Operational perspectives on anti-money-laundering management

Rather than revisit the sine qua non elements of an anti-money-laundering program or propose a one-size-fits-all AML risk model, this article examines operational perspectives of managing money-laundering risk that are not commonly addressed in conventional AML literature. A mini case study is used to stimulate thought about lessons to be learned.

Money laundering--filtering illegal proceeds through the financial system to disguise their origin--is big business, accounting for 2-5% of the global gross domestic product. Today's players include bankers, brokers, lawyers, and accountants. They take advantage of the increasing complexity of financial services and integration of world financial markets through electronic interfaces to effect a maze that thwarts the tracing of illicit funds.

Be it a case of heightened regulations or a genuine concern for enterprise-wide risk management, the immediate response of most financial institutions has focused on formalizing anti-money-laundering (AML) policies and procedures. The standard drill includes detailed written policies and procedures for knowing the customer; escalated processing and resolution of inconsistent findings; staff awareness, training, and education; and realization of the importance of management support. The goals are to demonstrate compliance with regulatory and legislative guidelines as well as protect the bank. The problem that arises is a focus on form (procedural framework) rather than substance, which can result in a prescriptive AML framework that lacks the operational capabilities necessary in identifying, tracking, and reporting suspicious activities.

Case Study

D10, a small trading company purported to specialize in sourcing and reselling products to ultimate buyers, went to a banking branch for import letters of credit (LCs). Typical of trading companies, D10 had a very thin balance sheet. To provide assurance of performance, the owners agreed to partially cash collateralize the LCs (a cash deposit was calculated as a percentage of the LG amount). Like most credit proposals, D10's credit application was approved by local bank management. D10 was an active user of LCs and promptly paid off monies owed. With the company's proven repayment record, the bank gradually increased the LC limits to support increased demand for LG issuance. Sounds like a decent deal? Following a tip-off of alleged improper practices, an investigation revealed the following:

* D1O's appetite for LC utilization appeared unusually large for its size. The aggregate of LCs issued exceeded the bank's authorized approving limit and, in accordance with the bank's global credit policy, head office approval was needed for any subsequent increase in trade limits. To bypass this "cumbersome" requirement, D1O offered 100% cash deposit as lien for each LC issued that was over the limit. Further, the bank was authorized to uplift the cash deposit for subsequent payment to the exporter. As its position was fully secured, the bank allowed further LG issuance without seeking head office approval. The ability of DIO to fully cash collateralize its LGs, however, seemed uncharacteristic of conventional middleman operations. Where were D10's funds coming from? There was no evidence that the bank had exercised due diligence to ascertain the source of funds.

* D1O did not request issuance of back-to-back LCs. As such, the bank could not ascertain whether a genuine transaction existed, since a prime LO (export LC) was never lodged to support the issuance of the import LG.

* The type of goods imported varied. The bulk of D10's imports were chemicals, which did not tie in with the owners' expertise.

* Where inward funds were received in favor of D10, the company instructed the bank to retransfer the monies to third-party companies, purportedly as intercompany loans. The bank did not question the nature of these inward remittances or verify the purpose of the outward transfers on the argument that these were the client's monies.

* Before a full-fledged investigation could be carried out on the alleged laundering activities, the account officer left the bank. Not surprisingly, D10's relationship with the bank ended abruptly as well. What AML management perspectives could bank practitioners draw from this case study?

Not Just High-Risk Financial Activities

Some banks focus their surveillance on certain financial activities, such as private banking, deposits, over-the-counter retail remittance services, and securities brokerage. These are considered high-risk activities because of their vulnerability as money-laundering conduits. For instance, it was reported in the "Minority Staff Report for Permanent Subcommittee on Investigations Hearing on Private Banking and Money Laundering"1 that private banking would continue to be used by those intent on laundering money. Indeed, the conventional view presumes that high-risk financial activities invariably increase a bank's exposure to money laundering.

While monitoring high-risk activities appears logical from a risk-focused perspective, it has inherent risks. Consider, for example:

* If a bank were to focus solely on high-risk activities, other activities might inevitably be excluded from monitoring. This problem is accentuated in a situation where the compliance officer or designated money-laundering reporting officer (MLRO) has other operational priorities. As such, the bank might not be alerted if "non-high-risk" financial products were being used to launder funds.

* Some banks do not place AML monitoring as a top priority. These institutions perceive their laundering risk exposure as insignificant because they neither engage in high-risk activities, such as wealth management, nor do they entertain walk-in customers without proper- identification and/or sufficient referrals. Such an assumption disregards the possibility that laundering can arise through a range of financial products. Prevailing AML literature places such significant emphasis on money-laundering risk in relation to high-risk activities (e.g., private banking and correspondent banking) that other financial activities are not examined.

Although the case study did not conclude whether monies were actually laundered through the bank's trade-services platform, it highlighted the vulnerabilities of the banking system. Trade-financing services may provide the right tool for laundering in an environment where sound controls and active due diligence are lacking. To an unsuspecting bank practitioner, monies could be remitted readily from one country to another under the guise of legitimate business activities, say, payments to suppliers. This potential loophole is exacerbated because banks are not required, under the Uniform Customs and Practices2 framework, to ascertain the existence of goods. Documentary credit compliance is the key in international trade financing.

