The Importance of a Strong AML Transaction Monitoring Governance Framework in Today’s Regulatory Environment

How to run a successful AML Transaction Monitoring Governance Framework

Transcription

Robert Bateman:

Hello, welcome back to FinCrime Global day two. I’m Robert Bateman, head of content at GRC world forums. And I’m your host for this afternoon. We’ve had a great day so far. There’s still four sessions remaining. Just a reminder to use the chat function, to interact with our panelists. We’ve had some really strong audience engagement so far. Lots of questions, and also comments on what panelists are saying, which is great to see. And a big thank you once more to our sponsors, Blackdot, Biocatch and Trunarrative for supporting this event. So our next session is about the importance of a strong AML transaction monitoring governance framework in today’s regulatory environment. I’ll be handing over to Sarah Francis, whose payments advisor and senior consultant at Polymath Consulting to moderate this session. Over to you Sarah.

Sarah Francis:

Thank you. Good afternoon all. It’s a pleasure to virtually sit in the room with you all. We are joined today by Paul Munson and Richard Parlour. I hope I’ve pronounced all of that right. Shout at me if I haven’t. The title for today’s session is the importance of a strong AML transaction monitoring governance framework in today’s regulatory environment. So what I’d like to do to kick off perhaps, is if I can ask first Paul and then Richard, to just briefly tell us a little bit about yourselves, what you do, what your history is type thing. So Paul, if I could ask you first.

Paul Munson:

Yeah, of course. So I’m currently head of compliance and MLRO at a UK based retail crypto exchange called Solidi Limited. We got FCA approval in July 2021. Went through the FCA, quite a rigorous process to get approval under the MLRs. My professional background prior to working with Solidi, I’ve spent a large chunk of my life in law enforcement conducting money laundering investigations, corruption investigations. I then worked at the FCA as a regulator working the financial crime team there. And then I worked in a consultancy firm helping arrange in its fee of payment firms. That firm was called Electronic Money Association. We’d help firms with regulatory matters. That was a whole range of things like getting approval to different countries across Europe because of Brexit was going on, but also generally doing this. Going into firms and advising them on their control frameworks, policies and [inaudible 00:03:27] and all that stuff will come onto. So that’s my background really. Very interested in innovative payments, particularly obviously crypto that’s why I’ve moved into that space.

Sarah Francis:

Great.

Paul Munson:

Thank you.

Sarah Francis:

And Richard.

Richard Parlour:

Yeah, thanks very much. Good to have everybody watching on the line and so on. I suppose my current role on this is I’m co-rapporteur on the EU Task Force on AML effectiveness. So we’ve been looking at all the issues which are going on with the system at the moment, why it’s not really working particularly well and coming up with ideas as to how to make it more effective. So I’m previously a member of the UK AML experts group under HM Treasury. I’ve written a book on international money laundering quite a while ago. I think that’s the first one which came out. And what I do? I do strategy policies, procedures. Then we put those in place through accelerated learning techniques to make sure that you get proper, really effective training. And then we help people do their investigation work. So we’ve done due diligence and investigation work in about 140 jurisdictions worldwide to date.

Sarah Francis:

Brilliant. Okay. So we’re well geared up to talk about the subject then. So tell me gentlemen, we talk about a governance framework and there’s new companies setting that up. But then there’s going up on with this operationally, what in practice does a governance framework look like?

Paul Munson:

Do you want me to go first or?

Sarah Francis:

Please do.

Paul Munson:

Yeah. I’ve put some bullets down on this. So I’ve thought about from what… I was doing quite a number of audits when I was at the FCA, of different types of firms, range of business models, that kind of thing. What is absolutely key, or the key thing for me, I think the first key pillar is risk assessment. It’s required under the money in laundering regs. It’s absolutely key to understand your business, what it does, how it does it. The product services do you use, agents or distributors. It’s defined in the regs, but that document, that business wide risk assessment document, is an absolute key document. And a lot of firms actually fall down on that by just not having that. That’s effectively your macro risk look across the business. And then obviously the control framework comes in, where are the risks or the likely risks from terrorist financing or money laundering for our business?

