Lessons Learned: Weak AML governance wove through 2017, cyberattacks to continue, worsen
Friday, February 2, 2018
Posted by: Brian Monroe
ACFCS is continuing our “Lessons Learned” series where we are querying top financial crime compliance professionals for takeaways from 2017 and what issues could be the new compliance vanguard this year.
This week, we share some critical insight offered by Larry Greenberger, who has been working in trading, banking, finance and compliance for more than two decades in Asia and Europe.
Greenberger, now a consultant for K2 Intelligence in Spain, is able to cut through the noise of loudly buzzing buzzwords – including AI, fintech, regtech and others – to analyze some of the more foundational precepts that some banks and compliance departments missed last year.
Greenberger noted that while charting the course of compliance, for some, it may feel like crystal ball gazing.
Compliance officers and frontline risk assessment teams are trying to tap into precognitive abilities to accurately forecast if a customer or company will fall afoul of financial crime laws and, hopefully, have those aberrations picked up by whatever systems are in play and, lastly, hope that whoever is reviewing the alerts correctly identifies the suspicious behavior.
If you think this sounds like trying to pick order out of a sea of chaos in a roiling cauldron of probabilities, you are right, Greenberger said.
But that’s where you can use better governance at the front end and tone from the top to improve results across the compliance function – providing less fuel for regulatory knuckle raps, but more valuable intelligence for law enforcement.
Here is an edited chat with Greenberger and ACFCS Director of Content, Brian Monroe.
What do you think were the biggest financial crime trends in 2017 and why?
While clearly the headline-grabbing, hipster, trending buzzword articles mainly focused on cyberattacks, digital currencies, fintech, and AI, a common thread we saw running through the world of financial crime was the exploitation of institutions with weak corporate governance.
Why? Because it works.
This view looks at the problem from a top-down perspective as opposed to the bottom-up approach, which focuses on the problem at the transactional level. Both approaches are right but need to be addressed in a synchronized manner. Implementation of one without the other won’t work.
How did the industry respond to those vulnerabilities, regulatory focal points or criminal tactics?
To a large part the response was to pay big fines and then attempt to improve governance, tighten controls, and monitor transactions at a higher level after the fact. A lot of work needs to be done on this front with respect to implementing and improving accountability at the highest levels of governance.
What else do you think financial crime compliance professionals, regulators and FIs should be doing to better detect and prevent financial crime?
This is very difficult. That said, if it were easy, everyone would do it. One could argue that to a large degree, financial crime occurrence is random in time and place. It can happen in a lot of different areas, and cloak itself in many different ways.
Two possible common denominators of predicting the randomness of where and how financial crime occurs come when need/greed meets opportunity.
One of the definitions of chaos I really like is “when the present determines the future, but the approximate present does not approximately determine the future.”
I think this definition applies nicely when looking at attempting to prevent financial crime. In essence, the prevention of financial crime boils down to being able to predict randomness. Randomness is what the financial criminal sees as chaos and their ability to exploit that chaos.
Since by definition we’re dealing with approximates, it only follows that the best we can do to improve prevention is via probabilities, i.e. get the odds in our favor – strengthen corporate governance while simultaneously tightening controls at the transactional level.
This answer applies mostly to financial institutions. The spectrum gets much broader when the focus widens to include alternative stores of value that don’t have to flow through financial intermediaries.
At an institutional level firms can make much better use of external audits. I’m not speaking of public or transactional audits here, but rather independent procedural audits.
I’ve seen too many cases of corporate laziness which leads to willful blindness which leads to internal obfuscation as problematic situations quickly go from bad to worse. Hoping that problems will go away is not a strategy.
The insight and advice of an experienced external consultant can prove invaluable in maintaining a front-footed posture as opposed to being caught on the back foot.
What do you think will be the big issues to tackle in 2018?
In addition to continuing to improve corporate governance roles, responsibility and accountability, the biggest issue I see for 2018 will be defending against cyberattacks.
As old-school financial criminals look to exploit weaknesses in governance as seen from the top-down approach, attackers will continue to try and exploit systemic weaknesses from a cyber angle.
One of the main problems in deterring cyberattacks is the faceless nature of the attacks and the inability to punish, and therefore the failure to act as a deterrent.
Lastly, do you have any tips to help banks maximize resources and better keep their teams strong in a time of tight budgets?
1. Tighten up on corporate governance roles, responsibility, and accountability.
1. Keep looking at the dynamics of vulnerabilities (they change). Think like a criminal: If I wanted to accomplish _____, how would I do it? Align/re-align the probabilities of occurrence/prevention. Play the odds.
1. Don’t skimp on the cyber defense budget.
*All purposefully numbered as 1.