AML Transaction Monitoring · region and some implemented an enterprise wide TM policy. Specific...

28
AML Transaction Monitoring A Survey of UK Financial Institutions September 2014

Transcript of AML Transaction Monitoring · region and some implemented an enterprise wide TM policy. Specific...

Page 1: AML Transaction Monitoring · region and some implemented an enterprise wide TM policy. Specific feedback in this area indicated that a policy emphasising a consistent minimum standard

AML Transaction Monitoring

A Survey of UK Financial Institutions

September 2014

Page 2: AML Transaction Monitoring · region and some implemented an enterprise wide TM policy. Specific feedback in this area indicated that a policy emphasising a consistent minimum standard
Page 3: AML Transaction Monitoring · region and some implemented an enterprise wide TM policy. Specific feedback in this area indicated that a policy emphasising a consistent minimum standard

Contents Section 1 Executive summary

Section 2 General findings

Section 3 Governance

Section 4 Technology

Section 5 Coverage and quality

Section 6 Investigation management

Section 7 Conclusion – a lifecycle of maturity

Section 8 Contact information

Page 4: AML Transaction Monitoring · region and some implemented an enterprise wide TM policy. Specific feedback in this area indicated that a policy emphasising a consistent minimum standard

Executive summary 01

Page 5: AML Transaction Monitoring · region and some implemented an enterprise wide TM policy. Specific feedback in this area indicated that a policy emphasising a consistent minimum standard

Transaction Monitoring (TM) is a critical, and resource intensive, component of an effective Anti-Money Laundering (AML) programme. In response to demand from UK Financial Institutions for an industry benchmark for TM we conducted a targeted survey to provide a snapshot of the current state of TM as well as plans for the future. Our survey reveals that there is a large variation in how TM systems and controls are implemented, configured and managed. There appears to be a broad lifecycle of maturity that banks are following in their adoption of TM. Organisations earlier in the lifecycle are facing the challenge of how to improve their alert performance and adequately cover their AML risks; institutions that are further developed in their TM functions face the challenge of bringing operational costs under control. This variation amongst institutions is most evident in the alert effectiveness rates achieved (in particular conversion of alerts to Suspicious Activity Reports) and the number of alert investigators employed to monitor a given number of accounts. There is a clear correlation between the level of satisfaction with TM and alert performance. However, there is no clear consensus as to what level of alert performance institutions should be aiming for. The survey results show that there are significant variations in other areas. From a technology perspective, some institutions have a higher level of automation and sophistication across alert generation and case management than others. Similarly, some have much richer Management Information (MI) available than others. From an operational perspective, there are substantial differences in the way institutions have configured their vendor TM systems and the processes for ongoing alert tuning.

Survey Overview EY conducted a targeted survey of AML Transaction Monitoring (TM) professionals in order to obtain a benchmark of the maturity of TM controls across the UK Financial Services Industry. The 38 question survey comprised the following sections: ► Introduction and TM metrics (12 questions) ► Governance and management information

(10 questions) ► Technology (9 questions) ► Alert coverage and quality (5 questions) ► Investigation management (2 questions) The survey ran for several weeks in Q2 2014 following a TM round table event for UK banks.

Survey Participants ► The survey was targeted at compliance, operations

and technology leaders involved in AML TM at UK banks.

► Respondents’ roles included Money Laundering Reporting Officers, Heads of Financial Crime Compliance, Alert Investigation Managers and TM Systems Managers.

► Survey responses reflected different sectors within the banking industry including retail banking, corporate and wholesale banking, private wealth and securities brokerage.

► The survey was targeted at UK banks, but in many cases the responses reflected a global view across the organisation.

