Several banking giants, such as HSBC and Standard Chartered, are currently being investigated by US regulators for alleged failings in anti-money laundering (AML) compliance. What is the reason for these large banks’ failures? All fingers point to lapses involving outsourcing units operating without adequate oversight. Due to these scandals, banks seeking to save costs by outsourcing increasingly sensitive and sophisticated work overseas will now be forced to step up oversight of their back office operations.
There is some debate about how far a financial institution can go in offloading its AML compliance tasks to a third party. In other words, how hands-off can a financial institution be? Are there any tasks that should be kept in-house only? Outsourcing may seem to be a cost-effective and efficient way of managing AML compliance, but it can result in great disaster if not adequately monitored. For financial institutions, there are several important differences to note between AML outsourcing and other common outsourcing activities.
AML compliance requires a higher level of training in contrast to standard outsourcing tasks.
Legally, the financial institution is ultimately responsible for the quality of work executed by an outsourcing operation.
Outsourcing the wrong tasks or not providing appropriate oversight exposes banks to legal risk, security risk, operational risk, and reputational risk, not to mention regulatory fines and potentially the disruption of business.
For these reasons and more it is important to differentiate between tasks that can be outsourced and those that should not.
Which AML compliance functions can be outsourced?
Activities that are appropriate for outsourcing companies are typically those that are low risk; meaning that they can be effectively and safely done by a non bank employee. For example, outsourcing companies are suitable to handle labor intensive but routine work including tasks such as customer due diligence, enhanced due diligence, verification of customer identification. Other activities that can be conducive to outsourcing might include alert reporting and notifications generated by automated transaction monitoring systems.
Notably, a financial institution remains responsible for all AML systems and controls related to outsourced activities. Therefore, financial institutions, in particular, are wise to review and address any and all risks, as well as their risk tolerance, before they even begin to think about outsourcing specific functions.
Which AML compliance functions cannot be outsourced?
Activities that are not conducive to outsourcing are any that include the filling of sensitive reports. Filing sensitive reports is the obligation and responsibility of the financial institution and as such, are best completed by an employee of the financial institution. The targets of filings cannot be disclosed by a financial institution.
Transaction analysis is also considered the most sensitive part of the money-laundering detection process because it provides the underpinning for the filing of suspicious activity reports. Clearly, a third party is not even in a position to analyze transactions because it may not have access to all of the customer information, such as daily internet activity or loan files, which is essential in analyzing transactions.
Likewise, internal investigations of suspicious activities should be handled by the financial institution and should be approved by the board of directors of the institution. These types of investigations may involve employee interviews, finding and reviewing documents, and preparation of reports, all of which should effectively be kept highly confidential. Also, if a financial institution is confronted with a government investigation, it is recommended to immediately consult a legal counsel.
Nothing is simple about AML Outsourcing!
On the face of it, AML outsourcing may appear to be a win-win situation. But is everything really that simple? Can a financial institution simply find the cheapest supplier of services and watch the overheads fall? Nothing is simple in AML outsourcing. Assess what you outsource, avoid risk, and remember: the ultimate responsibility of AML compliance is in the hands of the financial institution. Responsibility can not be outsourced.