How to Marry AML and FraudIntegrating Systems and Silos is Challenging, But Not Impossible
Julie McNelley, a financial systems and payments fraud analyst at Aite, writes about the uneasy relationship banks and credit unions have tried to build between their fraud-prevention and AML departments.
"On the surface, this concept makes a lot of sense," McNelley says in her blog, AML & Fraud Prevention. "[But] one of the most significant challenges that financial institutions cite is the culture clash between AML and fraud groups," she adds. "Individuals in the AML group have a more legalistic or compliance background, and those on the fraud side generally are more operational."
Building on research conducted by McNelley, Aite recently published "AML and Fraud: Don't Order the Wedding Cake Yet," which focuses on the need for providers of AML solutions to offer platforms that more readily integrate with fraud prevention. Based on separate 2011 studies of executives at banking institutions from around the world, Aite finds that about half of the business executives surveyed expect to increase AML technology investments and staff over the next two years. Regulatory compliance is the primary driver.
"Some financial institutions have to varying degrees been experimenting with integrating their fraud prevention and AML functions into cohesive financial crimes units," the report states. "While this concept makes sense on the surface, institutions that have attempted this integration cite a number of challenges, including organizational and cultural barriers. Fraud prevention, therefore, ranks low on the list of features sought in an AML solution - well below the desire for robust analytics and rule sets, tuning flexibility, and case management."
Breaking Down Silos
Hugh Jones, CEO of AML solutions provider Accuity, says the Aite findings are not surprising. "AML and fraud departments don't get along well," he says. "Typically, institutions have siloed groups - some try to comingle, but it is difficult."
And divisions between fraud prevention and AML are more complicated than the Aite report suggests. That's because most top and mid-tier global banking institutions don't just have fraud and AML groups that are competing for attention and dollars; they often have as many as five separately focused groups, and walls that divide them are so thick that breaking down the silos will likely take several years and numerous integration incarnations.
"What we typically see is a PEP [politically exposed persons] group, a KYC [know your customer] group, an AML group, a fraud group, which is looking for actual fraud, and an SEC [Securities and Exchange Commission] group, which looks at things like Dodd-Frank compliance," Jones says. "Corporations do not try to co-mingle these silos, but in best practices, they can leverage the disparate systems through technology. Then you have CISOs who can look at the overall picture to see where they have hits, to see if they can pick up on fraud. You really should be able to take a look from on-high, and then take a look at your overall risk perspective."
But not all technology solutions are created equally, and regulators are upping the levels of scrutiny they apply during compliance audits.
"While there is no clear-cut answer regarding whether AML and fraud-prevention functions will increasingly merge over time, integration efforts that focus on sharing data between these groups appear to have the most momentum," McNelley says. "Vendors of enterprise risk management solutions should ensure that their solution has the flexibility to facilitate this sharing on an entitlements basis, and reflects the unique needs and approach of financial institutions seeking to meld fraud prevention and AML."
Meeting minimal requirements for suspicious activity reporting and compliance with the Bank Secrecy Act and the USA Patriot Act will no longer be enough for financial institutions operating in the U.S. Regulators want to know that fraud-prevention and AML systems are designed to go above and beyond what the letter of the law demands.
"Checking the box is not enough," Jones says. "The regulators want to see things that go beyond the black-and-whites of the regulations. They want to know that you've done the extra work. They're saying: 'It's your job, Mr. Banker, not the federal government's job, to explore this.'"
The problem is that a majority of financial executives, including those surveyed by Aite, say they are satisfied with AML systems that simply meet compliance requirements. "They are not saying that they are satisfied with the system because it catches fraud," Jones says. "Most are satisfied because they are protected, but not because they are catching bad guys. And many are not actually trying to stop the bad guys. If you put your AML system in five years ago, it's not going to pick up on everything. It's too dated."
Regulators are mindful of those gaps and will be on the lookout for dated technology. And they won't be giving breaks to smaller institutions when it comes to required investments in AML and fraud prevention.
Jones' Top 3 Tips:Jones summarizes his thoughts on the uneasy marriage of AML and fraud prevention:
- Don't be intimidated by divisions between fraud and AML departments. "Just because your groups are different, you should not avoid integrating," he says. "Different is good. Embrace it. People who investigate fraud should be different than those who investigate AML. Enjoy the differences, but use software to bring the two together."
- Review software solutions carefully before making investments. "Don't just buy a solution because it satisfies compliance," he says. "Go beyond the satisfaction threshold."
- Think about compliance as a platform rather than multiple silos. "This is the wave of the future."