AML Transaction Monitoring 4

50%

30%

20%

Operations Compliance Technology

29%

43%

14%

14%

Corporate Banking (i) Retail Banking (ii)Private Banking (iii) Securities Brokerage

(i) Includes Corporate and Wholesale banking (ii) Includes Retail Banking, Credit Cards, Small/Medium Business Banking and

Retail lending services (iii) Includes Private Banking and Wealth Management Services

Figure 1: Distribution of respondents by role

Figure 2: Distribution of respondents by industry sector

Page 6: AML Transaction Monitoring · region and some implemented an enterprise wide TM policy. Specific feedback in this area indicated that a policy emphasising a consistent minimum standard

General findings 02

Page 7: AML Transaction Monitoring · region and some implemented an enterprise wide TM policy. Specific feedback in this area indicated that a policy emphasising a consistent minimum standard

There is a wide variation in both the number of automated TM alerts that banks generate and the operational cost of investigation. Our survey covered a wide range of regional and global banking operations, from a division monitoring 5,000 accounts to global banking operations monitoring over 100 million accounts. As expected, different sizes of TM operation generate different numbers of monthly alerts. What is surprising is the large variation in the number of alerts generated on average per alert investigator, i.e. when you normalise the data. This reflects a large variation in the operational cost of a TM function: even amongst institutions with similar business profiles, some have 20 times more alerts generated per alert investigator than others. There is an even wider variation in the alert generation rates per account, especially when looking across all business lines.

There is a large variation in the effectiveness of alerts generated by automated TM systems, particularly across different sectors. Typically the Retail Banking sector achieves the best conversion rates of alerts into Suspicious Activity Reports (SARs) – up to 20% in some cases – and the best overall rates of alerts worthy of investigation – as high as 90% in some instances. At the other end of the spectrum, Securities Brokerage and Corporate Banking businesses have SAR conversion rates as low as 1% and alerts worthy of investigation as low as 5%. Whilst some of this variation may be attributable to differing policies as to when to file a SAR and as to what constitutes a worthy alert, it is notable that institutions with higher alert performance rates register higher satisfaction ratings with their TM technology and overall TM programmes. The differences in alert performance appear to not be correlated with the underlying systems used or with the individual scenarios configured within those systems – in other words, all vendor systems were considered effective at detecting activity worthy of investigation. Rather, the level of maturity of the alert investigation organisation and governance around the TM function seems to be a factor. But the most significant factor is likely to be the nature of the business itself: suspicious activity is easier to identify in the Retail Banking sector where customer behaviour more naturally falls into well-defined segments.

AML Transaction Monitoring 6

100

10,000

1,000,000

100,000,000

10,000,000,000

1 10 100 1,000 10,000

No

of a

ccou

nts

mon

itor

ed

No of alert investigators

100

1,000

10,000

100,000

1,000,000

1 10 100 1,000 10,000

No

of a

lert

s ge

nera

ted

pe

r m

onth

No of alert investigators

Average Maximum Minimum

357 833 22

Average Maximum Minimum

1,506,102 8,333,333 143

Figure 3: Number of alert investigators vs. number of alerts per month

Figure 4: Number of alert investigators vs. number of accounts

Approximate number of alerts per alert investigator per month

Approximate number of accounts per alert investigator

Page 8: AML Transaction Monitoring · region and some implemented an enterprise wide TM policy. Specific feedback in this area indicated that a policy emphasising a consistent minimum standard

14%

36%

50%

No - on-going challenge to keep up with alert volumesNo - but alerts mostly processed within SLAYes - all alerts all processed within SLA

0%

40%

33%

20%

7%

Very Satisfied SatisfiedNeither satisfied or dissatisfied DissatisfiedVery dissatisfied

Similarly, institutions with better alert performance tend to have more sophisticated MI, for example tracking operational efficiency, data quality and system performance in addition to basic alert metrics From a technology perspective, more mature institutions tend to have all accounts monitored by a single TM system, but with multiple instances across different business lines and geographies.

Financial Institutions rely on both automated TM and manual alert generation Despite the sophistication of automated TM solutions, nearly all institutions still process significant volumes of manually generated alerts. Assuming manual alerts are of higher ‘quality’ than automatically generated alerts, there is an opportunity to feedback learnings from manual alerts into the configuration of the TM systems.

