INSIGHT: The behaviours that are leading to big AML fines for banks – and how to fix them

By Paul O’Donoghue for AML Intelligence

We’ve all read the headlines as some of Europe’s biggest banks have faced massive fines for failing to properly deal with anti-money laundering (AML) issues.

Global fines for failing to prevent money laundering and other financial crime soared by 50pc in 2022 alone, with over $8bn dished out for AML-related breaches.

With fines nearly accepted as an inevitable cost of doing business by some banks, a new report from UK financial consultants Beyond FS asked why banks are so often penalised for AML issues – and what they can do to rectify this.

Beyond FS reveals the results in its white paper ‘Fine Prevention: Why financial crime and regulatory programmes fail and how to fix them’ which is published today.

What causes the fines?

The first key point raised by the report is – why? Santander UK was hit with a £108m charge by the UK’s Financial Conduct Authority in December 2022. Mere days later, Danske Bank received a $2 billion penalty from the US Department of Justice. And just a few months later, in July 2023, the US Federal Reserve imposed a $186m fine on Deutsche Bank.

In all three cases, the banks were ultimately felt to have made a similar key mistake – reacting too slowly and ineffectively to suspicious transactions. This was aggravated by the fact that often, these issues were brought to the company’s attention by regulators.

Where do banks go wrong?

But why do banks fail to react, especially when pointed in the right direction by state officials? To start, they tend to be poorly set up to deal with regulators.

Complex remediation programmes with externally mandated, immovable deadlines delivered under intense scrutiny are not something banks are geared towards in their day-to-day business.

This sets them up to run into several roadblocks when trying to respond to flagged AML problems. The report found banks may:

• Implement poor project governance, losing sight of key objectives
• Have an inadequate closure process that fails to satisfy the regulator’s requirements
• Treat a regulatory programme like a normal ‘change’ programme, underestimating the scale of the amount of work needed

This last point is one to hammer home, as regulatory programmes often have completely different requirements to other ‘change’ initiatives.

These include how they have to be able to stand up in front of a regulator and the difficulty of the closure process. Beyond FS found this last problem was one of particular concern, with banks repeatedly underestimating the “copious” supporting documentation and time-consuming face to face meetings needed to close a programme to a regulator’s satisfaction.

Setting up for success

So then, the heart of the matter for banks is how to put things right and successfully deliver AML and financial crimes regulatory remediation programmes.

First, Beyond FS identified the basics – get good controls in place from day one. This includes how documentation is collected and setting clear governance frameworks.

Recognising the key issue at the start is vital and will ensure the most important areas get most of the team’s focus, while less critical problems can be tackled later.

This is also where a bank should set their ‘Definition of Done’ (DoD). This is all of the conditions that a piece of work must satisfy in order for it to be considered completed.

Setting this involves analysing what the regulator asked. It then includes demonstrating the link between the regulatory requirements, what has been promised, and how the programme will contribute to those requirements.

Finally, projects should be set up with closure in mind, with clear sight of what is being worked towards.

Managing the remediation programme

Once a remediation scheme for AML or financial crimes is up and running, the next phase is managing it properly.

Despite the many differences in regulatory and normal ‘change’ initiatives, one area where they are similar is in governance. The usual management and control mechanisms are needed including standard programme forums, roles and responsibilities.

But a major difference is the level of rigour applied to regulator remediation programmes. To aid with this, timely and accurate reporting should be a central focus to guarantee firms stay on track. Of critical importance here is that data should be made accessible through dashboards, so it can be accessed quickly and easily.

Linking in with this is documentation. Remediation schemes often demand a detailed paper trail which must show what the programme set out to do, how things changed along the way and what was delivered.

General good project governance applies – tasks should be simplified and team members given clearly defined responsibilities and goals. But a potential stumbling block to be avoided in remediation programmes is silos – large financial institutions often have ‘Chinese walls’ between different parts of the business which must be broken down to stamp out miscommunications.

Management should also create spaces for people to speak freely. Beyond FS said team members are often reluctant to speak up when things are going wrong, which may result in ‘disaster striking’, apparently from nowhere.

A final recommendation is if firms are using consultants, to utilise them in the right way. Rather than banks trying to turn external consultants into experts in their business, they should be empowered to utilise their skills not available in-house.

Closure and beyond

The final step is closure. Here again is where a key difference from a normal project comes in, as senior figures in the business will have to meet with the regulator and demonstrate how the firm has met each of the objectives originally agreed. Generally this process can take several months and involves various closure committees meeting to review programme output and deliverables.

This is also where the ‘Definition of Done’ (DoD) comes back into play. Firms must check that what has been delivered meets the requirements set out by the regulator. A body of evidence and documentation must be able to support this view.

A tip highlighted by Beyond FS which may not be immediately obvious to banks is that closing a regulatory remediation programme is often based on emotion as well as facts.

A closure meeting with a regulator is essentially an oral exam and banks must be able to convince qualified (and likely sceptical) people that their programme has delivered what it should have. A strong narrative here can go a long way, carrying the regulator through the ‘story’ of how the programme started and ended, so that they literally ‘feel’ a sense of closure.

The final steps for senior leaders is ensuring their organisation has the right capabilities in place. Ideally, large banks would have a core permanent team tackle these programmes, or at least one which can be assembled as soon as needed. If pursuing outside help, stay away from generalists. Specialist firms which have been through the wringer of regulatory remediation programmes before, with experience in clear deliverables, will be needed.

Download the financial crime programme playbook:

Financial consultancy Beyond FS has considerable first-hand experience in delivering successful regulatory change in both extreme and less extreme circumstances, with a strong record of getting these programmes on track swiftly. Their new playbook, for senior leaders with oversight or responsibility for complex financial crime or regulatory change programmes, offers practical insights that will help bring programmes to a successful and timely conclusion.

DOWNLOAD HERE: ‘Fine Prevention: Why financial crime and regulatory programmes fail and how to fix them’ explores why programmes fail, and what can be done to deliver success, achieve the stated programme objectives and build frameworks for ongoing compliance.

Share this on:

Follow us on: