Anti-Money-Laundering (AML) and EDM
Aite Group recently published a new report - Anti-Money Laundering Technology: Automating the Haystack Search. Sadly I don't have access to the report but I wanted to take a moment to discuss AML. In the interests of full disclosure I would also say that the report did not include Fair Isaac as we do not offer a specific AML solution. The report expects an increased emphasis on money laundering compliance and notes that AML vendor offerings are improving as emerging needs are identified.
No-one doubts money laundering's potential to impact institutions nor that regulators will continue to look for signs of criminal behavior. The question is how should institutions respond to the problem - by making better use of existing systems or by buying new ones? Personally I think most organizations have the data and systems they need and should be focused not on adding another system but on applying consistent decisioning to their existing systems.
Let's break the AML problem into its two parts - ensuring that one is compliant with the rules (whether or not they catch the crooks) and actually catching crooks/preventing money laundering. On the first point, Eva Weber of the Aite Group said
"Institutions should be asking themselves the same questions that regulators are asking: Am I consistently applying AML policies and procedures? Are those policies and procedures appropriate to the risks my business faces? Can I demonstrate compliance fairly readily?" and
"Regulators are unlikely to penalize institutions for isolated oversights, as long as those institutions have given appropriate thought to their anti-money laundering programs."
So the key issue in compliance is being able to demonstrate that a program has been implemented, that the procedures being followed are appropriate and that the procedures are followed for every transaction. This is clearly a job for a business rules management system - I have written elsewhere on the role of business rules in compliance and this need to demonstrate compliance is a perfect use of business rules and decision automation rather than manual processes or traditional code.
The second problem, actually preventing and catching money laundering, is a little more complex and more akin to a traditional fraud problem. One might use business rules for some of this but one is also likely to build predictive models to enhance them. Neural nets are particularly good at this kind of detection as they learn what is normal and what is not.
To be honest most organizations are letting the government define the rules and then focusing on compliance so this is less of an issue.
If we consider the key AML functionality they list it includes such obviously rule-centric functionality as list checking (something rules can do in batch on interactively) and transaction monitoring (a form of business activity monitoring).
I do not believe there is a single answer when it comes to AML and that it possible to spend a lot of money or a little. I do believe that more organizations should think about applying a decisioning mindset to this problem rather than just buying another application.
I posted in response to an article on AML in insurance recently too.
James,
I know this post has been out there for a while, but maybe someone will click thru from your more recent post: http://edmblog.fairisaac.com/weblog/2006/06/using_business_.html
My view of AML is broader than the one you describe, although you do capture many of the key issues. Here is a link to what I consider to be a fairly complete AML technology framework: http://improving-nao-content.blogspot.com/2006/06/aml-framework-picture.html
Working through this we see how many items are pulled together on top of a technology backbone (in pink) of: EDRMS, BPMS, SOA, Rules, EDM, Analytics, etc.
Working across the blue verticals we see the many processes that make up a complete AML program.
As you state, manual processes are bad, so some form of process automation is absolutely required, and this is a focus for many financial institutions right now, especially around new account opening. Here, process automation ties together the individual tasks and decisions that must be performed. Rules and EDM are an essential part of this new account opening process, both for AML and for other items like suitability assessment.
As we move on to monitoring, which is periodically performed on all current accounts, and used to assess transactions in isolation and combination, it is obvious again the importance of strong rules capability.
Goverment (BSA in the US) reporting is really just a follow on from any red-flags raised in the previous processes, or from monitoring, and should absolutely be coordinated through a workflow to ensure timeliness of response.
Then there is that evil of all compliance: documenting what you do. This should be a lot easier when you have systems in place, and is a lot harder when you do so much process manually.
Finally, the event management requires process automation again, to ensure that you follow defined internal controls for requests and events that inevitably happen.
Why I have I gone through this? Really to validate that the use of rules and decision management is essential for AML as well as other issues. Rather than picking an individual AML component to solve a specific task (e.g. money-laundering risk ranking a new customer), it would be better to combine that with your current capabilities around credit-risk and suitability. Point solutions are rarely able to manage this. And in all cases the underlying technologies of BPMS and EDRMS provide the required control, enforcement and audit for a top-class enterprise compliance program.
For further reading, I have blogged about the combination of technologies required for a well controlled organization, at: http://improving-nao.blogspot.com/2006/06/online-processes-are-more-than-web.html
Expect more AML musings in the near future.
Posted by: Phil Ayres | June 23, 2006 at 11:24 AM