A new report by PricewaterhouseCoopers identifies some of the pitfalls in the anti-money laundering programs that financial institutions have put in place to address the ever tougher requirements in the U.S. and other parts of the world to stem the tide of illegal sources of cash.

In the report, Avoiding the Drift: Optimizing and Maintaining AML Surveillance Programs, PwC contends that many banks are not giving their existing systems enough attention and many of those systems have become obsolete in recent years as crooks change their tactics to continue laundering funds. Unless the AML systems are regularly updated, banks run the risk of letting them drift into a state of unintentional noncompliance. But allowing that to happen can pose a big risk, as regulators are imposing hefty fines and cease-and-desist orders against banks in both the U.S. and abroad. This is not only a concern for banks, but also for their auditors, both internal and external.

“We’re talking about hundreds of millions of dollars and sometimes billions in fines,” said John Sabatini, a partner in PwC’s Risk Assurance practice and leader of the firm’s Advanced Risk & Compliance Analytics Services. “We’re finding that our audit teams want to make sure there isn’t going to be a major blow-up from a compliance or risk standpoint. When you look at some of these financial firms, some of the issues that they’ve had—whether it’s Ponzi schemes or whether it’s not being able to identify the value at risk, a counterparty risk, or whether it’s just AML in general—these are all things that companies have struggled with, and if they don’t get it right, they can have a major issue with continuing operations. From an external audit standpoint, it’s very relevant. When you start thinking about it from an internal audit standpoint, with some of the reputational risks out there, we’re finding this is one of the highest risk areas.”

Sabatini used to work for Goldman Sachs, where he spent time identifying what some of the highest-risk areas were. “We coupled that with what we thought our own assessment and the regulator’s assessment of risk was,” he recalled. “In both cases—in our own assessment and the regulatory assessment of these areas—both risk and compliance were the highest areas. When you look at internal audit and how accountants can support the internal audit needs, I think this is an area of great demand. What we’re trying to offer up from a PwC standpoint is that there are much better ways of doing this type of work. There are better ways of doing testing, intelligence sampling and assessments.” He believes it’s possible to leverage technology and analytics to do that type of work in a more efficient manner.

Heavy Fines
Vikas Agarwal, managing director of PwC’s Risk Assurance Practice, pointed to the heavy fines that organizations are facing for not complying with the AML requirements. “As you look at companies and their ongoing processes, they have to get this right,” he said. “Not only are they materially significant fines, but they also have threats from the regulators to take away their licenses, which can affect ongoing business. So it becomes more important that accountants understand the risk of money laundering and regulations like these that are becoming significant.”

Sabatini sees anti-money laundering as an important issue from a business viability standpoint, even as more companies put in place surveillance systems to monitor the cash flow. “When you think about anti-money laundering, there’s a requirement for you to go in and know your customer, and then really manage and observe their activity, and try to look for things that are suspicious, that could be indicative of money laundering,” he said. “One of the things we found is that these systems were put in place five or 10 years ago at a time when people were thinking about it as a project.”

Once the project had been completed, they then moved on to the next project without adapting their anti-money laundering systems as criminal activity patterns changed. “Well, the customer activity changes over time,” said Sabatini. “People become more wealthy. In some cases, they have different relationships. The asset base is different. The volume of their activity is different. Things change pretty dramatically over time. If they don’t keep their systems up to date and maintain those systems, it becomes a pretty significant issue with systems that were working very well and effectively five or 10 years ago, but not being very productive today. The alerts that are generated today are not going to be as effective and as productive.”

PwC’s report highlights the importance of proper governance over an AML system and maintaining it so it remains as productive and reliable as when it was originally put in place, by thinking about it as a program rather than as a temporary project that was taken care of years ago.

Technology Controls
Agarwal pointed to the importance of IT change management and controls. “It’s really being able to look at change control and understand what’s changing in other systems that can affect your AML systems,” he said. “I think people have done this very well with financial controls since Sarbanes-Oxley, but we’re now in an environment where those types of controls and that type of rigor around change processes need to also be applied to other regulations like anti-money laundering.”

“That whole idea of certifying your SOX program and having the business take ownership of that, we haven’t seen that happen on the compliance side or even on the risk side,” Sabatini added. “What we’re seeing over the last couple of years is the importance of having business sign off on, “Yes, this is the way we’re operating. These are all of our systems. These are all of our products. These are all the feeds that actually go into our monitoring systems.’ Have them participate and sign off and certify that things are the same as they were a couple of years ago, like this yearly validation that you would have in SOX.”

Sabatini noted that oftentimes when companies start having problems, they immediately blame the IT system or point to the chief compliance officer or the AML officer. “What we’re saying is the AML officer can’t do this by themselves,” he added. “They have to have input from technology. They have to have input from the businesses. If there are changes that are going on in the business and changes in technology, and the compliance officer is not aware of it, that can be a major disconnect. This whole idea of certification brings this together.”

When law enforcement or regulators find money laundering taking place before the bank discovers it, the responsibility becomes institution wide and could put the business at risk of losing its license. “At the end of the day, there is broad-stroke responsibility for the organization,” said Agarwal. “If the government is finding things that the bank is not identifying, it can put their banking license at risk. Then it also individually becomes a responsibility of the C-level executives of whether they’re creating a culture that’s helping identify these things, and whether they’re taking the topic seriously.”

Higher Expectations
Major banks have faced heavy penalties in recent years for not doing more to combat money laundering. HSBC, for example, agreed to pay $1.9 billion in July under a deferred prosecution deal with the Justice Department to settle allegations that it helped drug cartels launder billions of dollars. But HSBC is not the only bank to have run afoul of regulators looking for AML noncompliance.

“No bank that we’ve worked with has been free of criticism,” said Sabatini. “There’s a tremendous amount of expectation. The regulatory expectations seem to be changing every year, and what the regulators are doing is they’re going from bank to bank. They’re looking at the best in breed from every bank, and they’re picking and choosing what they like. They’re going in and saying, ‘Why are you not doing what this other bank is doing?’ Even if there were shortcomings in certain areas, they’re going to highlight the things that are working really well and start comparing other banks against the best things that they see. It’s been very, very difficult for companies to maintain that and keep up with what’s going on.”

PwC has been working with banks and other companies on governance, checking on whether their programming and systems are currently working effectively.

“There’s a whole validation process that we recommend a lot of companies go through,” said Sabatini.

PwC’s whitepaper discusses the kinds of questions they should ask to identify and assess the areas of concern within their environment. “That’s one of the first things, an assessment,” said Sabatini. “How does somebody know that it’s working well? There are a lot of things that have been happening over the last couple of years where people are looking at new technology and configuring their systems differently. They’re looking at clustering their customers and what they call customer segmentation. They’re looking at putting governance and tools in place that will allow them to look at hot spots or areas of concern where thing are starting to go off track.”

Financial institutions need to put in place indicators for each of their lines of business to assess when their AML operations are working effectively. “I think it’s the validation piece in the beginning and how are you uplifting your program and how are you maintaining it,” said Sabatini. “How are you providing governance and reporting so that you know if things are going adrift?”