The New Normal: Compliance Operations and COVID-19
June 30th, 2020
COVID-19 and Compliance: Where are we now?
As we continue life with COVID-19 around the world, our environment looks dramatically different from January 2020. Financial crime compliance teams have now been operating under business continuity plans for months. Lockdown restrictions are easing as countries grapple with the challenge of getting life back to normal as safely as possible. When it comes to fighting financial crime and ensuring compliance, what might the future look like?
Compliance always has been and always will be a critical function that receives focus from both internal audit teams and regulatory and legislative agencies. For this reason, compliance functions were primarily office-based, existing on a secured floor within the organization. System access was tightly controlled with a number of key systems restricted to on-premise access only. Organizations were already transitioning toward flexible working practices to varying degrees, allowing home working and flexible hours for compliance professionals. Because of the confidentiality and sensitivity of the role, the majority of compliance employees were still primarily office-based in a secured office environment.
Our new normal means that at many organizations, the entire AML compliance team is working remotely. While most organizations have had varying short-term success at adapting and remaining resilient, it’s not without its challenges. Technology is a key part of any remote working strategy, and without it many compliance teams simply would not be able to function. Long term, remote work could make certain areas challenging, such as maintaining ongoing team engagement, ensuring team members share ideas and knowledge amongst themselves and maintaining investigation quality.
Financial crime has adapted
There has been no relaxing of financial crime regulations. Regulated organizations still need to adopt a risk-based approach and maintain adequate systems and controls to prevent financial crime. When the UK FCA released updated guidance in May 2020, they acknowledged the disruption to ‘business as normal’ in financial crime compliance, but stated they still expect firms to maintain effective systems and controls to combat financial crime and terrorist financing. They also reiterated that firms should be aware of new or changing financial crime threats and take an appropriate risk-based approach to mitigate these threats.
Before COVID-19, financial institutions were fairly well established in identifying normal versus suspicious activity for their customers and transactions flowing through their organizations. The current climate has raised challenges as ‘normal’ activity for customers changes. As businesses like restaurants and gyms try to stay in business, they may have diversified their legitimate activities to earn revenue yet remain compliant with government restrictions. Another scenario is that customers who have historically been cash heavy in their activity have now gone digital. Are these new activities legitimate, or a suspicious change in behavior?
The majority of changes we see with customer behavior are likely to be legitimate as people adapt to the new reality. As some customers are unlikely to revert to their old transactional behavior, it will be difficult for compliance investigation teams to keep up with legitimate changes, making it even harder to spot suspicious behavior.
As a result of COVID-19, criminals have also had to adapt. During the height of the lockdown, it was not as easy to walk into a bank branch and deposit money into an account. Criminals ran the risk of sticking out to authorities, as there were fewer people around.
I believe we will see a quicker transformation toward digital banking, both from legitimate customers and criminals. We will likely see a greater fall in the use of cash across our economy. Criminals will look for ways to digitalize the cash intensive parts of their operations, allowing them to move and layer their illicit gains quicker, even when bank branches and MSBs are closed.
Not only will criminals change how they acquire and move their illicit wealth, they will also exploit any opportunity to expand into new ventures. You only have to look at how quickly new fraud scams appeared once the pandemic took hold. We saw fraud, such as phishing scams where victims were asked to click a bogus link to claim back a tax refund, scams alleging that someone came into contact with a COVID-infected person, and sales of fake testing kits or non-existent or substandard PPE. The Italian mafia also used COVID-19 as an opportunity to win over people by offering support to households who had run out of cash. Their motive is clear: to gain influence to expand their criminal empire.
These changes mean that now, more than ever, we must be alert to potential new threats. We need to review our detection systems to ensure our models and thresholds are appropriate. It’s important to spend more time reviewing unusual behavior to check if it’s actually suspicious, and we need to use relevant channels to share new typologies. Sharing what we can with other regulated entities will help ensure we can adapt faster and maintain the front line against the criminals.
Operational resilience: The new phrase in compliance
Not only is criminal behavior evolving, but the way compliance works is ultimately changing. Resilience will now be at the forefront of every compliance manager’s mind. Over the next few months, workers will be returning to the office. One thing COVID has taught us is that we can work remotely and remain fairly resilient and effective. As a result, organizations are now looking at the cost of their office space, wondering whether they need to maintain these spaces for staff at all times.
We now all know that resiliency is a core requirement for any compliance function. If we are not resilient, our operations could fail when the unexpected happens, resulting in a potential breach of compliance regulations. Moving forward, we need to ensure that any issues we encountered during this time are dealt with, mitigating the risk of regulatory or governance breaches.
One challenge that organizations will continue to face with remote working is ensuring appropriate conduct, maintaining productivity and ensuring consistent, quality outcomes. Staff can feel isolated while working from home, especially with little or no access to the office or restricted access to colleagues to share knowledge. For flexible working to be successful, management must put processes in place to ensure staff feel connected and reduce barriers to allow employees to share ideas and knowledge. This could include daily or weekly huddles, and ensuring that staff log into messaging apps to show their availability. When possible, it’s also important that staff have access to use video features during meetings, providing better engagement compared with voice-only meetings.
In a recent survey I ran, I asked what compliance professionals thought would happen to compliance operations in the new normal.
- 44 percent of respondents thought it would still be office based, but with increased flexibility in working practices.
- Only eight percent thought it would go back to the old normal.
