Main Content

Designing a New AML System

There is growing recognition that the existing AML/CFT regime isn’t working as intended. Now is the time to rethink and rebuild a system to meet today’s growing demands.

By Juan C. Zarate and Chip Poncy

Over the past 15 years, concerns over the dangerous and corrosive impact of illicit financing have shaped core national security strategies and underscored the importance of defending the integrity of the financial system. The United States government and other authorities have used the tools of financial pressure, sanctions, and regulation to address every major international security concern – from terrorism and nuclear proliferation to kleptocracy and human rights abuses – with a growing demand on the financial community to prevent rogue actors and illicit capital from entering the financial system.

Given the attention, importance, and resources concentrated on the issues of financial integrity and security, this is a critical moment to clarify the purpose of the anti-money laundering/combating the financing of terrorism (AML/CFT) system and ask whether it’s working as intended. This question takes on more importance as organizations invest ever-increasing resources into compliance with financial regulations and as greater policy demands are placed on the tools and strategies of financial pressure. 

The AML rules and regulations developed over the past four decades were built to facilitate transparency, traceability, and accountability. The modern AML/CFT system is intended to be systemically effective to deter, detect, and disrupt illicit financing, but it can’t stop all illicit activity. The risk-based model upon which the AML/CFT regime relies assumes that not all dirty money will be stopped, nor will every dollar be detected, traced, and seized. No institution or country, however much it spends, can thwart all illicit actors. 

Billions of dollars of fines have been levied against banks for failure to comply with AML/CFT requirements, and billions more have been invested by the private sector in compliance systems, personnel, and remediation to meet increasing global standards.
There have been herculean efforts to make the system work. Even with such dedication, the current AML/CFT system isn’t working effectively or systemically. It’s inefficient in how it attempts to prevent financial crimes and ineffective in protecting the financial system from the flow of illicit financing. But this isn’t the time to abandon the principles embodied in this system. Quite the opposite – this is a moment of opportunity to design a new system that does more to protect the international financial system and reduce the costs and inefficiencies of the current model. 

This article explains why the current AML/CFT regime as designed and implemented is outdated and lays out a vision for a new AML/CFT approach – driven by new technologies and structural innovations – that is better designed to protect the integrity of the financial system.

 

Protecting the Integrity of the Financial System

The evolved goal of the AML/CFT regime is to protect the integrity of the financial system in a way that furthers key national security objectives, with a demand that financial institutions (especially major global banks) guard the gates of the global financial system. What was designed as a regime to help law enforcement “follow the money” has expanded to include a preventative web of sanctions and regulations used to deny rogue actors access to commercial and financial facilities. This evolution has placed enormous stress on the financial community to meet the expanding definitions of financial crime, complexities of sanctions regimes, and the heightened expectations of compliance. 

The costs have been high. Billions of dollars of fines have been collectively levied against banks for failure to comply with legal requirements, and billions more have been invested in compliance systems, personnel, and remediation to meet increasing global AML/CFT standards and expectations. The stakes for financial security are even higher. Amid the increased scrutiny, illicit funds – from state and non-state actors – continue to flow. Criminal networks, rogue regimes, and terrorist groups continue to gain access to capital; they use the dark corners of the financial system, old and new methodologies, and developing technologies to circumvent or overwhelm the best of controls. 

Estimates suggest that well over a trillion dollars of illicit financing are raised and moved globally every year, fueling everything from arms and human trafficking to environmental crimes and kleptocracy. These illicit flows also affect development and sustainable economic growth. In 2015, developing economies lost over a trillion dollars to illicit finance activities. Successful efforts to prevent illicit financing, uncover criminal networks, or trace rogue capital seem difficult and sporadic at best. Even with increased vigilance and more reporting of suspicious activity, the volume of illicit financing continues to present systemic challenges to AML/CFT regimes around the world. 

