AML Program Effectiveness: Policy and Automation

When compliance professionals plan a strategy for managing their financial institution’s AML program, software such as SimpliRisk is often at the forefront of that planning. There are many situations in which software is the proper tool for alleviating some of the risk. Developing risk models that measure your member or customer base by business segment is one such mitigation strategy where software makes the job easier to manage. Developing specific rules to catch outliers within your portfolio is another common use of software.

As effective as software is at crunching large volumes of numbers to find hot spots for review, there are times when software is better used to assess a policy’s effectiveness than as the front line of defense. When establishing AML monitoring rules, a compliance professional is often left wondering, “How do I set a threshold that gives insight into what is worth reviewing?” The answer frequently lies within the financial institution’s already established policies.

For example, every financial institution has a good grasp of the basic patterns of structuring and Currency Transaction Report (CTR) evasion. This goes beyond industry best practice: the rules for cash transactions are very clear, as laid out in FinCEN’s Notice to Customers: A CTR Reference Guide. Monitoring for CTR evasion means aggregating each customer’s cash transactions and reviewing those whose total exceeds $10,000. Similarly, Monetary Instrument Log (MIL) evasion is monitored by aggregating cash purchases or exchanges of monetary instruments and reviewing totals that fall within the $3,000 to $10,000 band. In both cases, the query results must be compared against the daily paperwork at the branch level.

However, as simple as this might seem, there are gaps. One of the most common involves transactions that occur outside the system. For instance, a person walks in with $5,000 in cash and wishes to purchase a monetary instrument for that amount or less. The request may look commonplace and inconsequential until the AML professional realizes that such transactions are not being captured. In essence, they do not trigger a rule because they are not tied to a distinct account.
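As an added illustration of the aggregation rules above and of the walk-in gap (this is example code written for this page, not SimpliRisk’s rule engine), the following Python groups a constructed ledger by customer and business day, raises CTR and MIL review items, parks walk-in transactions that have no account to aggregate against, and adds a rolling-window check for cash kept just under the threshold across several days. The ledger, the customer identifiers and the transaction type codes are made up; the 5-day window and the 80%-of-threshold floor in the last function are assumed tuning values, not regulatory figures.

```python
from collections import defaultdict
from datetime import timedelta, date

CTR_THRESHOLD = 10_000              # daily aggregate cash over this amount -> CTR review
MIL_LOW, MIL_HIGH = 3_000, 10_000   # cash purchases of monetary instruments in this band -> MIL review

# Constructed sample ledger (fictional). Row: (business day, customer id or None for a
# walk-in non-customer, transaction type, cash amount in USD).
#   cash_dep = cash deposit, cash_wd = cash withdrawal,
#   mi_cash  = monetary instrument (cashier's check, money order) bought with cash
SAMPLE_LEDGER = [
    (date(2024, 3, 4), "C1001", "cash_dep", 6_000),
    (date(2024, 3, 4), "C1001", "cash_dep", 4_500),   # same day: 10,500 in aggregate
    (date(2024, 3, 4), "C1002", "cash_dep", 9_900),   # just under 10,000 ...
    (date(2024, 3, 5), "C1002", "cash_dep", 9_800),   # ... and again the next day
    (date(2024, 3, 4), "C2001", "mi_cash",  2_000),
    (date(2024, 3, 4), "C2001", "mi_cash",  1_500),   # 3,500 of instruments bought with cash
    (date(2024, 3, 4), None,    "mi_cash",  5_000),   # walk-in with no account: the gap above
    (date(2024, 3, 4), "C3001", "cash_wd", 12_000),   # single withdrawal over the threshold
]

def aggregate_cash(ledger):
    """Total cash in, cash out and cash-bought instruments per (customer, business day)."""
    totals = defaultdict(lambda: {"cash_in": 0, "cash_out": 0, "mi_cash": 0})
    for day, cust, ttype, amount in ledger:
        t = totals[(cust, day)]
        if ttype == "cash_dep":
            t["cash_in"] += amount
        elif ttype == "cash_wd":
            t["cash_out"] += amount
        elif ttype == "mi_cash":
            t["mi_cash"] += amount
            t["cash_in"] += amount      # currency handed over the counter also counts toward the CTR aggregate
    return totals

def review_queue(ledger):
    """Return (ctr_items, mil_items, unmonitored) for comparison against the branch's daily paperwork."""
    ctr_items, mil_items, unmonitored = [], [], []
    for (cust, day), t in aggregate_cash(ledger).items():
        if cust is None:
            # No account to aggregate against, so no customer-level rule can fire. Surface the
            # amount so the deposit-prior-to-purchase policy can be checked instead.
            unmonitored.append((day, t["cash_in"]))
            continue
        if t["cash_in"] > CTR_THRESHOLD or t["cash_out"] > CTR_THRESHOLD:
            ctr_items.append((cust, day, t["cash_in"], t["cash_out"]))
        if MIL_LOW <= t["mi_cash"] <= MIL_HIGH:
            mil_items.append((cust, day, t["mi_cash"]))
    return ctr_items, mil_items, unmonitored

def below_threshold_pattern(ledger, window_days=5, floor=0.8):
    """Customers whose cash in never exceeds the threshold on any one day but does over a rolling
    window, with at least one day at or above `floor` of the threshold: the structuring pattern a
    day-by-day rule misses. window_days and floor are assumed tuning values, not regulatory ones."""
    by_cust = defaultdict(list)
    for (cust, day), t in aggregate_cash(ledger).items():
        if cust is not None and t["cash_in"] > 0:
            by_cust[cust].append((day, t["cash_in"]))
    flagged = []
    for cust, days in by_cust.items():
        days.sort()
        for i, (start, _) in enumerate(days):
            window = [amt for d, amt in days[i:] if d - start < timedelta(days=window_days)]
            if (sum(window) > CTR_THRESHOLD and all(a <= CTR_THRESHOLD for a in window)
                    and any(a >= floor * CTR_THRESHOLD for a in window)):
                flagged.append((cust, start, sum(window)))
                break
    return flagged

if __name__ == "__main__":
    ctr, mil, walkins = review_queue(SAMPLE_LEDGER)
    print("CTR review:", ctr)
    print("MIL review:", mil)
    print("Walk-ins outside the rules:", walkins)
    print("Below-threshold pattern:", below_threshold_pattern(SAMPLE_LEDGER))
```

On the constructed ledger, C1001 and C3001 land in the CTR queue, C2001 in the MIL queue, the $5,000 walk-in is reported separately because no rule can aggregate it, and C1002, who stays under $10,000 on each of two consecutive days, is only caught by the rolling-window function.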

To close this monitoring gap, many financial institutions rely on policy. While not everyone conducting such a transaction intends to obscure the source of funds, bad actors are known to use this tactic, so a policy of deposit prior to purchase is commonplace. Similarly, a policy of not executing cash purchase transactions for non-customers may be put in place.

One last point on this topic involves persons negotiating checks for cash. It is important that a financial institution, especially a smaller one, gain an in-depth knowledge of Regulation CC, which governs funds availability for various deposits. While many deposits require immediate or next-day availability, checks that are not ‘on-us’ items allow the institution to delay full availability for longer, so that the funds guaranteed by the instrument are actually collected from the account at the other financial institution.

Becoming knowledgeable about Regulation CC and related regulations will greatly assist in tightening your policies on higher-risk transactions. As is always the case with policies affecting consumers, publishing all changes, such as changes to your Regulation CC policy, in accordance with the applicable rules and regulations is mandatory. Managing and understanding the various controls implemented through policy gives the AML professional better insight into setting risk-based thresholds for monitoring compliance, both inside and outside your financial institution.

Watch List Scanning: Tips for Determining & Clearing Potential Matches

When it comes to watch list scanning, there are a variety of approaches and methods for determining whether a potential match is a true or false positive, but a lot also depends on the type of watch list that triggered the potential match. The term ‘watch list’ itself carries different meanings depending on whether the list is OFAC or an internal exclusion list. Below are the various watch list scenarios and how each applies to a financial institution:

  • OFAC List – The Office of Foreign Assets Control (OFAC) of the US Department of the Treasury administers and enforces economic and trade sanctions, based on US foreign policy and national security goals, against targeted foreign countries and regimes, terrorists, international narcotics traffickers, those engaged in activities related to the proliferation of weapons of mass destruction, and other threats to the national security, foreign policy or economy of the United States. OFAC publishes lists of individuals and companies owned or controlled by, or acting for or on behalf of, targeted countries. It also lists individuals, groups, and entities, such as terrorists and narcotics traffickers, designated under programs that are not country-specific1. Screening is primarily against the Specially Designated Nationals (SDN) List and the Consolidated Sanctions List.
  • FinCEN’s 314(a) List – This program is in furtherance of Section 314(a) of the USA PATRIOT Act of 2001… FinCEN receives requests from law enforcement and upon review, sends notifications to designated contacts within financial institutions across the country once every 2 weeks informing them new information has been made available via a secure Internet web site. The requests contain subject and business names, addresses, and as much identifying data as possible to assist the financial industry in searching their records2.
  • PEP List – A politically exposed person (PEP) is defined by the Financial Action Task Force (FATF) as an individual who is or has been entrusted with a prominent public function. Due to their position and influence, it is recognized that many PEPs are in positions that potentially can be abused for the purpose of committing money laundering (ML) offences and related predicate offences, including corruption and bribery, as well as conducting activity related to terrorist financing (TF)3. A PEP list is a curated list of politically exposed persons, their family members, and other relations, business or otherwise, often requiring some sort of subscription to a third-party service.
  • Internal Exclusion List – This is any list maintained internally by a financial institution containing the names and other identifiers of people and entities that are barred from doing business with the financial institution. There are a variety of reasons for developing and maintaining an exclusion list.

Manual screening against the various watch lists is tedious. Most obligated institutions use a watch list screening service such as SimpliRisk, which applies fuzzy logic to name screening as an efficient way to handle the initial pass. After that automated process, compliance staff must be comfortable making risk-based decisions, and that comfort comes from understanding what each list’s data means and how it bears on the decision. The decision-making process can be individualized, based on institutional compliance knowledge, or generalized using a rubric or decision tree. Whichever process is used, it should be documented and understood by all stakeholders. Escalation to management to confirm a positive determination, along with periodic spot-checking of accuracy, are other ways to manage the decision-making process.

Whatever list a potential match belongs to, determining whether it is a true match depends heavily on the amount of primary and secondary data the list provides. Primary data consists of elements that do not usually change: name, date of birth, country of origin and passport details. Secondary data is information that is temporary or perishable in nature, such as address details, aliases, local identification numbers, phone numbers, and email and IP addresses. Organizing an approach with the primary/secondary distinction in mind is integral to developing the institution’s risk-based decision-making process for each list.

Other factors in determining watch list matches tend to be subjective. This subjectivity can be distilled into internal questions, such as how likely it is that an OFAC-sanctioned entity is present inside the United States and attempting to open an account at your financial institution. While possible, it is far more probable that a business entity banking with you will inadvertently attempt to transact with an OFAC-related entity. Another example can be as simple as comparing the date of birth or location on a potential PEP name match: an age disparity is an obvious defect in the potential match and feeds directly into the decision. Specific to PEPs, it may be well within the institution’s rights simply to ask the customer or member whether they are politically exposed.

While there are numerous other scenarios involving potential match information, we will briefly go over secondary data and its use in the decision-making process. Address and phone number details should be considered perishable: their value in determining a potential match does not improve with age, and the address details in an institution’s database are often not as up to date as they could be. Still, secondary data can be decisive for an internal exclusion list match or a 314(a) match. Specific to addresses, an institution might find that a certain address recurs across numerous fraud investigations; it would be well within reason to add that address as its own entry on the exclusion list. With a 314(a) match, the logic is different: the address details in a 314(a) request are provided to help the compliance professional decide whether a potential name match is positive, rather than serving as a match criterion on their own.
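The fuzzy screening pass and the primary/secondary weighting described in the preceding paragraphs, together with the address-only exclusion entry from the last one, as an added example written for this page (it is not SimpliRisk’s matching engine and uses no real sanctions data): the watch list entries, the customers, the 0.80 name threshold, the two-year age gap, the score adjustments and the street-abbreviation table are all constructed assumptions. Name similarity is a token-level normalized Levenshtein score; a date-of-birth mismatch (primary data) defeats a name match outright, while an address match (secondary data) only nudges the score, and every candidate is returned with its reasons so the decision is documented even when it is ‘clear’.

```python
import re
from datetime import date

ABBREV = {"road": "rd", "street": "st", "avenue": "ave", "drive": "dr",
          "lane": "ln", "apartment": "apt", "boulevard": "blvd"}   # assumed normalization table
NAME_THRESHOLD = 0.80     # fuzzy name score needed to open a candidate (assumed)
AGE_GAP_YEARS = 2         # DOB year difference beyond which the match is treated as a defect (assumed)

# Constructed, fictional watch-list entries. Each carries primary data (name, dob, country)
# and perishable secondary data (address). The EXCLUSION entry is address-only.
WATCH_LIST = [
    {"list": "OFAC", "name": "Ivan Petrovich Primer", "dob": date(1965, 4, 12),
     "country": "Ruritania", "address": "12 Harbor Road, Port City"},
    {"list": "PEP", "name": "Maria Ann Samplesworth", "dob": date(1958, 9, 1),
     "country": "Freedonia", "address": None},
    {"list": "EXCLUSION", "name": None, "dob": None, "country": None,
     "address": "500 Recycled Drop Lane, Apt 3"},
]

# Constructed customer records (fictional).
CUSTOMERS = [
    {"id": "C1", "name": "Petrovich, Ivan", "dob": date(1965, 4, 12), "address": "12 harbor rd port city"},
    {"id": "C2", "name": "Ivan Petrovich", "dob": date(1998, 2, 20), "address": "9 Elm St"},
    {"id": "C3", "name": "Mariah Samplesworth", "dob": None, "address": "77 Oak Ave"},
    {"id": "C4", "name": "Pat Unrelated", "dob": date(1980, 1, 1), "address": "500 recycled drop lane apt 3"},
]

def tokens(text):
    """Lowercase, strip punctuation, split: handles 'Last, First' and stray spaces."""
    return re.sub(r"[^a-z0-9 ]", " ", text.lower()).split()

def normalize_address(addr):
    return " ".join(ABBREV.get(t, t) for t in tokens(addr)) if addr else None

def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def token_sim(a, b):
    return 1 - levenshtein(a, b) / max(len(a), len(b))

def name_similarity(a, b):
    """Each token of the shorter name takes its best counterpart in the longer name, so a missing
    middle name or swapped order is tolerated. Single-token names fall back to a whole-string
    comparison, otherwise 'Ivan' alone would match every Ivan on the list."""
    ta, tb = tokens(a), tokens(b)
    if not ta or not tb:
        return 0.0
    if len(ta) == 1 or len(tb) == 1:
        return token_sim(" ".join(sorted(ta)), " ".join(sorted(tb)))
    short, long_ = (ta, tb) if len(ta) <= len(tb) else (tb, ta)
    return sum(max(token_sim(s, l) for l in long_) for s in short) / len(short)

def screen(customers, watch_list):
    """One candidate record per (customer, entry) pair that deserves a documented decision."""
    candidates = []
    for c in customers:
        for w in watch_list:
            reasons = []
            ca, wa = normalize_address(c["address"]), normalize_address(w["address"])
            addr_hit = ca is not None and ca == wa
            if w["name"] is None:                     # address-only exclusion entry
                if not addr_hit:
                    continue
                reasons.append("address is an exclusion-list entry")
                score = 1.0
            else:
                score = name_similarity(c["name"], w["name"])
                if score < NAME_THRESHOLD:
                    continue
                reasons.append(f"name similarity {score:.2f}")
                # primary data: DOB rarely changes, so it can both confirm and defeat a match
                if c["dob"] and w["dob"]:
                    if c["dob"] == w["dob"]:
                        score += 0.2; reasons.append("dob match")
                    elif abs(c["dob"].year - w["dob"].year) > AGE_GAP_YEARS:
                        score = 0.0; reasons.append("age disparity: obvious defect")
                else:
                    reasons.append("no dob to compare: ask the customer")
                # secondary data: perishable, so it only nudges the score
                if addr_hit:
                    score += 0.1; reasons.append("address match (secondary)")
            disposition = "escalate" if score >= 1.0 else "review" if score >= NAME_THRESHOLD else "clear"
            candidates.append({"customer": c["id"], "list": w["list"], "score": round(score, 3),
                               "reasons": reasons, "disposition": disposition})
    return candidates

if __name__ == "__main__":
    for cand in screen(CUSTOMERS, WATCH_LIST):
        print(cand)
```

C1 escalates (name, date of birth and address all agree), C2 carries the same name but a 33-year age gap and is cleared with that reason recorded, C3 is a near-name PEP hit with no date of birth on file and so goes to review, and C4 is caught purely by the exclusion-list address.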

In summary, there is no ‘one size fits all’ approach to decisions made on watch list screening matches. For this reason, it is imperative that a compliance professional document their decision-making processes for each watch list scenario. Hopefully, this blog post has been helpful in determining an effective way of processing watch list potential matches. If you would like to discuss in greater detail, feel free to reach out to us!


1 https://home.treasury.gov/policy-issues/office-of-foreign-assets-control-sanctions-programs-and-information

2 https://www.fincen.gov/sites/default/files/shared/314afactsheet.pdf

3 https://www.fatf-gafi.org/media/fatf/documents/recommendations/Guidance-PEP-Rec12-22.pdf

High Risk Customers: Tips to Create and Manage an Exclusion List

Creating an exclusion list is a great way for a compliance department to manage the risk associated with people and entities that the financial institution has determined are too high a risk to pursue or continue a relationship with. Such a list is often the fallback that keeps those who pose excessive risk away from your institution. The reasons institutions implement an exclusion list vary: keeping out known bad actors, barring entities against which some sort of legal action is in place, and adding potential criminal identities surfaced in fraud task force meetings, to name a few. Regardless of the reason, creating and managing an exclusion list can be instrumental in maintaining the safety and soundness of your financial institution.

Exclusion lists do not have to stop at the names of people or businesses. One good use of an exclusion list is to monitor compromised physical or mailbox addresses1 known to the institution or to law enforcement to be involved in some sort of criminal conspiracy. Phone numbers are also a useful addition, since certain numbers are logged and reused repeatedly by criminal elements. Taxpayer identification numbers (SSNs, EINs, etc.) and state-issued identification details can be added in the same way; such entries are often the result of identity theft or, more sinister still, theft of a deceased person’s identity2.

Regardless of the data points used or the reasons for adding a record to an exclusion list, it is critical to have a remediation process for the case where an entry is no longer valid. Tax identification numbers are not reused3, but a compromised number may go unrecognized for some time, and the person it belongs to may be unaware of its prior misuse. Phone numbers are recycled far more commonly, so that data goes stale within a shorter time. Similarly, address information changes with the ownership or redevelopment of a property.

Consequently, the compliance professional should review the exclusion list periodically. As technology changes, capturing other identifiers or recognizing patterns in the list can help continually improve your BSA compliance program.


1 https://www.uspis.gov/tips-prevention/mail-fraud/
2 https://www.consumer-action.org/downloads/outreach/2015_deceased_ID_theft.pdf
3 https://www.ssa.gov/history/hfaq.html see: Q20

High Risk Customers: Peer Grouping & Analysis

In a previous blog post, I discussed how to determine high risk customers as it pertains to financial crime risk. To summarize, a risk professional can use publicly available information on crime statistics to augment the FFIEC guidance on establishing a BSA/AML Risk Assessment. Once high-risk customer segments have been determined, the next steps are gathering data and conducting analysis. There are varying methods of conducting analysis, but today I want to give an overview of a method called Peer Group Analysis.

Peer Group Analysis, in layperson’s terms, is the grouping of like businesses and entities for the purpose of comparison. From this grouping of like entities, various ratio and statistical methodologies can be applied to determine outliers. Once outliers have been isolated, analysis of these outliers is integral to learn more about the entity and their activity. Ultimately, the goal is to learn more about the business sector or determine whether the outlying activity is a consequence of suspicious activity. Once suspicious activity is determined, the associated data can provide basis for developing behavioral typologies to find other potential suspicious activity.

Now that Peer Group Analysis has been covered, I will walk through a simple use case. Consider a credit union that maintains relationships with several pawn shops. Given the nature of pawn shops and their potential for high-risk activities such as dealing in precious metals and gems, short-term lending, and bulk cash handling, the credit union considers pawn shops higher risk. Once the pawn shops have been identified, the risk professional can sample each shop’s transactions over the same time frame and then parse the data by transaction type.

Once parsed, the data can be aggregated into pools by transaction type. While pooling, if the risk professional notices a transaction type that is not common to the peer group, isolate those transactions and determine the cause before going further. Next, various methods can be used to determine outliers; for this instance, I will begin with the sample standard deviation, available in Microsoft Excel as the function STDEV.S.

Having calculated the sample standard deviation, I can apply it to the data using the Empirical Rule. This rule, while not perfect, states that in a normal distribution roughly 68% of values lie within one standard deviation of the mean, about 95% within two, and about 99.7% within three. Knowing this, the sample standard deviation can be applied to the pooled transaction data at either two or three standard deviations from the mean, and anything outside the chosen band can be treated as an outlier for further review. Two caveats apply: transaction totals are rarely normally distributed (they tend to be skewed to the right), and with a small peer group a single very large member inflates the standard deviation enough to mask itself, so a member that is clearly unusual may still fall inside three standard deviations.
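The same procedure in Python, as an added example written for this page rather than the author’s spreadsheet: `statistics.stdev` is the sample standard deviation (Excel’s STDEV.S), the pools are constructed totals for six fictional pawn shops, and the block also shows the uncommon-transaction-type check from the previous paragraph. Beyond the post’s own method, it adds a median/MAD modified z-score (Iglewicz and Hoaglin’s 3.5 rule of thumb) as the alternative a practitioner reaches for when the pool is skewed or small; that addition, the 3.5 cutoff and the minimum-pool-size guards are assumptions, not part of the original.

```python
from statistics import mean, median, stdev   # stdev = sample standard deviation, Excel's STDEV.S

# Constructed transaction pools for a peer group of six pawn shops (fictional totals in USD for
# the same sample window). One pool per transaction type, keyed by member.
PAWN_SHOP_POOLS = {
    "cash_deposits": {"Shop A": 42_000, "Shop B": 39_500, "Shop C": 45_200,
                      "Shop D": 41_100, "Shop E": 38_900, "Shop F": 118_000},
    "wire_out":      {"Shop A": 0, "Shop B": 2_500, "Shop C": 0,
                      "Shop D": 1_200, "Shop E": 0, "Shop F": 0},
    "crypto_kiosk_settlement": {"Shop F": 9_400},   # a type only one member of the group uses
}

def uncommon_types(pools, min_members=2):
    """Transaction types seen at fewer than min_members peers: isolate these and find the cause first."""
    return [t for t, amounts in pools.items() if len(amounts) < min_members]

def empirical_rule_outliers(amounts, k=2):
    """Members more than k sample standard deviations from the pool mean, with their z-scores."""
    values = list(amounts.values())
    if len(values) < 3:                 # stdev needs 2 points; 3 is the practical minimum here (assumed)
        return {}
    mu, s = mean(values), stdev(values)
    if s == 0:
        return {}
    return {name: round((v - mu) / s, 2) for name, v in amounts.items() if abs(v - mu) > k * s}

def robust_outliers(amounts, threshold=3.5):
    """Median/MAD alternative for skewed pools: modified z = 0.6745 * (x - median) / MAD,
    flagged beyond `threshold`. Not part of the original post."""
    values = list(amounts.values())
    if len(values) < 3:
        return {}
    med = median(values)
    mad = median(abs(v - med) for v in values)
    if mad == 0:                        # more than half the pool sits on one value: no spread to scale by
        return {}
    scores = {name: 0.6745 * (v - med) / mad for name, v in amounts.items()}
    return {name: round(z, 2) for name, z in scores.items() if abs(z) > threshold}

def analyze(pools, k=2):
    """Run both tests over every pool and report what each would send for review."""
    report = {"uncommon_types": uncommon_types(pools)}
    for ttype, amounts in pools.items():
        report[ttype] = {"empirical": empirical_rule_outliers(amounts, k),
                         "robust": robust_outliers(amounts)}
    return report

if __name__ == "__main__":
    for ttype, result in analyze(PAWN_SHOP_POOLS).items():
        print(ttype, result)
```

On this pool Shop F deposits nearly three times the next member, yet its z-score is only about 2.04 because its own value inflates the sample standard deviation, so it is flagged at two standard deviations and missed at three; the median/MAD score for the same shop is above 20, while the wire_out pool, where most members sit at zero, yields no flags under either test.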

While not perfect, this is one method of looking at high risk relationships and determining risk within their transactional data. Harnessing the ability of business tools such as Microsoft Excel makes using these powerful statistical methods a much easier task. If you are curious to learn more, feel free to reach out for a discussion!