Given that high-risk financial activities attract attention from bank practitioners and supervisors alike, launderers are moving away from such activities. Methods used to launder funds have become more sophisticated, and the range of financial services being targeted has expanded. As such, an obsessive focus on monitoring high-risk activities does not necessarily ensure adequate oversight of laundering issues. After all, what constitutes "high risk"? Perhaps, as an alternative to differentiating low-risk from high-risk activities, bank practitioners should divert their attention toward understanding how laundering activities pass through the banking system.

Managing Risk Entry Points

What controls could mitigate a bank's exposure to laundering risk? Would the answer lie in current AML literature, where best practices on client acceptance criteria, et al., have been discussed at length? Before considering which controls are applicable and designing them, it is imperative to conduct an enterprise-wide analysis of the business processes with a view to understanding how laundering risk arises or where laundering risk entry points occur.

Concept of risk entry points. Risk-point analysis considers risk in two dimensions-- entry and exit points. A suspicious activity could enter the bank through the front line--for example, a customer requests to open a deposit account urgently with minimal verification--or through such back-end processes as an unusually large inward remittance in favor of a customer. Generally, risk entry points permeate the organization from front-office to back-office processes. In an ideal control environment, suspicious activities are isolated and no further processing is allowed, pending investigation and satisfactory resolution. In cases where the bank does not have concrete evidence of laundering activities, the transaction might be processed but subsequent activities would be closely monitored. In the absence of sound operational controls and/or inadequate surveillance, however, the suspicious activity is not detected and exits from the bank's monitoring system. The risk entry point concept is illustrated in Figure 1.

Suspicious inward funds transfers were received in D10's favor (entry point). If controls were in place, the bank would have carried out the necessary investigations. However, as illustrated in the case study, the monies were subsequently remitted out to third parties (exit point) without further queries, reflecting the absence of requisite controls.

Risk-entry-point analysis goes beyond a risk identification exercise, as it facilitates proactive risk management by addressing fundamental questions, including:

* Where are the likely sources for laundering activities?

* What controls are currently in place to identify suspicious activities?

* Under what circumstances would a suspicious transaction evade detection?

So, apart from understanding how laundering risk exposure arises, the bank needs to review the robustness of its business processes and control framework.

Designing controls around risk entry points. Operational controls against money laundering are developed on the basis of identified risk entry points. It is wrong, however, to assume that risk entry points are restricted to business processes. Two other critical elements, people risk and information technology risk, should be incorporated into AML controls in the developing of a holistic monitoring system. For instance, the capability of information systems in churning exception reports based on predefined or ad hoc parameters would facilitate transactional monitoring and pattern analysis. Table 1 illustrates a risk-entry-point framework that links the risk management strategies to the risk entry points identified.

Benchmarking Process

As the length of the bank-client relationship increases overtime, relationship managers tend to focus on the client's profitability more than the "know your customer" requirement. After all, what can go wrong with an established client? And isn't growth in the client's business a good sign? That being true, why should the bank be unnecessarily alarmed over the client's profitability?

As illustrated in the case study, what appears to be a high-growth trading firm disguises questionable business activities. The prudent banker will thoroughly review every angle. That said, how does one draw the line between normal and unusual activities? AML surveillance is not a witch-hunting game, and the effectiveness of an AML program hinges on the bank's operational capability in weeding out unusual activities. In this respect, benchmarking may serve as an effective AML surveillance tool.

Understanding benchmarking. Benchmarking refers to the generic process in which a firm adapts and establishes its performance standards against best practices and/or predefined performance criteria with a view to improving its performance. In the context of AML surveillance, benchmarks serve as warning indicators. When a transaction deviates from a benchmark, it should be treated as an anomaly and investigated. It is important to understand that the benchmarking model cannot be applied universally across institutions because banks differ not only in size but in scope of business activities as well. How can banks apply the benchmarking process against potential laundering activities?

Benchmarking methodology. Table 2 illustrates a simplified benchmarking model. The first benchmarks--or performance indicators--(Column 2) to be identified are those that are relevant to the bank's core operational processes (Column 1), such as trade financing, corporate banking, deposits, securities, electronic funds transfer, etc. To facilitate comparison, benchmarks should be measurable and could be expressed in the form of revenues and/or costs. In practice, the benchmarks illustrated in Column 2 must be quantifiable. A hypothetical example might be that small and medium-sized companies in the wholesaling business with average annual sales of $20 million are unlikely to use import LCs with an aggregated notional value of $36 million from their primary financing bank. Therefore, an unusually high LC usage rate might warrant further investigation, say, into the client's business modus operandi. The benchmarks are institution specific and should be crafted to reflect the types of business activities, the vol ume of activities, and the client's profile.