Recent events have reinforced the idea that the system isn’t working as intended. The Panama Papers leak exposed the purposeful opacity in corporate formation and the placement and layering of money and transactions that can facilitate all forms of financial crime and the evasion of sanctions. The continued fines and prosecutions of banks for failing to meet sanctions and AML obligations underscore the fact that compliance culture and practices haven’t met policy expectations. And global corruption investigations – such as the 1MDB scandal in Malaysia – reveal the corrosive force of unbridled power and money, and continued exploitation of the world’s seemingly most well-regulated banks.

The policy and regulatory communities are already grappling with the question of whether the system is effective. In 2014, the Financial Action Task Force (FATF) launched a new round of assessments to test whether jurisdictions’ systems are effective, as opposed to simply in place on paper. Regulators and policymakers are considering how best to judge and balance financial transparency policies, exclusion of suspect activity, and inclusion of vulnerable communities/sectors. The private sector is grappling with its compliance obligations and whether its investments are worthwhile and sustainable.

The AML/CFT System is Flawed

Current AML/CFT efforts are systemically ineffective because of both incomplete implementation and outdated design. 

There has not been a full commitment globally to the current model of compliance and transparency. Efforts have been hindered by the absence of a culture of compliance and a failure by financial and commercial actors to appreciate the heightened global expectations of financial integrity. The current system has also failed to regulate and shine a light on all vulnerable sectors of the global economy. A lack of resources and expertise within government authorities has led to weak enforcement, with a heavy reliance on the United States to police the system. Some of this ineffectiveness can be explained by a failure to effectively adopt, apply, supervise, and enforce appropriate risk-based models. The growing demands and risks to the financial sector have also engendered a defensive mindset that is less about risk management and more about risk avoidance.

It is legitimate to argue that the current system has never been fully or properly implemented. This ineffectiveness, however, is not just about a lack of understanding, commitment, or enforcement. The design of the AML/CFT system is outdated, and there are inherent limitations in the design of the current paradigm.

Structural Design Challenges

As designed, the current system is intended to support law enforcement in the investigation and prosecution of financial criminal cases and not as a way to defend the entire financial system from abuse. Traditionally, law enforcement agencies viewed the financial system as a means to discover and obtain information on criminals. The Bank Secrecy Act (BSA), the foundation of today’s AML/CFT system, was created in 1970 to assist law enforcement agencies in “following the money.” The Suspicious Activity Reporting system that requires regulated entities to file suspicious activity reports (SARs) on dubious customers and transactions remains a tool for law enforcement to build cases. 

As a result, AML/CFT reporting requirements and obligations are built on a “one-to-one” model, where each institution typically reports to an authority (usually a financial intelligence unit) about singular customers and transactions. The stove-piping of information is intended to protect customer data and reporting to law enforcement for the purpose of investigations. This model does not create a dynamic flow of information between authorities and institutions within the private sector, or across borders. In short, there is no facility for real-time responses, dynamic feedback, or collective learning. 

There is a creeping recognition by regulators and the financial community that there need to be new AML/CFT models to deal with the pressures of managing compliance risk and more opportunities to do so in a cost-effective and sustainable way.
Thus, each institution’s visibility into illicit activity ends with its touch points with customers and transactions, and most authorities aren’t seeing systemic vulnerabilities across institutions on a real-time basis. Within institutions, information sharing between business lines and compliance teams happens on a customer-by-customer basis. It’s difficult for both the public and private sectors to monitor and respond to systemic vulnerabilities without specific focus and enormous resources. And if the private sector proactively uncovers vulnerabilities, such focus is often met with additional regulatory scrutiny.

All attempts and structures to facilitate broader information sharing, such as through the Egmont Group of Financial Intelligence Units (FUIs) or Section 314(b) of the USA Patriot Act, which permits financial institutions to share information under certain criteria, are intended to break these barriers. The major global banks have tried to shape this with the development of their own FIUs. Regulated institutions have developed “Super SARs” to report networks of concern within their platforms or businesses. Despite these innovations, the current design is still a transactional-based model that is not geared toward systemic defense.

