How to evaluate an AML system

AML solutions

ID verification

Electronic ID verification may occasionally be necessary and, at other times, it will provide an extra level of assurance relevant to the client risk assessment. By automating document checks and cross-referencing multiple databases simultaneously, electronic ID verification can reduce the risk of human error and provide more reliable verification. However, ID verification – whether performed electronically or face-to-face - is only one component of the CDD measures necessary for a particular client (and, of course, AML compliance comprises much more than CDD).

MLR 2017 has something to say about electronic ID verification. It states, in regulation 28, that verification must be “on the basis of documents or information in either case obtained from a reliable source”. It goes on to state that information may be regarded as obtained from a reliable source where it is obtained by means of electronic identification and the electronic ID verification process is secure from fraud and misuse and able to provide the required level of assurance “to a degree that is necessary for effectively managing and mitigating any risks of money laundering and terrorist financing”.

A further word of caution is given in regulation 39 (on reliance on third parties). It states that a firm may apply CDD measures using an agent or an outsourcing service provider, provided that “the arrangements between the [firm] and the agent or outsourcing service provider provide for the [firm] to remain liable for any failure to apply such measures”. AMLGAS provides helpful guidance in this respect, noting that a firm must gain a reasonable understanding of the system it intends using, and consider whether the information the system provides is reliable, comprehensive and accurate. The firm should ensure it has answers to the following questions:

• Does the system draw on multiple sources?
• Are those sources checked and reviewed regularly?
• Are there control mechanisms to ensure data quality and reliability? (Does the system have built-in data integrity checks?)
• Is the information accessible (i.e. to download and store search results electronically or to print a hard copy)?
• Does the system provide adequate evidence that the client is who they claim to be? (Has the evidence provided by the system been obtained from an official source, e.g. the certificate of incorporation or a passport?)

A different type of electronic ID verification tool is one that relies on the self-capture of documentation, where an individual being identified uses an app. In such a case, the firm must be able to satisfy itself that the tool is sufficiently sophisticated to be able to analyse any official documentation and detect possible forgeries.

Manual solutions 

Manual processes can be appealing, particularly for smaller firms, as they require minimal upfront investment in technology. These processes give staff complete control over compliance activities, enabling immediate adjustments to meet evolving needs. A no-software approach offers greater flexibility. Without an automated system dictating processes, firms have the freedom to design an AML compliance system tailored to their specific needs.

With a largely manual solution, a firm can reduce its technical vulnerabilities and avoid service interruptions by operating independently of external systems. Many employees are also more comfortable with familiar manual methods they have used for years, which can ease the burden of change. Because change would tend to be incremental, the need for staff training on the AML compliance system is minimised, along with any associated costs. Additionally, modifications to these processes can be implemented quickly without the constraints of technical integration, allowing for greater flexibility in day-to-day operations.

While manual processing may offer initial simplicity, it demands significant staff time and resources to manage routine compliance tasks (and to maintain the system). The reliance on manual completion increases the risk of human error, and can compromise objectivity. Ensuring consistent standards across teams becomes progressively challenging as operations scale. Additionally, manual systems often struggle to handle growing client volumes efficiently, leading to bottlenecks and delays. Maintaining comprehensive audit trails requires meticulous record-keeping, further adding to the administrative burden and threatening overall efficiency.

Comprehensive AML software 

There are comprehensive AML platforms that offer fully integrated solutions to meet all AML compliance requirements, streamlining operations and reducing complexity. These systems can include:

• workflow management tools that automatically guide staff through each compliance step, ensuring nothing is overlooked,
• client oversight that provides continuous tracking of client onboarding and ongoing monitoring, promptly flagging potential issues for review,
• centralised data management, helping to ensure consistent and accurate information across all compliance functions, improving efficiency and decision-making,
• standardised processes embedded within the platform, facilitating the consistent application of compliance procedures across teams.

