Essential Components of an AML Program for MSBs
September 10, 2020
Money services businesses (MSBs) are in uncertain territory, facing increasing fines and pressure from regulators while trying to adjust to disruptions to traditional banking services. To protect their business, MSBs must step up their anti-money laundering (AML) compliance programs.
This guide offers MSBs insights into the current market and regulatory landscape, and how to overcome challenges specific to them in order to build a comprehensive and effective AML compliance program supported by an advanced technology solution.
Market and regulatory environment for MSBs
What started off as a way for immigrants to send small amounts of money to those who could not access traditional banking services is also a way for criminal networks to move and launder money from illicit activities including drug trafficking, human trafficking, terrorist financing and more.
To help combat these crimes, financial regulators are paying more attention as to how money services businesses (MSBs) conduct business and how effective their anti-money laundering (AML) compliance programs are in detecting suspicious activities.
So what does this mean for MSBs? A requirement to have a more comprehensive AML program could potentially mean more operational costs and increased risk of sanctions and fines. Fortunately, there are solutions in the marketplace for MSBs to enhance their existing existing compliance programs quickly and cost-effectively.
According to FinCEN, the term “money services business” includes any person doing business, whether or not on a regular basis or as an organized business concern, in one or more of the following capacities:
- Current dealer or exchanger
- Check casher
- Issuer of traveler’s checks, money orders or stored value
- Seller or redeemer of traveler’s checks, money orders or stored value
- Money transmitter
- U.S. Postal Service
The term “money services business” does not include:
- A bank, as that term is defined in 31 CFR 1010.100(d) (formerly 31 CFR 103.11(c)), or
- A person registered with, and regulated or examined by, the Securities and Exchange Commission or the Commodity Futures Trading Commission.
Penalties for MSBs
In 2017 U.S. authorities penalized Western Union for failures relating to its AML compliance program, namely for aiding and abetting wire fraud and helping individuals use the company’s services for fraudulent purposes and to avoid detection.
As punishment for these failures, Western Union has agreed to pay a settlement of more than $580 million. In this case, significant portions of the money being laundered through Western Union involved structured payments sent to China that avoided triggering the regulatory reporting requirements of the Bank Secrecy Act (BSA). The payments were from illegal immigrants for services provided by their human smugglers.
In another case, Western Union processed hundreds of thousands of transactions for an international scam where people were directed to send money to a fraudster in order to claim a prize or help a relative. According to authorities, employees often processed the payments in return for a cut of the proceeds.
According to U.S. Attorney Wifredo Ferrer of the Southern District of Florida, Western Union displayed a flawed corporate culture and “failed to provide a checks and balances approach to combat criminal practices.” As part of the agreement, Western Union had agreed to implement stricter policies to prevent future fraud and money laundering.
More fines and penalties
- $25 Million: Civil money penalty against American Express Bank International and American Express Travel Related Services Company Inc. for:
(i) failing to implement adequate internal controls;
(ii) failing to conduct adequate independent testing;
(iii) failing to designate compliance personnel to ensure compliance with the Bank Secrecy Act (BSA);
(iv) a substantial number of failures to file timely, accurate and complete suspicious activity reports (SARs) involving more than $500 million in suspicious transactions.
- $1 Million: Civil money penalty against Thomas Haider, who was the Chief Compliance Officer and Senior Vice President of Government Affairs at MoneyGram when it was found to have violated AML regulations. Haider was found to have willfully violated the requirement to implement and maintain an effective AML program and the requirement to report suspicious activity.
- $700K: Civil money penalty against Ripple Labs Inc. for acting as an MSB and selling its virtual currency without registering with FinCEN, and for failing to implement an adequate AML program.
More at stake than money | Every crime that leads people to launder money has had a direct negative impact on society, whether it is drug or human trafficking, terrorist financing, human smuggling, elder abuse or other illicit activity.
Money laundering is not simply a matter of banks and MSBs losing money to fines and penalties—it’s also about innocent people harmed by the associated crimes.