Paul Munson:

And then where do we put resources to mitigate those risks? And what do those resources look like? So that document is absolutely key. It’s normally you’ve got inherent risks, mitigation controls, and then residual risks. A lot of firms, well A, they may have one or get one designed by an external provider. I think we’ve touched on this earlier when we were doing our prep discussions. They then stop. It’s an iterative process. It has to continue. So that is my first pillar of a governance framework, is risk assessment business wide and then that flows down into lots of other things in the business. Would flow then through into individual customer risk assessments and things like that. But that is an absolute key pillar in my view. Did you want me to go through some others or, or should we…?

Sarah Francis:

Well, Richard, would you agree with that? And also with the concept that maybe it’s easy to lose track of that once you’ve initially done it?

Richard Parlour:

Yeah. Well, Paul’s absolutely right on that. Risk management is absolutely key to the whole process. And if you have a look at our EU task force support on AML effectiveness across Europe, you’ll see that we’ve divided it into three sections and those are governance, risk management and capability. And those are the three pillars that we decided were really important. Governance is if you haven’t got the architecture right, you may as well just go home. Risk management is absolutely vital. And then capability is also vital. Because if you’re not going to do anything about, it’s just an academic exercise which produces a whole bunch of false positives and loads of reports that actually gets nowhere near achieving the overall objective.

Richard Parlour:

But I would offer you a slightly different angle on that. So governance framework, I would say look at your AML architecture. And it’s not just about the architecture as it’s a standing building as it were. This has to be per pretty fluid. So into that, I would introduce a military kind of approach and say look at your battle rhythm as the military would say. So how do you go about making sure that architecture is working every day and producing what it needs to produce to keep you secure, first and foremost.

Sarah Francis:

Okay. Can I just-

Richard Parlour:

There are two, just very quickly, key aspects there. So one is, what do the rules say? But more important than what do the rules say is, what perfection do you need against the risks that you face? And that’s why, what Paul said, is so fundamental. Because if you don’t understand the risks, you won’t be able to build the architecture, you won’t get the battle rhythm right.

Sarah Francis:

Sure. Could you describe for me what you actually mean by architecture?

Richard Parlour:

For sure. Well [crosstalk 00:08:52]-

Sarah Francis:

For me.

Richard Parlour:

For me, architecture is looking at all the different elements that you’ve got at your disposal to counteract the risks that you face. Now, this is where we’ve got a bit of a structural problem, not just in the UK but worldwide, because the regulators in this sector have decided that what they think is a really good way of putting these together, is using what’s known as the three lines of defense. And this three lines of defense model is something which was quite effective in medieval times when building castles. It was something which was used at Rorke’s Drift in the [Ball 00:09:35] War. But if you have a look at all the world’s militaries, nobody does that any anymore. The castle model of defense, the only organization building castles these days is Walt Disney.

Richard Parlour:

So we need to get away from that. And what I would say is look at something which is more akin to an integrated air defense system. And see look at all your assets, you bring them all together, you work out what their strengths and weaknesses are. How they interlink and then make sure that they are interlinked. And you do have an active mobile defense which follows the risks that you’ve identified and assessed and keeps you as protected as you can be. You can never get a hundred percent protection, but this is…

Sarah Francis:

Oh, We lost Richard.

Paul Munson:

I think we’ve lost him.

Sarah Francis:

A bad… Okay. All right. Well, hopefully he’ll come back to us in a second. But carrying on almost that theme on what you were saying of about the business wide risk assessment, Paul. Richard was talking about architecture and battle lines and the rest, when we talk about transaction monitoring and the rest, how do you see that coming to the fore in terms of what are your resources and your tools? So is it all about the technology or is it using a mix of technology and resource, and how does that interact with your risk assessment as it were?

