A financial institution’s (FI’s) monitoring and testing (M&T) team, which typically resides within the compliance department, is the Chief Compliance Officer’s (CCO) early warning system for compliance risks that are on the horizon. M&T and internal audit often work together to test various aspects of an FI’s daily operations including, but not limited to:
- Regulatory change;
- Transaction monitoring;
- AML investigation;
- Regulatory reporting;
- KYC requirements;
- Adverse media monitoring for customers;
- Data governance;
- Above the Line (ATL) and Below the Line (BTL) testing effectiveness;
- Third-party relationships with vendors etc.;
- Policies and Procedures;
- Case management system utilization; and
- Compliance IT infrastructure.
Many FI compliance models have evolved over the years to embrace the “Three Lines of Defense” model:
- The first line of defense is the Business and Operations function of an FI. This line owns all financial products, systems and processes and is the primary owner of risk.
- The second line of defense is Compliance. It develops, implements, improves and adjusts compliance risk mitigation efforts for the FI. The second line also advises the first line on compliance risk matters.
- The third line of defense is Internal Audit. This line provides overall assurance that the first and second lines of defense are effectively managing risk for the institution.
An effective M&T team working in conjunction with the other two lines of defense can turn a potentially high-risk matter into a low-risk issue. CCOs face the daunting task of being responsible for driving ownership of compliance risk across all facets of the business. Compliance departments are often categorized as a necessary cost center that handles regulatory matters and reports statistics on the number of Suspicious Activity Reports (SARs), Currency Transaction Reports (CTRs), and sanctions-related reports filed every month. In practice, CCOs are hamstrung by outdated and siloed IT systems that are incapable of producing accurate reporting on the effectiveness of their compliance program.
The critical question that CCOs can’t effectively answer today is: How much risk did we prevent? Data science, including the new technologies of artificial intelligence (AI) and machine learning, has matured into proven approaches that CCOs can rely upon to enhance traditional transaction monitoring (TM), Know Your Customer (KYC) data, and sanctions screening across their institution. From this analysis, AI can help the M&T team tell the story of what risk was found and, more importantly, what risk was prevented.
As we enter a period of heavy regulatory change, adequate monitoring and testing for effectiveness presents a growing challenge for M&T and internal audit teams. Regulatory change includes new state or federal banking and compliance regulations, best practices and guidelines. Regulatory testing should also include checking the FI’s controls after a regulatory, civil or criminal sanction is levied.
For example, if the OCC were to issue a consent order against a bank for conducting business with unlicensed money service businesses (MSBs), an FI should have an M&T plan in place to test the FI’s KYC, transaction monitoring and AML investigation systems to ensure that the FI does not have any system or process weakness that would allow a similar OCC sanction.
Data science has evolved to the point where AI and machine learning solutions can enhance M&T operations by quickly examining large amounts of transactional and customer data to find hidden problems sooner, allowing CCOs to gauge the effectiveness of their compliance program.