Challenges with Reporting Requirements
With changing and growing regulations comes an increasing volume of regulatory reports for MSBs to complete and submit by specific deadlines, and possibly across jurisdictions.
These reports can contain hundreds of fields, with validation rules that make manual completion and filing tedious. While data quality is discussed later in this guide, it has a direct impact on reporting.
The inability to group transactions from the same person(s) because identification data is not exact adds complexity, and risks regulatory noncompliance. Some regulators require that for every currency transaction report (CTR), a matching suspicious activity report (SAR) is also generated. MSBs may have to include attachments with each report submitted which can be overwhelming, and often requires a dedicated compliance team to handle.
Other challenges for MSBs
Many MSBs operate in retail storefronts, so training a large number of detached, remote employees to properly collect information for regulatory reports and other matters related to AML compliance is not trivial. What further complicates the task is that retail employees are often cyclical and detecting potentially illicit activity is not part of their core skills.
All these factors make it difficult to ensure that employee training is consistently up to date and thorough, putting the MSB at risk.
Good margins on transactions volumes is a key business objective for an MSB, but the growing compliance requirements have a direct cost implication, potentially eroding margins. MSBs who opt to use untrained personnel to maintain compliance or technology solutions designed for other types of financial institutions can quickly erode profits, jeopardize the viability of the business and tarnish their reputation.
Given the identification process of some MSBs— no identification (ID) is required to send or receive small amounts of money, and larger amounts may only require one piece of ID—it’s not surprising that data quality presents a major challenge.
To add to the data challenges, many MSBs don’t maintain customer profiles, making it harder to detect structuring and other forms of money laundering. Multiple or fake IDs and data entry errors also make it difficult to maintain a complete customer profile across transactions and successfully report suspicious activities.
As criminals turn toward small and medium-sized financial institutions such as MSBs as a means to move illicit funds, these companies represent a greater risk to larger financial institutions.
To reduce their risks, large financial institutions are applying stricter due diligence or discontinuing their relationship with some MSBs. This makes it challenging for MSBs to obtain the banking services they need to service their customers.
Solutions for MSBs
Governance and risk management
To create a culture of compliance, a governance process must be built on formal policies for key stakeholders across the entire organization, including groups that own, manage and provide independent assurances on risk.
Communication, planning, execution and reporting details should be included. Well-defined and meaningful metrics that provide insights into the risk-taking functions based on aggregation and evaluation of risk data at the enterprise level are also important. Policies and procedures should be crafted and actions taken to support this process.
In addition to corporate culture, risk assessments are a vital part of any organization’s risk management process, and one should be conducted at least annually to identify risk, inform compliance plans and drive any required mitigation strategies. These must inform policy and focus the compliance program on current key risks and their attendant controls.
Strong internal controls, data and training programs
To build an effective AML compliance program, MSBs must integrate various components to protect the organization from high-risk customers and transactions. These components include internal processes and procedures, such as policies, training and risk management, as well as technology capabilities, including transaction monitoring, risk scoring, regulatory reporting and sanctions list screening.
Data and its quality cannot be ignored. An effective program must continuously improve data quality based on an established set of policies and procedures. Data from multiple sources should be aggregated in the AML program. Customer-centric data will allow the MSB to group related transactions (e.g., in identifying structuring across locations).
The program also needs to help employees identify suspicious activity efficiently, and train them to monitor for situations specific to MSBs. One such situation, for example, is identifying an individual using different pieces of ID at multiple locations in order to structure transactions.
Compliance technology: The basics
Given the volume of customers, transactions and regulatory reports that MSBs must process, not implementing an AML compliance technology is no longer an option—it’s a necessity.
When evaluating options, MSBs should select one that is designed for their business. Many existing solutions are designed for traditional banking and are dependent on having comprehensive customer information, which is not always the case for MSBs.
The best solutions integrate all compliance components into a single platform, enabling an effective AML process. Key capabilities to consider include the ability to effectively monitor transactions, maintain customer risk scores, automatically complete and submit regulatory reports, and provide for sanctions list screening and filtering.