AML Transaction Monitoring 7

0%

10%

20%

30%

40%

50%

0-1% 1-2% 2-5% 5-10% 10-20% 20-50% 50-100%

Res

pond

ents

Alert Worthy Rates and SAR Conversion Rates SAR % Worthy%

10

1,000

100,000

100 10,000 1,000,000

Num

ber

of m

anua

l ale

rts

per

mon

th

Number of automated alerts per month

Alert effectiveness and operational expenditure correlate with maturity of Management Information (MI), technology implementation and alert investigation We see a correlation between overall alert performance and associated operational expenditure on alert investigation and the level of maturity of the TM organisation in other areas. For example, more sophisticated institutions tend to have their alert investigation more specialised by business line rather than relying on a single shared service model.

Figure 5: Percentage of worthy alerts vs. SAR rates

Figure 6: Are your alerts investigated in a timely manner?

Figure 7: How satisfied are you with the overall effectiveness and value of your Transaction Monitoring (TM) solution(s)?

Figure 8: Number of automated alerts vs. number of manual alerts

Financial Institutions know they need to do more, but what this means is unclear Financial Institutions want to do more with their TM programmes. For institutions with poor alert conversion rates, this means getting more out of their technology and evolving their operational processes. For institutions that already have TM programmes with which they are broadly satisfied, the focus is more on reducing operational expenditure. In summary the bar for TM and what constitutes “good” is unclear. Respondents indicated that investment in TM is seen as harder to justify than sanctions screening, where the results may be seen as more binary, and that TM deployments even within the same organisation can vary significantly in their effectiveness.

General findings 02

Page 9: AML Transaction Monitoring · region and some implemented an enterprise wide TM policy. Specific feedback in this area indicated that a policy emphasising a consistent minimum standard
Page 10: AML Transaction Monitoring · region and some implemented an enterprise wide TM policy. Specific feedback in this area indicated that a policy emphasising a consistent minimum standard

Governance 03

Page 11: AML Transaction Monitoring · region and some implemented an enterprise wide TM policy. Specific feedback in this area indicated that a policy emphasising a consistent minimum standard

Very few institutions implement a dedicated strategy for TM, rather it is part of a broader AML or Financial Crime strategy. When surveyed on TM strategy, respondents were evenly split between those that included their TM strategy within an AML strategy and those which included their strategy as part of a wider approach to financial crime.

However, few institutions are considering synergies with other areas of financial crime in their strategies, such as fraud and tax evasion. With regards to the content of TM strategies most frequently cited were initiatives to upgrade technology platforms. The exploitation of synergies with other areas of financial crime was the least mentioned initiative – this could be considered contradictory considering that a significant volume of institutions have a TM strategy that is part of a wider approach to financial crime.

Only a minority of institutions surveyed feel that they have comprehensive coverage in all areas of their TM policy. Over half of respondents acknowledged that they have gaps in the implementation of their TM policy that need to be addressed. Most respondents indicated that a separate TM policy is in place for each business line or region and some implemented an enterprise wide TM policy. Specific feedback in this area indicated that a policy emphasising a consistent minimum standard with local augmentations was the objective of most institutions.

AML Transaction Monitoring 10

8%

46% 38%

8%

No dedicated TM strategyTM strategy is a component of a wider AML strategyTM strategy is a component of a wider Financial Crime strategyWe have a dedicated, stand-alone strategy for TM

Figure 9: Which of the following describe the TM strategy in your organisation?

Figure 10: Which of the following initiatives are contained within your TM strategy (select all that apply)?

Figure 11: How fully implemented is your TM policy (select all that apply)?

0%

10%

20%

30%

40%

50%

60%

Some policy areas have significant

coverage gaps

Tactical or strategic solutions

in place for all major areas but gaps exist which are still to be

addressed

Tactical or strategic solutions

in place for all major areas and all gaps have

remediation plans in place

Comprehensive coverage of all areas

The majority of respondents utilise a shared service function to process TM output; however, few share this information with an FIU (Financial Intelligence Unit) With respect to institutions’ operating models two-thirds of respondents indicated that they use a shared service model crossing multiple regions and lines of business. However, there were still significant responses that indicated siloed business line models. These responses were commonly mentioned in the context of providing specialist investigation services for areas such as correspondent banking and trade finance. A small number indicated that they used a shared model interfacing to an FIU for information sharing. This approach is seen as the one that most institutions are inclined to move towards.