 

Policy Challenges

The increased use and blending of sanctions and the AML/CFT system to exclude financial rogues and to maximize financial transparency has created a series of escalating risks and policy challenges for the private sector. Regulators and policymakers continue to demand that the financial community understand and manage its risk – often demanding that institutions know and monitor not only their customers but also their customers’ customers, transactions, and suppliers. Authorities are deputizing these same companies, ramping up requests for banks to register, collect information, and report suspicious activity. This also includes discovering and even predicting where illicit actors are operating before authorities list related individuals or entities. 

These escalating risks are compounded by the costs of catching up with financial transparency expectations now codified with the new customer due diligence (CDD) rule in the U.S. and the heightened global importance of understanding ultimate beneficial ownership.

The need to address these systemic vulnerabilities has contributed to decisions by institutions to bluntly de-risk customers, business lines, and jurisdictions. The justifiable concern with these risks has often overshadowed the need to focus on threats that institutions face from illicit financing networks that exploit their businesses. 

The reality is that sophisticated organized crime groups, terrorists, and rogue states continue to find ways to leverage the financial system to increase their wealth and global reach. Mexican drug cartels have used banks to move billions of dollars; North Korea is a criminal state that has evaded sanctions through front companies and its trade with China; and terrorist groups such as Hezbollah have developed global trafficking networks that laundered funds through banks and money service businesses (MSBs). The very elements of globalization that facilitate trade and commerce also allow illicit actors to leverage that system for profit.

Institutions faced with expanding policy expectations are left with no choice but to de-risk or expend enormous resources to invest in the tools and personnel needed for compliance. This puts a premium on quantitative metrics used to show seriousness of purpose and effectiveness, such as the filing of SARs and the number of compliance officers hired. However, these metrics often fail to produce qualitative differences in risk management. These factors haven’t necessarily led to a more effective AML/CFT system. 

Technical Challenges

The mission of countering illicit finance also faces a massive technical challenge. The 1980s analog model that developed to understand, screen, and monitor customers and transactions has not kept pace with the amount, speed, and fluidity of data available in the 21st century. The new digital and big data economy is transforming all businesses. In the past, most regulated institutions segmented their data systems to meet business needs, not to optimize compliance management. That is changing, but financial crime risk management depends on the platforms, data, and analytics upon which compliance relies. 

The risk of making the wrong compliance decision has put a premium on creating more sophisticated escalation processes and tweaking the algorithms and models used to flag suspicious behavior. The refinement of these systems is limited, however, by unstructured or missing data as well as lack of connectivity between internal and external data sources. Even with attempts at technical patches and greater automation in the public and private sectors, the SAR process and network analysis often relies on manual reviews. The result is an almost impossible mission of fighting 21st century financial crimes using 20th century technologies. 

Whether due to a failure to commit to a culture of compliance or adopt a true risk-based model, or the failings of design and technical challenges posed by an outdated system, the current approach is not geared toward meeting the demands of defending the global financial and commercial systems from abuse by illicit actors. A new design could help leapfrog over those deficiencies.

Reimagining the AML/CFT System

Fortunately, we now have the opportunity to reimagine the current system and make it more effective. There is a creeping recognition that there needs to be a new cost-effective and sustainable model for managing compliance risk.

New technologies are blazing the trail for a novel approach. Capabilities that allow organizations to collect, share, analyze, and protect mass amounts of data and transactions in real time, establish more reliable customer and transaction identification, and apply more sophisticated and automated analytic tools are the cornerstone for a new model. From 2013 to 2020, the digital universe will grow by a factor of 10 – from 4.4 trillion gigabytes of data to 44 trillion, which means it more than doubles every two years. Such a monumental shift is fueled by the rapid increase in “virtualized datacenters, seamless public and private cloud computing, and new storage management technologies,” according to IDC. In the realm of regulatory technology, new tools allow for more collaborative sharing of information in smarter and more effective ways. 

