At most large banks, the legacy compliance processes designed to fight financial crimes such as money laundering have grown so complex as to be barely manageable. Multiple iterations, multiple handovers and too many manually controlled processes prevent banks from attaining truly effective or efficient compliance systems. Excessive complexity has led to greater operational risks and a spate of large fines.

In recent interviews with Bain & Company, bank executives described how the complexity affects their daily compliance activities:

• “Relationship managers spend hours every week resolving false alarms.”
• “Our automated rules are not sophisticated enough. Clients have been getting flagged because of the name of their street.”
• “Operations cannot make fast decisions on alarms, because everything is escalated and it takes ages to get a green light.”

What accounts for this state of affairs? Banks face pervasive challenges on several fronts:

• Processes. Most compliance processes and handovers still incorporate a high level of manual work for screening, alerts processing and other activities. For instance, staff at many banks are copying and attaching computer screenshots to protocols. Each manual step is inefficient and prone to errors.

  A related problem is the fragmented, siloed nature of many compliance processes, with frequent manual interventions and delays in the process. Banks lack an end-to-end vision of compliance with respect to financial crimes regulation. They rarely have frequent communication among the onboarding teams, commercial due diligence analysts and transaction monitoring teams.

  Commercial due diligence at most banks contains other flaws, namely that the set of questions often are not aligned with the regulatory objectives, or consistent with a coherent customer experience, or linked to a system that would give the bank a better understanding of the client. For example, an address on Baghdad Street in Singapore might understandably trigger an alarm in the first instance, but in subsequent instances the bank’s process should know this is not a threat.

• Data. Low-quality and unstructured data resides within most banks without being fully integrated. That leads to difficulties with client reference data and documentation sharing, as well as data extraction or aggregation from flawed databases. While some third-party products have proved useful, certain popular databases lack some essential customer data—for example, more than 60% of names missing the date of birth for the client or the ultimate beneficial owner.

• Model. When data quality suffers, so does the quality of the model. The rigidity of “hard-coded” or static transaction monitoring algorithms makes it difficult to adjust for policy changes or client behaviors. That drives up the volume of investigations and results in abnormally high false positive rates, sometimes exceeding 90% in our experience.

• People. If banks staff transaction monitoring processes with inexperienced employees, especially when offshoring, the amount of investigation effort will continue to increase. Lacking expertise, these employees will either tend to emphasize risk reduction over efficiency, or the reverse—they will not understand the complexities involved and therefore miss risks. They may also tend to solve process issues rather than seeking the root causes of problems. And when the bank has no probability-tuned assessment of risks, using inexperienced staff leads to very high escalation rates.

When Bain and Parker Fitzgerald benchmarked five major global banks, we found that none of them has yet solved all of these challenges. They typically have oversized teams, a slow onboarding process and high false positives (or, in one case, high false negatives) that plague their models. They have taken mostly tactical not strategic, measures to try to improve broken compliance processes. For instance, they have hired dozens of people and paired them with external contractors, and they are applying multiple technology solutions, further raising complexity that’s hard to manage.

Emerging best practices

Yet in other ways, these five banks are demonstrating some good practices that can be adopted by other banks to advantage. These practices, as well as promising practices at other banks we have observed, suggest that a more effective approach to financial crimes compliance consists of several key components (see Figure 1).

First, banks should develop a streamlined, end-to-end process. Leading banks are starting to review their processes with an eye toward maximizing the client experience, minimizing effort and eliminating breaks and complexity. To do this, some use zero basing, which takes a start-from-scratch view to set the baseline on activities and roles in compliance, rather than starting from existing activities. They are defining the desired future state of compliance, defining the gap between the future state and current state, then mobilizing the organization to redesign processes.

Effective compliance also demands a “golden record’’—a single source for all compliance processes. The record’s core consists of internal structured data that goes through a rules-based cleanup and gets integrated into a data lake. Internal data is enhanced with unstructured and external data such as text, voice and pictures. Some of that data may come from vendors, but banks can also look off the beaten track to non-indexed web pages and search-engine results (see Figure 2). Predefined algorithms then process and score the data for relevance.