Paul Munson:

Yeah, so the risk assessment will come in looking at how your transactions could be used for money laundering or terrorist financing. So that would be articulating that risk. The mitigation or the controls, the systems come in terms of the mitigation side. So that’s what system you use to monitor transactions. And I’ve been to a range of firms, I’ve been to very small firms, where they literally sit with a spreadsheet and monitor manually transactions. That may be feasible in a small firm, but obviously wouldn’t be feasible in a larger firm. So most firms will have their own either in-house built transaction monitoring system, and will heavily rely on technology because they will have to. If they have any number of payments, transactions to monitor.

Paul Munson:

From my experience, generally the bulk of them, historically, they will work around rule sets. So they’re rules driven either based on transaction values or volumes. And certain things will trigger and then there’ll be alerted and then there’ll be an in investigation process. Those are all key documents where you set those controls, where you set those parameters is very important. And they must be reviewed continually and updated. Particularly if you change business model, or transactions change, or country risk changes. For example, you move into new territories, you would then not obviously update your rules. But they’re absolutely fundamental. A lot of other firms now build their own systems. I work in a very technically adept firm, so we have our own transaction monitoring.

Paul Munson:

We also, because we’re in crypto, have blockchain monitoring going on in tandem. So we are monitoring fee app transactions, normal currency transactions, but we’re also monitoring, in tandem, blockchain transactions. And we did have our own technology, but actually we rely on a vendor now for that, a third party vendor. But obviously your job as MLRO is understand how those systems work, A, generate the alerts. The other type I didn’t cover… Sorry. A lot of firms now have artificial intelligence. Where they’ll use either an algorithm to put all their transaction data through and it’ll find anomalies, or they may use known typologies from the past, feed them into the system and the system will look for more of those money movements or typologies that are risky ones that they’ve obviously already noted or stopped in the past.

Paul Munson:

And you certainly can get some of that from case studies and things like that. So you can feed in red flags into your system. But the main issue is having a system deciding on an approach. And then obviously seeing if that’s fit for purpose for your business. And then obviously the challenge part is actually looking at what comes out of it, how are those alerts managed? Obviously they will then become, the SARS, or [inaudible 00:46:59], or defense against money launderings based on each case.

Sarah Francis:

Okay. Well fortunately, we’ve got Richard back it would seem. Richard, sorry we lost you.

Richard Parlour:

To my defense, I think certainly might have been listening in. So you’re not talking about that.

Sarah Francis:

You were just talking about given your the input you put in terms of the battle lines and the architecture and stuff. What are the tools and the resources that come into transaction monitoring? The different types of systems and the mix of resources and technology. In your viewpoint and from your experience, how finely tuned does the line be between all technology, oral resource and working the mix of the two?

Richard Parlour:

Yeah, well, we have a lot of discussion about this in our task force. And some people who have got some quite of technology, have been trying to apply it to rather substantial databases. And we were all shocked actually to hear that some organizations have a number of thousands of staff whose job it is every day just to run through false positive spat out by an incompetent algorithm, and try and work out whether this is something they really ought to be concerned about or not. So I think my view on that, having say 5,000 staff doing this, to give you an idea of the context, that’s more people doing just that mindless job than are in the whole of Europe on, than are in the whole of the city of London police, our UK’s financial police. So monumental waste of effort in an attempt, I think, from on high to try and save money on people. And actually what they ended up doing is creating more people.

Richard Parlour:

So how would you get round that? A lot of people say, well just have a look at the specifications of the vendor system, which is in front of you. But I would say before that have a look at the human elements. So the key components of transaction monitoring really, if you go to make it effective tie into the habits of high performance. And there are six of those, which are clarity, energy, necessity, productivity, influence, and courage. So what does that mean in terms of AML? Well clarity, first and almost, be really clear on what you are doing. Getting a clear objective and making sure you’ve got the correct habits in. Make sure it works on from a human angle before you start getting the tech is involved.