0% 50% 100%

Our strategy includes initiatives to mergeor exploit synergies with other Financial

Crime areas, e.g., fraud

Our strategy includes initiatives to createor use an analytical function for coverage

and quality activities

Our strategy includes initiatives to createor use an off-shore or near-shore

investigation function

Our strategy includes initiatives toimplement new technologies

Our strategy includes initiatives to createor use a shared service investigation

function

Our strategy includes initiatives toupgrade technology platforms

Page 12: AML Transaction Monitoring · region and some implemented an enterprise wide TM policy. Specific feedback in this area indicated that a policy emphasising a consistent minimum standard

The level of satisfaction toward MI is mixed, with institutions more satisfied by richer information covering not only alerting volumes, but, coverage, effectiveness and operational metrics. The satisfaction toward MI is mixed amongst respondents. Responses appear to be correlated to the amount of information that is available – the broader number of metrics the greater satisfaction that is expressed. Areas for future consideration are focused in data quality and technical performance for most institutions. Only around 60% of respondents’ current capabilities measure alert effectiveness and less than 40% capture MI on data quality.

Most institutions have semi-manual MI but are moving towards more automated MI production. The majority of institutions use a combination of reports generated using their TM platform which is supplemented with semi-manual processes. Usage of dedicated MI tools is limited with provision of interactive reporting even less prevalent. Institutions are however moving toward an environment where dedicated MI capabilities are used to a greater degree with a number mentioning a planned transition in the next 1 to 2 years.

AML Transaction Monitoring 11

8%

38% 46%

0% 8%

Very Satisfied SatisfiedDissatisfied Very DissatisfiedNeither satisfied or dissatisfied

0% 10% 20% 30% 40% 50% 60% 70%

Regional shared service model across multiple lines of business/regions –

Current

By line of business

Enterprise wide alert investigationunit for TM output

Enterprise wide alert investigationunit for TM output and interface to an

FIU for information sharing

Figure 12: How is the TM operating model defined within your organisation (select all that apply)?

Figure 13: How satisfied are you with the overall effectiveness of your TM MI?

Figure 14: What MI do you currently produce relating to TM (select all that apply)?

Figure 15: What level of automation do you have for your TM MI (select all that apply)?

0% 10% 20% 30% 40% 50% 60% 70%

Semi-manual process (e.g. using somespreadsheet templates and macros)

Use the functionality supplied by theTM system

Dedicated MI tool with static reports

Fully manual process

Dedicated MI tool with interactivereports

Governance 03

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

100%

Alert volumes(e.g., by lineof business)

Timeliness ofalert

investigation(e.g., alert

ageing)

Alerteffectiveness

(e.g., SARconversion

rates)

Coveragemetrics (e.g.,

volumes ofalerts by

scenario/AMLrisk)

Operationalefficiency

metrics (e.g.,alerts

processed perinvestigator)

Systemperformance(e.g., batchrun times)

Data qualityand

completenessmetrics

Page 13: AML Transaction Monitoring · region and some implemented an enterprise wide TM policy. Specific feedback in this area indicated that a policy emphasising a consistent minimum standard
Page 14: AML Transaction Monitoring · region and some implemented an enterprise wide TM policy. Specific feedback in this area indicated that a policy emphasising a consistent minimum standard

Technology 04

Page 15: AML Transaction Monitoring · region and some implemented an enterprise wide TM policy. Specific feedback in this area indicated that a policy emphasising a consistent minimum standard

Institutions have typically deployed multiple instances of automated TM platforms across businesses and regions.

Respondents use a variety of vendor supplied TM systems. NICE Actimize (Monitor and Suspicious Activity Monitor (SAM) and Oracle (Mantas) are the most widely used TM vendors in our sample, with the majority of respondents either currently having these products installed in some part of their organisation or planning to implement them in the next 12 to 24 months. Note that some respondents utilise more than one TM vendor in their technology landscapes.

