At the end of 2021 the FCA issued a fine of almost £64m against HSBC for failing to have effective anti-money laundering processes in relation to automated transaction monitoring, citing:
• A lack of evidence that the monitoring scenarios deployed were appropriate for the AML risks that had been identified;
• The absence of periodic reviews of rules, parameters and thresholds to ensure they remain effective;
• The inability to validate the accuracy and completeness of the data used by the monitoring systems.
So what could HSBC have done differently, and what do firms with similar concerns in respect of their automated transaction monitoring solutions need to consider?
Model Management
Model management is essential for effective automated transaction monitoring. Key components include:
Policies & Standards – enterprise-wide policies and standards, fully implemented, covering model definition, model validation and model tuning;
Modelling Function – a dedicated team of Financial Crime model experts responsible for model definition and model tuning;
Model Definition – definition of product-based models, aligned to the firm’s risk assessment, employing multiple AML Red Flags;
Model Validation – an independent mechanism to validate the models.
Model Tuning
The effectiveness of the models used in automated transaction monitoring needs to be continually reviewed and refined.
The thresholds contained within the models also need to be continually reviewed to ensure that they are consistent with the inherent risk present in the associated products, geographies and customer types.
Firms should be able to demonstrate the performance of individual rules in terms of the volume and quality of alerts generated as well as the number of SARs that are subsequently generated.
Data Controls
Comprehensive controls need to be established and fully effective in respect of all of the data consumed by automated transaction monitoring controls, specifically:
Data Completeness – ensures that all relevant data within the enterprise, at both a record and attribute level, is presented to the monitoring solution(s);
Data Quality – ensures the accuracy, consistency, validity, uniqueness, and timeliness of the data presented to the monitoring solution(s);
Data Lineage – ensures that completeness and quality are not compromised on the journey, including any transformations the data may go through, from source to monitoring solution(s).
There are other transaction monitoring functions, not specifically cited by the FCA in the HSBC case, that it would also be prudent for firms to consider:
Information Technology
• With all automated transaction monitoring, firms must be able to demonstrate understanding of how the solution works, and that it has been configured to address the specific inherent risks and risk appetite of the firm;
• Where multiple monitoring solutions are in operation, mechanisms need to be in place to ensure that monitoring is consistent across all instances;
• If the monitoring solutions are third party products they need to be fully supported versions and must comply with all relevant law, regulation and guidance, as well as all relevant internal policies.
Investigations
• Enterprise-wide Policies & Procedures need to be fully implemented for alert investigations and SAR reporting;
• Investigative tools must present analysts with all relevant intelligence to enable fully informed decision making;
• A robust quality assurance framework needs to be in operation supported by analyst performance metrics that enable targeted interventions and identify potential training needs.
There are also a number of strategic initiatives a firm could consider once a fully compliant automated transaction monitoring solution has been established. Each initiative will improve monitoring effectiveness and / or deliver efficiency improvements with associated reductions in operating costs:
Entity Monitoring – older automated transaction monitoring solutions often operate at an account level; however, monitoring is more effective when conducted at an entity level (i.e. holistic consideration of all of a customer’s accounts).
Data Lakes – the creation of a data lake offers a firm many advantages beyond automated transaction monitoring but from a monitoring perspective it simplifies the presentation of data to the monitoring solution(s) and enables the creation of an Analytics function.
Analytics – whilst automated transaction monitoring is an essential component of any AML Programme, an analytics function enables more agile, responsive and targeted monitoring.
Machine Learning – in a transaction monitoring scenario machine learning has two distinct applications: alert decisioning and model tuning.
If you wish to discuss any of these aspects and how they may affect you or your business, please contact a member of the Gracechurch Financial Crime Prevention team.
Steve Barnett
16 January 2022