Richard Parlour:

A lot of these people on the tech side, one of the adages about FinTech is that the real problem is that Fin doesn’t understand tech, and tech doesn’t understand Fin. So you really do need to make sure that it works and have AI before AI, so actual intelligence before artificial intelligence. So the supports tools can be absolutely fantastically helpful, but do not use that as your number one defense element. Make sure it works from the human side first and then attach and see how the technology works. And if you do it that way round A, you’ll get a better provider. Because you’ll know half of the problem is that these technology providers rock up and talk a whole load of things about their system and all those words are words in the English language. But quite often when they’re put together in a certain fashion, you just don’t know what’s happening. So working what the questions are that you want to ask of the technology provider to make sure the system’s going to work before you do that.

Sarah Francis:

Good advice there, I think, from both but a question. As somebody who’s been recently very involved in the day to day running of an entity who’s grown rapidly, been in business a few years, how hard is it? How much does it take to upkeep or keep going the requirements of a governance framework and the transaction monitoring. Paul, for instance, you mentioned about keeping up to date with the rules and everything else. And you mentioned, Richard, about measuring the false positives and things like that. When you’re neck deep in this stuff, a business is going on, how do you keep the focus on that framework and everything else? How do you keep it as fresh and your risk viewpoint as targeted and fresh as it were the day you set up or the last time, eight months ago that you did a business wide risk assessment? How do you keep that viewpoint in an operational environment? How hard is it? Paul, you come from a regulator and sitting in the sharp end of operations now, how do you find this?

Paul Munson:

I think it came out a little bit in what Richard said before, but I’ve seen a lot of firms where they basically churn out tons of alerts. The system generates a lot of noise, but of very little value or not substantial value. If we go back to the principles, what a transaction monitor system is meant to do in essence is find suspicious activity. You investigate it, the firm, whoever that is the compliance team or the larger team. And then where we’re appropriate alert the authorities. It’s as simple as that. What happens a lot I’ve seen is, I think maybe firms think if they have a lot of numbers, it looks good. If a regulator comes that they’ve gone through thousands of alerts.

Paul Munson:

And I have seen these teams, like Richard saying, that hundreds of people doing very mundane jobs. Going through stuff that really isn’t or basically there’s a flaw with the system. I think there’s always that challenge of when you are in the moment and you are operationally working, getting that time to step back and look at the things in the round. Like we talked about earlier, when you do an audit, you tend to do that. If an FCA audit’s coming up, you may have that opportunity and you may also sometimes bring in some advisory or external help with that to sort of… But that process has to be given weight and be done at least annually, I would say. Where you basically kick the tires and look, well, all of your controls. But really if we’re talking about transaction monitoring here today, so that would be looking at the rule set.

Paul Munson:

If it’s a rules driven system, even more difficult, the algorithm. If it’s an algorithm it’s effectively like a black box, you’re putting data in and data comes out. You’ve got to understand really how that works and that can be a very complicated process. But I suppose the trouble is that also stops innovation a little bit because a lot of firms have very big established systems. It’s not an easy process for them to move to something more nimble or something better. And there may be a lot of reticence against doing that anyway, in case it goes wrong. They know what they know, they don’t know what they don’t know. So I think it is a massive challenge to keep everything up to date and prioritize things in the moment when you are very busy doing lots of other things, but I think it’s absolutely key.

Paul Munson:

And I think probably transaction monitoring, of all the controls you can put in place, is one of the probably key for any business. Because you stop things at source don’t you? You’re stopping money laundering at source. And the tech can be very good, but I think back to Richard’s point, it’s also about effective human interaction with the system. Feeding the right things into the system if it’s an AI system. And you cannot be having skilled people looking at the alerts and making the right decisions. And that is absolutely as key as what the system does to be fair. I think that’s where I come.

