For those who have put their AML compliance programs on autopilot, it may be time for an intervention. With a combination of new guidance, new threats, and new resources, I strongly encourage a reevaluation of existing AML/KYC compliance programs.
I perform a good number of AML Independent Tests for BDs throughout the course of a year. In my observation, many AML compliance programs adequately comply with their FINRA and BSA requirements through reasonable reliance on surveillance tools that are tried and tested. These include ID verification and screening for client onboarding, various watch lists, and custodian-provided exception reports for ongoing client and transaction monitoring. Commonly, compliance reviewers combine the output from electronic systems with manual reviews and detection processes. But are “reasonable” and “adequate” really enough to satisfy the needs of the enterprise?
Let’s face it, the number of false positives resulting from legacy compliance tools' surveillance reports can be mind-boggling, degrading their overall effectiveness. Compliance personnel make a substantial investment in time but often with a limited number of reportable findings. AML reviews are typically repetitive, tedious, and unfulfilling leading to fatigue and low morale.
Noting the high degree of human resources inherent in the review process, it follows that firms face high costs to sustain their AML/KYC compliance programs. Regulatory pressure adds to the burden on firms’ resources. The SEC issued risk alerts in 2021 and 2023 reinforcing the importance of establishing robust AML/KYC programs. In the alerts, the SEC highlighted adequate staffing alongside focused training, enhanced testing, and tailored surveillance programs. FINRA’s AML key topics page provides links and resources that highlight current issues including a useful summary of AML compliance program enhancements and exam findings.
Customers too can pay the price for outdated AML processes. Customers expect efficient onboarding and real-time payment processing but may not get the efficiency they desire due to manual reviews of AML/KYC compliance risk factors. Both the SEC and FINRA cite to FINCEN’s guidance adopting the requirement that firms adopt a facts-and-circumstances approach for the purpose of creating a customer risk profile. This takes time; and for customers, additional time may lead to frustration.
Preparing your firm’s AML/KYC compliance for the future will involve addressing the needs of the enterprise, its personnel, and its customers with a dose of new thinking. To be effective, AML/KYC compliance programs will need to identify available tools to help address the risks associated with financial crimes while also considering regulatory expectations.
FINRA’s 2024 Annual Risk and Oversight Report (AROR) provided insight into the regulator’s focus points putting cyber-enabled crime, Reg S-ID, and new account fraud at the forefront.
The AROR advised, “AML compliance professionals are wise to consider cyber threats in the context of their AML programs” and urged firms to consider detection and SAR reporting of cyber events among their enhanced AML procedures.
RESOURCE TIP: AML compliance professionals can find resources for detection and reporting in the FinCEN FAQ that addresses the reporting of cyber events, cyber-enabled crime, and SAR reporting.
More than a decade since Reg S-ID was implemented, FINRA’s 2024 AROR highlighted an increase in suspicious and fraudulent activity related to new account fraud (NAF.) Not new but newly relevant are the risks related to ID theft emerging yet again as firms and regulators make the connection between ID theft and AML. NAF can result from information extracted during data breaches that is then sold on the dark web. Bad actors can use this information to pose as an individual or to synthesize stolen information by combining it with a false name, DOB, and address. NAF ultimately leads to theft by automated customer account transfer (ACAT). (Consider FINRA’s information podcast on the topic.)
Adding Reg S-ID red flags and related training seem imperative in light of the regulatory guidance.
RESOURCE TIP: My go-to resource in this context is the SEC’s 2022 Risk Alert that includes observations from BD and IA examinations and Appendix A to the Regulation itself.
Artificial intelligence (AI) is becoming the tool of choice for financial criminals who have leveraged it to create RaaS (Ransomware), Maas (Malware), and PaaS (Phishing). Criminals can be expected to continue to exploit weak IT protocols, set up fake investment websites, and carry out cyber attacks that trick people into sharing sensitive information such as phishing (email), smishing (text), and vishing (voicemail).
Let’s fight back. We as an industry have an increasing number of AI tools available as well, and they appear to bring the resources we need: efficiency and effectiveness. There is a case to be made that generative AI could revolutionize the way financial services firms address AML compliance.
AI is being deployed to address adverse media and sanctions screening as well as imposter websites. In theory, and in application, AI can help reduce false positives, enrich customer data, and help firms identify new risks.
I hope you will take away some inspiration to bring AML compliance back to the center of your compliance radar. I suggest implementing program enhancements responsive to regulatory guidance, upping your AML surveillance with AI, and adding a degree of new diligence to help ensure that the program meets today’s expectations of going beyond “adequacy.”
For tips on and strategies for assessing AI-based AML screening tools, download the white paper, Mitigating risk in the digital age: a roadmap to AI-enhanced adverse media screening.
The opinions provided are those of the author and not necessarily those of Fidelity Investments or its affiliates. Fidelity does not assume any duty to update any of the information.
1160701.1.0