Recently I was fortunate to be invited by the ACAMS Australasian Chapter to join their panel discussion on The Future of Transaction Monitoring: What Does It look Like. The panel included two other people who will be familiar to those in the AML/CFT community:
- Matthew Kennedy is the Director of Financial Services for EY. He's been working with banks and FinTechs for over ten years.
- Martin Dilly is an AML/CFT specialist who's worked with hundreds of entities across all sectors for several years. He's the ACAMS Australasian Chapter Co-Chair and CAMS-Audit.
I joined the panel in my role as Senior Product Manager for Jade ThirdEye, where I’ve had the privilege of working with a range of reporting entities around the world for several years. I love helping businesses implement and upgrade their transaction monitoring programmes. I'm a certified Anti-Money Laundering Specialist (CAMS), which should tell you how much I love AML!
The ACAMS panel discussion focused on different areas of transaction monitoring, including risk identification, key components of a monitoring programme, and (the fun part) imagining what the future might hold.
Here's a summary of what we discussed, along with some of my thoughts and recommendations ...
Identify your Risk
Most organisations that are defined as reporting entities have a regulatory requirement to complete Customer Due Diligence (CDD) and monitor accounts for suspicious activity. Martin led the discussion on this, sharing his legal expertise on section 31 of the New Zealand AML/CFT Act.
He highlighted the following requirements as some of its key aspects:
- When doing ongoing CDD and account monitoring, you must also consider what type of CDD was done when the business relationship was first established and what level of risk was involved
- Make sure the business relationship and the transactions relating to it are consistent with your knowledge of the customer and their risk profile
- Regularly review the CDD information you hold about customers
Because customer risk profiles can change over time, it's important to conduct ongoing, periodic account reviews that might be triggered by alerts. But it's also vital to make sure you regularly review your CDD information.
I recommend focusing on the overall account, not just on day-to-day transaction monitoring. Understand your monitoring risks and develop a comprehensive programme for reviewing risk and monitoring transactions.
Understand Your Monitoring Risks
Matthew reminded us that your risk assessment should also include a national risk assessment, red flags from SAR guidelines, sector guidelines—like those for lawyers and real estate agents—and international guidance.
He shared some examples of risk monitoring he'd seen in the UK. These included not understanding the huge range of products and services through which a customer has contact points. He's seen situations of "the tail wagging the dog”, where companies are presupposing things about the transaction monitoring system they choose before they have their strategy in place.
To avoid this, I recommend you develop your compliance response in the following order:
- Examine your risk assessment
- Define your risk strategy
- Set up your rules so they're effective for your strategy
- Implement your program
I sometimes encounter prospective Jade ThirdEye customers asking what rules we have so they can hit the ground running with an out-of-the-box solution. This isn't the best approach to take. Our AML/CFT solution includes an extensive rules library for customers to draw from. But I agree with Matthew that your rules should be defined by your risk assessment and strategy, not the other way around. Whether your process is manual or automated, you need to make sure your rules address the particular needs of your business.
Having said that, we do see similar needs, especially in the finance industry. So once we understand your requirements, we'll help you set up Jade ThirdEye so it fits your business like a glove.
Scale up Your Transaction Monitoring System
The panel also discussed the challenges companies face as they grow and scale up their monitoring programmes. Most businesses start with a manual approach to monitoring, and to some degree you'll always have some of this. This is true whether you're analysing and mapping specific human behaviour for red flags, or reviewing accounts for identifying changes in new patterns of behaviour that you might not have realised was possible.
Matthew described a tipping point for when it's time to move to a technology solution that has automated monitoring.
This is usually when:
- You have too many transactions to check manually
- Your monitoring requires complex decision-making
- You move from one rule to a suite of rules
But he cautioned that scaling up isn't just about technology. It's about increasing your understanding of risk and how to mitigate this by methodically developing rules and regularly reviewing these.
Martin mentioned that lots of companies are still using spreadsheets, which is obviously a very manual and time-consuming approach. Spreadsheets are also difficult for auditors to work with. Lots of companies interested in Jade ThirdEye come to us with a very complex set of spreadsheets they've developed. They realise they need more efficiency and transparency, not just for their compliance programmes, but for the sake of their own companies.
I agree with Matthew that scaling up has more to do with the size of transactions and risk assessment than it has to do with the size of a company. Many of our small-to-medium Jade ThirdEye customers have very complex monitoring needs and large volumes of transactions to analyse.
We also chatted about one of my favourite topics – the future of transaction monitoring. Most of our discussion focused on automation and machine learning and Matthew highlighted areas where machine learning could be really beneficial.
- Investigations into replicating human actions – like what's already happening with robotics.
- More sophisticated human decision modelling to help with investigations and detecting fraud.
- Artificial intelligence that's developed its own sense of normal, after analysing large datasets. (At the moment rules-based engines still need humans to tell them what to look for.)
I see a place for machine learning in small companies as well and I believe one day this will be as common as internet banking, that it will be accessible to everyone. We all agree there'll always be a need for skilled humans in this landscape, to guide and monitor whatever future technology might evolve. When computers were first invented there was a real fear of significant job losses and a ‘de-skilling’ of humans. Instead what we've seen, particularly in our industry, is a move to more specialist roles.
TELL ME MORE!
ACAMS runs regular virtual events like this panel discussion. It records many of them so you can listen at your leisure after the event. If you're interested in attending, head to ACAMS Australasia to learn more.
And if you'd like to know how to automate your AML compliance programme with the global financial crimebuster that is Jade ThirdEye, check out our recorded webinars and register for upcoming webinars!