Sarah Francis:

Yeah. Well, you guys have got a lot of interesting questions here. So…

Richard Parlour:

Quickly come in, just to follow up on what Paul said about and what you asked about keeping it fresh. Because there are two really important points there. One is, to keep it fresh then you to develop a cycle of how you build that freshness in. And the best way of doing that is to use what’s known as the intelligence cycle. Now this is a cycle which is used by pretty much all the world’s intelligence agencies to greater or lesser effect and impact as we’ve seen. But it has four elements to it. So it’s direction, first of all. So you direct what is it that you are trying to achieve? And then from there, okay, now you’ve got an idea of what the goal is. Move through and collect information on that.

Richard Parlour:

So the next section is collection. Once you’ve collected and collected the data in, then you need to process it. That’s where a lot of the transaction monitoring system can come in to play, but do make sure that you don’t ignore the human element. Humans are, by nature, very lazy. So if you’ve got a system in place and you can just press a button, hit and go, and then switch off mentally. That’s a support system, it’s not meant to get you to switch off. So you do need to work out how you are going to process that and build the human element into it. And then the fourth element from that is dissemination. Now that’s a cycle. So once you’ve done your dissemination, you go back and you revisit the direction. So in that revisitation, you need to work out how are you going to measure that? How are you going to assess it?

Richard Parlour:

And one of the big problems there is that, particularly in the financial sector, is that when I ask people how they measure it they say, we’ve got to… I was talking to a director of AML of a very large bank, not so long ago. And she was saying, well, we’ve got hundreds and hundreds of KPIs. And I thought, well, that doesn’t sound particularly good to me actually. So I said, well, what are your top 10? She said, well, we’ve got loads. It’s unfair to try and whistle it down to 10. So I said, top three? And I was still getting the same answers. Top one? At that stage, I got the response back. Well we measure how many suspicious activity reports we submit. Well, we look at Einstein’s quote about measuring what matters, we count what’s easy and we don’t count what’s more difficult.

Richard Parlour:

What I would really encourage all listeners to do is to follow this OKR methodology. O is objectives and KR are key results. This is the methodology which has driven the success behind companies like Twitter and LinkedIn, which started off in a garage not very long ago, and are now monumentally huge global companies. So if we were to start applying that kind of methodology to the financial crime sector, my view is that look out, we’d actually start achieving something. Because at the moment we’re only really, interdicting about 1% by most measurements of financial crime activity. And if any of us came home from school and said, well, how much? And your parents will say, what did you get in your test? And you say, 1%. I think all parents will be a bit disturbed.

Richard Parlour:

Hence our task force looking at what is it that we need to do to change things around and make sure we’re more effective on this. Because it’s been decades now. And I’m decrying some of the efforts. I think if you have a look at the Interpol website, if you have a look at FBI and so on there are some great stories about some fantastic action, but there isn’t enough of it. There are a number of reasons for that. Some of that is risk management, some of that is capability issues, some of it is governance, hence the structure of our report. But I think if you take that and then do a little exercise and translate it into what is needed in your organization, then that will help enormously. And then the final element of it is, remember that the top high performance element is joy. So this is a war and if you don’t keep morale up over the people who are doing the system, it is just going to be rot with high job turnover.

Sarah Francis:

I hear you. I think the challenge there though, Richard is, as you say, these cycles, the objectives and everything else. And I think the challenge often, I think, for a lot of companies and Paul, you are in at the deep end, tell me if I’m wrong here. But when you are particularly the growing FinTechs meeting with challenges, how do you get the mindset and the resources to apply to a continual view like that, a continual cycle that? A refreshed objective viewpoint when you’ve got dozens of people screaming at you. Can you make a decision on this? How do you do this? Where do we go with that? So do you find there is a challenge on keeping that refreshed view, the objective view that Richard is talking about?

Paul Munson:

Yes. You have to set yourself key targets and deadlines and make yourself do it, is the only way to achieve success. Because there’s plenty of other things you could be doing. I’ll give you an example now, in my firm, we’re relatively small and quite a small nimble firm, but I’m still going to produce an MLRO report because it helps everybody in the business to understand. That document in itself shows your number of SARS, your risks, have you got enough resources? That document tells effectively that can be your map to the whole system. So it’s just about making yourself put time aside and do that and treating it as a priority. Because it is a massive priority. If you don’t do these overview, these helicopter views as we were talked about earlier, how do you know the system’s working?

