Banks today are responsible for preventing a host of financial crimes from infiltrating their ecosystems. Some of these crimes, such as money laundering and sanctions violation, are highly visible, with high potential to create regulatory problems and lasting reputational damage.
These typically receive the most attention in financial crime compliance building efforts, but a number of banks are expanding that function to counter many other financial crimes as well.
Exhibit 1: Internal and external demands on financial crime compliance
For many global and European banks, this increased focus on financial crime compliance has not been a choice. Rather, it is driven by a spate of costly and embarrassing regulatory findings and events. Settlement fines in financial services total more than $300 billion since 2008. The scandals causing these fines have also done tremendous harm beyond the direct settlements, through lost business and tarnished reputations. Responding to these events and preventing them has required substantial investment, with banks typically adding between $900 million and $1.3 billion in run-rate spending on financial crime compliance annually. These spending increases continue today.
Exhibit 2: Estimated financial institutions’ regulatory spending on talent and consulting
Most banks began to build substantial financial crime compliance capabilities in response to specific regulatory findings with a remediation process. This resulted in a “quick fix” approach in which money and human capital were deployed quickly and haphazardly to counter the immediate problem. These solutions typically work in the short run but become unwieldy as banks are forced to react to new compliance challenges. Such initial fixes can sag under the weight of many types of challenges, including:
- New incoming legislation
- Increasing regulatory scrutiny
- Major industry events
- Emerging, changing, and non-static threats (for example, Panama Papers, Islamic State)
These initial builds were inefficient. Western banks have had to embark on a three-stage journey toward a financial crime compliance function that provides robust risk mitigation capability in an efficient, sustainable manner.
Stage 1—Remediation. The focus is on managing embarrassing events or regulatory findings. Organizations at this stage typically seek immediate fixes for damage control in the short term. Challenges include gaining back trust and comfort from the board, as well as the customers and public; lack of adequate resources; and low bandwidth to think about structural and embedded solutions.
Stage 2—Transformation. Organizations target upgrades in risk management and structural changes by building out compliance to full function, which will be embedded as a strategic partner to the business. At this stage, managers need to ensure that transformation and business-as-usual operations run in parallel and find the right talent to manage upgraded tools and generate insightful analysis.
Stage 3—Operational efficiency. Leading institutions are now embarking on an ambitious goal to achieve efficiency and effectiveness at the same time. Quality of service and risk control agility is improved with lowered or similar cost. Organizations will need to continue to professionalize the function and efficiently manage new and upcoming regulations.
Many large global and European banks have gone through with the “remediation” stage of financial crime compliance building and are turning unwieldy quick fixes into full-fledged compliance capabilities that are sustainable in the long term. Some leading banks have largely completed initial builds of these functions and are now focusing on refining them to increase efficiency without compromising risk effectiveness.
Final operating models that are fit-for-purpose, effective from a compliance perspective, and satisfactory to business stakeholders can take a variety of forms. We find that they start with effective top-of-the-house risk strategy, include solid governance and multiple lines of defense, and are backed by effective processes, controls, and infrastructure (including data).
Exhibit 3: Financial crime compliance framework
Until recently, regulatory scrutiny on Asian banks had not reached the same levels as their American or European counterparts, which means that Asian banks could largely avoid the embarrassing incidents that have plagued Western banks without building out mature financial crime compliance functions.
There are signs, however, that this is starting to change. One example is the ongoing scandal surrounding a major Asia-Pacific bank over anti-money laundering and terrorism financing law breaches that could leave it exposed to massive multimillion-dollar civil penalties. The bank was cited for failing to report suspected money laundering and 50,000-plus suspicious transactions to the financial crime compliance regulator. The regulator said that the bank ignored warnings that its ATMs were being used to funnel money to individuals connected to, or charged with and convicted of crimes.
The international impact of recent investigations is likely to compound the level of scrutiny banks in the region will face going forward, and some players are already beginning to respond with increased compliance spending. Examples from our industry experience include a major bank in Singapore that has seen a 37 percent increase in fixed cost for compliance from 2014 to 2015 and half of China’s major banks seeing more than a 20 percent increase in compliance budget in 2016.
While Western banks began the financial crime compliance development process with “quick fixes” put into place in the immediate aftermath of a scandal, it only progressed further when these quick fixes failed due to further regulation, more scandals, or major industry events. Asian banks have a unique opportunity to avoid this pitfall by building out fully formed financial crime compliance capabilities now and getting ahead of the game.
One key area is building a more digital and modular approach for critical financial crime compliance activities. One good example is the “know your customer” process. Other elements to consider include:
- Manage a ramp-up of headcount, while finding and competing for talent and building capabilities in the team
- Clarifying “lines of defense” roles and ensuring that they work properly together
- Manage linkages with conduct-risk management
- Develop AML controls and ensure these are working correctly
Exhibit 4: Know your customer process—a digital and modular approach
The American and European banking industry’s journey from reactive fixes in the wake of unsightly financial crime scandals to fully mature financial crime compliance capabilities has been long and has involved multiple waves of transformation and efficiency efforts. Increasing regulatory scrutiny in Asia means that banks in the region that have not already started this journey will soon need to do so, given the risks involved.
However, banks in Asia have a unique opportunity to learn from the mistakes of their Western counterparts and leapfrog earlier, lesser-developed models for the financial crime compliance function.
Jameson White is a millennial attorney, law professor, entrepreneur, writer, and speaker on privacy, cybersecurity, A.I., AR/VR, blockchain, and digital monies. He has written for many outlets, and contributed to cybersecurity and technology publications.