As banks turn to their business continuity plans to weather the COVID-19 pandemic and operate with large numbers of employees working from home, they must hone their risk-based approaches to anti-money laundering compliance and ensure that they communicate changes to transaction-monitoring or other systems to regulators, experts said during a webcast on Monday.
Applying the risk-based approach is something “we all talk about and want to do,” but the “ongoing discussion about whether or not that is possible and what that looks like” is especially important during the COVID-19 crisis, said Sarah Runge, global head of financial crimes compliance regulatory strategy at Credit Suisse. Runge spoke during the event held by the Association of Certified Anti-Money Laundering Specialists (ACAMS).
“It applies all the way across, from where we’re putting our resources, where we may be moving people around in the context of the different type of activity and active risks we’re seeing. This is something we can see as a good practice coming out of this as I think firms are very good at doing this when given situations like this,” said Runge, a former U.S. Treasury Department AML official.
Financial institutions are being forced to reevaluate their risk-based approaches to AML – the ways their people and systems are deployed – as they work to address the greatest financial crime threats in the face of the pandemic, said Sarah Beth Felix, who runs Palmera Consulting LLC, an AML consulting firm.
The term risk-based approach “is thrown around a lot at conferences,” but this crisis is a time to see “what it actually looks like when the rubber meets the road,” she said.
“If your pandemic plan, or business continuity plan, doesn’t already incorporate language that gives you the opportunity to pull on that string and activate that parachute to get you and your AML program down on the ground safely, that’s something that I think needs to happen,” Felix said.
It is important that AML professionals not let their guard down during these “unprecedented times,” said Kieran Beer, director of editorial content for ACAMS, who moderated the webcast.
“Sadly, financial criminals don’t take a rest during a time of crisis, but in fact kind of heap the anxiety and the cruelty of a time like this onto people who they choose as victims, so I think the importance of everyone keeping their systems going, everyone keeping their own health, this is the real purpose during this time for the ACAMS community, for the entire anti-financial crime community,” he said.
Banks should align their transaction-monitoring systems with their highest risks and weigh the efficiency ratings of alerts their systems have historically produced, Felix said.
“If you have inefficient alerts and you’re looking at less than 1% (positive hits), table those, get those off to the side, and try to focus your efforts on those customers who are going to behave differently,” she said.
The goal should be to identify activity involving criminals “who are probably ramping up” their frauds and other schemes “because they know you’re going to be distracted,” Felix said. To that end, banks should tweak their transaction-monitoring systems to avoid producing alerts on customers flagged simply because their activity drops off, a natural effect of the pandemic.
“Look at your transaction monitoring rules to make sure you’re not getting overwhelmed by people who just deviate in behavior, meaning that they had a whole bunch of activity and then they stopped, especially if your city has a restriction (on restaurant, bar and other business activity),” she said. “If you have a behavioral-based system, that should be incorporated into your BCP, because you will have people who are just stopping business because they have a city or state level restriction, so that may flag an alert, and those people you don’t really need to look at.
“You need to take a triage kind of approach. That’s where having those (business continuity) statements that give you the freedom to make risk-based decisions is really kind of the life saver in all of this.”
On the other hand, AML experts have suggested that unchanged levels of activity among businesses that would be expected to show declines, such as restaurants and bars, might be a sign of potential laundering activities.
Some systems and banks may be equipped to make quick changes to transaction monitoring systems, but others may not, said Megan Hodge, Bank Secrecy Act officer for Ally.
“I think the concept around identifying what is considered the new normal in terms of your customer activity and making sure that you’re providing very clear direction to your analysts are very good ways to respond to an uptick in alerts even if you’re not going in and changing thresholds,” Hodge said. Chain of governance is “critical” for documenting the changes banks are making to their AML programs to ensure “nothing gets confused at a later point,” Hodge said.
Beer asked whether banks are modifying transaction-monitoring systems to reduce alerts during the pandemic so that they can be managed by fewer employees and how such decisions are being communicated to regulators.
Felix said it is “a little dicey” to limit alerts, especially if such an approach was not outlined in a bank’s continuity plan. The reasoning for such steps must be documented, she said.
“I would make sure that you make your case in a change control form or a risk acceptance form of sorts, especially if you’re a smaller institution,” she said. “Have your chief in charge, or your board, sign off on the changes that you are willing to accept that risk, that you will deactivate on a temporary basis some of the less efficient alerts and that you will refocus,” Felix said.
She added: “I think it’s not just turning it off and not adding anything, I think it’s turning off the ones that don’t have anything to do with the typologies that we’re going to be seeing for fraud, for Ponzi schemes, for money laundering (during the COVID-19 crisis). Turn those off (that are less than 1% in efficiency rating) and add in custom-tailored alerts.”
