How Embedded Compliance Plays the Game to Win, Not Break Even

Imagine a game where your team can’t score points and there’s no such thing as winning. All you can do is meticulously follow the rules; if you follow them well enough, then your team doesn’t lose. Most banks approach compliance with this survival mindset and it shows.

According to the Federal Reserve Bank of St. Louis, compliance expenses account for 7% of banks’ non-interest expenses. The majority of that spend is typically directed at headcount distributed across siloed operational functions — using equally siloed technology — to get the job done during the last leg of a transaction. The best that can be said for this approach is that it achieves baseline compliance. The worst? It prevents institutions from investing in transaction data management strategies that deliver compliance while simultaneously driving efficiencies and business growth that show up on the bottom line. This scenario becomes more untenable with each passing year: Increasing compliance complexity drives up costs, and that diversion of investment erodes a bank’s ability to compete.

Banks can choose to play the game differently, by viewing compliance as an integrated part of the data management process. Solutions that leverage application programming interfaces, or APIs, provide a mechanism for technology components to communicate with each other and exchange data payloads. Outside of this approach, transaction data resides in bifurcated systems and requires extra handling, either by software or human intervention, to complete a transaction and book the right data to the core. Having the same data in multiple systems and rekeying data dramatically increase an institution’s risk profile. Why make it harder to “not lose” the game when banks can leverage API-first solutions to ensure that data is only collected once and passes through to the touchpoints where it’s needed? The key to unlocking this efficiency is a compliance architecture that separates the tech stack from the compliance stack. Otherwise, banks are obliged to wait for code changes every time compliance updates are pushed.

Mobile enablement is now as critical for a bank’s success as any product it offers. The customers that banks are trying to reach have no practical limit to their financial services options and are increasingly comfortable with contact-free experiences. According to studies from J.D. Power & Associates released this year, 67% of U.S. bank retail customers have used their bank’s mobile app and 41% of bank customers are digital-only customers. Given historical trends, those numbers are expected to only increase.

Compliance represents an opportunity to remove friction from the mobile banking experience, whether offered through an app or a website. Traditional PDF documents are designed for in-branch delivery and are a clumsy fit for the mobile world. Responsive design applies to compliance content no less than it applies to mobile apps; content needs to adjust smoothly to fit the size of the viewing screen. The concept of “document package” is evolving to the point where a “compliance package” should be constructed on responsive design principles and require minimal user clicks to view and acknowledge the content.

An embedded compliance solution should treat optimized mobile channels as table stakes. To survive and thrive in this environment, institutions need to be where their customers are, when they are there. Traditional banker’s hours have officially gone the way of the dodo.

Embedded compliance can also enhance bank data security in the event of a breach. It is difficult to overstate the reputational damage that results from a data breach. Embedded compliance offers critical safeguards for sensitive customer information, bolstering an institution’s overall security profile. Legacy compliance or document-prep solutions often require duplicate data entry and expose customers’ personally identifiable information (PII) to the inherent data breach risks that come with multiple databases scattered across technology platforms. Look for solutions that do not store PII, and instead offer bi-directional integrations with your platform.

Increasing demand for digital engagement provides banks with opportunities to rethink their technology stacks. Management should evaluate each component for its potential to address a myriad of business needs. Compliance solutions can sharpen or dull a bank’s competitive edge and should be considered part of a strategic plan to grow business. Who knows, maybe someday compliance will actually become “cool”? A dreamer can dream.

Eight Questions For Prospective Small Business Lending Partners

For many banks, the ability to offer small-business loans efficiently, quickly and compliantly has been more of an aspiration than a reality. The technical, financial and staffing obstacles involved in launching small business loan products have created daunting barriers to entry, while the need for small business credit persists in the post-pandemic economic recovery.

This creates a fertile breeding ground for new fintechs that claim they can streamline loan processing time, increase the profitability of even the smallest loans and improve the entire experience for banks and their customers.

But how can you distinguish between achievable goals and lip service? Bank executives need to ask the right questions to break through the noise and get real, honest answers. As a provider in the space, we spend countless hours researching the competition, talking with banks about their challenges and enhancing our small business lending platform. Here are the top eight questions to ask a prospective partner when considering a small business lending platform.

1. Is there a white-labeled borrower website option that can be branded with the bank’s colors, graphics and messaging?
It takes years to establish a well-known brand identity that your customers recognize and trust. It is crucial that any prospective loan origination platforms have the capability to incorporate bank branding, corporate color palette and distinct messaging to create a seamless experience for customers.

