AML is weak if banks lack measures for success. They need to set KPIs
By Gabriella Bussien, CEO at tech-first financial crime prevention organisation Trapets, a Nordic market leader that has been fighting emerging forms of financial crime for over 20 years.
NASDAQ’s recent report on how $3T in dirty money is flowing through the world’s financial system also highlighted the role banks’ shortcomings play. One of the main culprits harming banks’ ability to fight financial crime is: a “Lack of Measures for Success.”
Banks and financial institutions (FIs) need stronger KPIs for financial crime prevention that break free of ineffective traditional benchmarks. Companies often attempt to measure their results in terms of reducing the number of false positives or suspicious activity alerts. But these “easy” indicators are actually red herrings, either unattainable or distractions from the true problems.
For example, while FIs track the number of “suspicious activity reports” (SARs) filed, they have no idea how many of them accurately identified a crime, because once they’re handed off to law enforcement, tracking stops.
There are better ways to measure an FI’s success in fighting crime, improving their risk models, and setting future goals that aren’t just vanity metrics, but truly move the needle.
Here is a strategy all FIs can follow in implementing robust anti-crime KPIs.
- Start with Key Risk Indicators – KRIs
Before even thinking about KPIs, FIs have to set Key Risk Indicators, or KRIs. This means essentially understanding your crime exposure in every aspect of your company, meaning there is no one-size-fits-all.
KRIs will depend on the FI’s size, geographical presence, customer base, distribution channels and product offering. Every bank should already have a thorough risk assessment. What they need to do is make sure that it is differentiated across variables that affect risk, such as the industries and countries in which your customers operate (a company offering gambling services requires a stricter risk assessment from one selling sports equipment); the risk level of your different branches (are they cash or credit-intensive?); and the types of product you’re offering (a loan for a cash-heavy business is riskier than offering car insurance).
FIs must also make sure that the risk assessment is being regularly updated with new contextual information, such as any national risk assessments and internal data on customer behaviour, transactions and more.
Then, you can use that assessment to determine what your unique Key Risk Indicators are. For example, if your bank has opened a branch in a country that is inherently at higher risk of AML, then your local customers might all be considered high-risk because of their area of operations alone. The KRIs in that branch are a lot more nuanced to local dynamics. In this case, it would be irrational for your resulting KPI to be “reduce the number of high-risk customers,” as that would basically mean closing down the branch. You want to keep those “high-risk” customers, but lower the incurred risk for your institutions. One way to do this, for example, could be to establish a KPI that increases the frequency of enhanced due diligence on local customers, or increases the level of local risk training of your branch employees.
Risk indicators are snapshots of historical data – they only measure what has already happened. KPIs are a future indicator – where you want to be in the near future. But you have to know where you are now to know where you want to be.
- Don’t use traditional indicators as vanity metrics
Once you have established your unique KRIs, turn to the metrics you’ve currently been using to assess your anti-crime strategy.
A lot of the figures presented to management – such as false positives, the number of high-risk customers, the number of alerts generated – are used as “vanity metrics” because they look good when they trend downwards. But typically they are an unreliable snapshot of the superficial situation. They’re so volatile that they can jump erratically from one day to the next, as reporting might not be consistent across days.
Here are some examples – the number of customers with KYC overdues is a highly valued metric in FIs. It measures the number of customers whose KYC data should have been updated, but is now overdue. While it might be low today, tomorrow the threshold could push a large part of your customers to overdue. The real issue you’re chasing shouldn’t be the number, but the efficiency of the mechanism you have in place to update KYC info. An alternative tracker could be the diffusion of automated options to customers for hassle-free updating of KYC data.
Another common indicator is the number of false positives, or how many of the transaction alerts generated by the system are dismissed as false alarms upon review. But what does that % really say? If false positives have decreased by 20%, does that mean that your transaction monitoring system has become more discerning, or does it mean you’ve been completely missing a sector of transactions because criminals’ MOs have changed? You should instead be looking at whether your transaction monitoring system is working correctly and whether it has been updated regularly with new scenarios and risk models.
Finally, you need to be looking at these metrics for an extended period of time to truly decipher trends and peak periods, and understand the purpose behind their measurement (which feeds back into the KRIs).
- KPIs for your team are essential
While all the aforementioned metrics come with some level of ambiguity, the clearest metrics for any FIs are those that measure the proficiency and trustworthiness of your employees, from the first line of defence all the way to top management.
Several KPIs can serve this purpose. In terms of proficiency, you can measure the team’s efficiency in, for example, the processing time of onboarding and updating KYC; or the processing time of an alert.
An essential KPI is ongoing training for employees. Awareness and compliance training can be monitored in terms of courses completed and resources distributed. Also make sure your internal intelligence is constantly growing by tracking how often you send employees to conferences, read new papers on emerging trends and more.
Your employees can be a liability if you don’t have good KPIs on conducting background checks and continuously reviewing your team members.
- Set up a KPI refinement wheel
Your main global objective with KPIs should be to keep fine-tuning them constantly. You need to set a wheel in motion: Set KPIs – Risk assessment – Routine monitoring and data analysis – Update risk assessment – Update KPIs.
For example, suspicious activity alerts can give you a broader picture of the factors impacting your risk assessment and where it might need to be refined. You may see multiple alerts coming up within a specific channel, such as when customers are paying online, or when they’re conducting cash transactions at a specific branch. You can take that information and use it to update the risk assessment and rework your transaction monitoring systems. That could lead to new KPIs on increasing enhanced due diligence on customers at a specific branch, or using specific channels.
Your work is never done. As I said before, this process is not about the numbers. It’s about having an effective, working risk management system. Use your KPI journey to upgrade your financial crime prevention strategy as a whole.