Hodge, however, said she “would be a little bit nervous to turn anything off” because it will be easy for regulators to later ask what potentially illicit activity may have been missed as a result. A different approach might be to adjust policies to give analysts additional time – perhaps three or four months – to “get to everything.”
“Perhaps you could generate all of your alerts, but give yourself a bit more flexibility in terms of when you’re going to be able to look at all of those alerts, prioritize them by the types of alerts that tend to lead to more fruitful outcomes, maybe even prioritize how much depth of a review you put in there,” she said. “If you’ve got particularly unproductive alerts, a very abbreviated review would be appropriate.”
Sanctions compliance impact of COVID-19
One key challenge for sanctions compliance has been a “significant” decrease in staffing in certain geographic areas, such as the Asia-Pacific region, in recent weeks, said Chloe Cina, director of global sanctions and embargoes for Deutsche Bank.
“That’s really impacted on our ability to be able to manage some of these alerts and the changes in circumstances. So although the sanctions and legal landscape hasn’t really changed, it’s more about the staffing problems that we are facing and how we manage that through the teams,” Cina said.
Deutsche Bank has “split its teams down and we’ve tried to prioritize our work and look at those things that can be… kicked into the long grass,” she said.
“We’ve done a lot of work with our regulators and tried to understand what is most impactful. We’ve tried to prioritize work from the highest risk issues to the lowest risk,” Cina said.
At Deutsche Bank, 90% to 95% of the workforce is able to work from home, she said. She said one challenge has been that “the technology is not there for everyone,” but added that the issue “has more or less been resolved.”
“We’ve had a few teething problems with operations and systems but we’ve shut down a lot of our offices to drive efficiency, save on costs, but also reduce the risk posed to staff who would otherwise have to operate in those offices. It’s really the key infrastructure individuals who are remaining on-site,” Cina said.
Credit Suisse was well-prepared to roll out an operational plan that involved splitting up teams and allowed the “vast majority of staff” to work from home, Runge said.
“We’ve had teething issues (with remote-working technology) in some jurisdictions more than others. But while we are broadly operational… some of the systems, in terms of speed, getting kicked out, those do continue to occur,” she said. “Some things are taking longer, whether it’s periodic review, whether it’s access to client data, whatever it is can result in delay in some of our activities.”
Regulatory relations during pandemic
Banks are all operating in an entirely new environment, and “I think that just as we as individuals and professionals and firms are working through this, I think it is fair to say that all of the regulators are too,” Runge said.
Runge noted that a number of regulators, including the U.S. Treasury Department’s Financial Crimes Enforcement Network (FinCEN), have “put messages out there, making clear that they understand this is a difficult time and that firms are going to be adjusting.”
“The most important thing is … having that check-in, which obviously is remote, but totally doable, with our primary regulator to say ‘This is what’s going on, this is how we are thinking about it, this is the impact it may or may not be having on … any outstanding regulatory commitments,’” Runge said. “The starting point for this isn’t ‘What is it we are not going to do,’ it’s ‘How are we going to do what we need to do in the environment we’re operating in?’ And I think it’s fair to say that that’s consistent with what we’ve heard from our regulators as well.”
For AML and sanctions units involved in remediation work, it is important to “strike up relationships with regulators and try to achieve a sort of moratorium,” Cina said. It is vital to come to an arrangement, even an “under the counter agreement,” on an extension of time to resolve any issues, she said.
“It’s just about having that open dialogue,” she said. “We really need to record and document everything, even if we haven’t got a pandemic plan in place, but we’re just sort of making it up as we go along and using our business continuity plan, and if two or three years from now we’re challenged by our regulator, we can sit down and say ‘This is what our rationale was, this was the decision we made for these reasons.’”
The FinCEN guidance simply said to reach out to regulators when AML compliance issues arise, but there “has been no guidance that I’ve seen that officially provides any relief,” Hodge said.
A lack of public guidance or relief is one reason it is important for firms to individually have “open discussions” with regulators, Cina said.
“I think it would be very unlikely that we would see a relaxation of any regulation or rules on filing SARs or blocking reports, or whatever it is, openly because governments are working with crisis management teams and the last thing they want to do is put something out there that they will then be held to account for,” she said.
Credit Suisse recently had a scheduled exam of its New York branch changed to a virtual exam and then ultimately delayed, Runge said. The bank nonetheless provided all of the information requested in advance and is prepared for “deep dive background calls,” she said.
“We’re still sort of waiting to hear for the next steps on that,” Runge said.
However, to the extent there is everyday AML compliance work, and remediation, that can be accomplished despite the pandemic, banks should continue moving as quickly as possible to demonstrate their commitment to regulators, she said.
“If there are some things that don’t go exactly according to plan, and we proactively communicate them, what we are finding is the extent to which we remain on schedule for different things our regulators already are (pleased) that we kept to the schedule,” Runge said. “If we went into our regulator and said ‘Across the board … everything is going to be delayed,’ that will not be well-received.”