Advanced analytics and algorithms form another essential component. Artificial intelligence increasingly can use the enhanced database mentioned earlier to power a proactive compliance model. Machines make a logical substitute for people on routine, low-cognition tasks, as when Fair Isaac introduced a credit scoring model that largely replaced the human element in many lending decisions. Human intervention remains valuable where machines cannot make better decisions, but a growing number of tasks will blend machines and human actors—data collection and crunching by the former, assessment of unclear data points by the latter.

The role of regtechs

Finally, a strong financial crimes compliance strategy now virtually requires some form of partnership with specialist regulatory technology firms, or “regtechs,” which have developed expertise that most banks would find too costly or time-consuming to develop themselves. Regtechs range from know-your-customer or anti-money-laundering specialists such as Palantir, to customer onboarding and workflow process firms such as Encompass and Contego, to major technology firms including IBM, SAS and Oracle. The market also features utilities such as Experian and Accelus, which act as intermediaries or data providers to other companies. We believe that most of the regtech startups will disappear, a few will be acquired and perhaps roughly 2% will continue as standalone firms. Among the established tech firms, one-third to one-half will be able to succeed in this market.

Many banks will outsource activities to regtechs, while some banks might buy a regtech in order to insource a particular technology. And we foresee that some banks might partner with other banks in a joint venture to buy an equity stake or build a new regtech firm. After a bank has redesigned its end-to-end financial crimes compliance process, the transition to a successful regtech partnership requires attention on several fronts (see Figure 3):

• Legal and regulatory compliance. Gaining the confidence of regulators will be essential for a partnership strategy, including with companies that may not yet be approved for certain operations. Regulators will need to be convinced that a bank can outsource activities without hampering reliability and quality, so regtechs must prove that their business and operating models are sound, and that client data will be kept confidential if several banks participate.
• Operations. Most regtechs are digital natives accustomed to using Agile methods. To collaborate effectively with them, banks will have to become more nimble as well, with fewer handoffs, fewer workarounds and clear metrics for each step in the process.
• IT. Banks will need to adapt their core system interfaces to work seamlessly with a network of various plug-and-play applications. As testing cycles get faster, the risk of fraud could rise; IT teams should home in on system stability and security.
• Culture. Banks will have to let go of their traditional bent to build systems themselves, and instead learn to work with firms that are much smaller yet more proficient in their field.
• Project management. Given that regtechs use mainly Agile methods, banks’ own IT and operations teams will have to adopt a similar mindset and greater level of flexibility. If a regtech proposes a new technology, banks won’t have the luxury of taking months for internal approval.

Even as bank supervisors heighten their scrutiny of bank compliance, fraud and money-laundering schemes grow more sophisticated. Banks have no viable choice but to upgrade their crime-detection and crime-fighting capabilities. Their arsenals will increasingly include more powerful analytical models, artificial intelligence and the help of regtech specialists. Yet with each new technology and partnership, banks risk making their compliance operations still more complex. Banks that eventually excel in compliance will be those that strike the right blend of people and machines, build a seamless end-to-end compliance process, and adopt Agile ways of working in order to make the most of regtech expertise.

Jan-Alexander Huber and Matthias Memminger are partners in Bain & Company’s Financial Services practice, and are based in Frankfurt. Michael Soppitt is a partner with Parker Fitzgerald’s Digital Risk Solutions practice. Matthew Hayday leads Parker Fitzgerald’s Risk Technology practice. Soppitt and Hayday are based in London.

Parker Fitzgerald is a global leader in risk management solutions for the banking and capital markets industry, focused on improving resilience and risk-adjusted performance. The firm advises international regulators, governments and key industry bodies in all areas of risk management, capital and liquidity management, market conduct and the impacts of financial technology.