AML Transaction Monitoring 14

0% 10% 20% 30% 40%

NICE Actimize (SAM)

Oracle (Mantas)

NICE Actimize (Monitor)

BAE Systems (Norkom)

Fiserv AML (NetEconomy)

Internally developed system

Avaloq AML

BAE Systems (Detica)

SAS AML

0%

46%

23%

0%

31%

Very Satisfied SatisfiedDissatisfied Very DissatisfiedNeither satisfied or dissatisfied

Figure 16: What level of automation do you have for your TM alert generation (select all that apply)?

Figure 17: Which of the following describe the use of TM software in your organisation (select all that apply)?

Figure 18: What vendor TM systems do you use (select all that apply)?

Figure 19: How satisfied are you with the overall effectiveness of your TM software?

0% 20% 40% 60%

Mostly automated (e.g. a fewspecialist products/businesses only

have manual alert generation)

Fully automated

Partially automated (e.g. some linesof business only have manual alert

generation)

All alerts generated manually

0% 20% 40% 60%

Multiple instances of a common TMarchitecture across lines of business

and regions

Multiple disparate TM platformsacross all lines of business and

regions

Single centralised TM platformacross all lines of business and

regions

No automated TM

Satisfaction levels on the overall effectiveness of TM software varied amongst respondents with more than half expecting more from their existing platforms. Overall TM satisfaction varied and is generally correlated with the alert conversion rates discussed in the General Findings section.

Page 16: AML Transaction Monitoring · region and some implemented an enterprise wide TM policy. Specific feedback in this area indicated that a policy emphasising a consistent minimum standard

Data transformation processing across institutions is quite similar with transaction data being directly extracted from source system and prepared in a staging area prior to being ingested in the TM platform. Over two-thirds of the respondents had a similar approach to data management by extracting data from source systems into an Extract, Transform and Load (ETL) platform before being ingested into the TM software.

The majority of respondents have TM alert data fed into their investigation platform or have provided access to alert data from the source systems. When queried on how they would describe their investigation platforms for AML alerts, half of respondents described conducting manual investigations. Other responses were extremely mixed with less than a third utilising a centralised or integrated case investigation platform. There exists a high incidence of varied platforms used across divisions and geographies.

AML Transaction Monitoring 15

0% 20% 40% 60% 80%

Ad-hoc – checks/changes only made when issues occur; focus on

remediation only

Programme of periodic data qualityreviews in place

File level reconciliation, i.e., checks onexpected size of file

Sample based checks of completenessand data quality against upstream

systemsCombination of automated and

manual data quality controls at boththe file and data element level

Risk based sampling used

Fully automated exceptionmanagement for data quality issues

Volume based sampling used

Figure 20: How is data obtained for your TM system(s) (select all that apply)?

Figure 21: Which of the following describe the processes for ensuring good quality data in your TM system(s) (select all that apply)?

Figure 22: Which of the following describe your investigation platform for AML alerts (select all that apply)?

Technology 04

Institutions do not rely on a single control mechanism to monitor the quality and completeness of data being ingested into the TM software; instead they typically use a combination of ad hoc checks around a dedicated programme level data quality review. When surveyed on the approach towards data quality and completeness the results were quite evenly distributed amongst respondents, with a combination of ad hoc checks, periodic data quality reviews, file level reconciliation and sample based checks. There appears, however, to be a correlation between the sophistication of data quality controls, the completeness of MI and overall satisfaction with TM. Similarly, institutions with good MI and data quality also typically have better alert performance.

TM system extracts data directly fromsource systems to perform monitoring

against -

Data is extracted and prepared atsource system for load into TM

platform

Data is collected into an ETL platformand prepared for load into a TM

platform

0% 50% 100%

0% 20% 40% 60%

AML alert data ingested into integrated investigation platform –

e.g., TM, sanctions & filtering

TM Investigation platform with nocase management

Single case investigation platformfor all Financial Crime activity

Automated case creation from highpriority alert sources

Disparate investigation platformsin use across geographies and

divisions

Manual investigations

Page 17: AML Transaction Monitoring · region and some implemented an enterprise wide TM policy. Specific feedback in this area indicated that a policy emphasising a consistent minimum standard

With respect to data availability most respondents relied on the data ingested into their relevant TM or specific investigation platform. A minority have the more advanced capability to link their analysis to other relevant AML systems and a similar minority rely on just using references to link cases with relevant data.