- Interestingly, 31 percent thought their organizations would move to remote working as normal practice, with the office acting as a hot desk hub.
- When compliance professionals were asked how they would prefer to work, 39 percent said they would love the flexibility to work in both the office and remotely as needed.
- 37 percent of respondents stated that they would like to remain working remotely full time.
- Unsurprisingly, only five percent said they would prefer to return to the office full time.
The biggest challenges identified with remote working were effective communication between teams, access to relevant systems to effectively perform their role, and training and staff development.
It appears that at least some of the changes we have seen will be permanent, making it important to maintain management oversight regardless of work environment. When staff are not in the same office as management to have a quick review, it is even more important that managers maintain discipline to ensure appropriate staff conduct, work quality and that cases are being worked in a timely manner.
Some challenges were identified in the survey with remote working. When it comes to management, we recommend that you:
- Ensure alerts and cases are allocated to appropriate team members, according to skills and workload.
- Monitor alert and case aging, making sure cases are worked in a timely manner and are not neglected by investigators.
- Review investigation quality. Are investigators conducting a diligent investigation in accordance with policies and procedures? Have they gathered sufficient evidence to make an appropriate decision?
- Review investigation outcomes. Has the investigator made the right disposal decision? Was this decision based on the right information?
- Maintain knowledge sharing. Compliance teams are by their nature varied, with some staff more experienced than others. The ability for teams to share knowledge and experiences helps individuals develop and become better investigators. This needs to be maintained through regular knowledge share sessions. Are the team seeing a change in alert types? How are they dealing with these?
- Provide development training. It is critical for compliance staff to receive regular training to remain current and continue to expand their skills. Leaders need to provide the tools and resources to develop their staff. Are your staff aware of new typologies? Are there changes in regulations or legislation that will impact investigations? Are there specific threats of which staff need to be cognizant?
Greater flexibility in working practices with significantly fewer people working in the office environment may seem alien, but with the right leadership you can maintain work quality and staff morale.
Remaining resilient with technology
Not only do we need to help our staff remain operationally robust and resilient, we also need the right technology to support them and ensure the organization is complying with regulations.
Technology is not the main solution that will solve all resiliency problems, but it will help put controls and governance in place to allow for smoother, more consistent remote working operations. Organizations’ resiliency plans have been tested to the extreme in recent months, and hopefully any gaps have been identified. Moving forward, we need to be prepared for anything.
How technology can help:
- Better detection – Both contextual analytics and AI can help improve detection, reducing false positives and ensuring true negatives are not missed. Contextual analytics monitors all known information about a customer, checking KYC data against transaction data. Organizations can also integrate third-party data into the analytics, such as adverse media or corporate information, or even additional internal data sources such as voice or digital communication with a customer. The more information you know about a customer, the easier it is to understand what is normal or abnormal for that customer. AI and advanced customer segmentation can help spot anomalies in customer behavior, allowing you to identify the unknown unknowns. With these technologies, you can reduce alert volumes and concentrate more on the alerts that are likely to result in a SAR filing. In turn, reducing the number of staff required to work alerts will provide capacity if there is increased illness in the team, allowing you to reallocate your workforce.
- Improved alert and case management – A financial crime hub platform will provide much greater efficiency in the way alerts and cases are managed and investigated. Predictive scoring, through machine learning, will predict how likely an alert is to result in a SAR or no SAR disposition. This includes automating the alert allocation process, sending some alerts directly to SAR teams and others to either level 1 or level 2 teams, and hibernating alerts with low predictive scores until other activity occurs that increases suspicion. Ensuring that higher risk alerts that are more likely to result in SARs are worked first will help manage risk where investigation teams may be stretched. The financial crime hub helps by providing a 360-degree view of the customer across the organization. Integrating third-party data into the platform can reduce manual processing, allowing investigators to quickly see all customer activity and risk. This then reduces unproductive time, giving the investigator the ability to see all the information they need in one place to make a justified SAR or no SAR decision.
- Greater transparency and auditability – A financial crime hub with integrated management information and quality assurance tools allows the management team to maintain quality, whether the staff are working in the office or remotely. Management can quickly see what detection models are working effectively and which are not, and they can also monitor alert throughput, investigation and disposition quality and ensure all of this is completed quickly. Digitizing this process mitigates risk and provides faster, higher-quality oversight. It also ensures the organization is in a strong compliance position and able to fully justify their processes and decisions.
- Effective communication – This is key when staff are working in multiple locations. Both staff and management need the ability to communicate with each other. This helps with staff development, decision making and builds a successful, coherent and aligned team. Isolation and lack of communication between team members could result in a reduction in quality and productivity, increasing the risk of something going wrong, such as an incorrect disposal decision.
The new normal has introduced and will continue to introduce new challenges. It will also create opportunity, potentially through increased engagement from staff who welcome the flexibility open to them during the working week. Whatever the future holds, as a compliance industry we have to change and become more resilient and flexible. This is important not just to help save costs and attract and retain talented staff, but to be prepared for a future with COVID-19.
With the right staff, leadership and technology, we all can remain resilient without sacrificing quality or consistency. The last few months have proven that it is possible; we just need to continue to risk assess the changing criminal threats and adjust our operations, processes and governance to ensure we counter these threats and remain a strong front line against the criminals. By working together, we have adapted and will continue to adapt successfully to this new world.