Cognizant Reports | May 2016

Financial Crime: How Financial Institutions Can Mitigate Risk and Improve Compliance

Banks face dramatically higher operating costs and business complexity, with the increased scope of financial crimes and growing regulatory liabilities, highlighting the need for a more integrated and unified approach to risk mitigation and compliance.


Executive Summary

Top financial industry executives are increasingly concerned about the rising sophistication of financial crimes, including money laundering, terrorism financing, cybercrime, fraud, tax evasion, bribery and internal threats from employees. At the same time, the number of banks being penalized for regulatory and sanctions violations in the U.S., the UK, the European Union and elsewhere has spiked in recent years, demanding greater transparency, responsibility and compliance. Furthermore, the increase in extra-territorial enforcement of U.S. laws and reciprocation from other countries has amplified compliance challenges, vastly increasing the cost and complexity of doing business.

Banks have made huge investments in risk and compliance management, but their fragmented approach to financial crime has had limited success in staving off threats and meeting regulatory requirements. This has resulted in increased violations and money spent on regulatory compliance.

Clearly, banks need to refresh their approach to handling financial crime and regulatory compliance. We recommend six key steps to help banks adapt to the ever-changing criminal and regulatory landscape.

• Conduct a risk assessment based on the bank’s products, services, geographies and clients to better understand the threat environment.

• Integrate the efforts of various disciplines involved in financial crime prevention across the organization to identify synergies and overlaps in people, processes and technologies; this will help reduce redundancies and streamline processes.

• Improve the availability and quality of data to support real-time transaction monitoring and advanced analytics.

• Apply advanced analytics to gain a holistic view of threats and the entities that cause them; this will help uncover complex and subtle threats, as well as emerging ones, early and effectively.

• Nurture a culture of high ethics and integrity by setting accountability standards, establishing controls and policies, working closely with regulators and increasing employee awareness.

• Actively participate in the industry-wide initiatives undertaken to mitigate risk and improve compliance.

The Growing Burden of Financial Crime and Regulatory Compliance

Criminals are more sophisticated than ever when it comes to financial and cybercrime, and banks are struggling to catch up. Meanwhile, increased regulatory demands for transparency and compliance, as well as hefty penalties for non-compliance, have put enormous pressure on banks, both financially and operationally.

Rising Threats

A number of drivers, including globalization, the proliferation of banking channels, rising transaction volumes and accelerated technology advancements (i.e., new digital tools and intelligent automation), have introduced new opportunities for financial malfeasance. Criminals continuously probe banking organizations’ defenses through innovative algorithms and complex schemes across channels and vectors; banks must also guard against internal employee threats (see Figure 1).

Figure 1: Single Biggest Barrier to Fighting Financial Crime Effectively for UK Banks

Evolving criminal methodologies: 42%
Cost of AML compliance: 15%
Lack of personnel in risk function: 11%
Civil prosecution/class actions: 10%
Geo-political events: 10%
Sectoral sanctions: 10%

Source: The British Bankers’ Association and LexisNexis, November 2015

Base: 198 senior-level financial crime and AML compliance professionals

Big banks are not the only targets; small banks are easy prey for criminals, as many lack robust systems to fend off threats.

Heightened Regulatory Scrutiny and Surging Compliance Costs

Regulators across the globe have intensified their scrutiny and are assessing heavy fines on banks that fail to adopt adequate defenses or that violate the Bank Secrecy Act/Anti-Money Laundering (BSA/AML) program. Between 2007 and 2014, banks paid about $21 billion in cumulative anti-money laundering (AML) fines alone in the U.S.[1]

Banks are continuously challenged by emerging AML compliance requirements (see Figure 2). This includes the long-awaited beneficial ownership rule from the Financial Crimes Enforcement Network (FinCEN), expected to be finalized this year, which will require banks to verify and identify the true owner of companies behind financial transactions. Banks will also need to understand the implications of the ongoing assessment of the U.S. Anti-Money Laundering/Combating the Financing of Terrorism (AML/CFT) framework developed by the Financial Action Task Force (FATF).

In response to the 2001 terrorist attacks, the U.S. significantly expanded the scope of laws governing money laundering, bribery and fraud and applied them extra-territorially; the European Union and the UK followed suit. The EU’s Anti-Money Laundering Directive (AMLD 4), which will be implemented by member states starting June 26, 2017, requires financial institutions to continuously identify, evaluate and document risks related to money laundering and terrorist financing; report suspicious transactions made by their clients; and maintain records of payments.

Sanctions compliance is another major challenge for global banks as they strive to keep pace with a dynamic sanctions list comprising individuals, countries and institutions, separately maintained by the EU, the U.S. and organizations such as the United Nations. Banks must also keep up with lists for AML, tax evasion and other forms of crime. The growing list of individuals and entities to be screened has put pressure on banks’ transaction screening systems, increasing the number of false positives generated. U.S. authorities have clamped down on foreign banks for lax controls over financial crime and sanctions; European banks are most affected by this crackdown (see Figure 3).

In the UK, the Financial Conduct Authority (FCA) has increased its scrutiny and updated its guidance on financial crime prevention. The move was based on a 2014 review of 21 small banks, which found significant weaknesses in the AML systems and controls in high-risk situations at most banks; additionally, staff at one-third of the banks lacked awareness of AML and sanctions risks.[2]

Figure 2: AML Compliance Challenges in the Next 12 Months

Increased regulatory expectations and enforcement: 58%
Having enough properly trained AML staff: 40%
Additional regulations: 37%
Insufficient/outdated technology: 36%
Too many false positive screening results: 25%
Sanctions compliance: 20%
Understanding regulations outside home country: 18%
Formal regulatory criticism: 16%
Fear of personal civil and criminal activity: 11%
Lack of senior management/board engagement: 10%
Understanding regulations in home country: 8%

Source: Dow Jones and ACAMS, 2016

Base: 812 AML, BSA and/or compliance executives

Further, regulators want banks to take greater responsibility for preventing financial crime and reporting suspicious activities. In response, banks have made efforts to enhance their transaction monitoring systems, acquire greater knowledge about customers and their transactions, and recruit people with expertise in risk investigation and compliance.

The shortage of trained compliance specialists and the increasing responsibilities of compliance professionals (who assimilate an average of 167 regulatory alerts per day, a sharp increase from 68 a few years ago) are forcing banks to offer higher salaries to find and retain the best talent. This has vastly increased costs, with the largest global banks spending about $4 billion a year on compliance.[3] Amid demands from customers and investors to lower costs, global banks have terminated certain products, services and customer relationships in high-risk segments and geographies.

For resource-constrained small- and medium-size banks, regulatory compliance has become a particular concern, with costs at many banks spiraling out of control. Many of these institutions have not updated their compliance programs, especially for BSA/AML, although they are held to the same expectations as their larger counterparts.


Challenges of Fighting Financial Crime

Keeping up with accelerating regulatory change is proving difficult for banks, but non-compliance can be even more costly. Costs include monetary fines, remediation, termination of business lines and temporary or permanent restrictions on selling certain products, not to mention the unquantifiable impact of investor dissatisfaction and reputational damage to the brand.

Banks have invested heavily in strengthening security and meeting compliance demands, but such efforts are undermined by their piecemeal approach to dealing with financial crime. Risks such as money laundering, cybercrime and fraud are traditionally handled independently by various organizational functions. Each has its own tools, systems, processes and compliance mechanisms, with minimal communication among them.

This fragmented approach has resulted in duplication of data, technology and efforts, resulting in rising costs. The largest global banks spend an estimated $1 billion to $1.5 billion annually on financial crime compliance.[4] Without consolidated data from multiple channels and geographies, it is also more difficult to identify suspicious activities or gain a unified view of organization-wide risk.

Figure 3: Major Fines Applied to Foreign Banks for U.S. Sanctions Law Violations

Bank                                Year   Fine (in $ million)
BNP Paribas (France)                2014   8900
Standard Chartered (UK)             2013   667
ING (The Netherlands)               2012   619
Credit Suisse (Switzerland)         2009   536
ABN Amro (The Netherlands/UK)       2010   500
HSBC (UK)                           2012   375
Lloyd’s (UK)                        2009   350
Commerzbank (Germany)               2015   342
Bank of Tokyo-Mitsubishi (Japan)    2014   315
Barclays (UK)                       2010   298
Deutsche Bank (Germany)             2015   258
Bank of Tokyo-Mitsubishi (Japan)    2013   250
Clearstream (Luxembourg)            2014   152
Royal Bank of Scotland (UK)         2013   100

Source: Council on Foreign Relations, April 2015, and The Guardian, November 2015

The challenge for banks is to enhance their ability to detect, prevent and report financial crime while containing spiraling regulatory and compliance costs.

Six Steps to Fighting Financial Crimes

There is no silver bullet to preventing financial crime. Banks must take a series of steps to become more adept at fighting threats and navigating the complex regulatory landscape. Organizations can begin by conducting a comprehensive risk assessment, and then integrating the various financial crime prevention efforts across the organization to remove silos, improve the quality and availability of data, and create a culture of data-driven decision-making.

1. Tailor the Risk Management Approach

The key to developing and applying adequate controls is becoming knowledgeable about the risks themselves and the business areas they impact. A risk assessment should then be carried out based on the organization’s size, channels, geographies, customer types and product and service complexity (e.g., risks for wealth management products can arise from high-value transactions, politically connected individuals, multiple jurisdictions and banking secrecy). By mapping these risks against internal policies, procedures and controls, banks can assess their effectiveness in mitigating risks, and fine-tune them accordingly. A periodic review of the risk assessment should be conducted to ensure relevancy.

2. Address Silos

There is a wide spectrum of financial crime types, including money laundering, terrorist financing, fraud and cyberattacks. Intrusions, however, often go unnoticed, as these disciplines often operate in silos. To more effectively manage the growing sophistication of crimes, banks are increasingly focused on tightly integrating or merging the various internal functions tasked with financial crime prevention. However, some experts warn about the risks of such integration as it can increase vulnerability to cyberattacks, and instead recommend improving communication and coordination among the teams.[5]

We believe banks should start by integrating transaction monitoring in their cybercrime and AML disciplines to see the benefits for themselves, since these teams face similar types of challenges, and typically overlap in terms of processes, systems and data requirements. For example, if a cyberattack occurs that involves the theft of online customer data, the team within the AML discipline could provide complete details of all suspicious activities flagged by its transaction monitoring systems. These details could then be used to cross-check any surge in e-commerce purchases, wire transfers, ATM withdrawals or similar transactions, thus detecting and preventing criminals from using the stolen data.

Similarly, a cyberattack alert by the cybersecurity team will enable the AML function to tighten transaction scrutiny and prevent money laundering, while the fraud prevention team can take steps to ensure the stolen customer data is not monetized, as well as investigate insider activity. The sooner the information is passed to the other teams, the more time they have to prevent the crime or identify the perpetrators.[6]
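The cross-check described above can be made concrete in code. The following Python is an added example, not part of the Cognizant report: it takes a breach alert from the cybersecurity team (a breach time and a list of compromised customers) and flags those customers whose e-commerce, wire or ATM spend surges afterward, raising priority for any customer the AML monitoring system has already flagged. All names, thresholds and sample records are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Channels the text names for the cross-check.
WATCHED_CHANNELS = {"ecommerce", "wire", "atm"}


@dataclass(frozen=True)
class Txn:
    customer: str
    when: datetime
    channel: str
    amount: float


def surge_report(txns, compromised, breach_time, aml_flagged=frozenset(),
                 baseline_days=30, window_days=3, ratio=3.0, floor=500.0):
    """Flag compromised customers whose post-breach spend surges.

    A customer is flagged when spend in the watched channels during the
    window after the breach is at least `floor` in total and at least
    `ratio` times the customer's own pre-breach daily average.
    Thresholds are illustrative assumptions, not values from the report.
    """
    base_start = breach_time - timedelta(days=baseline_days)
    window_end = breach_time + timedelta(days=window_days)
    before = defaultdict(float)
    after = defaultdict(float)
    channels = defaultdict(set)
    for t in txns:
        if t.customer not in compromised or t.channel not in WATCHED_CHANNELS:
            continue
        if base_start <= t.when < breach_time:
            before[t.customer] += t.amount
        elif breach_time <= t.when < window_end:
            after[t.customer] += t.amount
            channels[t.customer].add(t.channel)

    report = {}
    for cust, post_total in after.items():
        base_rate = before[cust] / baseline_days
        post_rate = post_total / window_days
        # No history means base_rate is 0, so only the floor applies.
        if post_total >= floor and post_rate >= ratio * base_rate:
            report[cust] = {
                "baseline_per_day": round(base_rate, 2),
                "post_breach_per_day": round(post_rate, 2),
                "channels": sorted(channels[cust]),
                # An existing AML alert on the same customer raises priority.
                "priority": "high" if cust in aml_flagged else "review",
            }
    return report


# Constructed sample data (not real records).
BREACH = datetime(2016, 3, 10)
COMPROMISED = {"C1", "C2", "C4"}   # from the cybersecurity team's alert
AML_FLAGGED = {"C1"}               # from AML transaction monitoring


def _t(cust, day_offset, channel, amount):
    return Txn(cust, BREACH + timedelta(days=day_offset), channel, amount)


SAMPLE_TXNS = [
    *[_t("C1", -d, "ecommerce", 50.0) for d in range(1, 30, 5)],
    _t("C1", 0.5, "wire", 4000.0),
    _t("C1", 1, "atm", 800.0),
    *[_t("C2", -d, "ecommerce", 100.0) for d in range(2, 30, 5)],
    _t("C2", 1, "ecommerce", 45.0),    # normal activity, below the floor
    _t("C3", 1, "wire", 9000.0),       # not in the breach list, out of scope
    _t("C4", 2, "wire", 2500.0),       # no history before the breach
]

if __name__ == "__main__":
    for cust, row in sorted(surge_report(SAMPLE_TXNS, COMPROMISED, BREACH,
                                         AML_FLAGGED).items()):
        print(cust, row)
```

Comparing each customer against their own baseline, rather than a bank-wide threshold, keeps the check from firing on customers whose normal spend is simply high.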

This type of collaboration will help banks gain new efficiencies in transaction monitoring and investigation, plug security gaps, reduce redundancies, streamline processes, innovate and build models that can identify and prevent even sophisticated crimes effectively, which can go a long way toward reducing costs and limiting financial damage.

3. Overcome Data Challenges

The key to integrating multiple risk efforts lies in the bank’s ability to get high-quality and consistent data from across the organization. This is no easy task for large banks, many of which have accumulated multiple systems and technologies over the years through mergers and acquisitions. Standardizing large volumes of customer, transaction, crime and other unstructured and semi-structured data from across the organization can be a challenge, as is encouraging employees to comply with internal standards and practices when entering data. However, doing so can significantly improve the overall data quality and accuracy needed to support real-time monitoring and data-driven decision-making.


4. Embrace Analytics

Combining effective data management with advanced analytics is essential for detecting and preventing growing threats. By collecting and analyzing the massive volumes of current and historic data within the organization (across all lines of business) and from external agencies providing financial crime data, banks can gain a comprehensive view of customers and transactions, as well as insights into relationships between various entities that previously went unnoticed. Through analytics, banks can better understand the risks posed by customers, transactions and other entities, and discover complex threats that impact multiple lines of business.

For instance, a transaction that appears legitimate in one channel may appear suspicious when viewed holistically. Forensic data analytics will help banks identify and predict risk patterns and issues in advance, enabling them to pre-empt criminal activity, particularly insider threats and data breaches that involve gaining unauthorized access to sensitive data.

5. Address Culture and People Challenges

The tone set by senior management is key to driving an organization’s crusade against financial crime. Senior bank officials need to set accountability standards, establish policies and controls, promote transparency by working closely with regulators, provide incentives for promoting compliance, and show zero tolerance toward potential internal and external risks.

Organizations should also grow their awareness of emerging threats, such as risks posed by virtual currencies and new channels and technologies. Employees should be trained and updated on the latest regulatory developments and emerging risks, and be sensitized to the various ways criminals can exploit them. High-risk users, such as contractors, suppliers and employees with access to sensitive organizational data and information, must be monitored and analyzed continuously for suspicious behavior or use of technology.

6. Collaborate with Industry-wide Initiatives

While banks have invested heavily to improve their compliance programs, evolving regulations have hindered them from developing a sustainable and scalable solution. Individual banks have developed proprietary solutions, with no industry-wide standards or best practices to guide them, resulting in duplicate efforts across the industry and accelerating compliance costs.

Banks need to move toward a more collaborative and unified approach, similar to what exists for international trade confirmation and settlement. Doing so would address skill shortages, facilitate the creation of standards and best practices and foster innovation.[7]

By collaborating with law enforcement agencies and the government, banks can also take the fight against financial crime to the next level. A case in point is the UK’s Joint Money Laundering Intelligence Taskforce (JMLIT) initiative, a one-year pilot started in February 2015 by the government, banks, law enforcement agencies and others. The task force, expected to become a permanent institution, was set up to study the scale and methods employed in money laundering, suggest remedial measures and improve intelligence-sharing across parties.[8]

Looking Forward

Fast-evolving financial crime and regulatory uncertainty impact banks of all sizes and warrant a proactive approach. Large banks with multiple lines of business must focus on integrating various crime prevention disciplines and building a culture that supports data-driven decision-making. Banks should consider hiring former military and law enforcement intelligence officers with expertise in analytics to proactively identify trends in transactions with links to terrorist organizations.

Small banks can seek technology and talent resources from businesses that specialize in cybercrime to avoid the high costs of procuring, maintaining and updating technology, as well as attracting and retaining people with needed skills, while also gaining the flexibility to offer new products and services and enter new business areas. This is significant as small banks are beginning to adopt new business lines or product segments that larger banks have exited due to higher BSA/AML compliance risks.[9]

Improving collaboration within the banking industry, as well as with regulators and law enforcement agencies, will result in targeted efforts to prevent crime, improve compliance, alleviate talent constraints, contain costs and resolve other challenges.


Footnotes

1 “AML and Sanctions Enforcement The Price of Dirty Money,” CEB TowerGroup, 2014, https://www.cebglobal.com/content/dam/cebglobal/us/EN/best-practices-decision-support/financial-services/images/infographics/fs-tg-cb-anti-money-laundering-2014.pdf.

2 “How Small Banks Manage Money Laundering and Sanctions Risk Update,” Financial Conduct Authority, November 2014, https://www.fca.org.uk/news/tr14-16-how-small-banks-manage-money-laundering-and-sanctions-risk.

3 “Banks Face Pushback Over Surging Compliance and Regulatory Costs,” The Financial Times, May 28, 2015, https://next.ft.com/content/e1323e18-0478-11e5-95ad-00144feabdc0.

4 “Future Financial Crime Risks: Considering the Financial Crime Challenges Faced by UK Banks,” The British Bankers’ Association and LexisNexis, November 2015, https://www.bba.org.uk/wp-content/uploads/2015/12/Future-Financial-Crime-Risks-DIGITAL-final.pdf.

5 Brett Wolf, “Link Cyber and Anti-money Laundering Units, But Do Not Combine Them — Experts,” Reuters, March 30, 2016, http://blogs.reuters.com/financial-regulatory-forum/2016/03/30/link-cyber-and-anti-money-laundering-units-but-do-not-combine-them-experts/.

6 "The Convergence of Anti-Money Laundering and Cyber Security," K2 Intelligence, November 2015, https://www.k2intelligence.com/wp-content/uploads/2015/10/2015-10-20-ABA-The-Convergance-of-AML-and-Cyber-Security.pdf.

7 Luc Meurant, “Financial Crime Compliance: The Case for an Industrywide Approach,” American Banker, August 18, 2014, http://www.americanbanker.com/bankthink/financial-crime-compliance-the-case-for-an-industrywide-approach-1069406-1.html.

8 “Joint Money Laundering Intelligence Taskforce,” National Crime Agency, February 2015, http://www.nationalcrimeagency.gov.uk/about-us/what-we-do/economic-crime/joint-money-laundering-intelligence-taskforce-jmlit.

9 Daniel S. Alter, “How to Lighten Community Banks’ AML Compliance Load,” American Banker, May 14, 2015, http://www.americanbanker.com/bankthink/how-to-lighten-community-banks-aml-compliance-load-1074307-1.html.

References

• “What Are Economic Sanctions?” Council on Foreign Relations, April 8, 2015, http://www.cfr.org/sanctions/economic-sanctions/p36259.

• “New EU Anti-money Laundering Directive to Come into Force From 26 June,” Out-Law, June 10, 2015, http://www.out-law.com/en/articles/2015/june/new-eu-anti-money-laundering-rules-to-take-effect-from-26-june/.

• Luc Meurant, “Industry Should Pull Together to Combat Financial Crime,” Financial News, October 12, 2015, http://www.efinancialnews.com/story/2015-10-12/industry-should-pull-together-to-combat-financial-crime.

• "Guidance for a Risk-based Approach: The Banking Sector," Financial Action Task Force, 2014, http://www.fatf-gafi.org/media/fatf/documents/reports/Risk-Based-Approach-Banking-Sector.pdf.


© Copyright 2016, Cognizant. All rights reserved. No part of this document may be reproduced, stored in a retrieval system, transmitted in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the express written permission from Cognizant. The information contained herein is subject to change without notice. All other trademarks mentioned herein are the property of their respective owners.

About Cognizant

Cognizant (NASDAQ: CTSH) is a leading provider of information technology, consulting, and business process outsourcing services, dedicated to helping the world’s leading companies build stronger businesses. Headquartered in Teaneck, New Jersey (U.S.), Cognizant combines a passion for client satisfaction, technology innovation, deep industry and business process expertise, and a global, collaborative workforce that embodies the future of work. With over 100 development and delivery centers worldwide and approximately 233,000 employees as of March 31, 2016, Cognizant is a member of the NASDAQ-100, the S&P 500, the Forbes Global 2000, and the Fortune 500 and is ranked among the top performing and fastest growing companies in the world.

Visit us online at www.cognizant.com or follow us on Twitter: Cognizant.

Credits

Author and Analyst
Vinaya Kumar Mylavarapu, Senior Researcher, Cognizant Research Center

Subject Matter Experts
Henry Shiembob, Cognizant Chief Security Officer, Corporate Security
Daniel Smith, Cognizant AVP, Corporate Security

Design
Harleen Bhatia, Research Manager
Hari Kuppala, Senior Designer

Codex 1949