Main Content

Our AML/CFT Approach Must Be Modernized

The financial industry must be allowed to modernize its approach to AML/CFT by leveraging newer technologies.

By William J. Fox

The Clearing HouseIn a post-Sept. 11 world, it is critical for the overall health of our financial system and our national security to have a robust, effective national anti-money laundering (AML) regime that delivers a more transparent financial system and is designed to help protect that system from abuse here in the United States and around the world. Financial information is valuable to law enforcement because money doesn’t lie, leaves a trail, and establishes connections. Information provided by financial institutions under our AML and combating the financing of terrorism (CFT) framework is critical for our national security. However, it is time to take a fresh look at the regime so that financial institutions can make their AML programs more innovative by adopting practices and technologies that let them address present-day illicit finance threats.

The U.S. AML/CFT regime is primarily codified in a collection of laws known as the Bank Secrecy Act (BSA). Most of these laws were enacted in 1970. They require financial institutions to keep certain records and make reports to the government, including reports on cash transactions greater than $10,000. The stated purpose for the establishment of the regime was to provide highly useful information to regulatory, tax, and law enforcement authorities relating to the investigation of financial crime (Note: See 31 U.S.C. § 5311, which states that “[i]t is the purpose of this subchapter [the BSA] to require certain reports or records where they have a high degree of usefulness in criminal, tax, or regulatory investigations or proceedings, or in the conduct of intelligence or counterintelligence activities, including analysis, to protect against international terrorism.” Note that the last clause was added by the Patriot Act in 2001). Congress gave the authority to implement the regime to the Treasury secretary, thereby designating an agency with both financial and law enforcement expertise as its administrator. In addition, the BSA gave the Treasury Department examination authority over financial institutions to assess their compliance with the law, which Treasury has since delegated to various regulatory authorities according to institution type (Note: See 31 CFR § 1010.810(b)).

In the 1990s, the BSA was amended to require financial institutions to detect and report their customers’ “suspicious” transactions (suspicious activity reports or SARs). After the tragic events of Sept. 11, the BSA was further amended by the USA Patriot Act, which provided Treasury with additional tools to address terrorism-related financial risks and imposed additional AML/CFT requirements on financial institutions.

The enactment of the Patriot Act, in 2001, was the last time that Congress conducted a broad review or adopted significant amendments to our national AML/CFT framework. The current SAR regime remains largely unchanged since it was developed in the mid-1990s. Similarly, the requirements for reporting large cash transactions remain largely unchanged since the BSA was enacted. Just think of what has happened since 1970. Today, most banking business can be conducted from a cellphone, money and information move in microseconds, and it is simple and common to move money across borders. The SAR regime, which originally was intended to provide law enforcement with a written narrative lead, today is used as a data source for word searches and other data mining by the Financial Crimes Enforcement Network (FinCEN) and law enforcement.

At Bank of America, we invest significant resources into discharging our responsibilities under our nation’s AML/CFT regime, and we’re committed to this work. However, we have come to believe that the mechanisms through which we discharge our AML/CFT responsibilities are highly inefficient and that a significant portion of what we do and what we report ultimately is not as effective as it could be in achieving the desired outcomes of the regime (Note: See supra Footnote 1. See also the FFIEC Bank Secrecy Act/Anti-Money Laundering Examination Manual – 2014, Introduction, on p. 7, which states that “[t]he BSA is intended to safeguard the US financial system and the financial institutions that make up that system from the abuses of financial crime, including money laundering, terrorist financing, and other illicit financial transactions.... [A] sound BSA/AML compliance program is critical in deterring and preventing these types of activities at or through banks and other financial institutions.”)

