It’s often hard to judge just how much effort you will need to put forth on behalf of your institution in order to have peace of mind for AML compliance. On one hand you could put a great deal of effort into AML compliance, which could simply be a waste of money. On the other hand, you could put only a little effort into AML Compliance and find your name in the news. However, it doesn’t have to be so cut and dry. There is a happy medium; you just have to know what to consider. In two parts, I plan to provide some high level guidance on how to make this judgment more effective for compliance officers or non-technical compliance professionals. The first part of this article will focus on evaluating your AML software needs, the vendors, your budget, and planning the actual implementation.
Evaluation of AML Software and AML Consulting:
When browsing the market for the various software options, there are several things that should be done to compare apples to apples. First, compare each and every feature so that you know how much you are getting for your money, but don’t allow yourself to simply be wowed by volume of features. You’ll want to look for the quality in which those features perform. Do you need all of them? Do you need more? Are they providing the value of what they’re claiming? Are they relevant to your lines of business?
Now, there are some standard features that all AML software should have so that they meet the spirit of the law and AML industry standards. But there are also advanced features that are like the icing on the cake. The advanced features allow you to generally go above and beyond in your operational efficiency, the depth in which you monitor a customer and lastly how presentable your AML program is to the auditors, management and regulators.
Figure 1: The vendor checklist.
A
ML software is a very specialized market and requires specialized consulting. AML consulting ranges from compliance expertise to technical expertise. General compliance expertise can assist with the implementation of AML software and how it fits into an AML program, but tends to give you limited results. The same can be said for general IT consulting. The best-case scenario is that you utilize a compliance expert that specializes in that AML software, and a more specialized IT consultant that will have in-depth product expertise and experience. This will create a much more efficient compliance operation for your institution (Refer to Figure 1, the vender checklist). This will help you understand some of the basic questions that you should be asking when evaluating AML software and AML consulting.
Figure 2: Exposure vs. Risk.
N
ext, you’ll need to consider your budget; how much to spend and how to spend it is the toughest decision in implementing AML software and consulting. There are often many variables to determining a budget, which include up-front costs and on-going, year over year costs. See Figure 2 and 2.1 as examples to help you calculate cost vs. compliance. What is important to understanding your inherent risk and residual risk? Typically, the first mistake is not full understanding the risks. It is the responsibility of the compliance officer(s) to understand these risks and communicate these risks effectively to management. Commonly the compliance officer and management do not agree on risk verses reward or there is a communication gap, so often management treats compliance like a necessary evil and tends to shortcut the compliance officer. In the end, the institution suffers because of this ineffective communication.
Figure 2.1: Inherent risk, risk mitigation and residual risk.
any institutions will pay an independent consultant or team of consultants to objectively
evaluate their institutions risks. There are so many reasons this makes sense. For one, if the risks are identified then the institution has a better chance of putting forth the appropriate level of effort. Second, management tends to have a perception that this is a one-time cost and maybe a small maintenance attached to it; however, this is not the case. It is best to stage your efforts by creating a 5-year plan as shown in figure 3.
Figure 3: Sample 5 year plan.
Typically the greatest costs with implementing AML software are up front, but it is critical to continue to invest annually to 
continue to progress your AML effectiveness. Even the best programs go out of date very quickly in today’s regulatory market, so continued incremental compliance improvement really is best.
AML software is not effective no matter how good it might be without proper integration and complete data. Every institution has data issues. Unfortunately this impact is tremendous on your AML software. When deciding on what systems to pull from for your regulatory requirements, err on the side of caution. More than likely if you think you may need to pull from a certain system, you probably will eventually. It’s generally cheaper to build a better foundation than to pick the house up and expand the foundation later.
Planning:
Planning goes hand in hand with success and more often than not this is what makes or breaks the project. Perform an analysis of your compliance risks and your exposure to those risks. Be sure to document these requirements in a Business Requirements Document (BRD). A business requirements document defines what compliance requires from the technology to manage a successful AML compliance program, such as case management, rules/scenarios, profiling, reporting. When implementing the software you will need to have design sessions to decide on how to configure the software to meet your compliance needs defined in the BRD. These sessions should evaluate each feature of the software to see how it pertains to your compliance needs. This is typically documented in a Functional Design Document (FDD). The functional design document defines the technical requirements, such as data requirements, interface controls, reconciliation, server requirements. With these two documents you will understand the full scope of what you need to do, and it’s more than likely that you will need to stage the project.
Generally, once this type of in-depth analysis is performed you will not be able to tackle the full scope all at once. However, by staging you can tackle the most important items first and address the other items in later stages. This is also a generally acceptable practice to the regulators because you are demonstrating the effort to tackle the bulk up front and have a plan to tackle the rest soon thereafter. The risk is that you are not moving fast enough or do not manage it well and miss your commitments.
Figure 4: Sample project plan.
All projects are managed best with a project plan. A project plan is a written form of communication that should keep everyone on track with what needs to be done and when. See Figure 4 for what a sample plan may look like. After the BRD and FDD, the project plan can be written with confidence and accuracy. Once the project plan is completed, the most important task is to manage to the plan. Be sure you get commitment from the resources that own their tasks; otherwise your plan is going to have a lot of slippage. Don’t start a project with resources that are spread too thin or timelines that your resources were bullied into. If you do this you are doomed for slippage, which creates frustration and failures.
The principals in this article apply whether you are using internal resources, external consulting or a combination of. More often than not, we see a combination of both internal and external resources used to implement AML software. I believe the reason is because of specialization and costs. Internal resources are specialized in the internal workings of the organization and they have the keys to the castle. External resources (consultants) are specialized in implementing AML software and understand the process. External resources are often considered costly, but inefficiency is also a cost, so consider all your options before you select a consulting vendor to support you.
Conclusion:
As you have learned in this article, evaluating your needs, vendors, budget and having a good plan, including a BRD and FDD are the first steps to implementing your AML software successfully. Each step will be imperative to your efficiency in both expense and workflow. Next month, we’ll cover part two of this article, which will focus on the technical and business implementation, testing, production cutover, and post implementation.
If you would like to know more about ARC Risk and Compliance, and our approach to the RFP/RFI process; assistance in creating a BRD or FDD; or the implementation, upgrade or conversion of your AML software, please contact us.