2. How much time does it take for business borrowers to complete and submit a full loan application?
Research shows that one of the top complaints of business borrowers is the amount of time it takes to complete an application. Any digital process will certainly be quicker than a manual method, but every step of the application process should be optimized for efficiency, resulting in a fully submitted loan application in 20 minutes or less.

3. Is the application process straightforward and intuitive for the borrower and back-office team?
We mentioned the importance of an efficient application, but efficiency can only be achieved if the application is clear, intuitive and guides users along the way. Ask potential vendors how applicants and the bank’s back office can track their progress through the application, and whether the system has measures in place to identify and alert the applicant to inaccurate or incomplete entries. It is also important that FAQs are prominently displayed, and that users have easy access to support.

4. Are there methods in place to ensure that borrowers are selecting the right loan product?
Your applicants don’t know your products as well as you do, so rather than asking them to select a loan product, a top-tier platform will incorporate an automated, intelligent “rules engine.” This type of technology gathers pertinent information throughout the application process and selects the most appropriate product(s) based on the applicant’s inputs. This streamlines the application for the borrower and saves your staff valuable time and resources.

5. Does the system help identify and filter out unqualified applications?
Once the borrower starts the application, the rules engine should activate, dynamically collecting data points to ensure that the application is meeting the bank’s specific product requirements. Further, it should also evaluate the data against the bank’s credit policy to verify the applicant meets the minimum acceptance criteria. The best loan platforms will identify such issues and prevent the applicant from progressing by redirecting them to a different page, product or contact method.

6. How does the system ensure compliance and security?
Ask a potential vendor whether their system supports all federal regulations that impact small businesses and lending practices, such as Know Your Customer/Know Your Business, anti-money laundering, Americans with Disabilities Act and web content accessibility guidelines, among others. The best systems will incorporate a bank’s credit and risk policy into the platform, so there is no impact to your bank’s risk profile with the regulators. Ask whether the system utilizes 24/7 monitoring to ensure the integrity and safety of bank data, whether they are SOC 2 compliant and whether they undergo regular third-party audits of their infrastructure and systems.

7. How does the system ensure quality control and prevent fraud?
Advanced loan technology should integrate with numerous background check sources and employ digital fraud detection using AI-powered captchas and two-factor authentication, among others. Specific criteria should immediately disqualify borrowers, such as ZIP code, signing rights and industry type. The best systems will ensure that exceptions are identified and shown to the bank, so your staff doesn’t waste time trying to find them.

8. Does the platform provide automated document management?
Secure, efficient document management is one of the most critical functions of digital loan technology. Ensure that all documents are uploaded securely and protected both in transit and at rest. Here are just a few of the features an advanced platform should offer:

  • A centralized document library housing all documents.
  • The ability to collect any necessary form at the right time and have it electronically signed.
  • Functionality that allows the lender to easily approve, reject or request individual documents with explanatory notes for the borrower.
  • Protection of personal information by restricting the viewing of information to only the individual who owns it.

Getting Faster, Simpler, Cheaper and More Secure

In June 2020, Coastal Financial Corp. began onboarding financial technology clients to ramp up its banking as a service (BaaS) business.

The $1.8 billion community banking company in Everett, Washington, would lend its bank charter, compliance program and payment rails to nonbanks for a fee. Nine out of 10 of those clients are unregulated by any financial regulator; one out of 10 might be a regulated entity such as a broker-dealer. This arrangement means the bank must monitor its nonbank customers for compliance with anti-money laundering, foreign sanctions and Bank Secrecy Act (BSA) laws.

Andrew Stines, the chief risk officer of Coastal Financial, and his staff of BSA experts keep track of a fluctuating number of flagged transactions per month, about 3,000 to 4,000, on everything from ACH and loan payments to debit and credit card transactions. It’s a lot. From the bank regulators’ point of view, “I’m the one who really owns that risk,” Stines says.

The company previously had manually pulled flagged transactions for further investigation with Excel spreadsheets. But that didn’t work anymore, given the workload. So Coastal turned to Hummingbird, the winner of Bank Director’s 2021 Best of FinXTech Award for compliance & risk.

Hummingbird automatically pulls flagged transactions from the bank’s core, Neocova, and automates compliance reporting. It sends suspicious activity reports (SARs) to regulators after Coastal Financial conducts investigations. Hummingbird also creates an auditable trail of each case.

