Anti-Money Laundering (AML) is an indispensable process that helps stem the flow of illicit money into the financial system and protects financial institutions and services from being manipulated by bad actors. But efforts to optimize AML information sharing — the sharing of identity, monitoring, suspicious activity and other critical data — are mired in difficulties. What can regulators, compliance teams and other parties do to improve the sharing process?
While sharing of data can vastly improve AML efforts, there are legal and other considerations, such as the risks inherent in sharing sensitive personal financial information, which can impede the process. Let’s examine how AML intelligence can be shared in a safe and compliant way:
Building a safe harbor for sharing: Within the USA PATRIOT Act, Section 314(b) offers protections from liability for qualified information sharing to fight money laundering and terrorist financing. In an interagency statement from October, 2018, collaborative arrangements “are most suitable for banks with a community focus, less complex operations, and lower-risk profiles for money laundering or terrorist financing.” However, despite the availability of such protections, financial institutions may be uncomfortable with sharing customer information with each other. On the other hand, collaboration on AML administration carries less risk. For financial institutions, sharing and collaboration on the following facets of their AML programs can lead to substantial cost savings and other benefits.
Internal controls: Written policies, systematic procedures, customer identification, monitoring and reporting processes, are all areas that have many commonalities across financial institutions; working together to improve internal controls can help deliver better AML programs and lower costs.
Testing and reviews: Having all the strategies and systems in place is great, but how do you know that they are, in fact, effective? A review process helps uncover incorrect assumptions or technical oversights. Working together with other institutions, where the parties review each other, provides coverage without paying for outside expertise.
Training: A comprehensive training program helps keep all employees knowledgeable and cognizant of the issues to watch for, when running an AML program. Sharing the cost and effort of creating and delivering AML training disperses the expenditure. Establishing documentation and process controls that define the exact relationship, the nature of resource sharing, protections for confidential information, are necessary. In addition, reviewing and updating these procedures on an ongoing basis, protects all parties.
Precautions around disclosure of Suspicious Activity Reports (SARs): One common requirement for obliged entities is to report suspicious activities. As these reports are used by regulators and law enforcement to investigate suspicious activities, it’s important to maintain tight control over the information. In the United States, FinCEN has made a specific rule – Maintaining the Confidentiality of Suspicious Activity Reports, which makes unauthorized disclosure of SARs a violation of federal law. Information should be made available only on a need-to-know basis.
Distinctions between sharing information within the institution, with regulators, with other financial institutions, and across borders, are critical considerations. The rules for each type of information sharing are different.
FinCEN Exchange: Money launderers are constantly devising new schemes to clean their ill-gotten gains. If they find success with a particular technique, they quickly find new targets to use it against. Therefore, it’s imperative for institutions to work more closely with each other, and with regulators, and use their collective intelligence to keep bad actors at bay.
To that end, FinCEN has created the FinCEN Exchange, a voluntary program to improve the information flow between regulators and obliged entities.
One of the best indicators of the efficacy of this program would be its ability to effectively prioritize SARs. Obliged entities are required to report any suspicious activity; thus, many err on the side of the caution and file everything, regardless of the gravity of the report. In 2017, over 3 million SARs were reported to FinCEN. Over-reporting can divert resources away from more serious cases. As The Clearing House, a banking association and payments company that is owned by some of the world’s largest commercial banks, states, “the combined data set [from filed SARs] has massive amounts of noise and little information of use to law enforcement.”