IT Support for KYC Norms by xumiaomaio


									CAB CALLING   April-June, 2008

                    IT Support for
     Compliance to KYC Norms and
        AML Guidelines by Banks
                                                                                                      Nitin Khanapurkar*
                 Over the years, banks have undergone a huge transformation with the growth of new and structured
                 products and operations across countries. Banks are also facing increased challenges due to
                 customers demand for an efficient means of moving money globally. Consequently, money
                 laundering methods have also evolved and adapted to these changes and launderers are using
                 sophisticated means and technologies to launder ill-gotten wealth and for financing of terror.

                 To counter money laundering, regulators, government agencies, self-regulatory associations have
                 come up with a plethora of guidelines and recommendations. A good Anti Money Laundering (AML) IT
                 solution should help in identifying and preventing the risk of potential money launderers from using
                 their system for illegal purposes. Failure to comply is not an option as it may lead to stiff penalties and
                 bad publicity.

                 *Senior Director and ** Manager, Deloitte Touche Tohmatsu India Private Ltd., Mumbai. The views presented in
                 this document are the personal views/opinions of the authors and not of the organization they represent and are
                 informative in nature only. It is not intended to be relied upon, nor be used as a substitute for, specific professional

                                                                                              CAB CALLING             April-June, 2008

    As part of these guidelines, banks are required to address the following areas
        Designing AML policies and procedures
        ØYour Customer (KYC) norms
                                                                                              Banks need a
        Ø of 'Hot Files' on customer profile
                                                                                           comprehensive AML
        Surveillance on customer accounts and transactions
        Ø                                                                                framework to avoid the
        Reporting Suspicious Activity Reports (SAR) and Cash
        Ø                                                                                    charge of 'willful
        Transaction Reports (CTR)                                                              blindness’
        Documentation and record keeping
        Ø of employees

This article describes the need for a bank to go in for an AML solution. It also         of transactions to determine a
elucidates the components of a comprehensive AML solution and the important              suspicious activity. Besides this, the
considerations/ challenges banks face while undertaking this important initiative.       system should also be able to monitor
                                                                                         series of cash transactions within the
Need for an Anti Money Laundering Solution                                               threshold and generate reports. The
                                                                                         system should be able to generate
The day-to-day operations of a typical financial institution encompass a series of
                                                                                         alerts for suspicious activities and
events like opening/closing an account, depositing/withdrawing money or
                                                                                         minimize false alerts.
transferring funds. The complexity of the KYC requirements for a bank can be
gauged from the fact that opening an account for a trust, for example, requires
verification of around ten parameters which will require at least nine documents for
verification. Moreover, the banks are required to create a profile for each customer
account and monitor the transactions based on this profile. This goes beyond just
                                                                                                 Launderers can hide
the act of identifying the customer, and extends to understanding all information,
internal or external, that relates to a particular client or prospect. Banks are also             themselves but not
expected to review these profiles on a periodic basis.                                             their transactions
Spotting the transactions that a clever money launderer is trying to push through is
a daunting task as it requires comparing a series of transactions to an event, linking
of related accounts, considering the account profile and determining whether it is
suspicious or not. The number of transactions in a bank can be large depending on
their customer base. So, monitoring each and every transaction manually can
                                                                                         Case Management: The system
become a herculean task with the increase in the number of accounts and
                                                                                         should enable users to investigate
transactions. Moreover with the increase in banking channels like internet
                                                                                         alerts generated in the system by
banking, ATM facilities, etc. have left banks with no choice but to seek an effective
                                                                                         providing for drill down facility. It should
technology driven solution to combat this menace.
                                                                                         also have a robust workflow process for
Components of a Comprehensive AML Solution                                               assigning alerts and monitoring
                                                                                         investigations. The system should
A good comprehensive AML solution should enable banks in:                                adapt the lear nings from the
Account Opening: The system should provide for a workflow for account opening            investigation process into alert
process based on the KYC policy for various types of customer accounts. It should        generation.
also be able to digitally store documents provided by the customer during the            Reporting: The system should provide
account opening process. The system should also assist in creation of customer           templates for reporting the SAR and
profiles and identifying hidden relationships, if any, between various customer          C T R re p o r t s t o t h e F i n a n c i a l
accounts and group them for monitoring. The system should be able to access the          Intelligence Unit (FIU) in the specified
banned entity list or 'Hot List' as prescribed by the regulators before account
                                                                                         Record Keeping: The system should
Transaction Monitoring: The system should be able to monitor transactions                provide a facility to store and retrieve
online as well as offline. In online transaction monitoring, the system should be able   documents during the account
to monitor the transactions with banned entities and stop transactions at its            opening and alert investigation
origination. In offline transaction monitoring, the system should have the capability
                                                                                         process in a digital form.
to monitor transactions with the expected profile of the customer and linking series

CAB CALLING            April-June, 2008

                                                                                             A simple depiction of the various
                                                              Wire           Teller
           Manual                CBS             CRM                                         components of an AML solution is
                                                            Transfer        System
                                                                                             as under:

                           Bank Data Sources Systems

                                                                                              Regulatory Reporting
              Data Aggregation
              Apply Suspicious                      & Workflow                                     FIU          Other
               Rules Criteria

                     False Alert                       Reporting

                 Alert Generation

                                 Hot List Scan
                                  PEP Scan                                                         Watch Lists
             Customer               Customer      Account Grouping
                                                                       Risk Profiling
            Information            Documents        Beneficiary

                                   Know Your Customer

                                          AML System

Consideration for Implementing an AML Solution
There are numerous solutions in the market which cater to specific requirements of the banks or provide a comprehensive
solution. Some of the important features of an AML solution are:

                 Features                                                Importance

                                                       Know your Customer
   Workflow for Account Opening             Should enable parameterization as per KYC norms. Allow for storage of
                                            documents in digital format

   Hot List Monitoring                      System should be able to access and download the hot list/PEP and have
                                            ability to minimize false positives

   Risk Profiling                           Should have the facility to rate the customer based on their relationship with
                                            different entities, expected transactions, etc. It should also assist the bank in
                                            developing risk profiles

                                                                                             CAB CALLING          April-June, 2008

                Features                                              Importance

                                                Transaction Monitoring
   Pre-populated Domain Expert           Should have shorter implementation time so as to realize early benefit

   Predictive Intelligence, Analysis     Should enable customer transaction analysis, preparation/updation of customer
   and Adaptive Learning                 profiles. Should minimize false alerts.

   Automated Intelligent Alerts          Should improve monitoring efficiency

   Robust and Proven Technology          Should operate in mission critical and high transaction value environment

   Audit Trails & Reports                Should help in meeting the regulatory compliance requirements

   Adaptable                             Should cater to changes in modification to rules/guidelines.

The financial services industry has been complying with numerous rules and regulations from time to time. To achieve this
compliance, banks have made ad-hoc changes or quick fixes to their existing systems and as a result, they are saddled with
numerous applications which are not integrated.

As technology has evolved over time, a proper IT Strategy, as described below, needs to be in place before undertaking
implementation of any new system.

       Strategy: As a first step, banks need to understand the business imperatives for the project. This will enable the
       management to define the strategic objectives and the benefits that will accrue and integrate this with other
       compliance initiatives. Regardless of the AML technology that a bank wishes to implement, they will need to ensure a
       fit with existing technology infrastructure or consider implementation of new infrastructure to support the banks IT

       Build Vs Buy: Banks need to decide if they want to develop the system in house or buy an off-the-shelf product for
       implementation. Development of an in-house system takes a long time and with numerous solutions available in the
       market catering to various functionalities; it is judicious to go for a package implementation. It is challenging to sort
       through the numerous vendor offerings and make a long term technology decision since regulatory requirements and
       software features keep evolving. Many questions arise: How much to automate? Which functions to automate first?
       How should it integrate with the current systems? What other benefits can I get out of this investment? Banks can then
       decide on one or more solutions catering to various functionalities and integrate them for a comprehensive solution.
       In such a case, banks will decide on the priority of their requirement and implement solutions in a phased manner. The
       interface requirements between these solutions need to be managed to ensure success of the initiative.

       Data Quality: The success or failure of implementation depends on the data quality. Deficiencies or inconsistencies
       in existing financial and KYC data can have large implications for the effectiveness and reliability of the information
       provided by the best of the breed AML system. The bank will need to undertake a data gap analysis and undertake
       remediation measures to fill the data gaps by enhancing the source systems.

       Roles and Responsibilities: There have been many instances of projects going haywire because of lack of clear
       responsibilities. Bank should define clear roles and responsibilities for each personnel involved in the project. This
       exercise should be undertaken at the project planning phase itself to ensure the success of this initiative.

       Vendor Selection: Selecting the right software is an arduous task. It is very important to understand the
       functionalities and capabilities of the software clearly. It is the responsibility of the bank to ensure that the
       functionalities envisaged in the AML software are implemented and work as per expectations. Besides, this vendor
       capability and reputation is an important factor while selecting an AML solution. For this, the bank may want to
       enquire with their peer group and gain from their experience.

CAB CALLING           April-June, 2008

       Software Customization: Customization and parameterization of rules needs to be done very diligently. A high
       threshold will allow transactions below that threshold to pass through without detection. On the other hand, a lower
       threshold will result in inundation of the users with false alerts. Banks should be able to fine-tune the rules based on the
       results and arrive at an optimal level. As the profile of the customer and the transactions change over time, banks also
       need to continuously monitor the alerts and fine tune the rules even after implementation.

       Testing: The responsibility of the AML program rests with the bank. Hence, it is imperative that the bank tests the
       functionalities of the software implemented and satisfy itself of its capabilities. One has to remember that it is the bank
       that has to answer the regulator and not the software vendor. It is also suggested to get a post implementation review
       done through an independent third party. The audit should highlight data integrity issues, and issues related to system
       controls, user access and user rights. This exercise will also help in confirming that the objectives defined at the start
       of the project have been achieved.

       Change Management: Implementing an AML solution affects the length and breadth of the organization. It may
       result in changes to the profile of various personnel within the organization. A proper change management process
       should be established to educate the users and develop a comfort level across the organization for the new system. A
       training program will be most essential for training the users on the software. Moreover, commitment from the top
       management will drive the change management process and ensure its success.