The bank is not alone in trying to ramp up its fraud and compliance monitoring and reporting using new software. Financial institutions are under increasing pressure to update their fraud technologies with machine learning, robotic process automation and other tools to combat increasingly sophisticated criminals and higher use of digital services, according to a February 2021 report from the research firm Celent.

Celent Head of Risk Neil Katkov projects that North American financial institutions — which are the greatest targets for global fraud — will spend $3.1 billion on fraud technology in 2021, or 16.1% more than the year before. Spending on fraud operations will amount to another $4.55 billion, he wrote.

The marketplace for fraud and compliance software has become crowded, which benefits banks, says Kevin Tweddle, the senior executive vice president for community bank solutions at the Independent Community Bankers of America.

“People ask me what’s a fintech,” he says. “It makes [banking] faster, simpler, cheaper and more secure.” An especially active group right now are cybersecurity companies, all vying to monitor threats for financial institutions and to help with compliance and reporting requirements.

Finalists in the compliance and risk category for the Best of FinXTech Awards included IT compliance company Adlumin, which uses machine learning to detect threats, malfunctions and operations failures in real time, and the cybersecurity provider DefenseStorm, which is a cybersecurity compliance platform built for banks and credit unions.

But Hummingbird was clearly a stand-out for Coastal Financial. The software program was cost competitive, although Stines declines to name the price. Using the software clearly pays for itself, he says. But he admits the company might not need Hummingbird if not for its BaaS business, which adds to the company’s reporting requirements. Stines estimates he’d have to hire four to five additional full-time employees without it.

The drawback is that Hummingbird’s software doesn’t include every tool the banking company needs. But there’s a roadmap to adding functionality, and Hummingbird sticks to its promised dates, Stines says. The real selling factor was the user interface and the fact that Hummingbird seems eager to make changes as needed, and understands Coastal Financial’s technology clients. “They are more forward-thinking and more in tune with digital and fintech services than traditional players in the space,” he says.

This may just be the beginning. For Tweddle, banks and credit unions are enjoying an early to middle development period for fintech. “There’s a lot more interesting things to come,” he says.

Solve the Right Problem: The Path to Remediation Success

At some point, your bank will find that an operation or process isn’t working or is failing to deliver on its intent. When that happens, don’t fall prey to the impulse to fix the wrong problem without looking below the surface for the root cause.

No matter the scenario, your best position is always to self-identify an issue and kick off remediation before a customer or regulator reports a problem. Once external forces step in, the stakes run even higher; you really can’t afford a misstep. Without question, the most common way that banks err is by starting on the wrong foot.

In my front-line experiences, I’ve seen financial institutions work ambitiously on remediating issues only to have regulators assign a failing grade. While no bank wants to be under a regulatory finding’s shadow, working smart and rejecting shortcuts is the only way to deliver the right solution and minimize future risk. With compliance costs expected to more than double and reach 10% of revenue spend by 2022, banks can’t afford to get it wrong.

Here are the steps for an effective remediation:

1. Take a breath — then dive into the deep end
Too often, companies fix what they think is the problem, only to learn that they’ve missed the mark and broken other things along the way. Not understanding the crux of the issue wastes a bank’s time, energy and resources.

If you’re dealing with a regulatory finding, be sure to engage your legal and compliance teams to ensure you understand the issue and solve for exactly what’s at risk, especially for issues with broader scope and breadth. Those leading your remediation plan should dig deeper into root problems by asking “why?” up to five times, peeling off another layer each time as you strive toward the core issue. Apply those questions to your business problem until you’ve identified the precise thing that needs to be fixed.

2. Know how to get from Point A to Point Z
Develop a roadmap to move effectively and efficiently from understanding the issue and identifying root causes to implementing solutions. From aligning on stakeholder engagement to technology resources, no solution happens overnight. Some regulatory remediation activities can take 12 to 18 months to resolve.

3. Make sure everyone’s on the same journey
Nothing derails remediation more than missed consensus on its direction and end goal. Remain focused on actions to fix your root issue, ease regulator or auditor concerns and reduce customer complaints. Engage the right people in the right roles. Involving too many people can water down intent, while involving too few means you might miss capturing relevant insights from key parts of your business.

4. Document your journey
A comprehensive action plan can take time to execute. During that time, people in key roles might leave, and business processes, objectives, technology or regulations could change. Thorough and complete documentation keeps a record of execution activities and of changes to the action plan or its intent, and provides evidence of key decisions.

