“Is this us?”
When it comes to penalty actions that include insufficient resources, that is one of the first questions the average AML compliance officer should ask after reading some of the more recent enforcement cases, like the one that resulted in an $8 million penalty for Raymond James, or the $16.5 million headache for Credit Suisse.
The usual reaction is typically somewhere between, “I hope not,” and, “Gee, I’ll have to check that out.” And then it goes on the back burner because, really, who has time to look into it?
The reality is that recent enforcement cases have cited insufficient resources, thus bringing an important issue to the forefront – and not for the first time. Allocating adequate resources to critical AML functions is paramount to ensuring internal controls are working as designed, contributing to an effective AML program.
So how should you confirm whether resources in your firm are, in fact, sufficient? If you can keep up with the many tasks required to maintain an effective AML Program, then you likely have sufficient resources. If you find yourself trying to keep up, yet always behind the curve, then take heed.
- Perform a risk assessment. If you don’t already have a risk assessment, then it’s time to create one using the many resources available to you through your AML networks or the Internet. If all else fails, engage a third party expert to assist you. An important resource for guidance is the Federal Financial Institutions Examination Council (FFIEC) BSA/AML Examination Manual, which describes the many aspects of assessing risk. Additionally, a sample Quantity of Risk matrix is available to guide you further.
- Identify the number of high-risk customers in your portfolio. Review the geographic locations where your firm transacts business, particularly countries where there may be heightened risk. With regard to OFAC, perform an analysis of how many false-positives you clear each month. And don’t forget your automated systems’ alerts – as they may lead to investigations and suspicious activity reports (SARs), all of which take time. You need qualified and skilled personnel to perform these critical tasks. It’s endless, which is why it is so important to know where you need resources.
- Look at your last independent review. If your provider is an industry expert, then the report should cite any violations or deficiencies, and/or include recommendations for improvement. Were there any exceptions in CIP/KYC, enhanced due diligence (EDD,) investigations and suspicious activity reports, wire transfers? Exceptions typically reveal that additional staff training is needed because personnel don’t fully complete the task, or personnel are rushed and miss key elements in completing the task correctly because they are covering too many critical tasks.
- Look at your critical AML tasks. Are you collecting all your documentation in a timely manner? How many hours per day are focused on CIP/KYC, and what are the quality assurance controls associated with the function? What about transaction monitoring alerts – approximately how many alerts appear per week and how many hours does it take to clear them? How many move to investigation, and how many hours does it take to investigate cases, regardless of whether they result in a SAR filing? Assessing the hours required to effectively complete all BSA/AML/OFAC tasks and calculating that against the number of full time employees (“FTEs”) assigned will assist you in assessing staff sufficiency and any shortage.
Approximate your needs and then compare them to your current personnel. Consider the overall skillset while you’re at it. Do you have a good mix of skills? Do you have all the functions you need? Then, create a memorandum document outlining your findings identified in categories. First, list the critical functions (high risk) and assign the approximate number of hours needed to complete the work in each category, while keeping in mind part-timers, floaters and personal time off.
Don’t have enough resources to get it all done? Time to make a change.
Gone are the days when a firm can say, “…we just don’t have the budget.” In the AML world, that is not acceptable. AML compliance is here to stay, so make the investment now, before you have to write a check to your regulator.