While comprehensive software solutions offer significant benefits, they can also be excessively complicated – often having a wide range of features that may be irrelevant to smaller firms in particular. Criteria to consider when choosing a comprehensive AML software solution should be affordability, licence flexibility, transparency and ease of use. It may be unrealistic to acquire bespoke software; so, firms will need to research their requirements and the various products on the market, and be prepared to shop around.

Software reduces the likelihood of human error and inconsistency, as it will have built-in controls to ensure that all relevant employees follow the same processes and that decision-making is objective. Software will usually have the advantage of providing a comprehensive audit trail, which records who did what and when. This, in turn, enhances individual accountability.

A platform claiming to provide an AML solution for a firm may helpfully integrate AML compliance into the wider process of client onboarding, and throughout the client lifecycle. Alternatively, it may simply be available to use whenever the firm identifies the need, in which case integration is achieved manually – through clearly documented policies and procedures.

However AML compliance procedures are integrated with the firm’s client services, the firm should be aiming to achieve effective AML compliance that does not impede efficient workflows. Automation, if effective, can save time and worry. However, care must be taken not to overlook the need for professional judgement. AML compliance is rarely condensed down into an algorithm. While acknowledging the power of generative AI, many people would concur that professional judgement still requires a degree of human input.

Fragmented solutions 

An all-in-one AML solution may be too costly or offer more functionality than a firm requires. Therefore, a firm may draw upon several different resources – some electronic and some manual. However, maintaining multiple systems can significantly increase complexity, and the task of ensuring procedures are up-to-date is complicated, and responsibility for doing so must rest with the firm.

Integrating different AML systems into the firm’s procedures requires thought and care. For example, onboarding a new client starts with considering a potential client’s needs and ends with the signing of an engagement letter; but CDD measures and other processes must take place in between.

In addition, staff must be able to use multiple tools, with various interfaces, which can be challenging and frustrating, and fragmented processes can result in data being stored in several different places, making it more difficult to access and use. These challenges highlight the importance of clear and comprehensive AML policies and procedures.

Solution criteria

Cost considerations 

When considering compliance systems, a firm must provide for an initial investment that includes all implementation and integration expenses, and not only the cost of the initial licence. For example, integrating new tools into existing systems will often incur additional professional fees.

Ongoing maintenance will require a regular budget allocation to cover updates, technical support, and system optimisation. For firms with growing client volumes, usage-based fees can escalate quickly, adding to overall expenses. Comprehensive staff training programs also demand significant resource allocation. In view of the complexity of the proposed system, and the pace at which it is likely to evolve, staff training costs should not be underestimated.

Efficiency factors 

It may be argued that efficiency is best measured with reference to the time spent per client in meeting the firm’s AML compliance obligations. However, another factor to consider is the types of staff (i.e. relevant employees) empowered by the AML compliance system to perform CDD, monitor AML risk, etc. If use of the system is restricted to senior members of staff, clearly there are weaknesses in terms of efficiency and costs.

Efficiency needs to be considered alongside effectiveness, as any weaknesses in the system that risk supervisory intervention will have a significant impact on the firm’s efficiency. This would include an effective documentation management system that streamlines record-keeping and retrieval. Similarly, a powerful reporting capability will make it easier to monitor compliance, which will assist the firm while demonstrating compliance to a supervisory authority and enhancing its confidence in the firm.

Compliance effectiveness 

An AML compliance system must be designed to meet all current requirements of MLR 2017 and the supervisory authorities, while having the flexibility to adapt to new ones. A firm must be able to assess the effectiveness of a proposed system in all relevant areas, including:

• the documentation and maintenance of a FWRA,
• all elements of CDD, including appropriate verification measures related to client risk,
• ongoing monitoring,
• supporting the relevant AML compliance roles within the firm,
• recording staff training and other relevant communications,
• internal reporting of suspicious activity, and
• the secure retention of sensitive data for the appropriate period.

Throughout any compliance software solution, there must be a clear audit trail that documents all activity and attributes it to appropriately authorised individuals. Regular updates – to the software and the documentation within it – must be sufficient to keep up-to-date with changes to the firm’s AML compliance obligations, including its response to emerging risks.