5. You’re not finished until you get an official pat on the back
Did your action plan include time to validate your work? Whether you have a third-line audit, loan review finding or a regulatory ruling, the issuer will return to confirm you solved the right problem completely. Build in solid testing to validate that your solution fulfills its intent, with no side effects that disrupt other processes. Also, if possible, check in with third-line partners regularly or when hitting major milestones to prevent surprises.

Remediation success comes with both the assessor’s endorsement and sustained results from your action plan, as evidenced by the reporting and monitoring put into place. More importantly, don’t overlook this moment to repurpose your team’s learnings and experiences as the foundation for a repeatable remediation framework. When the next issue arises — and it will — your bank will already have a strategy and blueprint for smart action with minimal risk.

How the Edges of Financial Technology Could Change Regulation

Financial regulation in the United States follows a longstanding pattern: The presidential administration changes, the other political party takes power and the financial regulation pendulum swings. Those working in compliance inevitably need to recalibrate.

President Joe Biden’s messaging so far has aimed to minimize polarization. This bodes well for moving beyond the typical “financial deregulation” versus “more regulation” dynamic. It gives the industry an opportunity to turn our attention towards pulling the overall framework out of an old, slow, manual and paper-based reality. What the U.S. financial regulatory framework really needs are large, fundamental overhauls and modernizations that will support a healthy, ever-changing financial services marketplace — not just through the next presidential administration, but further beyond, through the next several decades.

The incoming leadership could make regulation smarter and more effective with reforms that:

  • Measure success by outcomes and evidence, as opposed to procedural adherence.
  • Leverage technology to streamline compliance for agencies as well as providers.
  • Catch up and keep up with the ongoing advancements in financial technology.

The time for these sorts of changes just so happens to be ripe.

Digital or cryptocurrencies and charters for financial technologies have an awkward fit within the existing regulatory framework. Cannabis, another fringe area of finance, poses extra layers of legal and regulatory challenge, but its status could change on a dime if the new administration resolves the state and federal disconnect. All three of these peripheral business opportunities have gained significant momentum recently and may force regulators to adapt. To support these new use cases, which would otherwise break existing bank infrastructure, technology providers would have to modernize in ways that would benefit financial service compliance across the board.

As the emerging regulatory lineup takes shape from the legacies of the outgoing agency heads, the swing from the past administration to the present may not be all that dramatic. There are strange bedfellows in fintech. In the last six months of Donald Trump’s administration, there was already a balance between Acting Comptroller of the Currency Brian Brooks and U.S. Treasury Secretary Steven Mnuchin.

Brooks was indeed very active in his short tenure. Under him, the Office of the Comptroller of the Currency issued full-service national bank charters for fintech companies, published interpretive letters supporting digital currencies and published a working paper from its chief economist, “Chartering the FinTech Future,” that lent support to the use of stablecoins.

In contrast, Mnuchin spent his last month in office encouraging the Financial Crimes Enforcement Network, or FinCEN, to issue a controversial proposed rulemaking that would affect crypto wallets and transactions. Critics argue this would make compliance impossible for decentralized technologies.

The Biden administration may have a similar dynamic between these two regulatory roles, albeit less dramatic. The confirmation of Treasury Secretary Janet Yellen, with her experience and moderate stance, conveys a great deal of stability. Still, she may not champion stablecoins, given her public statements on cryptocurrency.

At writing, Michael Barr is the anticipated pick for comptroller. His extensive and diverse résumé shows a long history of supporting fintech. We anticipate that he would continue the momentum towards modernization that Brooks started.

Gary Gensler, the nominated chair of the Securities and Exchange Commission, has a great deal of expertise and enthusiasm for digital currencies. Since his tenure as chair of the Commodity Futures Trading Commission during Barack Obama’s administration, he has served on faculty at MIT Sloan School of Management, teaching courses on blockchain, digital currencies and other financial technologies. Chris Brummer, the Biden administration’s anticipated choice for the CFTC, currently serves as faculty director at Georgetown University’s Institute of International Economic Law, has written books on the regulation of financial technologies and founded D.C. Fintech Week to help promote discussion of fintech innovation among policymakers.

When we get to the outer edges of finance — to crypto, charters and cannabis — the divide between political camps starts to disappear. But there’s still quite a bit of rigidity in the traditional financial industry and regulatory framework. Combining the slate of steady, open-minded regulators with the building pressures of technology yields reasonable hope for regulatory overhauls that will pull compliance along into the future.

