2018 Thomson Reuters Anti-Money Laundering insights report
In May 2018, the Financial Crimes Enforcement Network’s Customer Due Diligence Requirements for Financial Institutions became effective. Three months later, Thomson Reuters partnered with ACAMS to conduct a survey of 253 anti-money laundering compliance leaders related to processes and activities used in response to “know your customer” requirements. The responses showed the impact the CDD Rule has had – and will continue to have – on the operations and practices of financial institutions.
The survey shows organizations spent resources and time to address the new requirements, added staff and enhanced technological capabilities. Organizations also fine-tuned their typologies for alerts around CDD issues and sought to improve their response time to red flags with an eye toward addressing potential fraud and money laundering.
To meet the identity verification requirements under the CDD Rule, more organizations are insisting on a comprehensive collection of information required by the rule at the outset of the customer relationship.
For example, survey responses show information needed for enhanced due diligence is collected at the time of account opening to meet “know your customer” requirements while addressing beneficial ownership issues.
The CDD Rule requires organizations to develop customer risk profiles based on the nature and purpose of customer relationships. The implementation of this requirement is visible from the increase in use of customers’ statements of expected activity to develop the customers’ risk ratings. Survey respondents also reported an increased effort to understand the operations of customers by utilizing information associated with their geographic footprint in creating risk profiles and preparing for any associated EDD.
Process changes abound, including a jump in the use of central records management systems. In addition, there was a notable shift in speed in clearing red flags raised by assessment processes. A growing number of respondents reported clearing alerts within one day rather than the three noted in the 2017 survey. However, despite the quicker pace, the number of reports generated for both false positives and false negatives remained relatively stable.
Notably, staffing appears to be a space in which many organizations are working to increase efficacy of process to keep CDD rule compliance on track. For example, the survey found 42 percent of respondents anticipate an increase in staffing related to AML and the CDD Rule. Of those, 28 percent of respondents anticipate an increase in staffing for AML compliance purposes compared with 8 percent in 2017. On the other side, respondents expected only a 1 percent increase in staff attention to new rules compared to 17 percent in the 2017 survey.
Key differences in process, efficiencies, technologies and staffing have been set in motion for organizations due to the CDD ruling, and most organizations are working to find the best ways to operate and remain compliant. The 2018 Thomson Reuters Anti-Money Laundering Insights Report provides a comprehensive analysis of the survey findings to help organizations better understand the current state of the industry.
Adoption of the CDD Rule
The CDD Rule’s implementation in May 2018 was two years in the making, and organizations spent a significant amount of time preparing operations to address its criteria. The rule’s regulatory criteria remain the greatest challenge organizations report; 51 percent of respondents cited it as a challenge. They spent time creating processes to address implementation and are now shifting focus to fine-tuning those processes.
The implementation of the CDD Rule contributed to a substantial decline in respondents reporting additional regulations as a major operational challenge compared to 2017, when organizations were still in the thick of preparing for the rule’s imminent implementation.
Increased focus on AML/CDD compliance appears to be yielding fruit: fewer organizations have experienced a CDD or AML regulatory enforcement, down to 22 percent from 2017’s 31 percent. A similarly higher number of organizations have not experienced any regulatory action (up to 61 percent from 53 percent in 2017).
Although regulatory enforcements seem to be a less common occurrence, respondent concerns about personal civil and criminal liability continue to grow, with 28 percent of respondents stating they were very concerned about the issue, up three percent from last year.
Considering the continued existence of the Department of Justice’s policy of holding individuals accountable for corporate wrongdoing, specifically as described in the so-called “Yates Memo,” these figures should come as little surprise, and may even offer a partial explanation for the increase in efficiency in compliance processes.
Tracking additional compliance rules
In spite of growing CDD/AML compliance efficiencies – or perhaps because of them – fewer respondents are tracking specific AML/CDD topics in 2018 than in 2017, down to only 34 percent from 51 percent on the 2017 survey.
Of those following AML/CDD topics, the top issue remains CDD and beneficial ownership but several new trends are emerging. For example, this year’s survey saw a notable jump in interest for both virtual currency/cryptocurrency and EU directives among those searching out additional topics related to AML.
Top interest areas of those following AML and CDD topics
• CDD/UBO regulatory changes
• Virtual currency/cryptocurrency/blockchain
• EU directive
The CDD Rule was far from the only issue regarded as a challenge facing respondents. Thirty-five percent noted the Fourth EU Anti-Money Laundering Directive, which replaces the third directive. Similar to the CDD Rule, the directive places greater emphasis on ultimate beneficial ownership and enhanced customer due diligence.
In addition, 31 percent of organizations reported the Foreign Account Tax Compliance Act as posing a challenge, and 30 percent cited the EU’s General Data Protection Regulation, which took effect in May. Many organizations also stated that FinCEN’s proposed Rulemaking to Investment Advisors (28%), Dodd-Frank (26%), the Foreign Corrupt Practices Act (26%), and Brazil’s Clean Companies Act (11%) also presented challenges.
The changing AML process
With the CDD Rule now in place, organizations are increasingly shifting from planning and establishing processes to ensuring an efficient process in practice, including changing methods, using up-to-date tools, and ensuring staff is highly trained to keep ahead of enforcement actions.
Major areas of growth include:
- Developing an effective process for due diligence and enhanced risk assessments through the course of a customer relationship, as well as clearing red flags and refining areas of investigation to ensure customer risk profiles are accurate.
