As an avid reader, my favorite genre is mystery. A good mystery writer will drop a clue now and then, just enough to keep me guessing and occasionally I may be able to figure out who did the deed once I reach The End.
However, as much as I love a good mystery, a compliance manual should not read like one. And yet, sadly, so many do. Too many require the reader to hunt for the clues to a company’s anti-money laundering (AML) processes and policies and approach to risk analysis.
Why are people writing such bad manuals?
First, because people regard AML compliance manuals as exercises in “just get it done.” We usually start with some template (Yes, I too am guilty of this) and then make minor edits to “fit our business” just to tick the item off our very long to-do list.
Second, because we hesitate to truly edit. Good editing requires cutting and we have this fear in compliance that to remove something that’s been working so far is a huge risk. This results in a compliance manual that changes little through the years except to get wider – like my waistline. This added girth is because the new AML directives, new money laundering trends, and the increased risk of AML fines and penalties add to our stress level. Consider these the cortisol of middle-aged compliance manuals.
Finally, because every year more people review it to demonstrate that “culture of compliance” – a few Board members, a lawyer, the new IT manager, etc. They each have to have their “two-cents” approved and emailed to staff so that staff can flick through it, underwhelmed, before putting it back on the digital shelf where it gathers digital dust.
We need to change this. Why? Well, there are lots of good reasons to change but the one that counts is because auditors and regulators are actually reading these manuals now. And they don’t like mystery novels the way I do.
But where to start?
Here’s an idea, instead of it being a “manual” (i.e., boring, dull, a lot of CYA wording, and generally unhelpful), what if we refer to what we create as an “AML Compliance Map” – one we use to plan our exciting journey in the world of AML regulated services.
Have you ever been on a great journey? I know most of you have been on at least one hiking trail. Or maybe you prefer skiing. Or biking. Perhaps you’ve been on a long road trip, or an exciting train ride. Whatever the journey you took, you will remember that the trip began before the trip began. And it began with a map.
Maybe it was a paper map with multiple folds in it, or maybe it was on your device. Whatever the medium, there was a map. Can’t read it properly? You might get lost. And if the map is wrong, you’re definitely lost. But the second you opened that map is when your journey truly began. The amount of time you spend studying that map and getting to know its details correlates to your journey’s success. (And really, think about it. When we’re lost on a journey, do we pull out our car’s manual? No, we look at a map. Isn’t that what we want our staff to do if they get lost on their AML journey?)
AML compliance is a journey.
It’s an exciting one too, if you approach it with the right mindset. Yes, some people think I’m insane because I enjoy AML compliance. I find it exciting and interesting. I truly enjoy the Know Your Client (KYC) aspects of AML compliance. Reviewing Client Due Diligence (CDD) is, to me, like meeting the stranger on the train on my journey that soon becomes a good, lifelong friend that I happen to do business with. Or, they’re the stranger that makes me want to change seats.
That’s what CDD and KYC process does. Help you decide if you want this person in your life – or not.
Yes, I wish I had the skills of a good AML compliance officer in my 20’s. It would have saved me from a lot of bad second dates. But I digress.
Let’s return to our AML compliance manuals.
Lately, clients have asked me to review a few. Why? Because regulators are stating that the manuals are missing some critical aspect (but they won’t say what exactly) or insisting they don’t meet their expectation or policies aren’t well stated in the manual.
When I get the offending manual, I find myself flipping through the pages and sections and sometimes (god forbid) CHAPTERS. My first goal is to figure out how to start getting paid by the word because clearly that’s what’s going on out there.
My second (real) goal is to figure out, by just reading the manual, what I would have to do to onboard a new client or end a client relationship.
It’s a good thing I like mystery novels because more often than not that’s what I feel like I’m reading when one of these things lands on my desk. I’m searching for clues how to onboard and risk assess a new client.
A compliance manual is not, however, a mystery novel. The manual should, instead, be our map, our guide, on our journey. We want our readers to WANT to print it out, to refer to it multiple times in their AML compliance journey – especially at every crossroad.
If you are sighing heavily because you know your manual is not the helpful, well-written tool that it should be or you’ve been told (unhelpfully) that “there are gaps in your compliance process”, you’re probably wondering what to do next.
My advice:
Lock yourself in a room with a large whiteboard and lots of colored markers. On that whiteboard you are going to draw a map of the AML compliance journey that you and your staff have to take to onboard, review, and end a client relationship. What you are creating is a called a flow chart.
This flow chart should be boxes and lines only. Don’t add long legal definitions or foot notes. Just boxes and lines. With a yes or no question inside every box. Flowing out of those boxes will be two lines – one for when you answer yes, the other for no – each answer leading to another box with another question until you reach one of multiple final conclusions such as: Decline the business, esclatate to a higher authority, or onboard the new client at a specific risk assessment level.
Now, test it.
Run your typical and a few atypical clients through that flow chart.
Our goal with this exercise is to efficiently identify those clients that are strangers on the train that make us want to change seats. Your flow chart should weed them out quickly – by box 2 or 3 is ideal.
The clients that do get to stay on the train with you, you’ll be able to move through the flow chart quickly and you’ll be able to assign the relevant AML risk assessment at the end.
You will likely find you need to create multiple flow charts. You’ll definitely need one for those clients that need to get escalated to senior management or your Board for review for politically exposed persons, or ones that have some negative press or are requesting some higher risk services or products that you provide.
What you should NOT have is a flow chart with only three boxes: (1) Do I have all CDD on file? (2) If Yes, mark client as completed. (3) If No, get more pieces of paper from them.
Sadly, I have come across a manual that essentially said just that.
So let me say it now: Completed CDD does not mean completed AML obligations.
Let me repeat that: Completed CDD does not mean completed AML obligations. The initial CDD is merely that start point for your client risk analysis.
Your first question in a box could be “Do I have the minimum required CDD?” If yes, then the next question could be, “Are they sanctioned?” (Hint: your minimum required CDD should include a sanctions screening result.) If yes, they are sanctioned, then push them off your train immediately. But if no, then move on to the next question which might be, “Are they from a high-risk country?” If no, they can stay on the train with you. If yes…. Well, you tell me – what does your compliance manual say you should do?
Once clear, comprehensive flow charts are drawn, you will have a map to guide you through every conceivable situation of onboarding, reviewing, and ending client relationships.
Finding the Gaps
If your flow charts cannot guide you through every conceivable situation to an acceptable risk analysis or decision to end the relationship, then that’s where the gaps are in your policies and procedures. And you want to find those gaps before a regulatory inspection finds them for you.
The flow charts that you create are just one tool that you will need to pack for a successful AML compliance journey. And we’ve got some packing to do because the weather up ahead looks a little stormy. You’re going to need to buckle up, too, because the regulatory road is looking a bit treacherous. But like any exciting journey worth experiencing, you can take steps to be safe and be well prepared. And, who knows, if you are anything like me, you’ll still pack a good mystery novel to enjoy on the days you can rest. Just don’t make that mystery your compliance manual.
Kimberly Smith is co-founder of SILO Compliance System and a former compliance officer and MLRO. She has her AML certification from the International Compliance Association.