There are a variety of new technologies, data aggregation mechanisms, platforms, and pilot programs that could help shape and build confidence in a new AML/CFT system.
It’s now possible to consider what the design of a new system might look like. Like a common utility, this system would involve participating institutions to automatically share bulk customer and transaction information. Automated analytics would be applied against transactions to screen sanctioned and suspect parties and identify patterns of concern on a real-time basis. Red flags would be provided to participating institutions, relevant authorities, and FIUs. Information provided could be anonymized to protect customer privacy, while transactions and reports to relevant parties would be provided in real time. This model could be applied on different platforms and involve different actors, in some cases with government, including FIUs, at the center, and in others a private sector actor or consortium acting as the trusted clearinghouse. There are seven core principles that are critical to this new design:

1. Prevention and Risk-Based Paradigm: There must be a recognition – in law, practice, and design – that the AML/CFT system needs to move from a reactive model to a preventative, risk-based model. The intent is not simply to respond to criminal activity but to prevent illicit actors from accessing the financial system. There also needs to be a commitment to true risk management and allowance for financial firms to engage in risk-taking, especially when trying to meet the goal of financial inclusion.

2. Sector-Wide Protection: The system needs to be constructed to protect financial and commercial sectors broadly and collectively. This means that key sectors – such as the global banking community, the insurance sector, investment firms, and particular businesses – would be viewed and treated as a whole to prevent them from being abused. This would allow for high-risk sectors to manage their risk collectively and provide necessary assurances to the marketplace.

3. More Data and More Sharing: Higher-quality data and greater information sharing would be essential for this model, using big data capabilities, biometrics and identity verification, and network and behavioral analysis. This would include automatic sharing of cross-border wire data, customer transaction information, and suspicious activity information within organizations and sectors and across borders. This would also include real-time feedback loops and continuous learning and analysis for use by the participants, and would take advantage of any new technologies, such as blockchain, or other digital tools. 

4. Automation and Analytics as Drivers: Leveraging more powerful analytics and automation to discover and even predict where suspicious illicit behavior or vulnerabilities may lie will be essential to any new system. This would require a common understanding of how such analytics would be used to screen customers, monitor transactions, and reveal illicit activity – and an acceptance that there would be shared risk in the calibration of relevant algorithms and typologies. This would also take advantage of the evolution and use of artificial intelligence, where machines can recognize patterns of behavior over time.

5. Enhanced Privacy and Protection: Trust in any new model is essential for it to work. Any new model must reinforce the security of individuals’ information and the protection of privacy and civil liberties. Technologies can be applied to mask and protect sensitive customer data – for privacy and proprietary reasons – while allowing for effective network analysis and anomaly detection. Any data aggregation would need to be paired with the best cybersecurity practices and systems.

6. Risk Sharing and Management: This new model requires there to be shared risk among like actors in specific sectors, along with more robust, shared risk management between the public and private sectors and between governments. Parties must be comfortable sharing more information and managing risk together, and governments must be willing to help inform and manage risk along with the private sector. This model could extend to collaboration among correspondent banks. With more information comes more responsibility. All actors would need to allow for a model of shared financial crime and sanctions risk management. 

7. Cost Sharing: Though the new model would not alleviate the need for each institution to invest and engage in baseline compliance risk management or for governments to create regulatory and enforcement capacity, it would provide for a collective platform to analyze sector-wide risks. Over time, this would allow for the reliance on capabilities that are collectivized and automated. This could also provide a more sustainable cost model that can be shared among participants.

There are challenges to implementing any new model on a global or even jurisdictional basis. Existing legal strictures, bureaucracies and calcified cultures, regulatory expectations, sunk systemic costs and investments, lack of agreement on the common model, and risk of massive change all suggest this won’t be easy. The good news is that innovations are already emerging, and the vision for a new AML/CFT paradigm is appearing in pieces in various new platforms, technologies, and pilot programs.

 

Emerging Elements of a New System

There are a variety of new technologies, data aggregation mechanisms, platforms, and pilot programs that could help shape and build confidence in this new system.

Innovative Technologies

With customer identification, the field of biometrics is rapidly evolving. Countries such as India are at the forefront of this area, with the biometrics market in India predicted to reach $3 billion by 2021. Banks are beginning to introduce “touch ID” log-in capabilities for their customer accounts (for example, mobile banking apps). In addition, biometric fusion – including iris scans and voice recognition – is providing banks with alternative ways of confirming a customer’s identity.