I have a team of employees worldwide who are fully dedicated to AML compliance, detection, and investigation work, as well as economic sanctions compliance, filtering, blocking, and rejecting (Note: The number of employees in Global Financial Crimes Compliance at Bank of America is greater than the combined authorized full-time employees in Treasury’s Office of Terrorism and Financial Intelligence and the Financial Crimes Enforcement Network). Today, a little over half of these people are dedicated to finding customers or activity that is suspicious. These employees train our customer-facing employees so they can escalate unusual activity; tune our detection systems to generate investigative cases; assess and analyze the financial crimes risks inherent in and the controls placed over our products and services; resolve investigative cases; and, when appropriate, report suspicious activity to the government. They also work on strategic initiatives aimed at understanding and reporting on significant financial crimes threats, such as foreign terrorist fighters; human trafficking, drug trafficking, and other transnational crime; and nuclear proliferation.

The remaining employees on my team, and the vast majority of employees dedicated to these efforts in the business and operations teams that support our program, are devoted to perfecting policies and procedures; conducting quality assurance over data and processes; documenting, explaining, and governing decisions taken relating to our program; and managing the testing, auditing, and examinations of our program and systems. Our focus on these processes has had positive effects; it has brought discipline and rigor to our work.

However, today’s regime requires enhanced efforts relating to these broad categories that increase compliance costs and distract from those customers that present real risk. For example, we spend a significant amount of time collecting defined enhanced due diligence on broad categories of customers that have been deemed “high risk” in regulatory guidance manuals, yet we know from our activity monitoring of their actual behavior that many of the customers that fall into those categories aren’t high risk. The danger is that at some point it becomes easier to exit certain businesses, or decline to serve legitimate customers, because the benefits of serving them are outweighed by the costs. When legitimate businesses or individuals cannot be served by mainstream financial institutions, it harms economic growth and job creation.

Compliance Expectations
A core problem is that today’s regime is geared toward compliance expectations that bear little relationship to its actual goal of preventing or detecting financial crime. This means that one can have a technically compliant program, but that program may not be effective at preventing or detecting – and reporting – suspected financial crime. These activities require different skill sets, tools, and work. Indeed, the Federal Financial Institutions Examination Council’s (FFIEC) BSA/AML Examination Manual, which provides the blueprint for federal banking agency examiners to examine our programs, focuses on banks’ programs, not on providing actionable, timely information to law enforcement, as the critical means to deter and prevent money laundering and terrorist financing (Note: See the FFIEC Bank Secrecy Act/Anti-Money Laundering Examination Manual – 2014, Introduction, on p. 7, which states that “[b]anking organizations must develop, implement, and maintain effective AML programs that address the ever-changing strategies of money launderers and terrorists who attempt to gain access to the U.S. financial system. A sound BSA/AML compliance program is critical in deterring and preventing these types of activities at, or through, banks and other financial institutions.”)

This focus has many repercussions but notably hinders the ability of financial institutions to create innovative AML programs and coordinate that innovation with their peers to address the evolving nature of illicit finance threats. At Bank of America, we have implemented robust transaction monitoring, sophisticated screening and filtering, and intelligence systems and processes, all of which assist us with AML/CFT and Office of Foreign Assets Control sanctions compliance. Earlier in this decade, we developed an innovative way to process and connect the disparate “events” that are produced by these systems, as opposed to reviewing each “alert” from these systems and resolving them in the order in which they were generated. This innovation enabled us to create investigative cases that contained more holistic information about potentially suspicious activity, which makes our reporting better. Since then, we have taken steps to significantly improve the stability and performance of our systems; however, we have found further innovation challenging to achieve.

One reason is that changes to the parameters of our systems are now subject to the same validation rigor employed against complex economic models. These changes to our systems, which used to take weeks, now take anywhere from nine months to a year to implement. In addition, the employees whose expertise is needed to innovate are the same employees who are now required to validate the changes we would like to make to our parameters. Like most financial institutions, we have begun to pilot innovative technologies commonly referred to as artificial intelligence (AI). But to make AI work, you need the substantive expertise to develop the innovative processes. We think Christopher Mims aptly described the limitations of today’s sophisticated algorithms in his article titled “Without Humans, Artificial Intelligence is still Pretty Stupid” in the Wall Street Journal.