- Improving data management and technology tools to ensure information is organized and able to be efficiently accessed.
- Investing in staff training to manage workloads and build expertise among current staff, as well as hiring additional staff to fill the growing AML investigation needs to keep up with CDD Rule compliance.
Due Diligence and Risk Assessment Process
For most organizations, the due diligence process begins right at account opening. Gathering EDD information at account opening is on the rise: 40 percent of respondents ask for details at the beginning of a relationship with a customer, compared with 31 percent last year. Among the noted topics being watched for EDD checks:
• Criminal history (81 percent)
• Geography (80 percent)
• Derogatory news (74 percent)
Reliance on reporting directly from customers is a continuing trend. For example, 59 percent of organizations now report reliance on customer’s own statements of expected activity when developing risk profiles. In the process of gathering beneficial ownership information, 93 percent of respondents report collecting information directly from the customers, slightly higher than 89 percent in 2017.
When it comes to assessing customers for risk and making this a routine, 32 percent report only tracking a select number of high-risk customers following the initial screening. Most commonly, these customers are reviewed on an as-needed basis (47 percent), but a large number of respondents also note their process calls for annual reviews (28 percent).
One other notable change this year is the process for clearing red flag alerts related to SARs and CRTs. According to this year’s survey, significantly more organizations have decreased the amount of time it takes to clear alerts from three days to one day. However, the number of false positive and false negative reports is remained steady year over year.
Data solutions and decisions
As organizations struggle towards improved operations efficiency in meeting new compliance requirements, they are changing technology use to support the new processes. For example, central records management systems have been playing an increasingly critical role for organizations’ AML programs, but 2018 saw a significant decrease in automated systems for screening.
Due to the ongoing monitoring requirements of the CDD Rule, along with mandates for increased maintenance and updating of customer information, organizations are dealing with increases in dataflow demanding a central management system. Use of these tools increases efficiency of process, seemingly a main reason for the notable jump in focus.
On the other side, the process shift to a more hands-on approach to EDD is likely fueling the use of automated systems to manage screening workflow and records management
With the focus on improving existing processes rather than exploring new ones, organizations seem to have settled into their preferred methods regarding the use of a third-party provider to collect AML and CDD information. The survey reflects almost no change in the percentage of respondents opting to use third party services from last year.
What’s more, the factors used in deciding on a third-party data provider are also largely unchanged. One notable area of increased importance to organizations in third party selection is the speed of implementation (from 2017’s 81 percent to this year’s 85 percent), a sufficient enough rise to increase this factor’s overall ranking. This trend supports organizations’ increased push for efficiency in their AML/CDD processes.
Data accuracy and data structure continue to be the two most important factors to organizations in choosing a third-party provider. This is consistent with the increased focus on accuracy mandated by the CDD Rule, and the desire to improve data organization and maintenance as a part of streamlining and improving AML/CDD processes on the whole.
A noteworthy change relating to technology is also underway. More organizations appear to have found the technology solutions best suited to their needs, as evidenced by a decrease in priority for two issues:
• improving data management and quality (down to 53 percent from 2017’s 62 percent); and
• investing in new technology solutions and process automation (down to 40 percent from 2017’s 48 percent).
The technology focus for organizations now appears to be on replacing outdated or end-of-life technology, which saw an eight percent increase from 2017. Organizations appear to be concentrating more on upgrading technology, rather than shopping for services.
2018 saw a jump in the percent of respondents reporting insufficient or outdated technology as one of their greatest operational challenges related to AML and CDD compliance (up to 24 percent of respondents from 2017’s 17 percent).
Budget and staffing
Organizations are working to fully optimize operations for compliance with the CDD Rule now in place, centering primarily on training staff and increasing headcount of properly-trained staff. Most prominently, 54 percent of organizations report training for existing staff as one of their highest priorities for their AML and CDD compliance program in the next 12 months, a ten percent jump from 2017.
Workloads for existing employees are high: 60 percent report an increase in personal workload in the past year. Most respondents still expect to be busy in the coming year, with slightly more than half anticipating a workload change next year.
Organizations are also shifting budget priorities to support the action and engagement in the process. Among those expecting an increase, more are reporting an increase in budget for staffing (80 percent in 2018 over 71 percent in 2017) and processes (49 percent in 2018 over 39 percent in 2017).
When asked about their reason for the expected increase in staffing in the coming year, considerably more respondents cited to an increased focus on AML and compliance (28 percent in 2018 up from 8 percent in 2017) and regulatory requirements/best practices (18 percent in 2018 up from 4 percent in 2017).
Implementation of the CDD Rule was the culmination of a two-year journey for organizations. The process required transformative change for many AML and CDD processes, leaving the CDD Rule a defining and permanent fixture for these processes moving forward.
Not surprisingly, three months after CDD Rule implementation, the impact of the rule is exceedingly apparent in the responses to the survey. Organizations are getting faster in their collection of CDD information and their clearing of generated alerts. They are getting more of their information directly from the customer. Organizations have largely settled into their CDD compliance practices and processes and compliance professionals are following fewer CDD and AML topics in the news.
That isn’t to say that the journey is over. Organizations may have worked furiously to prepare for implementation, but along the way, new challenges are becoming clear as organizations begin executing CDD Rule-inspired processes. Staffing and process refinement will see budget increases. Organizations will give more training to their employees. In short, CDD Rule implementation helped organizations build the framework for their current AML/CDD processes, but now they need to focus their attention on fully optimizing their processes.