Almost all institutions described having a multi-level investigation workflow, with some configured by geography and half of respondents enabling a restricted workflow for specific customer types – such as employees and sensitive customers.

AML Transaction Monitoring 16

Figure 23: What data is available on your investigation platform (select all that apply)?

Figure 24: Which of the following describe the workflow on your investigation platform (select all that apply)?

0% 50% 100%

Limited data transferred to case – e.g., alert reference with customer and/or

account reference

Link analysis from case view to allrelated AML systems

Access to AML data in investigation platform – e.g., TM profiles & alerting

analysis

TM alert data ingested into theplatform

0% 50% 100%

Workflow configurable bycountry/region

Workflow configurable for privateinformation (e.g., restricted

customers, employees)

Workflow has multiple levels ofinvestigation

Page 18: AML Transaction Monitoring · region and some implemented an enterprise wide TM policy. Specific feedback in this area indicated that a policy emphasising a consistent minimum standard

Coverage and quality 05

Page 19: AML Transaction Monitoring · region and some implemented an enterprise wide TM policy. Specific feedback in this area indicated that a policy emphasising a consistent minimum standard

Although all respondents are using vendor built scenarios, the majority feel these only partially met their monitoring needs. When queried about their software vendor purchased monitoring systems only a small minority of respondents felt that that the provided scenarios were very robust. Use of alerting entities such as social networks and groups of connected entities is limited with transactions, accounts and customers remaining the key alerting entities in TM. Of developing interest however, is alerting against the customer’s customer being the most popular alerted entity to be planned in the next 12 to 24 months.

There is a fairly consistent set of TM scenarios used across most institutions. Rapid movement of funds and large value/volume transaction pattern scenarios are pervasive across all respondents.

AML Transaction Monitoring 18

0% 20% 40% 60% 80% 100%

Transactions

Accounts

Customers

Correspondent Banks

Households/addresses

Customer’s customer

Social networks

0% 50% 100%

Rapid movement of funds

Large amount, large volume

Cash focussed

Change in behaviour

High risk focused (e.g. MoneyService Bureaus, cash intensive

businesses)

Cheque focussed

Structuring

Wire focussed

Originator/Beneficiary

Peer comparison

Hidden relationships

Credit card specific scenarios(e.g. credit usage not consistent

with profile)

Loan specific scenarios (e.g.early repayment)

Anticipated profile

Securities trading specificscenarios (e.g. excessive

cancels/corrects)

Figure 25: Which of the following best describes the scenarios provided with vendor purchased TM systems?

Figure 26: Which of the following describe the ’entities’ that your TM system monitors or alerts on (select all that apply)?

Figure 27: Which of the following scenarios do you use in your TM platform (select all that apply)?

0%

10%

20%

30%

40%

50%

60%

70%

Very robust,allowing my firm

to pick andchoose those thatare most relevant

Offer reasonableoptions, but onlypartially meet our

needs

Are too genericor irrelevant, thus

requiringextensive build

for ourorganisation

Vendor built TMsolutions are notemployed withinmy organisation

Page 20: AML Transaction Monitoring · region and some implemented an enterprise wide TM policy. Specific feedback in this area indicated that a policy emphasising a consistent minimum standard

Many institutions are planning to build a dedicated analytics team, utilising formalised scenario libraries with a rapid development capability Most institutions are yet to implement a standardised approach although many have a more advanced approach to tuning planned in the next 12 to 24 months. Additionally, current analytical techniques are limited with most relying on historical data to tune for coverage and alert volumes.

AML Transaction Monitoring 19

Figure 28: How are your TM scenarios developed and maintained (select all that apply)?

