
AML and financial crime efforts will be pursued aggressively

Paige McNamee

Senior Reporter, Finextra

This is an excerpt from The Future of Risk Management and Compliance 2023 report.

Financial crime, particularly anti-money laundering (AML) and counter-terrorist financing measures, remains at the top of regulators’ agendas. Against a backdrop of global tensions and instability, AML and counter-terrorist financing controls have become central to risk management for financial institutions, and firms must prepare for and protect against such risks in an increasingly digital world.

Research from Fenergo found that global AML fines surged by 50% during 2022, with a total of $56.1 billion in enforcement actions levelled against financial institutions for AML, data privacy, MiFID and ESG compliance breaches.

Given the rise in international instability and nation state-backed threat actors conducting attack campaigns, Jacob Ansari, director and National PCI Practice Leader at Mazars US, explains that financial institutions will need to take a more aggressive position in defending themselves against ransomware, impersonation threats and attempts to launder money internationally. “While financial institutions need to adhere to existing regulations, particularly as they pertain to anti-money laundering and anti-terrorism statutes, it’s likely that they will need to conduct extensive risk assessments to determine the efficacy of their controls and possibly go beyond what regulations mandate to address their particular risk appetites.”

Indwar believes that AML and sanctions risk management will be more fraught than ever during 2023. “UK regulators are highly focused on this area, as illustrated by their substantial and sustained levels of financial crime enforcement actions which now regularly account for at least half of the total value of the fines that they impose.”

Indwar adds that the UK regulators’ key message continues to be that financial crime risks, including AML and sanctions, are key risks, and that firms should manage them holistically, recognising the substantial overlap in the controls needed for the various financial crime risks.

The FCA’s 2022/23 business plan identified “reducing and preventing financial crime” as one of its key commitments within its “Reducing and preventing serious harm” area of focus. In January 2023, the FCA imposed two fines related to financial crime and AML failures, one on Guaranty Trust Bank (UK) Limited and the second on Al Rayan Bank, totalling £11,695,400.

This overlap of controls will prove ever more challenging for firms, Indwar warns, as UK AML rules continue to evolve and the trend produces increasing divergence between UK and EU requirements, with the EU “full steam ahead on its own AML regulatory consolidation and reform agenda. This divergence is an area ripe for gaps in compliance systems to appear and can be low-hanging fruit for investigators.”

When it comes to risk management, Firmin argues that risk assessments are all too often treated as a box-ticking exercise or an annual process. Instead, data should be monitored continuously, and the risk assessment should be continually reviewed, updated and reported. Firms should treat trigger events, such as the introduction of new products, changes in policies or regulatory requirements, audit findings, and risk and issue management actions (both newly raised and closed), as a reason to reassess a given risk.

Such risk assessments can be enriched, he adds, in two ways:

  1. through subject matter expert (SME) knowledge; and
  2. data.

Unfortunately, the data held and used by many organisations is static and historic, rendering the assessment backward looking. Firmin explains that the skill of a good risk assessment lies in taking that data and using it to look forward: to challenge existing processes and controls, to explore where a risk could manifest and how it could materialise, and to determine what can be done to prevent it from coming to fruition. “The use of real-time data and 'dynamic' risk assessments is an emerging theme that allows firms to focus on actual, up to date risks and allocate resources proportionate to the risks faced.”

Data management, and the use of multiple data points from across an organisation, is becoming increasingly important to ensure an organisation has the full picture of its clients, including access to information that may be held on multiple systems.

Lauder continues that the most effective organisations are able to pull together and continually update a variety of data points throughout the customer life cycle, and leverage this information. “This is not only for the purpose of complying with AML and sanctions regulations and mitigating the associated risks with an optimal use of resources, but also to aid a better service to customers in terms of account management and offering of new products. This includes a blend of information collected from the customers and from third party providers.”

The challenges in sharing data between the US and EU are expected to be eased by the EU’s adoption of the Trans-Atlantic Data Privacy Framework this year, with the UK expected to follow suit with its own parallel arrangements. Such a framework supports cybersecurity, counter-terrorism and anti-money laundering efforts in particular.

Lauder adds that the EU’s work toward the establishment of a supranational Authority for Anti-Money Laundering (AMLA) can only be a good thing to bring consistency in approach and application. He continues that when it comes to AML or data privacy regulations, there is no real competitive advantage to be gleaned, meaning financial institutions should be more transparent in their approach. “The only way we can improve the fight against financial crime is through collaboration and joint effort, compared to the piecemeal approach that we currently take,” Lauder states.

Ansari points to a handful of regulatory and legal updates coming into effect across security and privacy in the US: the Federal Risk and Authorization Management Program (FedRAMP) is being written into law, and the Cybersecurity Maturity Model Certification (CMMC) program is aligned to the Department of Defense’s information security requirements for Defense Industrial Base (DIB) partners.

FedRAMP is the process that Cloud Service Providers (CSPs) follow to get their Cloud Service Offerings (CSOs) approved for Federal agencies or the DoD to use as building blocks for systems hosted in the cloud. The US government-wide program delivers a standard approach to the security assessment, authorisation and continuous monitoring of cloud products and services. CMMC, Ansari elaborates, is designed to enforce the protection of sensitive unclassified information that the Department shares with its contractors and subcontractors.