Developing a Digital-First Approach to Risk Management

The world has leaned further and further into the digital realm, largely thanks to a younger, more tech-dependent generation.

The Covid-19 pandemic accelerated a years-long push toward online and mobile banking use. Does your institution have a true digital banking strategy to deliver simple and secure digital banking services to your customers? As the primary channel through which customers conduct nearly all their banking activities, digital is your bank now.

But as more consumers turn to digital channels, cybercriminals are following suit — as demonstrated by increasing incidents of fraud and unauthorized account access. To mitigate cybersecurity threats and protect your customers, your bank’s risk management strategy now requires a digital-first approach.

Risk Management in Digital Banking
Even though customers demand digital transformation, delivering frictionless experiences comes with certain inherent challenges and risks. Once you identify these hurdles, you can mitigate them so that your institution can move forward.

The most pressing digital banking risk management issues fall into two categories: overcoming organizational challenges and mitigating regulatory risks. Each of them has several considerations and variables your institution should consider.

Overcoming Organizational Challenges

Outdated corporate culture: Entrenched processes and perspectives can stall your digital transformation. Promoting a more forward-thinking culture must start at the top and flow down in order for the entire institution to embrace change. Confirm your bank’s risk management personnel are onboard, and involve them from the beginning to ensure a secure and safe transformation.

Refocusing of key positions: Some of your bank’s key positions may change in response to digital transformation. Digitization may shift the focus of some, but these positions are still critical to the institution’s success. For example, instead of manually performing tasks, employees working in an operations department may begin focusing on automating processes for the institution.

Resistance to change: Many institutions have executives that will champion progress, while others are resistant to the changes required to adopt a digital-first approach. Identify the champions at your institution and empower them to lead your digital transformation.

Lack of innovative thought leadership: It will take true out-of-the-box thinking to digitally compete with the big banks and emerging fintech companies. Encourage that kind of modern thinking within your institution.

Misguided beliefs: Quash any notions that a mobile banking app is the only component of a digital strategy, or that a digital-first approach means that personalization is no longer needed. Back-end operations and internal processes must fully support a digital environment that effectively identifies and fulfills individual customer needs based on their actions and behaviors — without adding friction to the customer experience.

Mitigating Regulatory Risks

Digital compliance and cybersecurity: Banks operating in a digital environment must still comply with all applicable laws and regulations. This includes paying attention to uniquely digital processes that are covered under specific rules, such as electronically signing documents per the E-Sign Act. To mitigate risk, institutions should invest in technology designed to ensure compliance and strengthen cybersecurity.

Third-party risk management: Many banks are outsourcing all or part of their digital strategy to fintechs and other third-party vendors out of necessity. But institutions are still ultimately responsible for all functions, whether they are performed internally or externally. A robust vendor management program is key to avoiding unqualified third-party providers. A provider must understand applicable regulatory requirements, be able to adhere to them and guarantee compliance.

Fraud and identity theft: The increase in banking without face-to-face interaction can increase the risk of synthetic identity fraud, traditional identity theft and account takeovers. Your bank should meet these challenges by reviewing and strengthening your Bank Secrecy Act/anti-money laundering (BSA/AML), know your customer (KYC), customer due diligence (CDD), cybersecurity and other relevant compliance programs. Digitizing internal processes will result in more available data as well as the ability to use AI to monitor customer behaviors and efficiently identify potential fraud.

While digitization can increase certain risks for banks that undertake such a transformation, enabling enhanced digital banking risk management to secure digital channels, mitigate risk and deliver a frictionless customer experience is worth the effort.

Does Your Bank Need a SOC?

Banks’ IT departments are at risk of burning out, given the constant pressure to comply with industry standards while preventing emerging cybersecurity threats.

Risk management solutions are in high demand within the financial industry, as the need for continuous network monitoring has only grown. If this sounds more like your current reality than a distant memory, a security operations center (SOC) could be the ideal cybersecurity solution that your bank needs.

What is a SOC?
Gartner defines a security operations center as “a team, often operating in shifts 24/7, and a facility dedicated to and organized to prevent, detect, assess and respond to cybersecurity threats and incidents, and to fulfill and assess regulatory compliance.”