Scalability

Firms of any size can benefit from comprehensive AML software that forms an integral part of the firm’s procedures. However, for smaller firms, it may be difficult to tailor an off-the-shelf product to its needs. Ironically, to save the time and stress that small firms are seeking requires financial resources that small firms generally do not have. However, some form of electronic ID verification, combined with well-understood manual processes can provide a cost-effective and practical entry point for smaller firms.

Cloud-based AML compliance solutions can provide a scalable alternative to a largely manual system. It is important that an AML compliance solution can adapt to the evolving size and nature of the firm, without requiring any disruptive and expensive overhauls.

User experience 

It may be difficult to know what a relevant employee would regard as a ‘good’ user experience. It is likely to include the way they experience change and the management of that change. For some, a good user experience might be to continue to use well-understood manual processes, although care should be taken to ensure that alternatives are fully considered. This will entail some or all of the users being involved in the decision-making process concerning any new AML compliance solution.

Once an AML compliance system has been implemented, its interfaces with other practice software (and manual procedures) should support the efficient and intuitive completion of compliance tasks with relative ease. Effective staff training will impact both the timeline for implementation and the efficiency of ongoing operations. Reliable, easily accessible technical support will help to enhance staff engagement and boost staff confidence to use the tools effectively.

Transition Planning 

Change can be challenging in any organisation. Those leading the change must be seen to be managing the change effectively, and that will usually require effective communication and the involvement of those impacted by the change - notably those who will be expected to use a new AML compliance tool.

Implementation timelines need to accommodate staff training, data migration and system testing. Staff training programs require structure while accommodating flexible and varied forms of delivery. Early monitoring post-implementation will help to identify and address implementation issues, and resources must be allocated to such monitoring to ensure staff feel supported.

AML policies and procedures should, generally, be consistent across a firm. However, in a firm comprising several offices, some offices will specialise in various ways (e.g. clients, locations, industries, sectors, services, etc). When a firm grows by combining with another firm, there will (initially at least) be different processes in different offices. Therefore, a firm must determine the extent to which policies and procedures should be standardised and how any such standardisation is to be achieved.

A larger firm is likely to have a compliance team, which will understand where practices within the firm vary. It will be well-placed to monitor policies, controls and procedures across the firm, and it will identify offices in which the implementation of those policies, controls and procedures is less effective. The compliance team may also be responsible for certain AML compliance functions, such as the submission of SARs, authorisation to onboard a high-risk client, and electronic ID verification.

Conclusion 

An AML compliance review – either internally or by way of a compliance visit – may leave you feeling that your firm needs to implement some significant changes. Fortunately, the outcome of that review should provide the firm with some clues about what needs to change. Any change in a business needs to be managed and introduced sensitively to those impacted. But the first stage is to compare what the firm has in place now with the AML compliance system that will exist in the near future (and the longer term).

Designing an appropriate AML system requires balancing the need to enhance effectiveness and efficiency with the firm’s available resources. Regular evaluation of the system will help to ensure the firm’s AML compliance system evolves with the firm. Of course, the firm’s annual compliance review will go some way to evaluating the system designed to support that compliance.

Key Recommendations 

An objective assessment of a firm’s current compliance gaps will help to identify the extent of change necessary and which areas of change must be prioritised. The firm must be clear which criteria are most important to it in selecting an appropriate AML solution, although none of the criteria discussed here should be ignored. In particular, seeking a solution in the short-term should not be at the cost of longer-term development, i.e. scalability.

Care must be taken to recognise all costs involved in the transition to a new set of policies and procedures. The transition itself must be carefully planned and managed, to maximise the possibility of staff understanding and engagement with the new AML compliance environment.

Implementation success factors might include:

• effective change management processes,
• clear project leadership and accountability,
• comprehensive staff training programs,
• regular progress monitoring and staff updates,
• strong vendor relationships and support,
• regular compliance monitoring, and
• post-implementation review.

‍