Comprehensive transaction monitoring across all locations and online channels is a necessity. The key is to apply good analytics against data aggregated from various sources. It’s wise to also perform cleansing and standardization of customer data in order to group individuals together to reduce the risk of missing critical patterns and under-reporting.
MSBs can also create best-of-breed customer records to further improve the quality of data being aggregated, or can go so far as implementing a process to maintain virtual customer records.
Screening customers is a best practice that every financial institution should follow. Gaining insights into high-risk customers or recipients of funds being transferred based on research data like World-Check reduces the risk of regulatory fines and reputational damage.
Customers can be screened at various points in the AML process, including during onboarding, periodically and in real-time to stop any suspicious transactions. Many MSBs are starting to implement sanctions screening, starting with high-risk customers and transactions and expanding as necessary.
MSBs can choose to apply a risk-scoring methodology to an individual and/or their transactions. Risk scores can be calculated using several customer and transaction dimensions including:
- Cash activity volume and frequency
- Length of relationship with MSB
- Is the client a PEP or related party?
- Is the client in a cash-intensive business?
- Is there a sanctions list match?
- Completeness of customer data
- Any previous CTR and STR filings?
- Any high-risk links and customer relationships?
Other customer, transaction and relationship risk factors may be introduced based on the MSB’s risk assessment. Final scores should be derived based on a sum of weighted risk factors.
Compliance regulations require MSBs to report suspicious activities and transactions that exceed defined thresholds in a timely and consistent manner. Because of the large volume of filings, regulatory reporting should be automated, allowing MSBs to create and modify reports and then capture notes and comments.
Types of reports to be completed and filed include but are not limited to:
- Suspicion concerning the source of the funds
- Suspicious electronic funds transfer (EFT)/wire transfers
- Transaction out of pattern for customer(s)
- Suspicious use of multiple identities
- Suspicious use of non-cash monetary instruments
Some technologies can automatically create a SAR for every CTR along with the necessary attachments for the previous 30 days of activity. More advanced solutions also sync with regulators and document the reply across a secure connection on what has been accepted or declined, and why. The best solutions also validate the submission against the regulator’s rules to prevent rejections.
Regulatory reporting can be time-consuming and tedious for a mid-sized MSB that has only one or two employees responsible for AML compliance. Suppose an MSB has to file 300 CTRs every month (plus an accompanying SAR) and each report contains 90 to 300 fields.
Assuming each report takes 1.5 hours to complete, that means the process to investigate, write and file 300 CTR/SAR reports would require 450 man-hours each month—that is equivalent to three employees working on nothing else but regulatory reporting. The case for automating the regulatory reporting process is unequivocal.
Compliance technology: Beyond the basics
While implementing a solution that fulfills the basics of an MSB’s AML compliance program is essential, the importance of finding one that can grow to meet future needs cannot be overlooked. More extensive capabilities include advanced fraud detection models, highly configurable risk models, data quality and master data management, adaptive workflow and case management, and visualization and reporting of insights.
Fraud detection analytics
Fraud detection that leverages advanced analytics models can drastically deter and prevent fraud in all channels by improving detection processes, expanding observation within the company and accelerating investigations in order to adhere to regulatory requirements.
Adaptive workflow and case management
After the AML solution detects an issue and generates an alert, workflows should engage stakeholders in the investigation and remediation process. Workflows should be highly configurable. Look for configurable notifications and escalation paths; ability to add remediation guidelines, comments, attachments and root-cause reasons; and false-positive management.
Workflows should also have the ability to learn from past actions and adapt to increase the efficiency of the remediation process. For example, if a sanctions list match is flagged as a false positive then future alerts should not be flagged unless the customer record changes (e.g., date of birth is now available) or the research data changes (e.g., the customer is now deemed a PEP).