Figure 29: How are your TM scenarios tuned (select all that apply)?

0% 20% 40% 60% 80%

Parameters tested against historicaldata

Tuned for coverage and alert volumes

Statistical analysis of data to createrobust customer segmentation and

peer groups

Parameters agreed with complianceand business teams

Above and below the line testing andtuning

Dedicated optimisation team

Statistical analysis to demonstrate theeffectiveness to third parties

Coverage and quality 05

0%

10%

20%

30%

40%

50%

60%

No standardapproach

Scenariolibrary

formalisedand aligned to

directlymitigating

inherent AMLrisk

assessment

Dedicatedanalytics

team developand modifyrules basedon identified

risks anddeveloping

risksformalised by

an FIU

Rapiddevelopment

anddeployment

of newdetectionscenariosbased onmoney

launderingintelligence

Interactive “What-if” analysis

available to users to test

scenarios

Current% Planned%

Page 21: AML Transaction Monitoring · region and some implemented an enterprise wide TM policy. Specific feedback in this area indicated that a policy emphasising a consistent minimum standard
Page 22: AML Transaction Monitoring · region and some implemented an enterprise wide TM policy. Specific feedback in this area indicated that a policy emphasising a consistent minimum standard

Investigation management 06

Page 23: AML Transaction Monitoring · region and some implemented an enterprise wide TM policy. Specific feedback in this area indicated that a policy emphasising a consistent minimum standard

The alert investigation process is generally consistent across institutions The majority of institutions surveyed have a separation of duties in alert investigations between level 1 and level 2 teams to ensure obvious false positives are discarded and only worthy alerts are reviewed for further analysis.

Only half of institutions use automated SAR filing 50% of the institutions surveyed use automated SAR filing. The reason this figure is not higher may be due to the relatively low SAR conversion rates experienced by many organisations as mentioned earlier in the general findings section.

AML Transaction Monitoring 22

Figure 30: Which of the following best describe your investigation process/workflow (select all that apply)?

Figure 31: How are Suspicious Activity Reports (SARs) filed within your business line (select all that apply)?

0% 20% 40% 60% 80%

No standardized investigationprocess

End to end investigation by a singleinvestigator

Financial Intelligence Unitinvolvement in specialist cases

Suspicious cases passed back toindividual lines of business for

further analysis

Alerts initially investigated by generalist “Level 1” team to gather information and filter obvious false

positives

Suspicious cases passed on to specialist “Level 2” team for further

analysis

0% 50% 100%

Single SAR preparation, filing andrepository platform deployed across

financial crime areas (e.g., AML,fraud, KYC and Sanctions)

Automated SAR reporting formultiple jurisdictions, outside the

main market, where technicallyfeasible

Manual reporting of SARs via paperbased filing

Automated SAR reporting for a singlejurisdiction, predominately the main

market in which my FinancialInstitution operates

Manual reporting of SARs via dataentry on web pages

Page 24: AML Transaction Monitoring · region and some implemented an enterprise wide TM policy. Specific feedback in this area indicated that a policy emphasising a consistent minimum standard

Conclusion – a lifecycle of maturity 07

Page 25: AML Transaction Monitoring · region and some implemented an enterprise wide TM policy. Specific feedback in this area indicated that a policy emphasising a consistent minimum standard

Financial institutions face common fundamental challenges in AML Transaction Monitoring of keeping operational costs under control whilst ensuring adequate mitigation of money laundering risk. The survey results support the view that many organisations follow a common lifecycle of maturity in addressing these challenges. We see six discrete stages aligned to the management of risks and the control of operational costs. These are summarised below.

AML Transaction Monitoring 24

Figure 32: The relative relationship of operational costs and residual risks in Transaction Monitoring across the stages of maturity.

AM

L TM

Ope

rati

onal

Cos

t

Res

idua

l AM

L R

isk

Stage 1 Introducing an

AML TM solution

Stage 2 Stabilisation of an

AML solution

Stage 3 Improved coverage

of AML risks

Stage 4 Rationalisation

Stage 5 Steady state

Stage 6 High performance

AML function

Not to scale – for illustrative purposes only

Stage 1 – Introducing an AML TM solution. The first stage of maturity is simply the implementation of an automated TM solution where previously one did not exist. This provides a minimal level of risk management with an initial, increasing operational cost. Stage 2 – Stabilisation of an AML TM platform. As a result of lessons learnt from the initial solution implementation institutions are able to achieve efficiencies and balance a basic level of cost and risk. Stage 3 – Improved coverage of AML risks. Pressure from regulators and internal control functions demand that TM provide better coverage of AML risks, but this comes at a significant increase in technology and operational cost as system coverage is extended, new rules are added and thresholds are lowered.

Stage 4 – Rationalisation. Refinements in operational processes and systems management, and more effective application of analytical tools and methods drives decreases in costs and further decreases in residual AML risk. Stage 5 – Steady state. Mature governance, MI and a dedicated TM analytics function ensures new threats are addressed effectively whilst keeping operational costs under control. Stage 6 – High performance AML function. Leading edge technologies and investigative processes are applied on an opportunistic basis to drive further cost reduction and improved risk management.

From our survey it appears that many UK Financial Institutions in are aligned to Stages 2 and 3 with a smaller number in Stage 4 in the maturity model. The challenge for institutions that are in the earlier stages of the model is to avoid the impending rapid increase in operational cost that will likely result from regulatory pressure to drive down risks. For institutions that are more progressed, their challenge in Stage 4 is to quickly reduce the already high operational costs caused by increased alert volumes and large investigation operations. For institutions considering how to further control their AML risk, the approach is not as simple as increasing the depth of coverage, as this will drive increases in alert volumes and consequently investigation operations. A more sustainable response appears to be for institutions to enhance their fundamental capabilities in TM, by investing in: ► Strategy, policies and governance that drive consistent approaches to technology and operations, where

necessary highlighting requirements for specialist monitoring situations ► Regular MI not only on aggregate output of monitoring scenarios, but on the quality and completeness of data

ingested into the system, and effectiveness of investigations ► Analytical functions that are able to optimise coverage with evidenced results and respond to new threats with

rapidly developed scenarios and controls ► Smarter operational management with specialized teams, a risk focused approach and better defined processes

and procedures

Page 26: AML Transaction Monitoring · region and some implemented an enterprise wide TM policy. Specific feedback in this area indicated that a policy emphasising a consistent minimum standard

Contact information 08

Page 27: AML Transaction Monitoring · region and some implemented an enterprise wide TM policy. Specific feedback in this area indicated that a policy emphasising a consistent minimum standard

Patrick Craig Partner, Financial Services Advisory

[email protected] +44 20 7951 9999

Contact information

Debbie Ward Partner, Financial Services Advisory

[email protected] +44 20 7951 1134

Jodie Forbes Senior Manager, Financial Services Advisory

[email protected] +44 20 7783 0744

Matt Reed Senior Manager, Financial Services Advisory

[email protected] +44 20 7951 7870

Page 28: AML Transaction Monitoring · region and some implemented an enterprise wide TM policy. Specific feedback in this area indicated that a policy emphasising a consistent minimum standard

EY | Assurance | Tax | Transactions | Advisory

About EY EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.

Ernst & Young LLP The UK firm Ernst & Young LLP is a limited liability partnership registered in England and Wales with registered number OC300001 and is a member firm of Ernst & Young Global Limited.

Ernst & Young LLP, 1 More London Place, London, SE1 2AF.

© 2014 Ernst & Young LLP. Published in the UK. All Rights Reserved.

ED NONE

1488612 (UK) 09/14. Creative Services Group.

In line with EY’s commitment to minimise its impact on the environment, this document has been printed on paper with a high recycled content.

Information in this publication is intended to provide only a general outline of the subjects covered. It should neither be regarded as comprehensive nor sufficient for making decisions, nor should it be used in place of professional advice. Ernst & Young LLP accepts no responsibility for any loss arising from any action taken or not taken by anyone using this material.

ey.com/uk