Paul Munson:

You could have a big problem coming down the track that you don’t… And certainly in larger firms, when I’ve been to those, that’s the issue. The issue there is really those people you are relying on to manage the alerts from transaction monitoring are they making the correct choices and keeping doing it? Because it can be quite a mind numbing job, but it’s lots of very similar alerts. But again, why waste that time and those resources by having a system that doesn’t work in the first place? So that’s why that overview is so key.

Sarah Francis:

Okay. Well, we’re up to question 10.

Paul Munson:

Okay. Good.

Sarah Francis:

So we’ve certainly got an audience today. I’m going to try and pick out them in the right order, so forgive me if I don’t get them quite right. But let’s start with what I think is quite an interesting one. Because I think it’s a shark in the water, because it says it’s asking us about should transaction monitoring rules be limited by geographical boundaries and how you suggest making rules global? Now this kind of strikes me as when you are looking at your transaction monitoring, how much of a geographical aspect does it have? Is there really a one size fits all in terms of global boundaries or are we still dealing with domestic aspects or regional aspects, would you say?

Paul Munson:

I think it’s hard to have global rules because there’s different risk in different jurisdictions. I’ve certainly seen that when I’ve done audits. You go to a big firm that has a group fund or lot of group functions. They may outsource to centers where labor’s a bit cheaper. The issue you have then is the UK MLRO is when somebody comes to ask you, well, how do you fit into those rules? If you can’t, how do you demonstrate your approach is effective? If you are given a group set of rules, which maybe a priority in Boston or somewhere else, they won’t necessarily… Well, they’re very unlikely to be fit for purpose in the UK. And you’ve got to take account of everything else that’s going on in the UK and what’s published.

Paul Munson:

So I think it’s a recipe for disaster if you do have one set of global rules in my, in my experience. You need to your rules to your business and your business could be a big, huge multinational and then you need different sets or looking for different types of behavior. But it must be tailored. You get a lot of firms who just buy a set of rules off the shelf from a vendor or something. Don’t really feed into that process. Just take the rules on face value, if it’s a rule set or whatever it is. And that is just the worst way to approach it. You should be looking at what you do and how you do it. A bit like the macro risk assessment we talked about. Same with transaction monitoring. Do these rules make sense for the business and the types of transaction and where the risk lies in our transactions? As simple as that really. So if you go for a global set, I think it’s very difficult to achieve that objective.

Sarah Francis:

Okay. And Richard, here’s one directly for you. What are your thoughts with respect to breaking down silos and creating efficient collaboration between business and tech units? A bit of a challenge for you?

Richard Parlour:

Yeah. I really wanted to just before I answer that, just to come answer more to Paul’s response, because that was one of the issues which we covered in our task force as well. And one of the reasons for that was we looked at the amount of suspicious activity reporting across Europe. And 50% of all Europe’s suspicious activity reports came from just two of the member states. And one of those has just left or recently left. So you can see that even though we’ve got what we’re up to now, we should have a number directs everyone, they seem to be coming in thick and fast these days. Up to six aren’t we? So whatever directors you got, you end up with different interpretation and implementation at different levels. Now that’s not surprising in a few other respects because obviously we are talking about financial movements. And you would expect the UK, being Europe’s leading financial center bar none certainly at the moment, to have many more kinds of suspicious activity reports or numbers of them than say a small estate, which hasn’t got the financial center, hasn’t got the financial infrastructure. Has only got basic banking by comparison with what you’ve got in London.