Data visualization and reporting
An AML compliance solution should provide dashboards and reports on the effectiveness of the compliance program. Users should also be able to generate ad-hoc charts and graphs using a self-service data visualization module, which can then be added to dashboards and shared with others. These provide critical insights for the business and compliance leadership.
Implementing an AML technology takes time and money, making it all the more important to choose a solution that not only meets current needs but that can grow with the organization well into the future.
Essential MSB scenarios
A robust AML compliance program for MSBs is dependent on active monitoring for relevant scenarios. Consider the following:
- Structuring: Transactions being structured to avoid breaching acceptable thresholds in an attempt to avoid being reported.
- Smurfing: Transactions from multiple senders may be sent to the same receiver. Common in human and drug trafficking.
- Location jumping: Customers may be sending money on a regular basis from multiple MSB locations. A more deliberate form of structuring.
- Flipping: Customers may be immediately sending money after receiving it. Often less a “fee”. Common in human and drug trafficking.
- False identity: Multiple customers with different names may be using the same identification. Important to correlate to employee processing the transaction.
- Elder exploitation: Customers may have a high number of transactions with the elderly. Common in lottery scams.
- High value: Customers may have an unusually high transaction value over a set period of time.
- Cross product: Customers may have cross-product transactions that exceed a set threshold over a set period of time.
- Changes in customer behavior: Significant changes in frequency, amount, receiver/sender subjects and types of transactions. Best implemented using anomaly detection models.
- Location risks: Scoring the risks of sending from or receiving at specific locations (country and cities), as well as at an agent level where applicable.
- Watchlist/sanctions screening: Using internal or third-party data to detect high-risk customers.
Using more advanced analytics
Advanced analytics, machine learning and AI are becoming part of best practices when implementing an effective AML program. Methodologies include anomaly detection and link/network analysis.
To begin detecting anomalies, the subjects (senders and receivers) in the network are first segmented. Segmentation can be based on several factors, including customer type (e.g., business or individual), industry codes, location and transaction patterns (frequency, amounts, etc.).
Depending on what the best fit is for the specific MSB, an appropriate clustering approach to the data can be developed. The model is trained using historical transactions and then validated. In addition, the data can also be further enriched using third-party sources such as the World-Check database, Country Corruption Index, Tax Haven Locations, etc.
Being able to look at subjects’ (i.e., senders and receivers) static data (e.g., telephone number, address and name) and transactional data to identify links is key to uncovering high-risk subjects in a payment network.
High-risk behaviors tend to have an identifiable pattern that makes it possible to detect schemes and criminal activity, including human trafficking, drug smuggling and terrorist financing. It will be increasingly commonplace for AML technology to include advanced analytics that help identify and link members of any given customer’s network to help compliance teams identify the patterns that may be indicative of criminal activity.
Other fraud layers – Authentication
When it comes to online transactions, MSBs should consider implementing a fraud detection layer to increase their protection. For example, before a user completes a transaction, their authentication session can have a risk score applied to it.
Several authentication attributes can be used in creating anomaly detection models, such as IP address, operating system (OS), browser, browser version and language. The MSB’s software solution should then be able to learn normal authentication behavior and assign an anomaly score to new sessions.
Other key attributes can be created by enriching the data with IP address locations of login attempts. Consecutive login attempts can be analyzed based on the time difference between those attempts and the distance between the locations, helping to determine if it is physically possible to reach those places in that time duration to perform those login attempts.
AML compliance for MSBs is complex – simplify it with Alessa
To keep up with regulations and quickly adapting criminals, MSBs must continuously evolve their AML processes. A successful program is dependent on identifying the objectives of the program, implementing key components, knowing what scenarios to monitor, and understanding the vital role that technology must play within the program. Going forward, emerging best practices must also be noted and eventually implemented.
Integrating all of these key components will help ensure that your MSB avoids the penalties and reputational damage that come with major compliance failures. Alessa integrates all of these key components within a single platform and offers the advanced analytics that are quickly becoming industry best practices.
To learn more about how the solution can improve your MSB’s compliance program, contact us.