Compliance Operations During COVID-19

Adam McLaughlin


November 2, 2020

Compliance is a critical function that receives attention from both internal audit teams and regulatory and legislative agencies. Given the sensitivity of their work, compliance functions have traditionally been office-based, existing on a secured floor or area within the organization. While some organizations were transitioning toward some degree of flexible working practices for compliance professionals before the pandemic, the majority of compliance employees were still primarily based in a secured office environment due to the confidentiality and sensitivity of the work.

COVID-19 changed all that. Now, entire anti-money laundering (AML) compliance teams are working remotely. While many organizations have successfully adapted and remain resilient, in the long term, certain aspects of remote work could create new challenges, such as maintaining team engagement, ensuring team members share ideas and knowledge, maintaining investigation quality, and securing sensitive data. When it comes to fighting financial crime and ensuring compliance, what might the future look like?

The Evolution of Financial Crime

Regardless of external factors like the chaos of a pandemic, regulated organizations still must adopt a risk-based approach and maintain adequate systems and controls to prevent financial crime at all times. Indeed, when the UK Financial Conduct Authority released updated guidance in May 2020, it acknowledged the disruption to “business as normal” in financial crime compliance, but stated that it still expected firms to maintain effective systems and controls to combat financial crime and terrorist financing. It also reiterated that firms should be aware of new or changing financial crime threats and take an appropriate risk-based approach to mitigate these threats.

Before COVID-19, financial institutions had fairly well-established processes for identifying suspicious activity for their customers and in transactions flowing through their organizations. The current climate has created challenges, as what is considered “normal” customer activity has changed. As enterprises like restaurants and gyms try to stay in business, they may have diversified their activities to earn revenue. Customers who have historically relied primarily on cash have gone digital. Are these new activities legitimate, or a suspicious change in behavior?

The majority of changes in customer behavior are likely to be legitimate as people try to adapt to new circumstances. But some customers are unlikely to revert to their old transactional behavior, so it will be difficult for compliance investigation teams to keep up with legitimate changes and spot suspicious behavior.

Going forward, we will likely see a quicker transformation toward digital banking and a reduction in the use of cash, both from legitimate customers and criminals. Criminals will look for ways to digitalize the cash-intensive parts of their operations, allowing them to move and layer their illicit gains more quickly, even when bank branches and money service businesses are closed.

Not only will criminals change how they acquire and move their illicit wealth, they will also exploit any opportunity to expand into new ventures. For example, once the pandemic took hold, new instances of fraud quickly appeared, such as phishing scams asking victims to click a bogus link to claim a tax refund, scams alleging that someone came into contact with a COVID-infected person, and sales of fake testing kits or non-existent or substandard personal protective equipment. The Italian mafia even used COVID-19 to win over people and expand their criminal empire by offering support to households that had run out of cash.

These changes mean that organizations must be alert to potential new threats and review their detection systems so their models and thresholds are appropriate. It is important to spend more time reviewing unusual behavior to check if it is actually suspicious, and share new fraud typologies with other regulated entities to help ensure all organizations can adapt more quickly and maintain the front line against criminals.

The Need for Operational Resilience

Like criminal behavior, compliance is also evolving. The pandemic has shown us that resiliency is a core requirement for any compliance function and it will now be at the forefront of many compliance managers’ minds. As workers return to the office in some areas, organizations may be more open to the possibility that employees can operate remotely and remain fairly effective.

However, remote working creates challenges for organizations, including how to maintain productivity and ensure appropriate conduct and consistent, quality outcomes. Staff can feel isolated while working from home, especially with little or no access to the office or limited access to colleagues to share knowledge. To be successful, management must put processes in place to ensure staff feel connected and reduce barriers to allow employees to share ideas and knowledge. This could include daily or weekly huddles, and ensuring that staff log into messaging apps to show their availability. When possible, staff should also have access to video features during meetings to promote better engagement than voice-only meetings.

At least some of the operational changes forced by the pandemic may become permanent, making it important to maintain management oversight regardless of work environment. When staff are not in the same office as management to have a quick conversation or review, managers must maintain discipline to ensure appropriate conduct among staff and quality and timeliness of work performed.

Resiliency Through Technology

Not only do organizations need to help staff remain operationally robust and resilient, they also need the right technology to support workers and ensure the organization is complying with regulations. Technology can help identify criminal activity and ensure compliance in various ways:

Better detection. Both contextual analytics and AI can help improve detection, reducing false positives and ensuring true negatives are not missed. Contextual analytics monitors all known information about a customer, checking know-your-customer data against transaction data. Organizations can integrate third-party data into the analytics, such as adverse media or corporate information, or additional internal data sources such as voice or digital communication with a customer. The more information you know about a customer, the easier it is to spot abnormal behavior.

AI and advanced customer segmentation can also reduce alert volumes, allowing you to concentrate on the alerts that are likely to result in a suspicious activity report (SAR) filing. This, in turn, reduces the number of staff required to respond to alerts and will provide capacity if there is an absence on the team, allowing you to reallocate your workforce.

Improved alert and case management. Technology can provide greater efficiency in the way alerts and cases are managed and investigated. Predictive scoring using machine learning can predict how likely an alert is to result in a SAR. This includes automating the alert allocation process, sending some alerts directly to specific teams, and hibernating alerts with low predictive scores until other suspicious activity occurs. Ensuring higher-risk alerts are addressed first will help manage risk where investigation teams may be stretched. Integrating third-party data into the platform can also reduce manual processing, allowing investigators to quickly access all customer activity.

Greater transparency and auditability. Integrated management information and quality assurance tools can allow management to quickly see what detection models are working effectively. They can also monitor alert throughput, investigation and disposition quality, and ensure all of this is completed quickly. Digitizing this process mitigates risk and provides faster and higher quality oversight. It also ensures the organization is fully compliant and able to justify its processes and decisions.

Effective communication. Communication is key when staff are working in multiple locations. Both staff and management need the ability to interact with each other. This helps with staff development and decision-making, and builds a successful, coherent and aligned team. Isolation and lack of communication among team members could result in reduced quality and productivity, increasing the risk of something going wrong, such as an incorrect disposal decision.

COVID-19 will continue to introduce new challenges. Whatever the future holds, compliance teams will have to become more resilient and flexible without sacrificing quality or consistency.

Adam McLaughlin is head of anti-money laundering (AML) solutions for EMEA at NICE Actimize.