Richard Parlour:

But nonetheless, when you look at the really big suspicious activity reports, if I should say the more were important ones, which are involving organized crime, they always have an international element. And if you look at Russian organized crime, it has a certain international element to it. So it goes usually from Russia through into say Cypress, although increasingly Malta and Gibraltar over to some Caribbean jurisdiction, then the money it’s float around in the States. Come back into Europe either through somewhere like Switzerland or through the [buttocks 00:34:47] or somewhere before they ended up back in Russia. And of course, when you look at that from an interdiction point of view, legally, you have to prove every single transaction in that transaction link beyond all reasonable doubt because it’s a criminal burden of proof. And that’s really difficult. So that’s why we do need to share information internationally so that we can bring down these large organizations and we can indeed.

Sarah Francis:

I think what you’re saying there is, the rules can’t really be global because it is the movement between jurisdictions and things that can be meaningful.

Richard Parlour:

So my view is that you need… Certain fundamentals are the same wherever. So certain fundamentals of AML enshrine that in law, gets information exchange systems upgraded. So they’re much better than they are at the moment. And that’s at certain different levels as well. So it’s not just between states it’s between financial institutions.

Sarah Francis:

But if we’re talking about setting operational roles in a system, then that what you’re saying really gets down to, you need to monitor the movements between geographies, but the rule sets wouldn’t be global. They would still take into account the geographies, the domestic nature of things as well.

Richard Parlour:

Well, they’ll take into account the risk profile and that’s really what should happen. So certain countries have got absolutely no terrorism risk and their view is why should we have terrorism rules and so on? It doesn’t make any sense. It’s not a risk for us at all. We’re not involved in that. We’re not part of that system. So you can see that, but overall the basic elements, the six elements of anti-money laundering controls…

Sarah Francis:

I’m sorry to rush you, but we’re now up to question 12 and I’m keen to keep the momentum going as we’ve got people’s interests.

Richard Parlour:

If you don’t get a question answered, just get in touch and I’ll see if we can get you an answer.

Sarah Francis:

Sure. But this thought of efficient collaboration between business and tech units, I think Paul, you’ll be seeing that on a day to day basis and Richard, I’m sure your overall and your task force looked at this, what is the best way of efficiently making that communication, that collaboration, happen in your viewpoint?

Richard Parlour:

You just got to build it into your systems. Certain organizations have just the most unbelievable silos. So one of our largest banks, for example, has silos within its AML department would you believe.

Sarah Francis:

But how do you build it into the system?

Richard Parlour:

You make sure that you’ve got elements of collaboration in there. So you have regular meetings between tech and operational people. You make sure that both of you have really understood and agreed upon the objectives and what those key results will be that you are both aiming towards. Once you’ve set your OKRs, so you know your measures of effectiveness, then set a KPIs. Don’t do it the other way around. Set the OKRs, then the KPIs. Because KPIs are not measures of effectiveness. They’re measures of efficiency. So if you just put the KPIs in without any effectiveness measures, then you are potentially just driving yourself to the wrong result even faster than you would’ve done beforehand, which is not the ideal solution. So build that into your system. And then the intelligent cycle that I mentioned earlier that obviously needs to have tech people involved in that cycle, as well as the operational strategic people as well.

Sarah Francis:

Okay. Couple of interesting ones here. So nitty grit, I love this question because I’ve come across this happening before. Your thoughts on how lowering or increasing the transaction threshold should be handled to avoid missing out on positive may matches. So how much of a tool is it really to lower, higher the threshold on your transaction monitoring?

Paul Munson:

Well, you can do it but it’s got a risk, isn’t it? It’s like everything. It’s where you set those parameters. So it’s what we’ve talked about all day today, isn’t it? You set them too low and you churn out a lot of noise that may not be the… I would argue it’s not as simple as just setting a figure, a hundred pounds, or 200 pounds or something. When systems work well, it’s really about… Some of the best I’ve seen is these AI systems where you feed a typology in. Which is a bit what Richard is talking about, where the money’s moving around a lot it’s true money laundering. So there’s the layering going on in the transactions. There could be multiple things that would trigger an alert. There’s a lot of basics, I think somebody else lost about cash transactions. Cash transactions you’d presume would have lower thresholds for alerting than the normal transactions, because cash is higher risk. They’re normally givens but I have been to firms where they call that out in their risk assessment. Cash transactions are higher and then have exactly the same limits in the transaction monitoring system, which makes no sense at all.