New payment models and the financial technology market are transforming the way customers and transactions are accessing financial services. Alternative payment providers and systems are challenging banks’ traditional dominance of the sector, and younger consumers and those outside of the traditional banking system are adopting a wider range of payment options. 

The rise of digital ecosystems provides opportunities for innovation that could enhance financial efficiency and compliance. Financial institutions are beginning to embrace the underlying blockchain technology (which provides an open public ledger for transactions). Other banks are joining consortia such as R3 to collaborate on exploring and developing distributed ledger technologies that can be leveraged by the financial sector. Regulators in advanced economies are finding the balance between regulating new financial products and services and allowing for innovation.

The distributed ledger technology is being imagined as a secure way to record contracts, facilitate remittance payments, and revamp trade finance. It “offers the intriguing possibility of eliminating [banks as the] ‘middle man’ by filling three important roles – recording transactions, establishing identity, and establishing contracts – traditionally carried out by the financial services sector,” as Bernard Marr wrote in Forbes. Technology giants are moving toward promoting the technology, and in May 2016, Microsoft announced that it had joined the Chamber of Digital Commerce, the world’s largest trade association representing the digital asset and blockchain industry. The data captured and shared via blockchain allows for analysis well beyond the immediate transaction and allows targeted insights into global illicit financial streams. With these new technologies deepening customer and transactional identification, the potential for the identification of suspicious patterns and networks increases exponentially.

Aggressive Information-Sharing Structures

Information-sharing platforms are emerging to optimize how parties are sharing information. These are beginning to open the possibility for more collaborative models of information sharing, including customer information.

In the United Kingdom, for example, the Joint Money Laundering Intelligence Taskforce (JMLIT) links government agencies, law enforcement bodies, and 25 major U.K. and international banks. JMLIT’s approach is based on a model of “collaboration, collective ownership and prioritization” to combat high-end money laundering. The approach has worked well. JMLIT members have developed cases, identified and closed banks accounts, obtained 50 new court orders, and made numerous arrests. As a result, the U.K. government now plans to move JMLIT to a more permanent footing and expand its membership.

In the United States, there is movement toward more active models of information sharing under Section 314(b) of the USA Patriot Act. The Office of the Comptroller of the Currency, the Department of Justice, and the Treasury Department’s Office of Terrorism and Financial Intelligence have all expressed their support for 314(b) communications. Efforts by Standard Chartered Bank, Bank of America, and Wells Fargo to focus information-sharing efforts on combating human trafficking are good examples of this practice. Financial Crimes Enforcement Network (FinCEN) reports demonstrate a steady growth in the number of SARs explicitly referencing 314(b) communications from banks, broker-dealers, insurance companies, and financial services companies, among others.

The cyber domain is also providing an arena and models for greater collaboration. Major U.S. banks have recently announced efforts to collaborate to protect against cyberattacks. Other platforms and alliances already demonstrate the success of dedicated real-time information sharing between the public and private sectors.

Countries and the financial industry are also beginning to collaborate and consolidate know-your-customer (KYC) databases and systems. India and France have established KYC platforms. In 2010, India’s Credit Information Bureau (CIBIL) and several other industry associations launched CIBIL Mortgage Check, a nationwide tool for fraud control lauded by Business Standard as the country’s “first centralized nationwide database of mortgage information that will help banks and financial institutions share and access mortgage information, exercise stronger due diligence, and reduce fraudulent transactions.” France operates a central database of bank accounts known as FICOBA (Fichier national des comptes bancaires et assimilés), which is managed by the French tax administration and holds more than 80 million account registrations. Other countries, including the United Kingdom, have announced efforts to establish corporate registries to facilitate CDD requirements, which may provide another vehicle for analyzing bulk customer data.

In addition, the banking industry is working with organizations such as KYC.com to share customer information as a means to make adding customers more efficient, share costs, and avoid bank arbitrage by nefarious actors. This platform could prove helpful in allowing the banking sector to share more information and costs.