SOCs are responsible for monitoring and analyzing activity on networks, servers, and more. The service center continuously looks for abnormal activity that indicates a potential breach, security incident, or malicious activity in your network. SOCs also detect harmful attempts to compromise your network and assist with the incident response lifecycle, allowing your bank’s IT team to respond more efficiently and work towards preventing security threats altogether. The goal is simple: get the job done quickly and accurately.

The key to deciding whether to move forward with external SOC support is the ability to deliver data from all of your enterprise network traffic, laptops, desktops, firewalls, VPNs, routers and switches, along with application security detections, to your SOC for review and analysis. Paying a SOC service to watch only your firewall traffic isn’t comprehensive enough and will give you a false sense of security. This is why you should consider buying a Security Information and Event Management (SIEM) platform that will ingest all of your data, making it easier for your SOC to protect your network.

What to look for in a SOC?
Searching for an ideal security operations center is not an easy task. There can be delays due to limited knowledge about key features. Below is a list of some primary features your bank should require in a SOC service:

  • Network Monitoring: The service should continuously monitor your network traffic and detect potential intrusions. You should also receive real-time alerts for any anomalous or malicious activity.
  • Incident Response: The incident response lifecycle starts with the initial detection and containment, then continues to the eradication phase, and finally returns to normal business operations.
  • Account Privilege: Privilege analysis of every account, system and group provides a financial institution’s staff with knowledge of exactly who can access the most sensitive data.
  • Compliance Reporting: Compliance reporting tools should include PCI DSS (Payment Card Industry), NIST (National Institute of Standards and Technology), and HIPAA. The FFIEC’s Cyber Assessment Tool (CAT) should be directly integrated into the service as well.
  • 360° View of Network: A SOC service should have the capability to continuously monitor and defend networks on-premise, in the cloud and across the globe.

According to an Information Security Buzz article, the key to maximizing features like those listed above is to “integrate the data flowing among all the tools. This gives your entire security operations team a filtered view into what the information means.” The more perspectives that analytics can produce from data flow, the higher the value of that analysis. While all SOCs are different, they have critical components that will make or break the success of your bank’s cybersecurity team.

Why prioritize your network’s security?
Cybercriminals are becoming more creative and methodical with their attacks, especially now that remote work is the new normal. The occurrences and threat potentials of data breaches and cyberattacks are at an all-time high, and Security Ventures projects cybercrime damage to total $6 trillion by 2021.

It’s unrealistic to expect your bank’s IT department to quickly and efficiently monitor and solve every problem as demand increases. Your team should feel like they can do their job without continuously worrying about capacity concerns. By implementing a SOC service into your cybersecurity roadmap, your organization can expand its security capabilities, without breaking the bank, for years to come.

The High Cost of the Suspicious Activity Report

Bank boards know all too well about the reputational toll and hefty fines from lapses in regulatory compliance. But governance doesn’t usually drill down into specific practice areas and their finer-grained costs.

An ounce of prevention, though less expensive than the proverbial cure, still runs pretty high in Bank Secrecy Act and anti-money laundering (BSA/AML) compliance programs. Directors might want to ask for a more-detailed picture from their bank’s AML team at the next board meeting. Not just to follow up on the damage-control response to the FinCEN Files media spectacle, but also in terms of profit and loss and team morale issues.

Suspicious activity reports (SARs) can get very expensive. We conservatively estimate that about $180 million in annual BSA/AML analyst salaries in the U.S. goes just to preparing the SAR form. But there’s also a huge opportunity to do better for society.

What are SARs? Some might say they are a headache-inducing form that demands a whole lot of painstaking and tedious detail, and then never quite fulfills its ultimate purpose of stopping criminals. Unfortunately, there’s a lot of truth to that description. What should — and could — SARs be?

  • An essential tool for fighting crime.
  • An effective communication channel for AML collaboration.
  • An invaluable resource for law enforcement to identify, track, and prosecute criminals.

At the risk of overstating the obvious, not every “suspicious” activity leads to criminal activity. Though banks do have the power to block the flow of funds, financial crime regulators (in the U.S., that’s the Financial Crimes Enforcement Network, or FinCEN) and jurisdictional law enforcement (such as district attorneys) hold the authority to go after the criminals. A bank’s primary responsibility in AML is to provide relevant information from the financial vantage point.

The level of detail can make all the difference in the usefulness of these reports. A complete and accurate SAR, filed with ample, highly relevant information, provides texture and nuance for regulators to make strong decisions about which cases deserve the attention of law enforcement. Prosecutors can then use information from SARs to build criminal cases. A future with somewhat fewer illicit arms sales or much less human trafficking could hinge on a few form fields.

