When it comes to AML/CFT compliance, all building societies and credit unions face ever-increasing challenges - including constantly evolving regulations and legislation, plus changing patterns of money laundering. These dynamic challenges create a complex regulatory environment in which reporting entities must operate and comply. Getting compliance wrong is not an option - there is too much at stake. Furthermore, when events such as COVID-19 occur, those regulatory environments get even more complicated, providing yet another opportunity to consider whether you need to update your AML programme, processes, and tools. And this is where rules come into their own.
Rules are the backbone of any good transaction monitoring programme, regardless of whether it is manual or automated. The writing, tuning, and evolution of rules over time can be daunting due to its complexity, heightened expectations from regulators, and ongoing changes in the business. For reporting entities with manual review processes, the implementation and managing of rules can be expensive as they typically rely on extensive teams of personnel. For reporting entities who have automated their AML programme, the level of complexity and cost can vary. Nevertheless, it is still prudent to regularly reassess rules set up in AML software.
So how can you make sure the rules and process you use are working to remove the risks, simplify the process, and result in a transaction monitoring programme that is cost-effective over time? After working with reporting entities in three countries over nine years to implement, as well as update and optimise rules, we have distilled our experience into two themes – the foundation of effective rule writing and the need to evolve rules constantly. Under these two themes are takeaways that you can put into practice in your organisation, which will help ensure your rules achieve the best possible outcomes through the lifetime of your programme.
Set a solid foundation of effective rule writing
Rules must always start with your risk assessment. As the purpose of rules is to address risks, where you don’t have a risk, you won’t need a rule. If your risk assessment has changed, it’s important to change your rules accordingly, since having unnecessary rules is likely to impact the productivity of your AML compliance team negatively. Conversely, if you identify a new rule, you should update your risk assessment.
Best practice 1: Simplify your rules
Simplification increases the likelihood of rules delivering accurate results. And the best way to this is through testing but this needs to happen one step at a time. Take one rule and load data that you know will raise an alert. Then load more data that is close but won’t raise an alert. Step back and think what data or quality of data will make the rule fail and test that too.
Testing often causes you to modify a rule and you’re more likely to ensure it catches the behaviour you need it to without raising unnecessary false positives.
Best practice 2: Use storytelling to understand your rules
Another key to simplifying rules is through storytelling. Stories are a great technique for writing rules as they help you understand in plain language exactly the type of behaviour you are looking for and how it relates to your risk profile. And this doesn’t matter whether you are starting from scratch or updating your current rules. Ultimately, stories help ensure rules do what they should.
Best practice 3: Let data back up your story
Knowing what data you have available is critical. You can’t write a rule if you don’t have the data to analyse it.
According to Australian regulations:
A known risk in our business is deliberate overpayment followed by a request for a refund. John Smith called to explain that he has “accidentally” overpaid his loan and asked to have a refund on the overpaid sum. His regular payment is $635 but he paid $6,350. The refund was paid. He asked for a similar refund six months ago.
For the example above, you would need to ask whether you can unambiguously identify a refund transaction, for instance. And you would need to be sure the quality of the data is high enough to yield good results.
If your risk profile identifies people living in a high-risk country, but the customer’s country of residence is only recorded if they're overseas, the rule has to assume that no country entered means the customer is local. Rules don’t like this sort of assumption. They work best with hard data.
It’s not always easy to get the high-quality data and level of specificity you want, so it’s important to have continuous discussions with your IT team. In the meantime, make sure your rules are written in a way that takes your current data situation into account so you can rely on the alerts and information the rules are producing.
Best practice 4: From small beginnings, robust compliant programmes grow
Start simple and build a good base, so you get value right away without creating unnecessary work. Pick your top five or ten rules and get them working properly. Make sure you understand the alerts they are raising and adjust them if needed. When those rules are under control, add a few more.
Theme 2: Make your rules evolve with the times
Having good workflows in place helps make sure your rules deliver more – you can reduce false positives, decrease unnecessary workload, and even use your rules to do more than AML.
Best practice 1: Conduct regular rule reviews
As markets, risk profiles, and regulations change, so too do reporting entities with regards to rules, in order to demonstrate a commitment to AML compliance. Along with enabling reporting entities to make valuable updates in response to changing environments, frequent re-evaluation typically reduces the associated cost and effort.
Depending on the risk profile, transaction volume, and other factors, review frequency could be either daily, weekly, fortnightly, or monthly. This level of regularity potentially avoids lengthy, time-consuming, and disruptive rule reviews.
Best practice 2: Review as a group
The regular reviews mentioned above are even more effective when reviewed as part of a larger group. For example, one of our building society customers with a small compliance team has a weekly team huddle to identify any potential updates based on changes in behaviour, data, feedback from the business, near-real-time information from branches, and the surrounding environment. The team can write rules on the fly and was able to quickly tweak a few rules to address COVID-19 concerns.
Best practice 3: Utilise your AML service providers
If you’re using automation, lean on your provider to find out if they offer support capabilities or features that allow you to easily test and update rules as you do reviews.
Better yet, your AML service provider may offer an optimisation or rules review service that can give you a forum for coming together and efficiently reviewing, documenting, and changing your rules on a regular basis.
Future practice: Innovate your rule alerts with moderated machine learning
Where rules really start to get interesting is when they involve machine learning. By analysing current and historical data, machine learning can identify patterns that your AML compliance programme to minimise the number of false positives it reports. Facilitated less frequently than standard rule reviews, these patterns can trigger alerts, which require moderation or oversight, such as initiating further investigation or the tweaking of a rule.
A final word on transaction monitoring rules.
Inefficiency, ineffectiveness, and non-compliance are three concrete reasons why you can’t afford to let your rules go. It’s widely known that it takes a network to bring down a network. That’s why we’re more than happy to share these tips in the fight against financial crime, helping you create transaction monitoring rules – and an AML programme for that matter – that rule.
Want to learn more about this topic? Register to watch our recent webinar on ‘Optimising your AML programme in times of change'.