By Priya Giuliani
In an era focused on accountability and the additional spotlight on the social element of ESG impacted by financial crime, firms should focus on both the execution and intention of compliance policies. Just as musicians must express music based on how it is written, they must also illustrate the conductor’s vision and expectations—an organisation must not only follow the board’s written rules but holistically interpret and enable its vision. When peeling back the layers of an onion of many enforcement actions, a common theme is the board not prioritising financial crime risk and the harm it causes society.
Boards set the risk appetite and approve policies that require the firm to follow the rules. However, rules can be haphazardly enforced without a strong “tone from the top,” which sets out what the firm stands for and what happens when employees do not adhere to that standard. In many instances of non-compliant behaviour, there is a clear gap between “what we say” versus “what we do.” Board members are responsible for helping define and document core beliefs and set the foundation for an ethical culture of compliance. Further, they should ensure that these beliefs are clearly delineated throughout the organisation and that management has implemented controls to measure and monitor compliance.
When the tone from the top is right and senior management is walking the talk, the next challenge is to make certain messages are not blocked by a layer of “permafrost” somewhere in the firm. To make real cultural change, middle management needs to be on-message—living and breathing the same messages set at the top, with repercussions for those that don’t.
The message across the firm should be that preventing financial crime is both a collective and individual responsibility – financial crime risk management should no longer fall solely on the compliance function. Link it to your firms’ “social” strategy and give employees that sense of purpose in complying with the regulations. All employees need to be regularly reminded of the harm caused to society by the fuelling of money laundering and all its predicate offences. There is a real risk that without this, frameworks to fight these offences become ineffective, just processes to tick boxes. The first line understanding of financial crime red flags should equal their knowledge of the products they are selling. Compliance can help the board be more effective by presenting issues in a manner that correlates compliance metrics with actual risk to the firm, interpreting numbers, identifying patterns and communicating how they are addressing issues.
To manage financial crime risk effectively, you should understand how it specifically manifests itself within your firm. Without this baseline information, it is challenging to build an effective risk-based approach. Performing a risk assessment is a mandatory requirement in some jurisdictions, but the risk assessment might be useless if it is just an annual rote exercise and then filed away. These assessments should be living and continuously updated. To strategically drive them, we suggest these tenets:
Ensure your controls are risk-based — A meaningful risk assessment will help identify high risk areas that require the most attention. Due diligence and transaction monitoring processes should focus on those higher risk areas and less on lower risk areas
Prioritise and respond — The risk assessment process may uncover new risks and control gaps. Firms, however, should understand that all risks are not equal. It is important to remember that prioritising is not the same as ignoring. Firms should develop a prioritised action plan based on the severity of risk
Assess change — A risk assessment should be a living and breathing document. It should adapt to the evolving internal and external landscape. For example, it should consider the impact of new criminal typologies and fluctuations in high-risk customers, transaction volumes, or transactions with high risk geographies. Firms should have mechanisms to monitor changes in risk in between assessment cycles so that they can act proactively instead of reactively
Board participation is key — The output of the risk assessment, ideally in a summary document, should be shared with the board so they understand how the risk landscape is evolving, to ensure risk management is funded to keep the organisation safe. The output may also impact the board’s risk appetite
Technology can help firms identify and mitigate financial crime risk through more effective data collection, processing, and analysis. Advancements in anti-financial crime technology provide firms with solutions such as automated screening and monitoring, the use of AI and machine learning to enhance systems, digital onboarding, etc. These tools can allow for continuous and comprehensive monitoring, increased speed, reduced cost, and improved customer experiences.
Technology solutions must be tailored to the firm’s risks. For example, it is better to create scenarios for your transaction-monitoring system based on your risk assessment and appetite rather than blindly activating all the scenarios the technology is capable of screening for. Firms must ensure proper oversight and governance over the technology during and after implementation. Firms need to understand what data is fed into the solution, how the black box operates, whether it is configured correctly, and whether the solution is effective in its output throughout the life cycle of its use, not just at implementation. Systems and their data inputs need to be maintained and tested regularly. Firms cannot outsource this risk to vendors or group companies effectively.
While technology can support the firm’s ability to better manage risk, humans must first understand the risk. Even the best technology will not allow you to manage the risk without an understanding of the underlying risk and how it manifests itself.
Many firms under regulatory scrutiny routinely fail at the basics—there is often a lack of understanding of the real risks, a tick-box approach to meeting regulatory requirements, a disconnect between the purpose of financial crime risk management and the process mindset, and a reliance on technology solutions where the risks are not fully understood. As firms improve their understanding of the threat, criminals mutate their activity looking for alternative ways to continue to wash their dirty money. Firms should continue to be alert to these mutations. The message to those responsible for financial crime risk management is clear: work together to safeguard your firm by regularly reviewing and improving the risk-prevention tools and the effectiveness of your approach, and focus on those elements that are within the control of you and your team.
Complexity demands a trusted guide with the unique expertise and cross-sector versatility to deliver unwavering success. We work with organizations across regulated commercial and public sectors to catalyze transformation and pioneer new directions for the future.