Improving the System

A lot of work needs to be done to improve the national AML/CFT regime and make it more effective and efficient. I suggest the following:

Treasury should take a preeminent role in setting policy, coordinating and setting priorities, as well as in examining institutions’ compliance with, and enforcing, our national AML/CFT regime. Our national AML/CFT regime suffers from the absence of an effective “captain” empowered to lead improvement and enforcement and to set national priorities and define desired outcomes. Under the BSA, there are no fewer than eight different entities with delegated responsibility to supervise, examine, or audit financial institutions. (Note: Agencies with examination or audit authority are the Federal Reserve Board, the Office of the Comptroller of the Currency, the Federal Deposit and Insurance Corporation, the National Credit Union Administration, the Securities and Exchange Commission, the Financial Industry Regulatory Authority, the Commodities Futures Trading Commission, and the Internal Revenue Service).  In addition, law enforcement is no less disjointed, with five principal agencies with authority to investigate money laundering (Note: This includes the Federal Bureau of Investigation, Homeland Security Investigations, the U.S. Secret Service, the Criminal Investigation Division of the Internal Revenue Service, and the Drug Enforcement Administration). Each of these agencies has different, albeit intermittently overlapping, missions and areas of focus. However, Treasury is uniquely positioned to balance these sometimes conflicting interests as well as other U.S. priorities (e.g., financial inclusion). In addition, measurable outcomes or goals should be clearly and specifically defined for each component of our nation’s AML/CFT regime, including financial institutions’ AML programs, and agreed-upon ways to measure the achievement of those outcomes or goals should be set and reported. A focus on achieving measurable outcomes established for financial institutions’ AML programs will encourage and enable innovation.

The current regime needs to be rationalized in order to ensure that information of a high degree of utility is reported to law enforcement. As discussed earlier, financial institutions are subject to a wide range of record-keeping and reporting requirements under the BSA, some of which date back to the 1970s. From time to time, we receive anecdotal feedback from government agencies regarding the usefulness of our reporting in particular cases, which we appreciate. However, we do not receive direct feedback from the government on whether the bulk of our reporting is useful. Finding out the general usefulness of the reporting we provide would significantly help us tune our systems, or innovate, more effectively. This does not have to be complicated; it could be as easy as a simple “thumbs-up” when a particular report was useful. This feedback would provide meaningful assistance to financial institutions. Today, to measure the usefulness of our reporting, we have developed a metric that tracks when we get follow-up requests from law enforcement or regulatory agencies for backup documentation relating to our reports. We receive such requests in connection with roughly 7% of the reports we file.

Although we know reports can be useful in other ways that do not require a request for backup documentation, we are blind to which reports are actually useful. A government-led effort to measure the usefulness of reports, or other BSA record-keeping and reporting requirements, would help determine whether these requirements are ultimately useful in achieving the goals of our AML/CFT regime. It would also potentially allow financial institutions to redeploy some of the resources currently devoted to “check-the-box” compliance efforts, moving them to more innovative and effective AML/CFT endeavors.

Financial institutions must be able to innovate alone or in concert with their peers as new technologies emerge that allow for efficiency gains and improved threat assessments. Advances in technology have the potential to change the way in which institutions approach illicit finance threats, which can only enhance our nation’s AML/CFT regime. This coupled with tools provided by the Patriot Act, particularly tools relating to information sharing under Section 314(b), could change the way in which financial institutions and the federal government address money laundering and terrorist financing risks.

Such information sharing not only makes AML programs more effective and efficient, it focuses resources on the most important matters. The government should encourage this innovation and provide responsible yet sufficient leeway to test and utilize these new systems and processes. The authorized and appropriate sharing of information between the government and the private sector as well as the sharing of information between financial institutions is critical to efforts to address current illicit finance threats.

Conclusion
A 21st century U.S. AML/CFT regime should be one in which the government defines what needs to be accomplished and financial institutions are given the freedom to figure out how to accomplish the what in the most effective and efficient way that focuses on the people and entities attempting to abuse the system, and protects innocent customers.