Paul Munson:

I think basically rule sets, as we’ve talked about, they have to work for your business and you have to be able to justify where you set the thresholds. So it’s not just about saying, my threshold is 200 pounds. It’s saying, my thresholds at 200 pounds because how that works out with my average transaction, or where risk lies, or previous case studies have said. But normally they’re volume and value. So it’ll be three alerts for certain value. But you only really know if it’s working by taking this look back and seeing what comes out of the system, however it works. And is it finding the right outcomes? Are those investigations becoming SARS? You’d be looking at the management information in the system. What’s the conversion rate? Because if it’s half a percent or something and probably your system is generating too much noise because when it comes to it…

Paul Munson:

But obviously, that’s part of the challenge as well is, are those… You delegate that responsibility to, as MLRO, investigate the alerts coming to the right conclusions. So you may be in a situation where you can’t look at every single look because there’s just too many. But you would then be doing some audit or dip sampling to be comfortable that the processes are working effectively. But it’s not as simple as just saying, I’ll put the limit up and down. More thought has to go into it than that in my experience.

Sarah Francis:

Okay. I’d just like to pop back to the first question we were asked, because this is fascinating me and I’d love to hear your viewpoints, particularly yours on this, Richard. Will national supervisors and FIUs be abolished and be replaced by the new EU body? And let me just put another bit on that and what does that mean for the UK now? So do we see an EU wide body or will we remain with national supervisors? And if we did do that what would it mean to the UK?

Richard Parlour:

Yeah. Short answer to the question written down is no. And the short answer to your question is neither. The national supervisors and FIUs are not going to be abolished and replaced. They have to be there. Each member state has got different risk profiles and actually in certain member states the risk profiles are different between different areas of the member state, or the former member state. What about UK involvement? This has been really tricky actually because essentially the UK is no longer part of Europe, which is an absolute unmitigated disaster in terms of information exchange. We do have some informal information exchange procedures, but they are so arcane. You wouldn’t believe that you have to put information requested through various embassies in other countries. It’s just insane. So Brexit just probably the most poorly negotiated agreement on the planet history, I think. And to leave gaps in the system like that to enable criminals to get through is absolutely disastrous.

Richard Parlour:

You look at the Brexit agreement, there is one page on this and it is so high level that it’s virtually meaningless. Just appalling behavior, it really was. And really irritating as well because it was going so well. And if you have a chat with Sir Rob Wayne Wright, who was the previous head of Europol, he’ll give you loads more on why it’s such a bad decision. But we’ll still try and exchange information, it just not going to be as effective. And the criminals absolutely flipping love that.

Sarah Francis:

Okay. We’ve hit our time limit but I think we could have continued talking for hours. And there’s lots of unanswered questions, but I’m sure you guys will be willing if we distribute them afterwards. We will try and publish the answers or some opinions as I’m sure there are some opinions, particularly about the anonymity of crypto, and third party risks associated with transactions, and how we actually affect change in the longer term. And I’m sure Richard, your task force has much to contribute on that part. But I think, I’m just checking, we are at about the end of the session. But it has been very worthwhile. So I think you’ll agree, Robert. Interesting discussion, lots that could have been talked about afterwards.

Robert Bateman:

A great discussion. Thank you so much to all three of you and as well to the audience. We have had an incredible amount of audience interaction this time around. Double digit questions every time. So thanks so much for that. Two interesting points there for me, among many others of course. The differences between jurisdictions and how difficult it is to create a globally consistent rule set on anti-money laundering. Now we’re seeing these parallel regimes develop here in the UK and in the EU. And we have two sessions coming up that will be of interest to anyone who is watching that. At three o’clock, there’s a session on the EU’s new package of anti-money laundering regulations and the establishment of the European Money Laundering Authority, which is mentioned in the session there. And up next, we have a presentation.