Real-time information-sharing mechanisms used in other contexts, such as fraud detection and prevention, may also provide helpful examples of how customer and transaction information can be shared and used efficiently by competitors to protect sectors against illicit activity.

Screening Platforms

Common screening systems and platforms present an intriguing opportunity to consolidate compliance risk management and to share the risk attendant to addressing illicit finance. 

In Mexico, the Central Bank has established the Banco de México’s Domestic USD Transfer System (SPID), an electronic domestic payment system designed for the settlement of interbank U.S. dollar payments between Mexican banks. Launched in 2016, SPID was developed in part to increase traceability and transparency of dollar-denominated transactions within the Mexican financial system, and it requires enhanced AML/CFT obligations of all participating banks through the Central Bank’s role as operator. As SPID members, banks are specifically required to apply more stringent AML/CFT policies and reject transactions of which they do not approve on AML/CFT or fraud grounds. 

SPID has not yet become fully functional, and financial crime risks and questions remain, including how transparent the system will be, whether it could shield suspect dollar transactions from U.S. authorities, and how it responds to real risks to the Mexican system. Despite those questions, SPID provides an opportunity to think creatively about how a credible national authority might use the real-time collection, screening, and analysis of financial data and transactions to identify and respond to vulnerabilities and threats to the banking sector.

Such national centralization efforts are echoed by corresponding supranational developments, such as the consolidated transaction monitoring and analytic systems from the Society for Worldwide Interbank Financial Telecommunication (SWIFT). In late 2014, SWIFT launched its KYC Registry, a secure shared platform for financial institutions to exchange and manage standardized KYC data, developed in collaboration with the industry. To date, approximately 2,000 banks in 191 countries are using it as a cost-effective way to improve the efficiency of their operations, reduce cost, and mitigate risk. SWIFT has also launched the Sanctions Screening service, which allows for real-time message screening for institutions, especially midsize institutions, against 30 sanctions lists. 

These types of platforms and screening models could be expanded beyond sanctions screening to include the monitoring, analysis, and flagging of illicit financing. They could also be combined with models of centralized collection of transaction information in addition to enhanced KYC information sharing. Australia and Canada have developed noteworthy models to capture cross-border transfer information and opportunities for systemic analysis and information sharing among multiple stakeholders.

The Australian Transaction Reports and Analysis Centre (AUSTRAC), the Australian FIU, collects, analyzes, and disseminates financial intelligence data on cross-border currency transactions, suspicious transactions, and large currency transactions. AUSTRAC oversees the compliance of – and collects data from – more than 14,000 Australian businesses, including major banks, casinos, and single-operator businesses. Canada is using a similar approach through its Financial Transactions and Reports Analysis Centre (FINTRAC). FINTRAC first required the reporting of cross-border electronic funds transfers (EFTs) made via SWIFT messages in 2002 and expanded the reporting requirement to cover all forms of international EFT regardless of the system used.

The United States has long flirted with systemic reporting of cross-border wire transfer information. In September 2010, FinCEN proposed a regulatory requirement that would require certain banks and money transmitters to report transmittal orders associated with certain cross-border electronic transmittals of funds. Officials argued that “by establishing a centralized database, […] an exceptional benefit to law enforcement and the modest cost to industry” could be leveraged. 

In 2015, FinCEN announced its intent to revisit its 2010 proposal to capture information on all bank cross-border wires and non-bank remittances of $1,000 or more.  FinCEN’s renewed interest was sparked by the completion of the FinCEN IT Modernization Project, which now gives the bureau the systems and information technology platforms required to collect and analyze the large volume of cross-border electronic funds transfers. The U.S. government has not yet moved toward the capture of all cross-border wire information, but the technical possibilities may spur its eventual collection and analysis. 

An important step toward greater transparency and risk management is a new FinCEN reporting requirement, announced in May 2016, that requires financial institutions to identify and verify the identity of beneficial owners of legal entity customers, which would enhance the effectiveness of analyzing cross-border wire transfer information.

