their existing customers,
who may have been taken on before the introduction or
strengthening of know-your-customer or account-opening
laws and guidance."
Searchspace's Wills says a bank is
forced to consider its own needs as well as regulatory
requirements. For example, says Wills, can the bank's
current solutions offer comprehensive risk-based analysis,
determine what is normal and usual activity for a customer,
look at wire activities in high-risk jurisdictions? Wills
says some Searchspace customers have been able to uncover
situations where personal accounts were being used as
business accounts and should have been subject to business
account fees. Others have been able to reallocate staff
to other positions as the quality of the alerts improves.
But the biggest payback — and one less easily calculated
— is a satisfactory result from examiners, he says.
"The cost of noncompliance or incomplete
compliance is expensive, as demonstrated by recent fines
and the need to employ extra consultants and legal resources,"
says Wills.
In addition, banks are now also required
by the Patriot Act to regularly search databases for the
names of individuals who are under investigation. According
to one executive who asked not to be named, every two
weeks her large multinational U.S. financial institution
is given a list of names by FinCEN to run through its
database of millions of customers.
All of this effort has represented
a noteworthy change for most banks — not only in
money and manpower, but also in mindset. "Information
sharing is a huge problem for banks," says McGuire of
TowerGroup, adding that these new AML rules seem to run
counter to the privacy-protecting approach that banks
have been careful to follow for years. Now, she points
out, identity verification often requires banks to keep
copies of driver's licenses — a rule that seems
to conflict with privacy laws.
Terrorist financing is much harder
to track than other forms of money laundering, and this
is a problem banks struggle with. Unlike drug trafficking
or embezzlement cases, which deal in high volumes of cash,
terror schemes may funnel small pockets of cash through
the system, usually less than $10,000. And often, these
activities may be operating under the cover of an embassy
or a charity organization.
"Money laundering usually is a crime
of profit, so we'll see spikes in the activity or unusual
dollar amounts," says SunTrust's Martin. "But terrorism
is hard to sort out because it's a crime of purpose."
Aside from the fact that these schemes
often use low-dollar amounts and operate under the cover
of legitimate fronts, says Mark Moorman, vice president
of the financial services practice with the SAS Institute,
terror financing is also tough to track simply because
banks and vendors "don't have much experience detecting
it." In the years since the Patriot Act, the industry
has experienced a "good deal of learning about terrorist
financing… we've had some breakthroughs, even found
people who are probably terrorists," Moorman says.
Celent's Katkov concurs that "finding
terrorist money is harder, but mostly because it accounts
for such a tiny fraction, probably less than 1% of total
money laundering." As a result, he adds, "the Patriot
Act comes down to massive legislation focused on finding
a few needles in a very large haystack. Despite its intent,
the real effect of the Patriot Act has been to uncover
standard money laundering, not terrorist money."
Risk Avoidance
In the end, this new regulatory reality
is not only going to affect banks' AML staff and systems,
it is having reverberations throughout banks as a whole.
The more intense focus on money laundering has caused
many banks to be far more cautious about embarking on
certain endeavors perceived as risky.
Banks are being particularly careful
when participating in certain correspondent or wholesale
money service businesses, especially where a bank may
be doing business — even indirectly — in unfriendly
countries, or in cases where the bank may not have firm
control over the customer information. One case in point:
J.P. Morgan Chase & Co. announced in 2004 that it
would exit the wholesale money transmitter business —
a risky venture because the bundling of multiple transactions
makes customers more difficult to trace — after
narrowly avoiding regulatory sanctions due to the improper
actions of one of the bank's clients.
"Our expectation is that banks are going
to assess the risk," says Langford of FinCEN. "People
are entitled to do business. They just need to add in
the controls that are appropriate."
Soto says Bank of America takes a "risk-based
approach when looking at all of the bank's lines of business
and its customers." In some cases, he says, the bank has
opted not to enter certain businesses, declining to be
more specific.
Some lines of business have become
financial hot potatoes — no one wants to touch them
for fear they'll get burnt. So many banks have declined
to do embassy banking — which was the line of business
most directly implicated in the Riggs regulatory action
— that "many embassies can't even get their payroll
checks cashed any more," according to Wills.
Private banks also have had to "rethink
a lot of their procedures" in recent years, says Katkov
of Celent. Since private banking services often place
client assets in overseas bank accounts, he says, "the
Patriot Act cited private banking as a potential hot spot
for money laundering, and placed a particular focus on
tightening up governance of correspondent banking relationships."
And banks probably won't get the opportunity
to lighten up any time soon.
"Money launderers are getting smarter,"
says Wills of Searchspace, "and using more bank products
to disguise their activities." Since regulators have invested
the resources to make sure that examiners are up-to-date
on all the latest money laundering techniques, technologies
and best practices, banks have to do the same or may risk
regulatory action, he adds.
And, as a number of bankers and vendors
point out, the number of regulatory enforcement actions
and the level of fines were the highest ever in 2004. The
recent re-election of President Bush and the Congressional
boost to the Republican party also "confirms the leadership
that was behind most of this legislation," says Moorman
of SAS.
Ms. Hoffman is a freelance writer based in Poulsbo, Wash.
Copyright © 2005 by Banking
Strategies, published by BAI.