                                              Common Risks                               Mitigation Approach

                                Lack       business commitment and            l
                                                                              Focus   on providing
                                   funding/resources                             measurable/quantifiable benefits
            Overall                                                           Develop
                                                                              l          a Vision and Implement a strong
                                                                                 goverance model backed by a cultural
                                                                                 change Program

                                l           best practices not considered     Integrate
                                                                              l            proven practices and tailor to the
                                   during implementation                         structure of your organization
         Process/Data                                                         l
                                l insufficiency/quality                       Undertake    data gap analysis and
                                                                                 remediation exercise

                                l                in software tools used       l
                                                                              Develop    and IT Strategy based on
                                   across businesses, regions, “stacks”          business imperatives
                                                                              Include    technology analysis in the
                                lof        enthusiasm in using the software
          Technology                                                             assessment phase and use integrated
                                                                                 software tools where possible
                                                                              Training    of personnel on the software

                                l planning        and understanding of        Understand
                                                                              l           the requirements first before
                                   requirements                               software selection and initiate a
           Project                                                            professional project setup with people
          Execution                                                           from functional and technical domains
                                                                              ladopt and incremental approach

According to International Monetary Fund (IMF), the aggregate size of money laundering around the world could be
somewhere between 2 and 5 percent of the world's GDP. No wonder, regulators are very concerned and banks have come
under increased scrutiny. A comprehensive AML solution provides the foundation for identifying illegal or suspicious
activities and prevents the banks from being used as a conduit for money laundering.
Moreover, the financial services industry is facing a tidal wave of compliance regulations like AML and Basel which has a
significant impact on the IT systems. The silver lining is that there is a confluence of these forces on the impact on IT systems
like customer data. Banks have realized that it is prudent to have an IT strategy in place which will leverage the technology
investments across various compliance requirements and also profit from it by using the same infrastructure for other
business needs as well like customer profitability, channel utilization and marketing.

                                                                                                CAB CALLING           April-June, 2008

The cost of implementing an AML solution can range from a few lakh to hundreds of lakh of rupees. The implementation cycle
can vary from a few months to more than a year depending on the functionalities being implemented, approach and
complexity of integration/interfacing with existing systems which increases the chances of failure. But the cost of failure is
very high as it leads to reputational, legal and operational risk.
Adopting a long term vision in formulating a response to AML with a strategic approach will help banks achieve a competitive
advantage. However, the key to develop a successful AML program lies in a judicious mixture of best in class technology,
effective human inputs, successful change management and above all, commitment from the organizational top
management for this initiative to nip money laundering in the bud.

   What Bank Directors Need to Know About AML and Basel II
   The regulations encompassed within anti-money laundering (AML) legislation have put banks and other financial
   institutions under tremendous pressure, necessitating a need to secure the interest of genuine customers on the one
   hand, while also avoiding liability exposures on account of failure to report suspicious transactions to the regulatory
   authorities. Compliance with some of the most stringent regulations under both AML and Basel II will have a large
   impact on systems infrastructure in almost all cases. It will require a bank to amass and process a considerable
   amount of historical data. Databases will have to be built and integrated with the bank's processes, as data must be
   available to banks and their subsidiaries across all geographical locations.

   Some of the key regulatory requirements that the board of directors of banks must be aware of and be able to act on
   are as follows:

   l should be aware of the major aspects of operational risks as a distinct category, and they should approve
        and periodically review the bank's operational risk management framework.

   lThey     must ensure that the bank's operational risk management system is subject to continuous internal audit,
        and that this internal audit process is carried out by staff members who are well qualified, well trained and
        operationally independent.

   l must ensure that the following processes are being used to identify and assess operational risks:

        Risk mapping: under this process, organizational functions or process flows under various business units are
        mapped by risk type.

        Key risk indicators: these are statistics, often financial, which can provide insight into a bank's risk position.

   l        board should implement a process to regularly monitor operational risk profiles and material exposure to
        losses. There should be reguiar reporting of pertinent information to senior management and the board of
        directors that supports the proactive management of operational risk

   There are synergies that can be created by appropriately linking the investment made in an AML solution with those
   required under Basel II. This solution should be capable of collating the same banking data where data required by
   AML regulations directly relates to data required under Basel II regulations. The bank's AML system should have the
   ability to monitor all transactions all the time. It should provide the right data management capabilities, with common
   feeds from the transaction systems in the chart of accounts to the data warehousing for broader finance and risk data.

   Since AML and Basel II cover virtually the entire spectrum of banking operations, a methodological approach to
   address these two challenges will equip banks to substantially lower their risk profiles and to improve profitability. The
   sooner banks are able to perceive this, the earlier they will be equipped to push themselves through the crisis. Banks
   that move fast to implement, integrate and upgrade strategically their internal and external risk management
   capabilities will gain competitive advantage in the form or efficiency, transparency and security.

                          [ Source: Dr Dennis Germishuys, of HLB-NGA International originally published in Banker Middle East ]


To top