Safe Harbors and Experimentation

Regulators and policymakers need to allow for greater experimentation and be open to collectivized models of risk management, including between government and the private sector. The U.K.’s Financial Conduct Authority (FCA) has led these efforts, and announced in May 2015 the creation of a “regulatory sandbox,” a safe space in which businesses can test innovative products, services, business models, and delivery mechanisms in a live environment without immediately incurring all the normal regulatory consequences of engaging in the activity in question. Participating firms will report on agreed-upon milestones during testing, and the FCA will then publish findings from sandbox testing to educate the industry on any findings and emerging best practices.

In the United States, a more permissive use of Section 314(b) to include involvement of technology companies may provide greater freedom to experiment with information-sharing platforms and mechanisms. The expansion of models such as the JMLIT would also assist in creating the trust and mechanisms necessary as platforms for a new model to emerge.

Globally, this requires a commitment to, and allowance for, more aggressive information sharing while still respecting privacy and civil liberties protections. Without this, enterprise-wide risk management and a more advanced model of sector-wide information sharing will be stunted.

For industry, this requires a commitment to innovation, with most major banks investing in innovation teams to account for technological advances and industry changes. This also means finding internal efficiencies and breaking down internal barriers for information sharing and risk management. For example, the blending of separate systems and platforms used for compliance, fraud, cybersecurity, and business intelligence may prove essential for protecting major global institutions against evolving vulnerabilities and risks. Shared systems and defenses may allow for greater efficiency and innovation. Finally, more aggressive information sharing by the private sector will require greater regulatory cooperation and deference to encourage experimental “sandboxes” to pilot such collective risk management and network analysis initiatives.

Conclusion

Despite unprecedented efforts, the current AML/CFT system is not working systematically, efficiently, or effectively, and it must be improved beyond short-term fixes to promote the security and integrity of the financial system. Such improvements should allow for the simplification of regulatory requirements while improving the effectiveness of controls. The solution is emerging, enabled by new technologies and the recognition that we need to establish a sustainable and shared compliance risk management system. We’re on the brink of developing this new paradigm for protecting the integrity of the financial system and national security. We need to continue to experiment and design a new model with a clear road map and principles in mind. This is the path to an effective and sustainable AML/CFT system.

About the Authors:

Chip Poncy is the President and Co-Founder of the Financial Integrity Network and a Senior Advisor for the Foundation for Defense of Democracies’ Center on Sanctions and Illicit Finance. From 2002 to 2013, Poncy served as the inaugural Director of the Office of Strategic Policy for Terrorist Financing and Financial Crimes (OSP) and a Senior Advisor at the U.S. Department of the Treasury. As the Director of OSP from 2006 to 2013, he led an office of strategic policy advisers in creating policies and initiatives to combat the full spectrum of illicit finance, including money laundering, terrorist financing, WMD proliferation financing, and kleptocracy flows. 

Poncy graduated with honors from Harvard University (B.A. in government) and The Johns Hopkins School of Advanced International Studies (M.A. in international relations), and holds a J.D. from Georgetown University.

Juan C. Zarate is the Chairman and Co-Founder of the Financial Integrity Network, the Chairman and Senior Counselor for the Foundation for Defense of Democracies’ Center on Sanctions and Illicit Finance, and the Senior National Security Analyst for NBC News and MSNBC. He is also a Visiting Lecturer of Law at the Harvard Law School, a Senior Adviser at the Center for Strategic and International Studies, and a Senior Fellow to the Combating Terrorism Center at West Point.

Zarate served as the Deputy Assistant to the President and Deputy National Security Advisor for Combating Terrorism from 2005 to 2009, and was responsible for developing and implementing the U.S. Government’s counterterrorism strategy and policies related to transnational security threats. He was the first-ever Assistant Secretary of the Treasury for Terrorist Financing and Financial Crimes, where he led domestic and international efforts to attack terrorist financing, the innovative use of Treasury’s national security-related powers, and the hunt for Saddam Hussein’s assets. 

He is a magna cum laude graduate of Harvard College, a cum laude graduate of Harvard Law School, and a former Rotary International Fellow at the Universidad de Salamanca, Spain.