Nothing strikes fear into compliance teams like an AML/Sanctions identified remediation, they know the next 12 to 36 months will be fraught with anxiety and unforeseen challenges, these may include:
Matters Requiring Attention
Matters Requiring Immediate Attention
Memorandum of Understanding
Deferred Prosecution Agreement
AML matters tend to put incredible strain on compliance teams and force the re-evaluation of the manner, method, technology and team that oversees the compliance program. Getting through these actions with a well-defined plan, identifying resources to oversee and implement the plan, and thoughtful communications with the Regulator can make all the difference in enabling organizational confidence of program success and articulating that the program can eventually revert back to “business as usual.”
Things Can Get Complicated Rather Quickly
None of these matters are simple to navigate, often necessitating significant program changes and hundreds or thousands of extra hours of work and hundreds of thousands or millions of dollars in costs. Things get complicated quickly, but keep the following in mind when responding to Regulatory action:
Respond decisively, getting it right the first time is important, and showing progress and being honest and conservative about your timeline is important. Disappointing the regulators or examiners regarding deadlines will erode your credibility over the course of the remediation.
It ain’t over until it’s over. Regulators or examiners can identify additional underlying program weaknesses that emerge as dependencies of the resolution; or as matters exacerbating program challenges and problems. For example, transaction monitoring weaknesses though independently problematic are made worse by ineffective Customer Due Diligence (CDD) risk ratings and data integrity matters.
You will need some help. Your Chief Compliance Officer, Head or AML or Sanction or AML/BSA Officer still has ‘business as usual” work to do. Of course, all your teams will work hard to help get through the remediation but doing so “off the side of the desk” and without additional resources, doesn’t add up. There is going to be more work, necessitating the need to hire highly skilled professionals and/or consultants. Reputable consultants can help financial institutions navigate remediation challenges, leveraging experienced teams and proven processes and methodologies.
Don’t “go at it alone” - get help early in the process. Too often, financial institutions call upon outside professionals only after deadlines have been missed, implementations are overdue and/or do not meet regulatory compliance, look-backs don’t withstand scrutiny or are taking too long or lack transparency, or gap analyses without actionable and precise recommendations are either not responsive to the Regulators’ issues, whether wrong or too high-level to remediate.
Top 10 Things to Remember When Navigating a Remediation
Set up a Project Management Office (PMO) and a Remediation Committee with its own Charter and Governance Requirements reporting into the Board directly or through its Compliance Committee.
Carefully select the stakeholders, include leadership from Compliance, Investigations, Technology, Internal Audit, Model Validation and the various businesses that you serve.
The PMO team will help keep your remediation plan on target, provide you with daily, weekly, monthly and milestone reporting, and let everyone know what work-streams are successful or going “off the rails.” Professional PMOs have Project Management Professional Certification and should, as a team, be experienced, fluent in financial institution compliance, technology and businesses.
Meet with your Regulator & Ask Questions
Take the time to understand the Written Agreement and meet with and ask any questions you might have of your Regulator. When you meet with your Regulator, be sure to have real program stakeholders with you, even international representatives, so that they know you are taking the matter very seriously. For Foreign Financial Institutions, don’t forget that changes in the US ought to be weaved into the global program from a technological and governance perspective. As such, you may make the case for needing more time to socialize US changes with international implications.
Check Your Timeline
Do a slow read of the Agreement and set up a timeline focused on remediation matters with dependencies and dates for each of them.
Note any date anomalies, for example, you might provide 90 days to present the new AML Program Policies and Procedures, but 120 days to remediate Customer Risk Scoring for CDD. Moreover, highlight any technology implementations that will require the participation of a third-party technology provider and/or third implementation team. These third parties might offer aggressive timelines to close the deal but disappoint you later. Always provide a range of time for your implementation to help mitigate vendor service issues or unforeseen data issues.
Be ready to discuss with your regulator by preparing a timeline and Gantt chart to show the dependencies on program enhancements and offer timing that permits you to implement with dependencies and test the new program controls.
Communicating Tone at the Top & Tone at the Middle
Leadership should set the tone for the remediation and emphasize how important it is for the financial institution to resolve compliance matters. Management should be equally as vocal in emphasizing the tone and fostering a culture of compliance. Linking tangible rewards such as performance evaluations and bonuses help reflect leaderships commitment to compliance and integrity.
Clear Any Backlogs and Keep Them Clear
If your Agreement includes clearing AML transaction monitoring alerts, OFAC dispositions or CDD file reviews, be sure to clear them and keep them clear.
To accomplish this, you may need outside help to identify the root causes of the backlog. The backlogs could be due to overbuilt processes and procedures, poor case management, technology that generates too many false positive alerts or simply staffing shortages. Finally, your Management Information System could be incorrect, untimely or simply not detailed enough for you to predict volume or the required effort to clear the backlog(s).
Be sure to identify the root causes and show your examiner when and how you will move to a more sustainable program and become back-log free. That said, be sure that “efficiency” measures that reduce volume are paired with evidence of increased “effectiveness” so that you can prove that you are still risk responsive and have maintained compliance program integrity.
Set Frequent Meetings With Regulators
Set regular and frequent meetings with your Regulator to apprise them of your progress. Even though the Agreement itself may prescribe some reporting or meeting dates, try to set more so that you can communicate program enhancement milestones and any timeline changes or adjustments where you have run into unanticipated timing challenges. Give detailed reporting on the largest workstreams/project.
Engage Internal Audit
While it is possible that enhancements to Internal Audit itself may be a finding in the Agreement, Internal Audit will likely also be overseeing the progress of the workstreams, as well as testing the program and the manual and technology-based controls being implemented. For example, revised AML or Sanctions Risk Assessments or newly implemented technology that become part of the ongoing compliance program, will likely undergo significant scrutiny.
Largest Workstreams & Program Enhancements
Some actions require AML Lookbacks, Sanctions Lookbacks, CDD Remediations, and other large-scale remediation projects, demanding a significant and rapid uptick in staff. These projects often necessitate new AML transaction monitoring rules to be implemented, or that historical Sanctions filtering be conducted. As such, these projects require the convergence of complex technical and operational workstreams along with the challenges of identifying and onboarding additional staff.
When timing is critical and requires that technical and operational workstreams converge, execution risks run high. Moreover, the challenges of onboarding dozens to 100s of staff requiring multiple systems access to remediate, these items raise those risks exponentially higher. As such, these workstreams should be highly scrutinized, including proactive communication with key stakeholders, regarding any potential challenges or issues.
Technology Implementations Might Represent Your Biggest Risks
Selecting and implementing a new AML transaction monitoring system can take from 18 to 36 months. Preparing the business requirements, selecting and assessing each of the systems, conducting proof of concepts, and pre – post and mid-stream validations can all take significant amounts of time and require the attention of numerous stakeholders. Other considerations include performing a coverage analysis to identify the appropriate detection scenarios to implement, setting the detection scenario parameters, and testing the alert outcome for effectiveness and efficiency.
These are all highly complex processes that are likely to get scrutinized by the Regulator and Internal Audit. Moreover, the complexity, time and effort required for such an undertaking often results in the biggest timing and budgetary risks. Additional time, attention and efforts for this workstream are critical to success.
Track Your Compliance Story and Tell It
Every action or remediation is a story that has a beginning, middle and end. Investing time and energy to describe the AML program in its entirely, including its challenges, strengths and weaknesses is important to show internal and external stakeholders the progress your financial institution is making. In fact, discussing the program, relative to where it was at the beginning of the action can be a powerful way of reminding your Regulator or your Board just how far you have come, and equally important, how much further you have to go. Documenting your compliance story and tracking the milestones, progress and wins, losses and reasons is often also a very helpful way to highlight the amount of effort that has onto the remediation and help describe the AML program’s progress from some longer frame of reference, not just day by day, which tends to minimize the magnitude of your progress.