Actual performance against benchmarks is compared in two dimensions--business performance focused (Column 3) and AML focused (Column 4). Each warrants investigation, though for different reasons, to determine whether the transaction concerned is related to potential money-laundering activities (Column 5). The benchmarking model facilitates timely detection and, thus, immediate review of suspicious activities. Further, it helps auditors and the MLRO to review potential suspicious transactions on a postmortem basis.

Conclusion

Regardless of the sophistication level of a bank's AML risk management system, bank management cannot afford complacency. Anti-money-laundering efforts are a continuous process, and such risk management initiatives as know-your-customer programs and suspicious transactions reporting capabilities should be periodically validated and enhanced. The spectrum of international money-laundering activities is diverse and its depth is akin to an iceberg. It's a strategic necessity, from legal and reputational risk management perspectives, for banks to review their AML programs to ensure they are addressing more than the tip of an iceberg.

Table 1

Identifying the Risk Entry Point


Risk Entry Points        Where to Focus?

People              Not limited to compliance
                    officers and/or internal audit
                    specialist. Includes front-
                    and back-office staff as well.




Business processes  Enterprise-wide.
                    Emphasis should be given to
                    operational processes identi-
                    fied as "high risk."





I.T. capability     Targeted at:
                    Isolating unusual trans-
                    actions.
                    The ability to generate
                    exception reports.



                      Identifying the Risk Entry
                                 Point

                        Reason(s) for
Risk Entry Points      Risk Occurrence

People              1. Inadequate training.
                    2. "Cultural" problem,
                       e.g., indifference.
                    3. Attempt to defraud.




Business processes  1. Policies and proce-
                       dures lagged behind
                       business environmen-
                       tal and changing regu-
                       latory requirements.
                    2. Inadequate under-
                       standing of opera-
                       tional lapses.

I.T. capability     1. Old paradigm focuses
                       on monitoring physical
                       cash transactions.
                    2. I.T. capability not suffi-
                       ciently harnessed to
                       analyze firm-wide
                       data.

                       Designing Controls

                        Risk Management
Risk Entry Points         Strategies

People              * Customize AML train-
                      ing.
                    * Inculcate firm-wide
                      AML culture.
                    * Ensure adequate
                      "four-eye" mecha-
                      nisms.

Business processes  * Enhance robustness of
                      business processes on
                      ongoing basis through
                      identification of issus
                      and problems.




I.T. capability     * Address current inade-
                      quacies in the firm's
                      I.T. capability to mee
                      AML requirements.

Table 2




Column 1               Column 2

Operational            Benchmarks/
Areas                  Performance Indicators

                       * Frequency of LCs issued
1. Trade Financing.      per client.
                       * Amount of issuance and
   Issuance of           handling fees earned per
   import LCs.           client.



2. Corporate Banking.  * Rate of delinquent loans
                         recovery.
   Management of
   delinquent loans.




                            Performance Analysis

Column 1               Column 3

Operational            Business-based
Areas                  Explanation

                       High fees earned indicate
1. Trade Financing.    profitability of client
                       relationship; low fees
   Issuance of         indicate the opposite.
   import LCs.



2. Corporate Banking.  Low write-offs and recovery
                       of delinquent loans indicate
   Management of       highly successful loan-
   delinquent loans.   recovery strategies.



                           AML-Based Surveillance
                            Performance Analysis

Column 1               Column 4

Operational            Laundering-based
Areas                  Explanation

                       Increased use of trade
1. Trade Financing.    lines must be reviewed,
                       especially if there is a
   Issuance of         sudden surge in LC issuance
   import LCs.         that appears to deviate
                       from the client's normal
                       business activity.

2. Corporate Banking.  Unexpected loan payoff
                       from an uncooperative
   Management of       delinquent client is unusual,
   delinquent loans.   especially if the client's
                       operation is strapped for
                       cash.

                          AML-Based Surveillance


Column 1               Column 5

Operational            Red Flags for
Areas                  Further Review

                       * LC notional amount is
1. Trade Financing.      unusually large.
                       * The exporters' countries.
   Issuance of         * Types of goods dealt in.
   import LCs.



2. Corporate Banking.  * Source of funds cannot be
                         sustantiated and is
   Management of         ambiguous.
   delinquent loans.

Notes

(1.) http://levin.senate.gov/issues/psireport2.htm

(2.) ICC Uniform Customs and Practice for Documentary Credits (UCP 500). According to Article 4: Documents v. Goods/Services/Performances, "In credit operations all parties concerned deal with documents, and not with goods, services and/or performances to which the documents may relate."

[c] 2003 by RMA. Chen Jee Meng, an auditor and freelance writer, currently lectures part-time at a local polytechnic in Singapore. The views expressed herein are the author's own, unless explicitly specified or apparent from the context. His organizaiton assumes no responsibility for the accuracy of the information. The concepts discussed in this article are meant as a guide for further deliberation. It does not purport to offer professional advice.

Contact Chen at learningresources2003@yahoo.com

COPYRIGHT 2003 The Risk Management Association
COPYRIGHT 2005 Gale Group