The status quo for most bank AML compliance programs entails a substantial amount of manual inputs. Lacking automation, providing more high-quality detail in SARs demands more time. U.S. financial institutions filed 2.3 million SARs in 2019. An AML analyst can command, on average, an annual salary of $75,000. These figures, plus some other industry-specific estimates and general human resources conventions, fed into my calculation above for the total annual SARs tab for U.S. financial institutions. And that $180 million figure doesn’t even account for the nine out of 10 investigations that don’t lead to a SAR filing — yet typically do result in more monitoring.

Manual processes, even with the best intentions of highly skilled AML teams, are inherently prone to human error. I also suspect these professionals would rather focus on the aspects of their work that demand the subtle discernment of human judgement. Some of the lowest-hanging fruit for using technology in AML investigations include automation that can:

  • Populate the SAR form with case information.
  • Organize case data from fragmented sources across the bank and vendors.
  • Visualize trends in the case to spot strange behaviors.
  • Quickly separate false positives from true positives.
  • Capture the insights of investigators as structured data, creating clean data that can be used for analytics and machine learning.
  • Validate and quickly transmit the SAR to expedite information flow.
  • Securely store the case information for future analytics and audits.
  • Keep casework across the team thorough and efficient.

Investigating and reporting suspicious financial activity is both an enormous expense for banks and a systemically important resource for protecting society. It’s worth investing in automation technology that will make a bank’s BSA/AML compliance program more efficient and effective.

How a specific bank might move forward in leveraging compliance automation technology will depend on a wide range of factors. Adopting this sort of technology isn’t an all-or-nothing proposition. A careful analysis of a bank’s AML practice area can identify minor changes that are likely to have an outsize impact in the fight against crime.

Embracing a Challenging Environment to Evolve

New York University economist Paul Romer once said, “A crisis is a terrible thing to waste.”

With a nod to Dr. Romer, we believe banks have an extraordinary opportunity to embrace the challenging environment created by the Covid-19 pandemic to enhance critical housekeeping matters. Here are five areas where banks may find opportunities to declutter or reengineer policies, procedures and best practices.

Culture
One of the most obvious opportunities for banks is to focus on culture. Having employees work from home has eliminated the ability to have typical office parties, barbecues and other events to build camaraderie. Remote and semi-remote working environments are challenging employees in many difficult ways. Fortunately, banks are finding simple, yet creative, ways to stay in contact with their employees and build culture through additional correspondence and feedback — electronic happy hours, car parades, and socially distant visits, for example. Creatively maintaining high engagement in challenging times will serve to improve communication and culture over the long term. As management consultant Peter Drucker once said, “Culture eats strategy for breakfast.”

Cybersecurity
Cybersecurity risk continues to be top of mind for bankers and regulators given the remote work brought on by Covid. Certainly, most banks’ cybersecurity risk management planning did not contemplate the immediate scale of remote work, but the extreme experience is an opportunity to drill down on underlying policies and procedures. Banking agencies have provided the general blueprint on sound risk management for cybersecurity.

This heightened risk environment provides executives with a perfect opportunity to note where their vulnerabilities may exist or be discovered, where cyberattacks focus and what works — or doesn’t — for your bank. Use the guidance provided to assess your bank’s response and resilience capabilities. Consider the overall map and configuration of your cyber architecture. Consider authentication requirements and permissions to protect against unauthorized access. Take the time to work with information technology experts to clean up access controls and response plans. This is an active situation that provides bankers the unique opportunity to learn and adapt in real time.

Compliance
Banks also face enhanced compliance originating from federal programs aimed at keeping businesses afloat. A worthy endeavor to be sure, but the rollout of some federal programs such as the Small Business Administration’s Paycheck Protection Program has far outpaced the guidance for banks tasked with implementation. The trickle of (often inconsistent) guidance on the documentation, eligibility and certification adds compliance challenges in reporting under the Bank Secrecy Act, fair lending under the Equal Credit Opportunity Act and unfair or deceptive acts and practices under the Federal Trade Commission Act, for example.

Compliance teams have an opportunity to shine at something they are already extraordinarily good at: documentation. They should document the processes and practices they deploy to demonstrate compliance, despite the uncertainty and pace at which they are expected to operate. This documentation can support real-time decision-making that may come up with regulators in the future, and can serve as a basis for improvement on future best practices and training. Compliance teams will discover new questions to ask, novel scenarios to address and gaps to fill.

