Speakers: Regulatory Systems Only As Good As Their Data

Chris Gaetano
Published Date:
Oct 25, 2017

While financial institutions are eager to implement automated systems to help them catch suspicious activity, a panel of regulators at the Foundation for Accounting Education's Oct. 25 Anti-Money Laundering Conference said that none of that helps if they're not fed the right data. 

Sheila Haney, associate district director for the Financial Industry Regulatory Authority, noted that the vast majority of examinations her agency conducts have no issues regarding anti-money laundering procedures, and even when something does come up, only 10 percent ever lead to formal action. However this doesn't mean there's no room for improvement. She said that FINRA has decided to make data integrity a priority in the coming year, as that's where a lot of the shortcomings of automated programs lie. 

"It's been an ongoing topic: We're talking data integrity, the idea of garbage in, garbage out. There could be poorly set parameters that never actually trigger anything because they're not tailored to the firm's business, there could be source data information issues so the program just isn't working as intended, and it could be just [that] surveillance patterns in place don't capture risky activity," she said. 

One example she pointed out had to do with suspense accounts: in-house accounts that store money that can't be immediately transferred to a customer--for example if the financial institution receives an interbank transfer it doesn't understand and needs clarification on. A problem FINRA examiners have observed is that this "layover" can, whether intentionally or unintentionally, circumvent automated controls because it is viewed by the system as an internal transfer. 

"It doesn't recognize [that] the initiator had been from a high-risk jurisdiction or customer or product, which normally would have triggered the firm's systems, but because it had this little layover, the system is not picking up on that. We see that with various in-house accounts," she said. 

This problem could arise for many reasons. It could be because the IT department wasn't looped into the setup, because the system parameters aren't applicable to what the firm does, because there's been a recent merger that makes the system outdated, or because the firm relied on a third-party data system that didn't inform the firm of a change. She said that financial institutions are often surprised when examiners bring the issue to their attention. 

"Something to think about: Is anything ever hitting? ... It's never going to work if the data isn't getting to you how you expect. These are not places where you want to set it and forget it. This needs constant attention," she said. 

Darley Steide, an anti-money laundering specialist with the Office of the Comptroller of the Currency, said that too many financial institutions do indeed have a set-it-and-forget-it mindset when it comes to their automated systems. He said that he has seen banks move ahead and change their risk profiles but then make no corresponding changes to their controls. 

"You move into new products, new services, new customers, and the controls remain the same. That is something we're seeing as well, specifically when looking at your suspicious activity monitoring systems. We find they're not robust enough and they're also not tuned to address the risk at hand, so it is critical that this is taken care of," he said. 

There's a similar mindset when it comes to doing due diligence on customers. He said it's not something that can be done just once when first entering a relationship with them. It's something that needs to be done continuously, as people and circumstances can change. If financial institutions are not doing this, he said, then they are not gathering sufficient data when implementing the required customer identification programs or currency transaction reporting. 

Beverly Jules, supervisory examination team leader at the Federal Reserve Bank of New York, said that regulators are able to catch these sorts of data errors because they have large amounts of data of their own. The Federal Reserve has access to raw transactional data that can be very useful when conducting regulatory examinations. 

"When we look at transactions, we can compare payment details to an [Office of Foreign Assets Control] list [our examiners] have downloaded, look at similarities and names for potential matches, and compare that to matches from the firm and then have a conversation about how well your tools work when it comes to sanctions screening," she said. 

The system also allows examiners to visualize data flows so they can get a more holistic look at a system. A basic example would be color-coding jurisdictions by risk, which in turn allows examiners derive a risk profile for a bank based on its actual activities. And so while the bank might tell the examiner that it doesn't do any transactions in the Middle East, the examiner knows the data says otherwise. Previously, examiners could only look at bank policies and procedures, and maybe do a little testing. While the program is still fairly new, she said that they have gotten a lot of utility out of it so far. 

"It supplements what we do. Auditing can be very memory intense... It's a huge thing for us and we're very excited about it," she said. 

Click here to see more of the latest news from the NYSSCPA.