Poor training and procedures key triggers for AML violations

Insufficient training has been the root cause of many enforcement actions relating to anti-money laundering (AML) and know your customer (KYC), and firms need to ensure they allocate enough resources to training staff, an official said.

Alison Jimenez, president of Dynamic Securities Analytics, said that in 20 percent of 120 AML enforcement actions from various U.S. regulators between 2006 and 2015, regulators concluded training was part of the problem — and possibly also the solution.

"Enforcement actions still cite training issues," she said. "For infractions, the AML training was part of the problem. Regulators use the term 'inadequate training' to reflect that the training was not specific to the job, service or line of business and some departments may not be receiving AML training at all."

Jimenez was speaking as a panelist at a webinar hosted by the Association of Certified Anti Money Laundering Specialists (ACAMS). 

"Mandatory attendance once a year is not enough. Some sanctions require firms to rethink their AML training frequency," she said. Often, materials need to be updated due to changes in the law, amendments to internal policies and procedures, as well as the different systems and reporting structures that can arise after mergers and acquisitions.

One thing is clear, she said: U.S. regulators expect those working in the financial sector to know more than just the basic definitions of money laundering and suspicious activity reports.

"Regulators expect more than just recognising placement, layering and integration," Jimenez said. It is not just about reciting the three elements of money laundering."

Effective training

Organisations need to determine what their training goals are and exactly what their staff need to be able to do, she said, noting that this would ultimately be the best gauge of whether a training programme is effective. While some regulators have suggested that taking more of a risk-based approach to training is justifiable, the net results are often untested in any meaningful way. Jimenez said firms should hire adult education experts to measure training effectiveness. 

"They [outside consultants] can come in and see if you are using the right platforms and whether staff are actually retaining and applying what they learned from training courses to their daily roles," she said.

From the perspective of regulators, training is only adequate if staff can use it to perform their required duties.

"Sometimes, if you just do one hour on AML, it may be effective, so you do not need training every quarter for three hours. Training needs to be adequate and specific to one's job role," Jimenez said. "If it is too generic and not job-specific, then it is not adequate and it will be hard to justify to regulators that one hour once a year is enough. Still, effective training means more than just adding more hours."

Deficient procedures

Among the 120 actions AML enforcement actions mentioned in the data set above, the most cited deficiency area was not specific rule violations, but substandard procedures where institutions had procedures in writing that were not up to par.

"Procedures are important, but must be tested. You wrote them down, but what is the purpose of your AML audit? You must verify whether your procedures are achieving their intended goals," Jimenez said.

The second most cited zone of deficiency when it came to procedure was when firms had procedures on paper, which, had they been followed, would have done what they were supposed to do. Jimenez said this underscored the importance of consistency between what was written down and applying it in a compliance context.

The third biggest procedural deficiency noticed is one that training would likely not have changed because it pertains to personal ethics, namely: staff being willfully and actively involved in money laundering by knowingly engaging in the placement, layering and integration of dubious funds.

"Furtherance of financial crimes like penny stock and 'pump-and-dump' schemes are also tagged as money laundering violations by regulators," Jimenez said.

Orlando Lopez, principal at PwC, said this problem would only grow. "It is unfortunate when it happens, but we will likely see more willful disregard [by financial institution staff] in future enforcement actions. How many institutions are really learning their lessons?" he said.

Compliance officers are regulatory targets

The panel also discussed the rising trend of regulatory action being taken against chief compliance officers (CCOs) and their equivalent counterparts, with a new regulation from the New York Department of Financial Services targeting compliance officers.

The NYDFS' Part 504 regulation, which becomes effective on January 1, 2017, aims to hold CCOs responsible for their institutions' AML transaction monitoring or transaction screening watch-list filtering programmes. Part 504 requires compliance officers to certify that such programmes have been tested, reviewed, validated and function as stated through governance data selection and data quality/input and output analysis. Compliance officers must attest to the above on a signed form and submit it to the NYDFS. The original regulations were introduced in December and cover both banking and non-banking institutions.

Lopez said the move was in response to regulators noticing a trend in recent years of senior management at firms not having enough oversight or accountability for such AML programmes. 

"It is part of the initiative of raising awareness for boards of directors to keep compliance officers accountable," he said.

The initial proposal included criminal charges for CCOs as part of the process of requesting information, but that was dropped. Still, Part 504 certifications are documents carrying liability upfront for senior compliance staff and their equivalents. Comparable requirements exist with respect to chief executive and chief financial officer certifications under the Sarbanes-Oxley Act, the Appendix B certifications under the infamous Volcker Rule of the Dodd-Frank Act, or the responsible officer certifications under the Foreign Account Tax Compliance Act (FATCA).

"It is not a new concept as similar laws already exist," Lopez said. "It is just being introduced to the AML space now by the NYDFS."

There have also been concerns about the applicability of 504 outside New York.

"It does include any branches or agencies of foreign banking corporations located in New York … being a hub of financial activity, it does have far reaching consequences for overseas and U.S. banks and those that are registered as banks in New York state. When the NYDFS issues guidance, it becomes an 'industry guidance' of what a solid and effective programme should entail," Lopez said.

While an institution may not fall under the jurisdiction of New York state, the bank examiners within its jurisdiction will probably be keenly watching what other U.S. states do.

"Again, it raises the bar of what is expected … it is an additional piece of industry guidance," Lopez said, with examiners and internal audit teams’ expectations looking to compliance with the NYDFS guidance as an "independent validator of the health and effectiveness of your programme".