Operational Planning
The best time to consider the impacts of Covid on your bank’s operations is while events and memories are fresh. Banks all over the country are experiencing what a handful of institutions may go through in the wake of a natural disaster: devastation, uncertainty and a need for banking support. This is the time to review your bank’s disaster recovery and business continuity plans, specifically including pandemic planning, to assess the plans against reality.  

To help, the Federal Financial Institutions Examination Council released an updated statement on pandemic planning suggesting actions that banks can take to potentially minimize a pandemic’s adverse effects. This is a chance to improve business continuity planning for similar future events, understanding that they may not be as deep or prolonged as the coronavirus. Exercising the plans in real time, compared to a scheduled test, can reveal helpful improvements that will only strengthen the bank.

Customer Experience
Coping with remote work and providing banking services outside of a branch provides the opportunity for banks to consider strategies around technology and financial technology partnerships. Customers have been rerouted to electronic avenues, and many seem to have embraced technology to deposit checks, access accounts online and transact business.

This evolution offers banks the opportunity to adapt and recognize the use of financial technologies. Many customers will understandably return to branches to conduct some of their business when they reopen, but may require them less. Banks may want to consider how they can satisfy future customer demand and improve the customer experience more broadly. These are just five areas where we see opportunities for banks of all levels and complexity to enhance their policies, procedures and best practices as they prepare to move forward.

Turning Compliance From an Exercise Into a Partnership

The Greek philosopher Heraclitus once observed that no one can ever step into the same river twice. If he tried to define how the financial industry works today, he might say that no bank can ever step into the same technology stream twice.

Twenty-first century innovations, evolving standards and new business requirements keep the landscape fluid — and that’s without factoring in the perpetual challenge of regulatory changes. As you evaluate your institution’s digital strategic plan, consider opportunities to address both technology and compliance transformations with the same solution.

The investments your bank makes in compliance technology will set the stage for how you operate today and in the future. Are you working with a compliance partner who offers the same solution that they did two, five or even 10 years ago? Consider the turnover in consumer electronics in that same period.

Your compliance partner’s reaction time is your bank’s reaction time. If your compliance partner is not integrated with cloud-based systems, does not offer solutions tailored for online banking and does not support an integrated data workflow, then it isn’t likely they can position you for the next technology development, either. If your institution is looking to change core providers, platform providers or extend solutions through application programming interfaces, or APIs, the limitations of a dated compliance solution will pose a multiplying effect on the time and costs associated with these projects.

A compliance partner must also safeguard a bank’s data integrity. Digital data is the backbone of digital banking. You need a compliance partner who doesn’t store personally identifiable information or otherwise expose your institution to risks associated with data breaches. Your compliance data management solution needs to offer secured access tiers while supporting a single system of record.

The best partners know that service is a two-sided coin: providing the support you need while minimizing the support required for their solution. Your compliance partner must understand your business challenges and offer a service model that connects bank staff with legal and technology expertise to address implementation questions. Leading compliance partners also understand that service isn’t just about having seasoned professionals ready to answer questions. It’s also about offering a solution that’s designed to deliver an efficient user experience, is easy to set up and provides training resources that reach across teams and business footprints — minimizing the need to make a support call. Intuitive technology interfaces and asynchronous education delivery can serve as silent accelerators for strategic goals related to digitizing lending and deposit operations.

Compliance partners should value and respect a bank’s content control and incorporate configurability into their culture. Your products and terms belong to you. It’s the responsibility of a compliance partner to make sure that your transactions support the configurability needed to service customers. Banks can’t afford a compliance technology approach that restricts their ability to innovate products or permanently chains them to standard products, language or workarounds to achieve the output necessary to serve the customer. Executives can be confident that their banks can competitively adapt today and in the future when configurability is an essential component of their compliance solution.

A compliance partner’s ability to meet a bank’s needs depends on an active feedback loop. Partners never approach their relationship with firms as a once-and-done conversation because they understand that their solution will need to adjust as business demands evolve. Look for partners that cultivate opportunities to learn how they can grow their solution to meet your bank’s challenges.

Compliance solutions shouldn’t be thought of as siloed add-ons to a bank’s digital operations. The right compliance partner aligns their solution with a bank’s overall objectives and helps extend its business reach. Make sure that your compliance technology investment positions your bank for long-term return on investment.